Re: 4.0 frozen

2006-12-17 Thread Marc Balmer
* Stephen Schaff wrote:

 So, I thought I would post my dmesg here and see if it grabs the  
 attention of anyone who knows better than I do. Any insight would be  
 much appreciated. It turns my stomach to think I'd have to reinstall  
 with a different OS.

If this system is critical for you, you might consider installing a
hardware watchdog timer which will then reboot the machine if it hangs.



Problems in my wireless card

2006-12-17 Thread Eduardo Jorge

Hi,

I have an Atheros AR5BMB5 and I run OpenBSD 4.0, and the Atheros doesn't work.


Can anyone help me?

--
Serrano Neves - a.k.a eth0 / www.eth0.eti.br
Realmente Seguro? http://secure.eth0.eti.br
Talk is cheap. Show me the code. - Linus Torvalds



Re: Errors Compiling OpenOffice

2006-12-17 Thread Robert Nagy
You do not have to set the ulimit. The port does it for you from
now on in the build environment.
If you want to compile OOo on stable, you are on your own.
OOo needs a couple of things that are in current. 

On (16/12/06 22:42), Travers Buda wrote:
 On Sat, 16 Dec 2006 22:35:24 -0600
 Travers Buda [EMAIL PROTECTED] wrote:
 
  On Sat, 16 Dec 2006 11:24:52 -0500
  Jim Michael [EMAIL PROTECTED] wrote:
  
   I encountered the following errors when compiling OpenOffice on a fresh 
   install of 4.0-stable on an i386.  Dmesg is also included
  
  Upgrade to current, openoffice should not work with the -stable gcc.
  Also do ulimit -n 1024.
  
  Travers Buda
 
 Duh. Sorry. You're on i386... probably with -release ports, right? If
 so, don't pay any attention to me. But since you're compiling it
 yourself, I'm assuming that you want the -current openoffice. -current
 OO may compile on -stable i386, but it would be best to use the latest
 in-tree gcc.
 
 Travers Buda



Re: don't beat me... IPSec and wlan

2006-12-17 Thread Chris C.
Is this even possible? I've done some more homework and as I understand it 
right now I have to add one configuration per client.


On Saturday 16 December 2006 18:33, Chris C. wrote:
 Hi,

 We're currently (for 4 hours now :() building a new wlan for my home network.
 My configuration is as follows:

 re0: link to my router (juniper) which is connected to a private line...
 fxp0: link to my workstations
 fxp1: link to my access point (Linksys WRT54GL, acting as a bridge)
 fxp2: optical link to my servers' switch
 fxp3: connected to a VIA board
 ne1: link to a very old device using BNC
 ne3: currently unused
 bridge0: should be ne1 + ne3 in the future...

 I want to protect my wlan using IPsec; I've already tried OpenVPN but I
 don't like the way it works...
 wlan clients get their IPs using DHCP on the 10.0.0.0/24 subnet, it works
 great. I've blocked all incoming traffic on fxp1 using pf, but what I don't
 get to work is IPsec :(
 As I've more than one laptop/wireless device and there are one or two
 devices added dynamically (usually some friend's laptop...) I need to be
 able to allow multiple peers to connect at the same time.

 I've read man 5 ipsec.conf and also some guides on the net (mostly
 outdated...), but don't understand all of it. What do I have to
 configure in ipsec.conf to allow multiple connections from 10.0.0.0/24 to
 my internal LAN and the Internet?
 Could someone guide me to an up-to-date howto/manpage or an example?

 Thanks!
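
The design described in the post above (the wireless segment on fxp1 blocked by default, IPsec as the only way through) can be enforced in pf as follows. This is an added example, not configuration from the thread or from OpenBSD's documentation. fxp1 and 10.0.0.0/24 come from the post; the gateway's address on fxp1 (10.0.0.1) and the wired LAN (192.168.1.0/24) are assumed, and the syntax is current pf.conf(5) rather than the 4.0-era one.

```pf
# /etc/pf.conf fragment (added example, not from the thread). Assumed: fxp1
# faces the access point, the gateway is 10.0.0.1 on it, and the wired LAN
# behind fxp0 is 192.168.1.0/24.
wlan_if  = "fxp1"
wlan_net = "10.0.0.0/24"
wlan_gw  = "10.0.0.1"
lan_net  = "192.168.1.0/24"

# Default deny for everything that arrives in clear on the wireless side
block in log on $wlan_if all

# The only cleartext the gateway accepts from the wireless segment:
# DHCP (clients have no address yet, so no source restriction), and
# IKE (500), NAT-T (4500) and ESP addressed to the gateway itself.
pass in on $wlan_if inet proto udp from any port 68 to any port 67
pass in on $wlan_if inet proto udp from $wlan_net to $wlan_gw port { 500, 4500 }
pass in on $wlan_if inet proto esp from $wlan_net to $wlan_gw

# Decapsulated packets re-enter pf on enc0; this is the only rule that lets
# wireless clients reach $lan_net or the Internet. if-bound ties the state to
# enc0, so a forged cleartext packet with the same addresses and ports
# arriving on fxp1 cannot ride on a state created by decrypted traffic.
pass in on enc0 inet from $wlan_net to any keep state (if-bound)
```

Check it with `pfctl -nf /etc/pf.conf` before loading; once a client is up, `pfctl -ss` shows the states bound to enc0, and a cleartext probe from the wireless side should appear only in the `block in log` entries on pflog0.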



Re: console switching problem from desktop

2006-12-17 Thread Neil E. Sprinlan
Denny White wrote:

 There are actually 2 problems. First one is, when using
 ctrl-alt-f1  so forth, it goes to the other console fine,
 but when I try to switch back, all I see on the screen is
 the output from the underlying x rather than the desktop.

If you use xdm to start X, your custom settings below are asking for trouble.
/etc/X11/xdm/Xservers forces the X server to use ttyC4, which should not
have a getty process attached.

 The other problem is, when I'm on the desktop in an xterm
 window, it's as though the settings in .profile like my
 aliases I have setup, aren't recognized, like they're not
 in the current environment settings.

xsession or xinitrc files don't source your .profile.
You need to start xterm with the '-ls' option, or with the loginShell resource
set to TRUE, to have the shell executed in them source it.
Or put your settings in ~/.xsession (for xdm) or ~/.xinitrc (for startx).

 I never had anything
 like this happen when running 3.9. Now, on 4.0, I did a
 clean install, started having the problem, moved to stable,
 now current. Problem is still there.

I'd suggest you compare your current setup with the one you used before
(you did make a backup, didn't you?). X has barely changed between 3.9 and
4.0.

-+-neil-+-



IPSec trouble

2006-12-17 Thread viq

Yes, again... I am trying to set up a VPN using IPsec, right now a very
basic setup, and it doesn't work as expected.
The hosts involved are keibi, which acts as the server, and the laptop
sentan, which tries to connect to it.
ipsec.conf on keibi:
ike passive esp from any to any \
srcid [EMAIL PROTECTED] dstid [EMAIL PROTECTED]

ipsec.conf on sentan:
ike dynamic esp from egress to any peer keibi.my.domain \
srcid [EMAIL PROTECTED] dstid [EMAIL PROTECTED]

local.pub from sentan copied onto both hosts to
/etc/isakmpd/pubkeys/ufqdn/[EMAIL PROTECTED], from keibi onto both
hosts to /etc/isakmpd/pubkeys/ufqdn/[EMAIL PROTECTED]

On sentan in tcpdump I see some isakmp exchange... yet the only result
from that is the following messages in keibi's /var/log/messages:

Dec 17 14:07:10 keibi isakmpd[27563]: responder_recv_HASH_SA_NONCE:
KEY_EXCH payload without a group desc. attribute
Dec 17 14:07:10 keibi isakmpd[27563]: dropped message from
192.168.9.196 port 4500 due to notification type NO_PROPOSAL_CHOSEN
Dec 17 14:07:10 keibi isakmpd[27563]: responder_recv_HASH_SA_NONCE:
KEY_EXCH payload without a group desc. attribute
Dec 17 14:07:10 keibi isakmpd[27563]: dropped message from
192.168.9.196 port 4500 due to notification type NO_PROPOSAL_CHOSEN
Dec 17 14:07:10 keibi isakmpd[27563]: responder_recv_HASH_SA_NONCE:
peer proposed invalid phase 2 IDs: initiator id 0a11e980:
10.17.233.128, responder id /: 0.0.0.0/0.0.0.0
Dec 17 14:07:10 keibi isakmpd[27563]: dropped message from
192.168.9.196 port 4500 due to notification type NO_PROPOSAL_CHOSEN

What am I doing wrong? I thought that with that setup it should work, and I
did have it working with something very similar some time ago...

Both boxes are:
OpenBSD 4.0-current (GENERIC) #1269: Fri Dec 15 17:00:17 MST 2006
   [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC

--
viq



Re: don't beat me... IPSec and wlan

2006-12-17 Thread viq

On 17/12/06, Chris C. [EMAIL PROTECTED] wrote:

Is this even possible? I've done some more homework and as I understand it
right now I have to add one configuration per client.


No, at least according to that message:
http://marc.theaimsgroup.com/?l=openbsd-miscm=116436607912261w=2
But you will need to have the keys/passphrases/certificates
distributed to the clients.


--
viq



Re: Errors Compiling OpenOffice

2006-12-17 Thread Jim Michael
I apologize.  I incorrectly reported that I am using stable.  I did 
upgrade ports to -current on 12/16 before make install.  



Robert Nagy wrote:

You do not have to set the ulimit. The port does it for you from
now on in the build environment.
If you want to compile OOo on stable, you are on your own.
OOo needs a couple of things that are in current. 


On (16/12/06 22:42), Travers Buda wrote:
  

On Sat, 16 Dec 2006 22:35:24 -0600
Travers Buda [EMAIL PROTECTED] wrote:



On Sat, 16 Dec 2006 11:24:52 -0500
Jim Michael [EMAIL PROTECTED] wrote:

  
I encountered the following errors when compiling OpenOffice on a fresh 
install of 4.0-stable on an i386.  Dmesg is also included


Upgrade to current, openoffice should not work with the -stable gcc.
Also do ulimit -n 1024.

Travers Buda
  

Duh. Sorry. You're on i386... probably with -release ports, right? If
so, don't pay any attention to me. But since you're compiling it
yourself, I'm assuming that you want the -current openoffice. -current
OO may compile on -stable i386, but it would be best to use the latest
in-tree gcc.

Travers Buda




Re: don't beat me... IPSec and wlan

2006-12-17 Thread Jacob Yocom-Piatt
 Original message 
Date: Sun, 17 Dec 2006 14:00:14 +0100
From: Chris C. [EMAIL PROTECTED]  
Subject: Re: don't beat me... IPSec and wlan  
To: misc@openbsd.org

Is this even possible? I've done some more homework and as I understand it 
right now I have to add one configuration per client.


search the archives, they contain all the info you need:

http://marc.theaimsgroup.com/?l=openbsd-miscr=1w=2

reading the man pages sounds like it would be a good exercise for ya. FYI,
openbsd tends to not be a howto-driven OS. google will likely cough up such a
howto if you bother to search more thoroughly.

cheers,
jake



Re: 4.0 frozen

2006-12-17 Thread Jacob Yocom-Piatt
 Original message 
Date: Sun, 17 Dec 2006 02:57:56 +0100
From: Dimitry Andric [EMAIL PROTECTED]  
Subject: Re: 4.0 frozen  
To: Stephen Schaff [EMAIL PROTECTED]
Cc: misc@openbsd.org

Stephen Schaff wrote:
 Yesterday it inexplicably went dark.
...
 wd0(pciide1:0:0): timeout
 type: ata
 c_bcount: 65536
 c_skip: 0
 pciide1:0:0: bus-master DMA error: missing interrupt, status=0x21
 wd0d: device timeout reading fsbn 234162112 of 234162112-234162239 (wd0
 bn 235334857; cn 14648 tn 233 sn 58), retrying
 wd0: soft error (corrected)
 wd0(pciide1:0:0): timeout
 type: ata
 c_bcount: 65536
 c_skip: 0
 pciide1:0:0: bus-master DMA error: missing interrupt, status=0x21
... more of those IDE errors ...

Maybe dying disks?


i must second this suggestion. almost every time i've seen these IDE timeout
messages, it means that the disk(s) are damaged, close to dead or totally dead.

i find that doing disk intensive operations, e.g. extracting src.tar.gz, with
the machine in question will likely reproduce the timeouts if this is the case.

cheers,
jake



recurring ral-related panic

2006-12-17 Thread Jacob Yocom-Piatt
i've had this panic occur 6-8 times since i replaced wi cards, one on an openbsd
client, the other on an openbsd AP running in hostap mode, with ral cards. it
seems to be related to my brother using his winxp laptop to pull 200 KBps
through the ral AP.

the AP is running a snapshot from Dec 8 that was updated from a Jul 7
snapshot. i believe i've applied all the changes needed to keep the machine
up-to-date, but am not certain of this.

i had to pull the ddb info by typing it myself since this machine doesn't keep
its console on com0 (it says switching console to com0 then boots to C0),
despite the correct entries being in ttys and boot.conf.

below is the ddb output followed by dmesg:

kernel: integer divide fault trap, code = 0  
stopped at   rt2661_setup_tx_desc+0xc5:   idivl 0x1c(%ebp), %eax  
ddb trace  
rt2661_setup_tx_desc(d0a2c000,d67aa070,8,0,5f4) at rt2661_setup_tx_desc+0xc5  
rt2661_tx_data(d0a2c000,d2c48700,d0af3600,0) at rt2661_tx_data+0x3c1  
rt2661_start(d0a2c030,d2c53808,6,23a4bb6) at rt2661_start+0x1b3  
ether_output(d0a2c030,d2c48a00,d077ac6c,d2bf2ec4,d0a537b8) at 
ether_output+0x364  
ip_output(d2c48a00,0,d077ac68,1,0,0,44,1) at ip_output+0x98b  
ip_forward(d2c48a00,0,0,50,d0a2b05c) at ip_forward+0x1a3  
ipv4_input(d2c48a00,d0a1fc80,0,d08ad000) at ipv4_input+0x258  
ipintr(58,10,10,10,d08ad000) at ipintr+0x64  
Bad frame pointer: 0xd08aee24  
ddb ps  
PID    PPID   PGRP   UID  S  FLAGS     WAIT       COMMAND
6973   1      6973   0    3  0x4082    ttyin      getty
70     1      70     0    3  0x4082    ttyin      getty
21812  1      21812  0    3  0x4082    ttyin      getty
9937   1      9937   0    3  0x4082    ttyin      getty
7567   1      7567   0    3  0x4082    ttyin      getty
991    1      991    0    3  0x80      select     cron
1263   1      32536  0    3  0x4083    select     kdc
1274   1      1274   0    3  0x40180   select     sendmail
8983   1      8983   0    3  0x80      select     sshd
30465  1      30465  0    3  0x180     select     inetd
3758   1      3758   77   3  0x180     poll       dhcpd
15354  15405  15405  83   3  0x180     poll       ntpd
15405  1      15405  0    3  0x80      poll       ntpd
26211  6493   6493   73   3  0x180     poll       syslogd
6493   1      6493   0    3  0x88      netio      syslogd
13     0      0      0    3  0x100200  crypto_wa  crypto
12     0      0      0    3  0x100200  aiodoned   aiodoned
11     0      0      0    3  0x100200  syncer     update
10     0      0      0    3  0x100200  cleaner    cleaner
9      0      0      0    3  0x100200  reaper     reaper
8      0      0      0    3  0x100200  pgdaemon   pagedaemon
7      0      0      0    3  0x100200  pftm       pfpurge
6      0      0      0    3  0x100200  wait       wskbd_hotkey
5      0      0      0    3  0x100200  usbtsk     usbtask
4      0      0      0    3  0x100200  usbevt     usb0
3      0      0      0    3  0x100200  apmev      apm0
2      0      0      0    3  0x100200  kmalloc    kmthread
1      0      1      0    3  0x4080    wait       init
0      -1     0      0    3  0x80200   scheduler  swapper

OpenBSD 4.0-current (GENERIC) #1247: Fri Dec  8 11:44:40 MST 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium (P54C) (GenuineIntel 586-class) 167 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8
cpu0: F00F bug workaround installed
real mem  = 66678784 (65116K)
avail mem = 52465664 (51236K)
using 844 buffers containing 3457024 bytes (3376K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(27) BIOS, date 08/15/96, BIOS32 rev. 0 @ 0xfd971
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI BIOS has 6 Interrupt Routing table entries
pcibios0: PCI Interrupt Router at 000:08:0 (Intel 82371SB ISA rev 0x00)
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc/0x8000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel 82437VX rev 0x01
pcib0 at pci0 dev 8 function 0 Intel 82371SB ISA rev 0x01
pciide0 at pci0 dev 8 function 1 Intel 82371SB IDE rev 0x00: DMA, channel 0
wired to compatibility, channel 1 wired to compatibility
wd0 at 

Re: IPSec trouble

2006-12-17 Thread Mathieu Sauve-Frankel
On Sun, Dec 17, 2006 at 02:16:48PM +0100, viq wrote:
 Yes, again... I am trying to set up VPN using IPSec, right now very
 basic setup, and it doesn't work as expected.
 Hosts being involved are keibi that acts as server, and trying to
 connect to it laptop sentan.

there's an error in ipsecctl in -current which breaks ipsecctl unless you are
loading your rules with the verbose flag (i.e. ipsecctl -vf ipsec.conf).

I found it today and am just waiting for an okay to commit the fix;
could you try out this diff in the meantime?

Index: ike.c
===
RCS file: /cvs/src/sbin/ipsecctl/ike.c,v
retrieving revision 1.58
diff -u -p -u -p -r1.58 ike.c
--- ike.c   30 Nov 2006 21:35:34 -  1.58
+++ ike.c   17 Dec 2006 05:33:02 -
@@ -578,6 +578,7 @@ ike_connect(struct ipsec_rule *r, FILE *
 static int
 ike_gen_config(struct ipsec_rule *r, FILE *fd)
 {
+   ike_setup_ids(r);
ike_section_general(r, fd);
ike_section_peer(r, fd);
if (ike_section_p1(r, fd) == -1) {
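Review bot: ike_setup_ids() is defined further down the file (the third hunk's header places it near line 685), while this call is added into ike_gen_config() at line 578 and another into ike_delete_config() at line 599; unless ike.c already carries a prototype for it above these functions, add one, or the file will not compile. Also, since `ipsecctl -v` both prints a rule (ike_print_config() calling ike_gen_config()) and loads it, the same rule now passes through ike_setup_ids() twice, so confirm that it is idempotent (no duplicated or leaked id strings) or guard the call.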
@@ -598,6 +599,7 @@ ike_gen_config(struct ipsec_rule *r, FIL
 static int
 ike_delete_config(struct ipsec_rule *r, FILE *fd)
 {
+   ike_setup_ids(r);
 #if 0
switch (r-ikemode) {
case IKE_ACTIVE:
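Review bot: this call lands directly above a `#if 0` block, so a reader may take it for dead setup; a one-line comment saying the ids are needed for the section names the delete path writes out would help. More generally, setting the ids in both ike_gen_config() and ike_delete_config() repeats the per-consumer approach that caused this bug (only the print path did it); consider doing it once where the rule is built or in the common caller, so no future consumer of struct ipsec_rule can miss it.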
@@ -683,7 +685,6 @@ ike_setup_ids(struct ipsec_rule *r)
 int
 ike_print_config(struct ipsec_rule *r, int opts)
 {
-   ike_setup_ids(r);
if (opts  IPSECCTL_OPT_DELETE)
return (ike_delete_config(r, stdout));
else
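Review bot: the diff carries no explanation of the defect it fixes; record in the commit message that ike_setup_ids() was only reached through ike_print_config(), so rules loaded without -v reached isakmpd without their srcid/dstid, and that moving the call into ike_gen_config()/ike_delete_config() covers both the print and the load path. Without that note the removal here reads as an unrelated cleanup.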

-- 
Mathieu Sauve-Frankel



Re: recurring ral-related panic

2006-12-17 Thread Jonathan Gray
On Sun, Dec 17, 2006 at 08:41:31AM -0600, Jacob Yocom-Piatt wrote:
 i've had this panic occur 6-8 times since i replaced wi cards, one on an 
 openbsd
 client, the other on an openbsd AP running in hostap mode, with ral cards. it
 seems to be related to my brother using his winxp laptop to pull 200 KBps
 through the ral AP.
 
 the AP is running a snapshot from Dec 8 that was updated from a Jul 7
 snapshot. i believe i've applied all the changes needed to keep the machine
 up-to-date, but am not certain of this.
 
 i had to pull the ddb info by typing it myself since this machine doesn't keep
 its console on com0 (it says switching console to com0 then boots to C0),
 despite the correct entries being in ttys and boot.conf.
 
 below is the ddb output followed by dmesg:
 
 kernel: integer divide fault trap, code = 0  
 stopped at   rt2661_setup_tx_desc+0xc5:   idivl 0x1c(%ebp), %eax  
 ddb trace  
 rt2661_setup_tx_desc(d0a2c000,d67aa070,8,0,5f4) at rt2661_setup_tx_desc+0xc5  
 rt2661_tx_data(d0a2c000,d2c48700,d0af3600,0) at rt2661_tx_data+0x3c1  
 rt2661_start(d0a2c030,d2c53808,6,23a4bb6) at rt2661_start+0x1b3  
 ether_output(d0a2c030,d2c48a00,d077ac6c,d2bf2ec4,d0a537b8) at 
 ether_output+0x364  
 ip_output(d2c48a00,0,d077ac68,1,0,0,44,1) at ip_output+0x98b  
 ip_forward(d2c48a00,0,0,50,d0a2b05c) at ip_forward+0x1a3  
 ipv4_input(d2c48a00,d0a1fc80,0,d08ad000) at ipv4_input+0x258  
 ipintr(58,10,10,10,d08ad000) at ipintr+0x64  
 Bad frame pointer: 0xd08aee24  

This sounds like the rate of 0 problem I thought
had been worked around.  Try using a fixed rate from
the options listed in ifconfig -m ral0 and see
if you can still reproduce it.



Re: Errors Compiling OpenOffice

2006-12-17 Thread Will Maier
On Sun, Dec 17, 2006 at 08:22:05AM -0500, Jim Michael wrote:
 I apologize.  I incorrectly reported that I am using stable.  I
 did upgrade ports to -current on 12/16 before make install.  

Did you also upgrade your base system to -current?

-- 

o--{ Will Maier }--o
| web:...http://www.lfod.us/ | [EMAIL PROTECTED] |
*--[ BSD Unix: Live Free or Die ]--*



Re: 4.0 frozen

2006-12-17 Thread Dimitry Andric
Jacob Yocom-Piatt wrote:
 wd0d: device timeout reading fsbn 234162112 of 234162112-234162239 (wd0
 bn 235334857; cn 14648 tn 233 sn 58), retrying
 wd0: soft error (corrected)
 Maybe dying disks?
 i must second this suggestion. almost every time i've seen these IDE timeout
 messages, it means that the disk(s) are damaged, close to dead or totally 
 dead.

Note that these errors can also be caused by any other part of the IDE
subsystem, e.g. the controller, the cables, etc.  Or even by bad RAM...
For sanity's sake, do a full hardware diagnostic of the machine.



Disable IPv6 on OpenBSD 4.0

2006-12-17 Thread carlopmart
Hi all,

 Does anybody know if there is an option to put in the rc.conf file, like
FreeBSD's ipv6_enable=NO, to disable IPv6 support on
OpenBSD 4.0? Or do I need to recompile the kernel, modify sendmail.cf, etc.,
etc., etc.? In other words, do I need to reconfigure all processes that
need IPv6 to start up?

many thanks.

-- 
CL Martinez
carlopmart {at} gmail {d0t} com



Re: 4.0 frozen

2006-12-17 Thread Travers Buda
  Original message 
 Date: Sun, 17 Dec 2006 02:57:56 +0100
 From: Dimitry Andric [EMAIL PROTECTED]  
 Subject: Re: 4.0 frozen  
 To: Stephen Schaff [EMAIL PROTECTED]
 Cc: misc@openbsd.org
 
 Stephen Schaff wrote:
  Yesterday it inexplicably went dark.
 ...
  wd0(pciide1:0:0): timeout
  type: ata
  c_bcount: 65536
  c_skip: 0
  pciide1:0:0: bus-master DMA error: missing interrupt, status=0x21
  wd0d: device timeout reading fsbn 234162112 of 234162112-234162239 (wd0
  bn 235334857; cn 14648 tn 233 sn 58), retrying
  wd0: soft error (corrected)
  wd0(pciide1:0:0): timeout
  type: ata
  c_bcount: 65536
  c_skip: 0
  pciide1:0:0: bus-master DMA error: missing interrupt, status=0x21
 ... more of those IDE errors ...
 
 Maybe dying disks?
 

Running # atactl wd0 smartstatus is also a quick way to check. I've got
something in rc.local for that...

Travers Buda
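
A version of the rc.local check mentioned above, as an added example that is not Travers' script or anything shipped with OpenBSD: it runs atactl(8) smartstatus on every wd disk listed in the hw.disknames sysctl and sends each verdict to syslog. The clean-result wording ("No SMART threshold exceeded") is assumed from the atactl source and may differ on your release; the parser treats any other output, including an error from atactl, as a problem, so a mismatch fails loud rather than silent.

```shell
#!/bin/sh
# Added example (not the script from the thread): log the SMART status of
# every ATA disk, e.g. from /etc/rc.local. Assumes OpenBSD's sysctl(8)
# hw.disknames ("wd0,cd0" on 4.0, "wd0:duid,cd0:" on newer releases) and
# atactl(8) smartstatus. CLEAN_STATUS is assumed from atactl.c; anything
# else is reported, so an unexpected wording cannot hide a failing disk.

CLEAN_STATUS="No SMART threshold exceeded"

# smart_verdict DISK OUTPUT
#   Classify the output of "atactl DISK smartstatus": prints "ok DISK" and
#   returns 0 only for the clean string; prints "ALERT DISK: <output>" and
#   returns 1 for anything else (threshold exceeded, SMART disabled, an
#   atactl error, or no output at all).
smart_verdict() {
    disk=$1; out=$2
    if [ "$out" = "$CLEAN_STATUS" ]; then
        echo "ok $disk"
        return 0
    fi
    echo "ALERT $disk: ${out:-no output from atactl}"
    return 1
}

# ata_disks DISKNAMES
#   Print the wd* names from a hw.disknames value, one per line; the ":duid"
#   suffix of newer releases is stripped if present. cd/sd devices are not
#   ATA disks as far as atactl is concerned. Always returns 0.
ata_disks() {
    echo "$1" | tr ',' '\n' | sed 's/:.*//' | grep '^wd[0-9]' || :
}

# check_all_disks
#   Run the check on the live system and log each verdict; the return value
#   is the number of disks that were not clean.
check_all_disks() {
    bad=0
    for d in $(ata_disks "$(sysctl -n hw.disknames)"); do
        out=$(atactl "$d" smartstatus 2>&1)
        if msg=$(smart_verdict "$d" "$out"); then
            logger -t smartcheck -p daemon.info "$msg"
        else
            logger -t smartcheck -p daemon.err "$msg"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# From rc.local:  . /etc/smartcheck.sh && check_all_disks
```

Run from rc.local this only catches a disk that is already past its SMART threshold; the "soft error (corrected)" and DMA timeouts quoted above appear before that point, so a periodic run from cron, plus watching /var/log/messages for wd timeouts, gives earlier warning.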



Re: mixerctl issue on macppc

2006-12-17 Thread Alexandre Ratchov
On Fri, Dec 15, 2006 at 04:29:31PM -0800, Ben Calvert wrote:
 using the current snapshot from 12/14 on Macppc, using a Tibook 400,
 using mixerctl to set the output volumes to 0 results in low volume,
 instead of no volume.
 
 
 $ mixerctl -a
 outputs.select=speaker
 outputs.speaker=0,0
 outputs.headphones=0,0
 source=cd
 master=0,0
 
 What else should I be looking at?

mixerctl is supposed to do the job (provided that your device
supports it).

Are you using a USB device? Could you provide the contents of
/var/run/dmesg.boot and the output of 'audioctl -a'?

-- Alexandre



OpenBSD 4.0 - brconfig error message

2006-12-17 Thread Pui Edylie

Hi,

I am running OpenBSD 4.0 and when the system boots up, the following 
message is printed on the screen


brconfig: bridge0 Operation not permitted

May I know what causes the error message?

It seems the bridge is running OK, even though there is the error message.

The following is the output of brconfig, ifconfig and the 
/etc/bridgename.bridge0


shu:/root# cat /etc/bridgename.bridge0
add fxp0
add fxp1
stp fxp0
stp fxp1
hellotime 2
maxage 20
fwddelay 15
up

shu:/root# ifconfig bridge0
bridge0: flags=41<UP,RUNNING> mtu 1500
        groups: bridge
shu:/root# brconfig bridge0
bridge0: flags=41<UP,RUNNING>
        priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
        designated: id 00:04:27:c0:e9:00 priority 10
        fxp1 flags=ab<LEARNING,DISCOVER,STP,AUTOEDGE,AUTOP2P>
                port 2 ifpriority 128 ifcost 65535 discarding role alternate
        fxp0 flags=ab<LEARNING,DISCOVER,STP,AUTOEDGE,AUTOP2P>
                port 1 ifpriority 128 ifcost 65535 forwarding role root
        Addresses (max cache: 100, timeout: 240):
                00:03:31:e1:93:fc fxp0 0 flags=0<>

Thank you
Edy



Re: don't beat me... IPSec and wlan

2006-12-17 Thread Chris C.
On Sunday 17 December 2006 14:41, Jacob Yocom-Piatt wrote:
  Original message 

 Date: Sun, 17 Dec 2006 14:00:14 +0100
 From: Chris C. [EMAIL PROTECTED]
 Subject: Re: don't beat me... IPSec and wlan
 To: misc@openbsd.org
 
  Is this even possible? I've done some more homework and as I understand it
  right now I have to add one configuration per client.

 search the archives, they contain all the info you need:

 http://marc.theaimsgroup.com/?l=openbsd-miscr=1w=2

 reading the man pages sounds like it would be a good exercise for ya. FYI,
 openbsd tends to not be a howto-driven OS. google will likely cough up such
 a howto if you bother to search more thoroughly.

thanks... did a little more testing and got it working using a pre-shared key 
and a static IP. I'll try to figure out how to configure it using a dynamic IP 
(I've already seen I need to configure a srcid... but what is the srcid? The 
mail address I'll have to give during creation of the certificate?) and X.509 
next weekend.

-- 
Greetings
Chris



wifi signal triangulation

2006-12-17 Thread Jacob Yocom-Piatt
only today have i tried out hostapd, it is quite neat. while adding a 2nd AP to
my network a thought occurred to me: if you had 3 APs that were sufficiently
spread out and had tightly synced clocks you could likely triangulate the source
of a wifi signal with a fair deal of accuracy.

is this doable?

cheers,
jake



Re: Disable IPv6 on OpenBSD 4.0

2006-12-17 Thread Philip Guenther

On 12/17/06, carlopmart [EMAIL PROTECTED] wrote:

 Does anybody know if there is an option to put in the rc.conf file, like
FreeBSD's ipv6_enable=NO, to disable IPv6 support on
OpenBSD 4.0?


Nope.  No such option exists in OpenBSD.



Or do I need to recompile the kernel, modify sendmail.cf, etc.,
etc., etc.? In other words, do I need to reconfigure all processes that
need IPv6 to start up?


Yeah, that's one way to end up with a system for which the developers
will basically ignore you if you report a problem.  Is that what
you're trying to accomplish?


Philip Guenther



Re: Disable IPv6 on OpenBSD 4.0

2006-12-17 Thread Dave Anderson
** Reply to message from carlopmart [EMAIL PROTECTED] on Sun, 17
Dec 2006 17:31:03 +0100

 Does anybody know if there is an option to put in the rc.conf file, like
FreeBSD's ipv6_enable=NO, to disable IPv6 support on
OpenBSD 4.0? Or do I need to recompile the kernel, modify sendmail.cf, etc.,
etc., etc.? In other words, do I need to reconfigure all processes that
need IPv6 to start up?

Why do you think you need to do this?  That is, what problem is the
presence of IPv6 support causing you?

If you just don't want to deal with the possibility of IPv6 traffic,
you could easily configure PF to block all IPv6.

Dave

-- 
Dave Anderson
[EMAIL PROTECTED]



Re: wifi signal triangulation

2006-12-17 Thread Chris Zakelj
Jacob Yocom-Piatt wrote:
 only today have i tried out hostapd, it is quite neat. while adding a 2nd AP 
 to
 my network a thought occurred to me: if you had 3 APs that were sufficiently
 spread out and had tightly synced clocks you could likely triangulate the 
 source
 of a wifi signal with a fair deal of accuracy.

 is this doable?

 cheers,
 jake
Dunno if it's doable or not, but I'd think just grabbing a pair of
directional antennae, tuning them to whichever channel you're listening
for, and taking a cross-bearing would be quicker, easier, and possibly
cheaper (especially if some undergrads build the antennae out of
Pringles cans ;) )



Re: mixerctl issue on macppc

2006-12-17 Thread Ben Calvert
On Sun, 17 Dec 2006 17:19:02 +0100
Alexandre Ratchov [EMAIL PROTECTED] wrote:

 On Fri, Dec 15, 2006 at 04:29:31PM -0800, Ben Calvert wrote:
  using the current snapshot from 12/14 on Macppc, using a Tibook 400,
  using mixerctl to set the output volumes to 0 results in low volume,
  instead of no volume.
  
  
  $ mixerctl -a
  outputs.select=speaker
  outputs.speaker=0,0
  outputs.headphones=0,0
  source=cd
  master=0,0
  
  What else should I be looking at?
 
 mixerctl is supposed to do the job (provided that your device
 supports it).
 
 Are you using a USB device?

Nope.  just the on-board stuff.

 could you provide contents of /var/run/dmesg.boot

[ using 360300 bytes of bsd ELF symbol table ]
console out [ATY,RageM3p12A]
console in [keyboard] ADB found
using parent ATY,RageM3p12Parent:: memaddr b400 size 400, : consaddr b6008000, : ioaddr b002, size 2: memtag 8000, iotag 8000: width 1152 linebytes 1280 height 768 depth 8
Copyright (c) 1982, 1986, 1989, 1991, 1993
        The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2006 OpenBSD. All rights reserved.  http://www.OpenBSD.org

OpenBSD 4.0-current (GENERIC) #1128: Thu Dec 14 18:36:52 MST 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/macppc/compile/GENERIC
real mem = 536870912 (524288K)
avail mem = 481820672 (470528K)
using 1254 buffers containing 26841088 bytes (26212K) of memory
mainbus0 (root): model PowerBook3,2
cpu0 at mainbus0: 7410 (Revision 0x1103): 500 MHz: 1MB backside cache
memc0 at mainbus0: uni-n
ki2c0 at memc0 offset 0xf8001000
iic0 at ki2c0
mpcpcibr0 at mainbus0 pci: uni-north, Revision 0xff
pci0 at mpcpcibr0 bus 0
pchb0 at pci0 dev 11 function 0 Apple Uni-N AGP rev 0x00
vgafb0 at pci0 dev 16 function 0 ATI Mobility M3 rev 0x02, mmio
wsdisplay0 at vgafb0 mux 1: console (std, vt100 emulation)
mpcpcibr1 at mainbus0 pci: uni-north, Revision 0x0
pci1 at mpcpcibr1 bus 0
pchb1 at pci1 dev 11 function 0 Apple Uni-N rev 0x00
macobio0 at pci1 dev 23 function 0 Apple Keylargo rev 0x03
openpic0 at macobio0 offset 0x4: version 0x4614
macgpio0 at macobio0 offset 0x50
macgpio1 at macgpio0 irq 47
programmer-switch at macgpio0 not configured
firewire-linkon at macgpio0 not configured
escc-legacy at macobio0 offset 0x12000 not configured
zsc0 at macobio0 offset 0x13000: irq 22,23
zstty0 at zsc0 channel 0
zstty1 at zsc0 channel 1
awacs0 at macobio0 offset 0x14000: irq 24,9,10 speaker
audio0 at awacs0
timer at macobio0 offset 0x15000 not configured
adb0 at macobio0 offset 0x16000 irq 25: via-pmu, 3 targets
akbd0 at adb0 addr 2: PowerBook G4 keyboard (Inverted T)
wskbd0 at akbd0: console keyboard, using wsdisplay0
ams0 at adb0 addr 3: EMP trackpad tpad 2-button, 400 dpi
wsmouse0 at ams0 mux 0
abtn0 at adb0 addr 7: brightness/volume/eject buttons
apm0 at adb0: battery flags 0x5, 99% charged
battery at macobio0 offset 0x0 not configured
backlight at macobio0 offset 0xf300 not configured
ki2c1 at macobio0 offset 0x18000
iic1 at ki2c1
wdc0 at macobio0 offset 0x1f000 irq 19: DMA
wd0 at wdc0 channel 0 drive 0: HITACHI_DK23EB-40
wd0: 16-sector PIO, LBA, 38154MB, 78140160 sectors
wd0(wdc0:0:0): using PIO mode 4, DMA mode 2, Ultra-DMA mode 4
wdc1 at macobio0 offset 0x2 irq 20: DMA
atapiscsi0 at wdc1 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: MATSHITA, DVD-ROM SR-8187, HA18 SCSI0 5/
cdrom removable cd0(wdc1:0:0): using BIOS timings, DMA mode 2
wdc2 at macobio0 offset 0x21000 irq 21: DMA
wi0 at macobio0 offset 0x3 irq 57:
wi0: Firmware 8.70 variant 1, address 00:30:65:02:3b:54
ohci0 at pci1 dev 24 function 0 Apple USB rev 0x00: irq 27, version 1.0
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: Apple OHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
ohci1 at pci1 dev 25 function 0 Apple USB rev 0x00: irq 28, version 1.0
usb1 at ohci1: USB revision 1.0
uhub1 at usb1
uhub1: Apple OHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
cbb0 at pci1 dev 26 function 0 TI PCI1211 CardBus rev 0x00: irq 58
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 1 device 0 cacheline 0x8, lattimer 0x20
pcmcia0 at cardslot0
mpcpcibr2 at mainbus0 pci: uni-north, Revision 0x16
pci2 at mpcpcibr2 bus 0
pchb2 at pci2 dev 11 function 0 Apple Uni-N Eth rev 0x00
Apple Uni-N Eth Firewire rev 0x01 at pci2 dev 14 function 0 not configured
gem0 at pci2 dev 15 function 0 Apple Uni-N GMAC rev 0x01: irq 41, address 00:03:93:87:be:52
bmtphy0 at gem0 phy 0: BCM5221 100baseTX PHY, rev. 3
uhidev0 at uhub0 port 1 configuration 1 interface 0
uhidev0: Kensington Kensington Expert Mouse, rev 1.10/1.00, addr 2, iclass 3/1
ums0 at uhidev0: 4 buttons and Z dir.
wsmouse1 at ums0 mux 0
bootpath: '/[EMAIL PROTECTED]/[EMAIL PROTECTED]/[EMAIL PROTECTED]/[EMAIL 
PROTECTED]/bsd'
boot device: wd0.
root on wd0a
rootdev=0x0 rrootdev=0xb00 rawdev=0xb02


 and the output of 'audioctl -a' ?

name=AWACS
version=
config=awacs

Re: dspam on OpenBSD 4.0

2006-12-17 Thread Joachim Schipper
On Sat, Dec 16, 2006 at 07:37:11PM -0600, Vijay Sankar wrote:
 Good day,
 
 I am trying out the package dspam-3.6.8p1-mysql and ran into the
 following problem -- not able to get any answers after days of searching
 the dspam lists, various archives, etc. Apologize in advance for sending
 this to the OBSD list but am hoping someone here can help.
 
 All the various features seem to work (spam is being quarantined for the
 most part). However, if I attempt to train by forwarding an unsolicited
 message to [EMAIL PROTECTED], (forwarding to the [EMAIL PROTECTED] by root
 works) I get the following error:
 
 Dec 16 19:18:33 mx1 sendmail[5394]: kBH1IX53005394: from=vsankar,
 size=2773, class=0, nrcpts=1,
 msgid=[EMAIL PROTECTED], [EMAIL PROTECTED]
 
 Dec 16 19:18:34 mx1 sm-mta[30713]: kBH1IXA2030713:
 from=[EMAIL PROTECTED], size=2934, class=0, nrcpts=1,
 msgid=[EMAIL PROTECTED], proto=ESMTP, daemon=MTA,
 relay=localhost.sankars.com [127.0.0.1]
 
 Dec 16 19:18:34 mx1 sendmail[5394]: kBH1IX53005394:
 [EMAIL PROTECTED], ctladdr=vsankar (1002/1002), delay=00:00:01,
 xdelay=00:00:01, mailer=relay, pri=32773, relay=[127.0.0.1] [127.0.0.1],
 dsn=2.0.0, stat=Sent (kBH1IXA2030713 Message accepted for delivery)

Looks good, so far.

 Dec 16 19:18:34 mx1 dspam[20346]: Unable to create
 directory: /var/dspam/data: Permission denied
 
 Dec 16 19:18:34 mx1 dspam[20346]: Unable to open file for
 writing: /var/dspam/data/vsankar/vsankar.stats: Permission denied
 
 Dec 16 19:18:34 mx1 dspam[20346]: Unable to create
 directory: /var/dspam/data: Permission denied
 
 Dec 16 19:18:34 mx1 sm-mta[4842]: kBH1IXA2030713:
 to=|/usr/local/bin/dspam --user root --class=spam --source=error,
 ctladdr=[EMAIL PROTECTED] (1/0), delay=00:00:01, xdelay=00:00:00,
 mailer=prog, pri=33163, dsn=2.0.0, stat=Sent
 
 I had set the ownership of all files in /var/dspam to _dspam:_dspam
 initially.

But you don't have a directory /var/dspam/data? I got that one by just
installing dspam (on -current, admittedly). After install, I have

$ ls -laR /var/dspam/
total 12
drwxr-xr-x   3 _dspam  _dspam  512 Dec 16 16:29 .
drwxr-xr-x  26 root    wheel   512 Dec 16 16:29 ..
drwxr-xr-x   2 _dspam  _dspam  512 Dec 16 16:29 data

/var/dspam/data:
total 8
drwxr-xr-x  2 _dspam  _dspam  512 Dec 16 16:29 .
drwxr-xr-x  3 _dspam  _dspam  512 Dec 16 16:29 ..

 After these errors, I tried various combinations of users and
 groups (root:wheel, _dspam:wheel, smmsp:smmsp and also tried chmod 777.
 I get the same errors regardless.
 
 Please let me know if you have any suggestions.

Create /var/dspam/data and set the permissions as above. Do _NOT_, under
any circumstance, try to solve this by running dspam as root. Yes, I
mean you.

Also, check mount options and such. If you still can't get it to work,
please post the results of 'ls -laR /var/dspam'.

Joachim



Re: OpenBSD -Current and WINE

2006-12-17 Thread Joachim Schipper
On Thu, Dec 14, 2006 at 03:10:55PM -0600, Sam Fourman Jr. wrote:
 hello misc@
 
 I was wondering if someone out there has a wine port newer than the
 one in the ports tree
 I am looking for wine 0.9.24 or better

 I am assuming there is some technical issue as to why there is not a
 updated wine in the tree

Yes, the WINE developers, according to their site, `do not currently
understand how threads work on OpenBSD' or something along those lines.
IIRC, they have used some Linux-specific implementation ever since the
last time the port was updated.

Having a newer WINE would be neat, but it would be a lot of work, I
suppose.

Joachim



Re: wifi signal triangulation

2006-12-17 Thread Jim Capozzoli

On 12/17/06, Jacob Yocom-Piatt [EMAIL PROTECTED] wrote:

only today have i tried out hostapd, it is quite neat. while adding a 2nd AP to
my network a thought occurred to me: if you had 3 APs that were sufficiently
spread out and had tightly synced clocks you could likely triangulate the source
of a wifi signal with a fair deal of accuracy.

is this doable?

cheers,
jake



Doesn't ifconfig or something give you signal strength? xD

--
Jim Capozzoli



Re: vim Easy Mode Broken?

2006-12-17 Thread Joachim Schipper
On Fri, Dec 15, 2006 at 09:32:23PM -0500, Jim Razmus wrote:
 * Sideris Michael [EMAIL PROTECTED] [061214 20:50]:
  On Thu, Dec 14, 2006 at 07:29:58PM -0500, Jim Razmus wrote:
   On both 4.0 release and -current (13/12/2006) I find vim -y does not
   work as it did on 3.9.  Likely a question for the vim lists, but I'm
   hoping someone will confirm what I'm experiencing.
   
   vim -y should start in an emacs-like mode.  However, I'm finding the
   -y switch does nothing.  In all cases I install the no_x11 flavor.  My
   users pointed this behavior out after my upgrade to 4.0.

  From vim(1):
  
  evim eview
       The GUI version in easy mode.  Starts a new window.  Can also be done with the -y argument.
  
  -y   Start Vim in easy mode, just like the executable was called evim or eview.  Makes Vim behave like a click-and-type editor.
  
  So, I guess that by using the -y arg causes vim to start in GUI and easy
  mode. Now, since you mention that you are installing the -no_x11 version
  of vim I think it makes sense that you see no difference. Hope that
  helps.
 
 Good thought, but I think it's not the case.  All my users have vim -y
 in their muttrc file.  Also, we've always ssh'd to the server and ran
 mutt in a shell (no GUI).  I've confirmed the same behavior on a couple
 other 4.0 release i386 machines too.
 
 So something definitely changed with vim between the 3.9 and 4.0
 releases.  I'm digging into the vim cvs history for clues along with our
 ports tree for clues.

The port does not install /usr/local/share/vim/vim70/evim.vim with the
no_x11 FLAVOR. The diff below reverses this, and *appears* to work
(NOTE: this is against -current; it might apply to -stable, or not, but
the idea should be obvious).

I personally don't see why these files shouldn't be installed on the
no_x11 flavor - evim.vim is actually useful, and the other two might be.
And it's not like vim is lightweight, anyway - saving three files
doesn't seem very useful...

But maybe there's a good reason why this was done the way it is? I CC'ed
the maintainer, maybe he'll find the time to respond...

If this works for you, and Chris (= the maintainer) doesn't respond
soonish telling us why this was done in this way, please let us know.

Joachim

--- ../../../editors/vim/pkg/PFRAG.no-no_x11-main   Tue Nov 21
12:25:03 2006
+++ pkg/PFRAG.no-no_x11-mainSun Dec 17 12:56:30 2006
@@ -90,6 +90,3 @@
 @man man/ru.UTF-8/man1/gvimdiff.1
 @man man/ru.UTF-8/man1/rgview.1
 @man man/ru.UTF-8/man1/rgvim.1
-share/vim/${P}/evim.vim
-share/vim/${P}/gvimrc_example.vim
-share/vim/${P}/syntax/eviews.vim
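Review bot: dropping these three entries from PFRAG.no-no_x11-main only keeps the x11 flavor's packing list complete if the companion change that adds them to PLIST-main goes in the same commit, so the two files need to be committed together and `make update-plist` run afterwards to confirm the fragment matches what the build installs. The `---` header above is also wrapped onto two lines (`Tue Nov 21` / `12:25:03 2006`) and the `+++` line has the filename fused with its date, so the pasted text needs re-joining before patch(1) will take it.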
diff -Nurd ../../../editors/vim/pkg/PLIST-main pkg/PLIST-main
--- ../../../editors/vim/pkg/PLIST-main Tue Nov 21 12:25:03 2006
+++ pkg/PLIST-main  Sun Dec 17 13:20:28 2006
@@ -1266,4 +1266,7 @@
 share/vim/${P}/tutor/tutor.zh.big5
 share/vim/${P}/tutor/tutor.zh.euc
 share/vim/${P}/vimrc_example.vim
+share/vim/${P}/evim.vim
+share/vim/${P}/gvimrc_example.vim
+share/vim/${P}/syntax/eviews.vim
 !%%no_x11%%
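Review bot: the three new entries are appended after `share/vim/${P}/vimrc_example.vim` instead of in sorted position (`evim.vim` and `gvimrc_example.vim` sort before `syntax/` and `tutor/`), which is the order `make update-plist` would produce; regenerating the list rather than editing it by hand avoids a spurious reorder the next time someone runs it. The trailing `!%%no_x11%%` marker is correctly left in place, since the first hunk's context shows PFRAG.no-no_x11-main still carries the gvim manual pages.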



Re: Disable IPv6 on OpenBSD 4.0

2006-12-17 Thread carlopmart
Philip Guenther wrote:
 On 12/17/06, carlopmart [EMAIL PROTECTED] wrote:
  Somebody knows if exists some option to put on rc.conf file like
 FreeBSD does with ipv6_enable=NO option to disable IPv6 support on
 OpenBSD 4.0?
 
 Nope.  No such option exists in OpenBSD.
 
 
 Or do I need to recompile kernel, modify sendmail.cf, etc,
 etc, etc ...?? In other words, do I need to reconfigure all process that
 need ipv6 to startup??
 
 Yeah, that's one way to end up with a system for which the developers
 will basically ignore you if you report a problem.  Is that what
 you're trying to accomplish?
 

Yes, my security staff orders to disable IPv6 protocol on all our firewalls ...

 
 Philip Guenther
 

-- 
CL Martinez
carlopmart {at} gmail {d0t} com



Re: 4.0 frozen

2006-12-17 Thread Stephen Schaff
Yeah. I did some testing last night - to no avail. When it bailed  
today, I restarted it, expecting the raid to rebuild as it always  
does. This time it didn't! It booted right up using wd1 and failed  
wd0 in raid0.


Kinda makes me happy I built it that way (special thanks to this  
page: http://www.argon18.com/raid_openbsd.html ).


So, I think that wd0 may be the cause of the whole problem, and I'll  
replace it right away and keep an eye on it to make sure that there  
aren't other problems.



Thanks everyone for your great suggestions. I've been exploring them  
all.



Best Regards,
Stephen

On 17-Dec-06, at 12:48 PM, Artur Grabowski wrote:


Stephen Schaff [EMAIL PROTECTED] writes:


wd0(pciide1:0:0): timeout
type: ata
c_bcount: 65536
c_skip: 0
pciide1:0:0: bus-master DMA error: missing interrupt, status=0x21
wd0d: device timeout reading fsbn 234162112 of 234162112-234162239
(wd0 bn 235334857; cn 14648 tn 233 sn 58), retrying
wd0: soft error (corrected)
wd0(pciide1:0:0): timeout
type: ata
c_bcount: 65536
c_skip: 0
pciide1:0:0: bus-master DMA error: missing interrupt, status=0x21
wd0d: device timeout reading fsbn 234997440 of 234997440-234997567
(wd0 bn 236170185; cn 14700 tn 233 sn 6), retrying
wd0: soft error (corrected)
wd0(pciide1:0:0): timeout
type: ata
c_bcount: 65536
c_skip: 0
pciide1:0:0: bus-master DMA error: missing interrupt, status=0x21
wd0d: device timeout reading fsbn 235719872 of 235719872-23571
(wd0 bn 236892617; cn 14745 tn 225 sn 17), retrying
wd0: soft error (corrected)


This is a pretty good indication of what's going wrong. Your disk  
is sad.


//art




Re: Disable IPv6 on OpenBSD 4.0

2006-12-17 Thread Jason Dixon

On Dec 17, 2006, at 2:51 PM, carlopmart wrote:


Philip Guenther wrote:

On 12/17/06, carlopmart [EMAIL PROTECTED] wrote:

 Somebody knows if exists some option to put on rc.conf file like
FreeBSD does with ipv6_enable=NO option to disable IPv6 support on
OpenBSD 4.0?


Nope.  No such option exists in OpenBSD.



Or do I need to recompile kernel, modify sendmail.cf, etc,
etc, etc ...?? In other words, do I need to reconfigure all process that
need ipv6 to startup??


Yeah, that's one way to end up with a system for which the developers
will basically ignore you if you report a problem.  Is that what
you're trying to accomplish?



Yes, my security staff orders to disable IPv6 protocol on all our  
firewalls ...


Your security staff is clueless.  I bet they like to block icmp echo-request too.


--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net



simply priorizing acks

2006-12-17 Thread Marc Peters

hi misc,

i just want to start using altq with simply prioritizing the tcp acks (and 
the other lowdelay stuff as it's stated in Jacek's great firewall book). i 
looked in /usr/share/pf/ackpri and added the rules there to my pf.conf. 
i don't know why it doesn't work, maybe i am too blind to see what i am 
doing wrong.

if i add the queue-rules to the ruleset, it stops working.
i am using 4.0 -stable.

maybe someone can hit me with a cluestick, what i am doing wrong.

here's my pf.conf:

#
# Macros #
#
ext_if=pppoe0
int_if=sis0
internal_net=192.168.75.0/24

#
# Tables #
#
table <bad-ssh> persist
table <no-ftpproxy> const {XXX.XXX.32.128/25, 192.168.83.0/24}

#
# Options #
#
set require-order yes
set block-policy drop
set optimization normal
set skip on lo0

#
# Normalization #
#
scrub in all

#
# Queueing #
#
altq on $ext_if priq bandwidth 100Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)

#
# NAT rules #
#
nat-anchor ftp-proxy/*
rdr-anchor ftp-proxy/*
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr pass on $ext_if proto tcp from any to ($ext_if) port 4000:4100 \
-> 192.168.75.30
rdr pass on $ext_if proto tcp from any to ($ext_if) port 6881:6889 \
-> 192.168.75.30
rdr pass on $int_if proto tcp from $internal_net to ! <no-ftpproxy> port \
ftp -> 127.0.0.1 port 8021


#
# Ruleset #
#
block in log all
block in quick on $int_if inet proto tcp from ! 192.168.75.30 to \
! $internal_net port 25
block in quick from <bad-ssh>

anchor ftp-proxy/*

pass out quick on $ext_if proto tcp from ($ext_if) to any flags S/SA \
keep state queue (q_def, q_pri)
#pass in quick on $ext_if proto tcp from any to ($ext_if) flags S/SA \
#keep state queue (q_def, q_pri)

# open ssh from the outside
pass in on $ext_if proto tcp from any to ($ext_if) port ssh flags S/SA \
keep state (max-src-conn-rate 3/30, overload <bad-ssh> flush global) \
queue (q_def, q_pri)

pass in on $int_if inet from $internal_net to any modulate state

#pass in on $ext_if inet proto tcp from any to ($ext_if) port 80 keep state

#
# IPSec #
#
pass in proto esp from XXX.XXX.124.34 to ($ext_if)
pass out proto esp from ($ext_if) to XXX.XXX.124.34

pass in on enc0 proto ipencap from XXX.XXX.124.34 to ($ext_if)

pass in on enc0 from 192.168.83.0/24 to 192.168.75.0/24
pass in on enc0 from XXX.XXX.32.128/25 to 192.168.75.20/24

pass in on $ext_if proto udp from XXX.XXX.124.34 port = 500 to \
($ext_if) port = 500
pass out on $ext_if proto udp from ($ext_if) port = 500 to \
XXX.XXX.124.34 port = 500
#

#
# Antispoof #
#
antispoof for $ext_if

please note that it's not working regardless of whether the rule

#pass in quick on $ext_if proto tcp from any to ($ext_if) flags S/SA \
#keep state queue (q_def, q_pri)

is active or not.

TIA,
marc

FWIW, here's the dmesg of this box:
OpenBSD 4.0-stable (GENERIC) #2: Mon Nov 20 16:48:40 CET 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD Duron(tm) Processor (AuthenticAMD 686-class, 64KB L2 cache) 1.35 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
real mem  = 536375296 (523804K)
avail mem = 481329152 (470048K)
using 4256 buffers containing 26923008 bytes (26292K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 08/09/02, BIOS32 rev. 0 @ 0xfdae0, SMBIOS rev. 2.3 @ 0xf0630 (23 entries)
bios0: ECS K7S5A
apm0 at bios0: Power Management spec V1.2
apm0: AC on, no battery
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf7950/160 (8 entries)
pcibios0: PCI Interrupt Router at 000:02:0 (SiS 85C503 System rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0xc000 0xcc000/0x8000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 SiS 735 PCI rev 0x01
ppb0 at pci0 dev 1 function 0 SiS 86C201 AGP rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 1 function 0 ATI Radeon VE QY rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 2 function 0 SiS 85C503 System rev 0x00
ohci0 at pci0 dev 2 function 2 SiS 5597/5598 USB rev 0x07: irq 11, version 1.0, legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: SiS OHCI root hub, rev 1.00/1.00, addr 1
uhub0: 3 ports with 3 removable, self powered
ohci1 at pci0 dev 2 function 3 SiS 5597/5598 USB rev 0x07: irq 10, version 1.0, legacy support
usb1 at ohci1: USB revision 1.0
uhub1 at usb1
uhub1: SiS OHCI root hub, rev 1.00/1.00, addr 1
uhub1: 3 ports with 3 removable, self powered
pciide0 at pci0 dev 2 

Re: IPSec trouble

2006-12-17 Thread viq

On 17/12/06, Mathieu Sauve-Frankel [EMAIL PROTECTED] wrote:

On Sun, Dec 17, 2006 at 02:16:48PM +0100, viq wrote:
 Yes, again... I am trying to set up VPN using IPSec, right now very
 basic setup, and it doesn't work as expected.
 Hosts being involved are keibi that acts as server, and trying to
 connect to it laptop sentan.

there's an error in ipsecctl in -current which breaks ipsecctl unless you are
loading your rules with the verbose flag ( ie. ipsecctl -vf ipsec.conf )

I found it today and am just waiting for an okay to commit the fix,
could you try out this diff in the meantime ?


I didn't try the diff yet, only loading with -v flag... And something
funny happens. I have IPv6 working as well in my network, and with
those very basic rules I have posted, esp traffic travels over IPv4,
yet only IPv6 traffic gets encapsulated...

snip patch


--
Mathieu Sauve-Frankel




--
viq



Re: Disable IPv6 on OpenBSD 4.0

2006-12-17 Thread Dave Anderson
** Reply to message from Jason Dixon [EMAIL PROTECTED] on Sun, 17
Dec 2006 15:17:01 -0500

On Dec 17, 2006, at 2:51 PM, carlopmart wrote:

 Yes, my security staff orders to disable IPv6 protocol on all our  
 firewalls ...

Your security staff is clueless.  I bet they like to block icmp echo-request too.

Unfortunately, the fact that they're clueless doesn't make it possible
to ignore their demands.  Fortunately, it's almost trivial to configure
PF to block all incoming and outgoing IPv6 on your external interface
(or on all of your interfaces).  The question is, can you convince the
powers-that-be that doing this is sufficient?  It clearly should be,
since it prevents any possibility of communicating via IPv6.

Good luck,

Dave

-- 
Dave Anderson
[EMAIL PROTECTED]



XFCE default keybinding missing, why?

2006-12-17 Thread Stefan Kell
Hello,

after using OpenBSD on some routers since 3.5, I installed OpenBSD 4.0 on
one of my laptops (an IBM Thinkpad A30p). Everything is working fine, no
real problem with X configuration, sound is working and so on.

I use xfce as window-manager from ports. Xfce has been my standard
window-manager on all of my systems for years. Main reason is, it is
light-weight and it has alt-tab for switching windows. But not on OpenBSD.
After digging around I found that there is a patch in the ports-tree for
xfwm, which disables all default keybindings:
patch-themes_default_keys_keythemerc

No big problem but why is this so?

Regards

Stefan Kell



Re: IPSec trouble

2006-12-17 Thread viq

On 17/12/06, viq [EMAIL PROTECTED] wrote:

On 17/12/06, Mathieu Sauve-Frankel [EMAIL PROTECTED] wrote:
 On Sun, Dec 17, 2006 at 02:16:48PM +0100, viq wrote:
  Yes, again... I am trying to set up VPN using IPSec, right now very
  basic setup, and it doesn't work as expected.
  Hosts being involved are keibi that acts as server, and trying to
  connect to it laptop sentan.

 there's an error in ipsecctl in -current which breaks ipsecctl unless you are
 loading your rules with the verbose flag ( ie. ipsecctl -vf ipsec.conf )

 I found it today and am just waiting for an okay to commit the fix,
 could you try out this diff in the meantime ?

I didn't try the diff yet, only loading with -v flag... And something
funny happens. I have IPv6 working as well in my network, and with
those very basic rules I have posted, esp traffic travels over IPv4,
yet only IPv6 traffic gets encapsulated...

snip patch


...which works fine when on sentan (the ike dynamic host) I applied
the patch and loaded the rules using the newly built ipsecctl. (sudo
./ipsecctl -f /etc/ipsec.conf)

Thank you :)


 --
 Mathieu Sauve-Frankel



--
viq




--
viq



Re: console switching problem from desktop

2006-12-17 Thread Denny White


Today Neil E. Sprinlan wrote:

Denny White wrote:


There are actually 2 problems. First one is, when using
ctrl-alt-f1 and so forth, it goes to the other console fine,
but when I try to switch back, all I see on the screen is
the output from the underlying x rather than the desktop.


If you use xdm to start X, your custom settings below call for trouble.
/etc/X11/xdm/Xservers forces the X server to use ttyC4, which should not
have a getty process attached.


The other problem is, when I'm on the desktop in an xterm
window, it's as though the settings in .profile like my
aliases I have setup, aren't recognized, like they're not
in the current environment settings.


xsession or xinitrc files don't source your .profile.
you need to start xterm with the '-ls' option or the loginShell resource
set to TRUE to have the shell executed in them source it.
Or put your settings in ~/.xsession (for xdm) or ~/.xinitrc (for startx).


I never had anything
like this happen when running 3.9. Now, on 4.0, I did a
clean install, started having the problem, moved to stable,
now current. Problem is still there.


I'd suggest you compare your current setup with the one you used before
(you did a backup, did you?). X has almost not changed between 3.9 and
4.0.

-+-neil-+-




Thanks for the answer, Neil. I've finally got it straightened
out. And I use startx for x. The pertinent ttys settings are
below. ttyC4 is once again off. I had misread the instructions
a long time back, always used that terminal for x, and it never
seemed to have any problem.
The other part about sourcing .profile from xterm puzzles me
still, since I never had to add any switches in the fluxbox
menu to the xterm command before in 3.7 through 3.9. It now
reads (xterm) {xterm -ls } and all the aliases I use are once
again there, so I know .profile is being sourced. And yep, I
do a full dump at least monthly and incrementals in between. ;)
Thanks again for the info.

Denny White

(/etc/ttys snip)
console /usr/libexec/getty Pc   vt220   off insecure
ttyC0   /usr/libexec/getty Pc   vt220   on  insecure
ttyC1   /usr/libexec/getty Pc   vt220   on  insecure
ttyC2   /usr/libexec/getty Pc   vt220   on  insecure
ttyC3   /usr/libexec/getty Pc   vt220   on  insecure
ttyC4   /usr/libexec/getty Pc   vt220   off insecure
ttyC5   /usr/libexec/getty Pc   vt220   on  insecure
ttyC6   /usr/libexec/getty Pc   vt220   on  insecure
ttyC7   /usr/libexec/getty Pc   vt220   on  insecure
- 
   |.
   .   |L  /|
   _ . |\ _| \--+._/| .
  / ||\| Y J  )   / |/| ./
 J  |)'( |` F`.'/  ,.
   -|  F __ .-  f  Merry Christmas Y
 | /   .-'. `.  /-. L___  |   and a  |
 J \  \  | | O\|.-'  l  Happy New Year  j
   _J \  .-\/ O | | \  |F  `-.___.,-'
  '-F  -_. \   .-'  `-' L__  )  /
 __J  _   _. -'  )._.   |-'   _,' ,'
 `-|.'   /_.   \_|   F `-..___..,-'_.,'
   /.-   ._.
  /'/.' .'  `\
   /L  /'   |/  _.-'-\
  /'J   ___.---'\|
|\  .--' V  | `. `
|/`. `-. `._)
   / .-.\
   \ (  `\
`.\

GnuPG key  : 0x1644E79A  |  http://wwwkeys.nl.pgp.net
Fingerprint: D0A9 AD44 1F10 E09E 0E67  EC25 CB44 F2E5 1644 E79A



Re: Disable IPv6 on OpenBSD 4.0

2006-12-17 Thread Henning Brauer
* carlopmart [EMAIL PROTECTED] [2006-12-17 21:14]:
 Yes, my security staff orders to disable IPv6 protocol on all our firewalls 
 ...

block quick inet6

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: Disable IPv6 on OpenBSD 4.0

2006-12-17 Thread Ingo Schwarze
Jason Dixon wrote on Sun, Dec 17, 2006 at 03:17:01PM -0500:
 On Dec 17, 2006, at 2:51 PM, carlopmart wrote:

 Yes, my security staff orders to disable IPv6 protocol
 on all our firewalls ...

 Your security staff is clueless.
 I bet they like to block icmp echo-request too.

If they really force you to conform to that kind
of security staff orders, minimize the breakage
by using pf(4) - and pf only.  In particular, do
refrain from rolling your own kernel to remove IPv6.

If I remember correctly, the last time INET6 #ifdefs
needed correction for -current in CVS is about a week
ago.  Correctness and reliability of IPv6-disabled
kernels is not regarded as a high priority issue -
but you might wish for maximum correctness and
reliability of your firewalls.



Re: Disable IPv6 on OpenBSD 4.0

2006-12-17 Thread carlopmart
Dave Anderson wrote:
 ** Reply to message from Jason Dixon [EMAIL PROTECTED] on Sun, 17
 Dec 2006 15:17:01 -0500
 
 On Dec 17, 2006, at 2:51 PM, carlopmart wrote:

 Yes, my security staff orders to disable IPv6 protocol on all our  
 firewalls ...
 Your security staff is clueless.  I bet they like to block icmp echo-request too.
 
 Unfortunately, the fact that they're clueless doesn't make it possible
 to ignore their demands.  Fortunately, it's almost trivial to configure
 PF to block all incoming and outgoing IPv6 on your external interface
 (or on all of your interfaces).  The question is, can you convince the
 powers-that-be that doing this is sufficient?  It clearly should be,
 since it prevents any possibility of communicating via IPv6.
 
 Good luck,
 
   Dave
 
I don't know Dave, but I could try it...



-- 
CL Martinez
carlopmart {at} gmail {d0t} com



Re: Disable IPv6 on OpenBSD 4.0

2006-12-17 Thread carlopmart
Jason Dixon wrote:
 On Dec 17, 2006, at 2:51 PM, carlopmart wrote:
 
 Philip Guenther wrote:
 On 12/17/06, carlopmart [EMAIL PROTECTED] wrote:
  Somebody knows if exists some option to put on rc.conf file like
 FreeBSD does with ipv6_enable=NO option to disable IPv6 support on
 OpenBSD 4.0?

 Nope.  No such option exists in OpenBSD.


 Or do I need to recompile kernel, modify sendmail.cf, etc,
 etc, etc ...?? In other words, do I need to reconfigure all process
 that
 need ipv6 to startup??

 Yeah, that's one way to end up with a system for which the developers
 will basically ignore you if you report a problem.  Is that what
 you're trying to accomplish?


 Yes, my security staff orders to disable IPv6 protocol on all our
 firewalls ...
 
 Your security staff is clueless.  I bet they like to block icmp
 echo-request too.
 

je, je ..:) Sure jason, but I am only a simple administrator ...


 -- 
 Jason Dixon
 DixonGroup Consulting
 http://www.dixongroup.net
 
 
 
 

-- 
CL Martinez
carlopmart {at} gmail {d0t} com



Re: console switching problem from desktop

2006-12-17 Thread Ben Calvert
On Sun, 17 Dec 2006 13:04:16 - (GMT)
Neil E. Sprinlan [EMAIL PROTECTED] wrote:

 Denny White wrote:

 
  The other problem is, when I'm on the desktop in an xterm
  window, it's as though the settings in .profile like my
  aliases I have setup, aren't recognized, like they're not
  in the current environment settings.
 
 xsession or xinitrc files don't source your .profile.
 you need to start xterm with the '-ls' option or the loginShell
 resource set to TRUE to have the shell executed in them source it.
 Or put your settings in ~/.xsession (for xdm) or ~/.xinitrc (for
 startx).

http://www.openbsd.org/faq/faq8.html#ksh

Ben



Re: dhcpd question

2006-12-17 Thread Markus Bergkvist
I'm running dnsmasq as a caching dns and as such it seems to do its job 
and it is easy to configure. The idea was to run it as dhcp+dns but I 
later found out that the version in the ports-tree[1] is known not to 
work on 4.0[2].


[1] dnsmasq-2.31 http://ports.openbsd.nu/net/dnsmasq
[2] release notes on Dnsmasq 2.35 
http://freshmeat.net/projects/dnsmasq/?branch_id=1991release_id=239661


/Markus


[EMAIL PROTECTED] wrote:

- Original Message -
From: Markus Bergkvist [EMAIL PROTECTED]
Date: Friday, December 15, 2006 7:11 pm
Subject: Re: dhcpd question
To: misc@openbsd.org

I noticed no-one has suggested dnsmasq, any reason for that? 
Just curious.


/Markus


Craig Skinner wrote:

On Fri, Dec 15, 2006 at 12:04:15AM +0530, Siju George wrote:

long time back I did this on my firewalls

http://cr.yp.to/djbdns/install.html
http://cr.yp.to/djbdns/run-cache-x.html


Don't do that. DJB junk is not in ports for good reasons.

Bind is patched and chrooted in base. It won't take long to set up a
caching proxy resolver for a LAN. If you get stuck, just ask.


I just set up pdnsd.  Seems to do the job.  Any comments on this piece of 
software.  I would also like to hear about users of dnsmasq.

Peter




Re: recurring ral-related panic

2006-12-17 Thread Jacob Yocom-Piatt
 Original message 
Date: Mon, 18 Dec 2006 02:07:31 +1100
From: Jonathan Gray [EMAIL PROTECTED]  
Subject: Re: recurring ral-related panic  
To: misc@openbsd.org

 kernel: integer divide fault trap, code = 0  
 stopped at   rt2661_setup_tx_desc+0xc5:   idivl 0x1c(%ebp), %eax 
  
 ddb trace  

This sounds like the rate of 0 problem I thought
had been worked around.  Try using a fixed rate from
the options listed in ifconfig -m ral0 and see
if you can still reproduce it.


media and mode are now explicitly set. the AP seems to be doing fine under load
now. will post back if the issue pops up again with these parameters set.

cheers,
jake



Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage

2006-12-17 Thread Dag Richards

Jason Dixon wrote:

On Dec 17, 2006, at 2:51 PM, carlopmart wrote:


Philip Guenther wrote:


On 12/17/06, carlopmart [EMAIL PROTECTED] wrote:


 Somebody knows if exists some option to put on rc.conf file like
FreeBSD does with ipv6_enable=NO option to disable IPv6 support on
OpenBSD 4.0?



Nope.  No such option exists in OpenBSD.



Or do I need to recompile kernel, modify sendmail.cf, etc,
etc, etc ...?? In other words, do I need to reconfigure all process that
need ipv6 to startup??



Yeah, that's one way to end up with a system for which the developers
will basically ignore you if you report a problem.  Is that what
you're trying to accomplish?



Yes, my security staff orders to disable IPv6 protocol on all our  
firewalls ...



Your security staff is clueless.  I bet they like to block icmp echo-request too.


--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net



Erm, I don't think I am clueless, often a sign of cluelessness I am 
sure ... However.  I block inbound icmp, well actually inbound anything 
not shown to be required for specific 'services'.



What about this is cluelez?  I ask in a tone not of belligerence, but a 
desire to be informed by my betters.




Re: Disable IPv6 on OpenBSD 4.0

2006-12-17 Thread Hannah Schroeter
Hi!

On Sun, Dec 17, 2006 at 03:56:08PM -0500, Dave Anderson wrote:
** Reply to message from Jason Dixon [EMAIL PROTECTED] on Sun, 17
Dec 2006 15:17:01 -0500

On Dec 17, 2006, at 2:51 PM, carlopmart wrote:

 Yes, my security staff orders to disable IPv6 protocol on all our  
 firewalls ...

Your security staff is clueless.  I bet they like to block icmp echo-request too.

Unfortunately, the fact that they're clueless doesn't make it possible
to ignore their demands.  Fortunately, it's almost trivial to configure
PF to block all incoming and outgoing IPv6 on your external interface
(or on all of your interfaces).  The question is, can you convince the
powers-that-be that doing this is sufficient?  It clearly should be,
since it prevents any possibility of communicating via IPv6.

Don't ask don't tell.

I.e. just block quick inet6 in pf, tell them ok, I've blocked IPv6,
and as long as they don't ask *how* he blocked it, it's done.

Good luck,

   Dave

Kind regards,

Hannah.
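The pf-only approach that Dave Anderson, Henning Brauer, Ingo Schwarze and Hannah Schroeter describe, written out as a complete minimal pf.conf (an added example, not a ruleset any of them posted); the interface name and the IPv4 rules below the block are placeholders:

```pf
# Macros (placeholder interface name, not taken from the thread)
ext_if = "em0"

# lo0 is skipped, so ::1 traffic inside the box is left alone;
# drop "set skip" if the order is to cover every interface.
set skip on lo0
scrub in all

# Drop every IPv6 packet on every interface, in both directions, before
# any other rule is considered.  "quick" ends rule evaluation here, so no
# later pass rule can let IPv6 through by accident, and "log" copies each
# dropped packet to pflog0 so the firewall records any host that still
# tries to speak IPv6.
block log quick inet6

# Ordinary IPv4 policy follows (placeholder rules; 4.0 still needs an
# explicit "keep state").
block in log all
pass out on $ext_if inet keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; afterwards `tcpdump -n -e -ttt -i pflog0 ip6` shows every IPv6 packet the rule has dropped, which is the record to show anyone who asks whether IPv6 is really off.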



Cartao Terra

2006-12-17 Thread Cart
Click on the picture or on the link below to see the whole card.

WebCard sent by Someone who admires you a lot!

view

Terra is not responsible for the content of the messages sent.

Card sent by the Terra system.




Re: Errors Compiling OpenOffice

2006-12-17 Thread STeve Andre'
On Sunday 17 December 2006 08:22, Jim Michael wrote:
 I apologize.  I incorrectly reported that I am using stable.  I did
 upgrade ports to -current on 12/16 before make install.
[snip]

You can't mix 4.0-stable with a 4.0-current ports tree.  Well, you
can, sorta, but you are on your own for this and you don't want
to do that.  

If you want OpenOffice, I'd upgrade a system to 4.0-current and
use that till 4.1 comes out.

--STeve Andre'



Re: OpenBSD -Current and WINE

2006-12-17 Thread Travers Buda
On Sun, 17 Dec 2006 12:00:19 +0100
Joachim Schipper [EMAIL PROTECTED] wrote:

 Yes, the WINE developers, according to their site, `do not currently
 understand how threads work on OpenBSD' or something along those lines.
 IIRC, they have used some Linux-specific implementation ever since the
 last time the port was updated.
 
 Having a newer WINE would be neat, but it would be a lot of work, I
 suppose.
 

And I doubt it could be handled with compat.linux very easily either.

Travers Buda



Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage

2006-12-17 Thread Jason Dixon

On Dec 17, 2006, at 6:28 PM, Dag Richards wrote:


Jason Dixon wrote:
Your security staff is clueless.  I bet they like to block icmp echo-request too.


Erm, I don't think I am clueless, often a sign of cluelessness I  
am sure ... However.  I block inbound icmp, well actually inbound  
anything not shown to be required for specific 'services'.


What about this is cluelez?  I ask in a tone not of belligerence,  
but a desire to be informed by my betters.


Why would you block icmp echo-request?  What does that gain you in  
terms of security?


--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net



Re: wifi signal triangulation

2006-12-17 Thread Travers Buda
On Sun, 17 Dec 2006 12:09:12 -0600 (CST)
Jacob Yocom-Piatt [EMAIL PROTECTED] wrote:

 only today have i tried out hostapd, it is quite neat. while adding a 2nd AP 
 to
 my network a thought occurred to me: if you had 3 APs that were sufficiently
 spread out and had tightly synced clocks you could likely triangulate the 
 source
 of a wifi signal with a fair deal of accuracy.
 
 is this doable?
 
 cheers,
 jake
 

Well, it's doable. Not really too practical though, since you'd have to
see the client from all 3 transceivers. You'd also have to map out the
distance/signal strength in order to accurately superimpose a map (also
consider differences in obstructions.) And, different radios have
different power... Plus, wifi's range is not all THAT fantastic... so
even if you have the client on all three transceivers, the area they
could be in is fairly limited, especially if we're only talking about
one floor.

If you're concerned about security... what the hell am I talking
about... you're running OpenBSD, no, wait, it's a FANTASTIC OS even
without the security stuff which is really just a product of
excellence... Lock that network down and use authpf =). Some sort of
authenticated gateway... wonder if anything else can do that besides
pf. Meh.

Travers Buda



Re: openbsd 4.0 ralink problem low operation range

2006-12-17 Thread pedro la peu
On Friday 15 December 2006 09:51, you wrote:
 So far for all you people who have complained about lousy ral(4)
 range or reception, only one of you has posted a dmesg (and even it was
 incomplete) and none of you have posted your interface config.

Irrelevant.

 Don't let this interrupt your complain-fest, but if you want to move
 beyond whinging and start trying to figure out what the bad performing
 cards have in common then you know what you have to do...

Don't let this interrupt your comprehension. The common factor is ral radios.



Re: openbsd 4.0 ralink problem low operation range

2006-12-17 Thread Matthew R. Dempsky
On Mon, Dec 18, 2006 at 02:02:00AM +, pedro la peu wrote:
  Don't let this interrupt your complain-fest, but if you want to move
  beyond whinging and start trying to figure out what the bad performing
  cards have in common then you know what you have to do...
 
 Don't let this interrupt your comprehension. The common factor is ral radios.

People using 802.11 is also a common factor here.

Is it unfathomable to you that the issue can be more nuanced than
wireless chipset?



Re: console switching problem from desktop

2006-12-17 Thread Girish Venkatachalam
|.
.   |L  /|
_ . |\ _| \--+._/| .
   / ||\| Y J  )   / |/| ./
  J  |)'( |` F`.'/  ,.
-|  F __ .-  f  Merry Christmas Y
  | /   .-'. `.  /-. L___  |   and a  |
  J \  \  | | O\|.-'  l  Happy New Year  j
_J \  .-\/ O | | \  |F  `-.___.,-'
   '-F  -_. \   .-'  `-' L__  )  /
  __J  _   _. -'  )._.   |-'   _,' ,'
  `-|.'   /_.   \_|   F `-..___..,-'_.,'
/.-   ._.
   /'/.' .'  `\
/L  /'   |/  _.-'-\
   /'J   ___.---'\|
 |\  .--' V  | `. `
 |/`. `-. `._)
/ .-.\
\ (  `\
 `.\

Sorry for talking rubbish...

How did you get this cool ASCII graphics with the callout? :)

I am interested. It is just too good man!

I hope ppl don't get angry that I am so childish...

regards,
Girish

-- 
Linux is for folks who hate Windoze.

FreeBSD is for folks who love UNIX.

OpenBSD is for folks who can't live without UNIX.



Re: Disable IPv6 on OpenBSD 4.0

2006-12-17 Thread Lars Hansson
On Monday 18 December 2006 00:31, carlopmart wrote:
  Somebody knows if exists some option to put on rc.conf file like
 FreeBSD does with ipv6_enable=NO option to disable IPv6 support on
 OpenBSD 4.0? Or do I need to recompile kernel, modify sendmail.cf, etc,
 etc, etc ...??

Depends on what you mean by disable. There's no option to prevent IPv6 from 
being active but it's trivial to block all ipv6 traffic with pf.

---
Lars Hansson



Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage

2006-12-17 Thread Lars Hansson
On Monday 18 December 2006 07:28, Dag Richards wrote:
 What about this is cluelez?  I ask in a tone not of belligerence, but a
 desire to be informed by my betters.

Blocking icmp is a) totally pointless, and b) makes troubleshooting much more 
difficult.

---
Lars Hansson



Re: openbsd 4.0 ralink problem low operation range

2006-12-17 Thread Damien Miller
On Mon, 18 Dec 2006, pedro la peu wrote:

 On Friday 15 December 2006 09:51, you wrote:
  So far for all you people who have complained about lousy ral(4)
  range or reception, only one of you has posted a dmesg (and even it was
  incomplete) and none of you have posted your interface config.
 
 Irrelevant.

Knowing the MAC and RF versions of the affected cards is irrelevant?

  Don't let this interrupt your complain-fest, but if you want to move
  beyond whinging and start trying to figure out what the bad performing
  cards have in common then you know what you have to do...
 
 Don't let this interrupt your comprehension. The common factor is ral radios.

I guess ral(4) that works fine over 20m through several double-brick
walls is a figment of my imagination then...

-d



Re: dspam on OpenBSD 4.0

2006-12-17 Thread Vijay Sankar
Good day,

Thank you very much for taking the time to think about this and for your
detailed reply. 

Yes, /var/dspam/data was already there after I installed the package (I
am not using -current, just OpenBSD 4.0 from the CD and packages from
mirror.arcticnet.ca). I am not sure whether the way I have set stuff up
is the best possible approach but after I did a chmod 2771 on /var/dspam
I am able to retrain etc. On this test server, every spam message has
been classified correctly!! dspam seems to complement spamd (the OpenBSD
spamd) and milter-regex very well, so far.

In case there is a better way than doing chmod 2771, please do let me
know. Here is the output from ls -laR /var/dspam. The reason
why /var/spam/data/vsankar and /var/dspam/system.log has 2777 is because
I couldn't get the system statistics and quarantine information from the
dspam.cgi program without opening that up.

Also, there is still one final problem. If user vsankar (unprivileged
account) uses the dspam.cgi program and decides to reclassify a message
already classified as spam by dspam, I get the following error
in /var/log/maillog

Dec 17 09:38:37 mx1 dspam[8781]: Delivery agent returned exit code
1: /usr/libexec/mail.local -d vsankar
Dec 17 09:38:38 mx1 mail.local: may only be run by the superuser

For now, I am thinking of avoiding using the dspam.cgi altogether and
just moving the vsankar.mbox quarantine file into /home/vsankar/mail and
accessing it through my webmail client if I ever want to reclassify
email. But it would be nice to be able to do a Deliver Checked from
the dspam.cgi interface.

mx1# ls -laR /var/dspam
total 104
 4 drwxrws--x   3 _dspam  _dspam512 Dec 16 19:18 .
 4 drwxr-xr-x  27 rootwheel 512 Dec 16 14:33 ..
 4 drwxrws--x   7 _dspam  _dspam512 Dec 16 16:49 data
88 -rwxrwxrwx   1 _dspam  _dspam  43199 Dec 17 20:45 system.log

/var/dspam/data:
total 28
4 drwxrws--x  7 _dspam  _dspam  512 Dec 16 16:49 .
4 drwxrws--x  3 _dspam  _dspam  512 Dec 16 19:18 ..
4 drwxrws--x  2 _dspam  _dspam  512 Dec 16 16:06 root
4 drwxrwsrwx  2 _dspam  _dspam  512 Dec 17 09:55 vsankar

/var/dspam/data/root:
total 60
 4 drwxrws--x  2 _dspam  _dspam512 Dec 16 16:06 .
 4 drwxrws--x  7 _dspam  _dspam512 Dec 16 16:49 ..
36 -rwxrws--x  1 _dspam  _dspam  17276 Dec 17 01:30 root.log
12 -rwxrws--x  1 _dspam  _dspam   4130 Dec 16 16:22 root.mbox
 4 -rwxrws--x  1 _dspam  _dspam 13 Dec 17 01:30 root.stats

/var/dspam/data/vsankar:
total 208
  4 drwxrwsrwx  2 _dspam  _dspam512 Dec 17 09:55 .
  4 drwxrws--x  7 _dspam  _dspam512 Dec 16 16:49 ..
 24 -rwxrwxrwx  1 _dspam  _dspam  11881 Dec 17 20:45 vsankar.log
160 -rwxrwxrwx  1 _dspam  _dspam  81766 Dec 17 20:45 vsankar.mbox
  4 -rw-r--r--  1 www _dspam  5 Dec 17 09:54 vsankar.mbox.size
  0 -rw-rw  1 www _dspam  0 Dec 17 09:54 vsankar.mbox.stamp
  4 -rw-r--r--  1 www _dspam228 Dec 17 09:38 vsankar.retrain.log
  4 -rw-r--r--  1 www _dspam 10 Dec 17 09:38 vsankar.rstats
  4 -rwxrwxrwx  1 _dspam  _dspam 14 Dec 17 20:45 vsankar.stats

Also, just as an FYI, this is what I get with dspam_stats

vsankar:
TP True Positives: 47
TN True Negatives:  2
FP False Positives: 5
FN False Negatives:16
SC Spam Corpusfed:  0
NC Nonspam Corpusfed:   0
TL Training Left:2493
SHR Spam Hit Rate  74.60%
HSR Ham Strike Rate:   71.43%
OCA Overall Accuracy:  70.00%

The 5 false positives were due to me not feeding dspam any notspam
messages. What happened was I forwarded (as root) the Welcome to
OpenBSD 4.0 message to vsankar five times and they all got classified
as spam. After retraining, I am able to send that message through from
root to vsankar. Since this is a test machine (MX preference 30 compared
to 10 on the real mail servers) I only get spam on this machine, so I
still have some ways to go to understand how this all works in a
real-life scenario.

Thanks again,

Vijay

On Sun, 2006-17-12 at 13:07 +0100, Joachim Schipper wrote:
 On Sat, Dec 16, 2006 at 07:37:11PM -0600, Vijay Sankar wrote:
  Good day,
  
  I am trying out the package dspam-3.6.8p1-mysql and ran into the
  following problem -- not able to get any answers after days of searching
  the dspam lists, various archives, etc. Apologize in advance for sending
  this to the OBSD list but am hoping someone here can help.
  
  All the various features seem to work (spam is being quarantined for the
  most part). However, if I attempt to train by forwarding an unsolicited
  message to [EMAIL PROTECTED], (forwarding to the [EMAIL PROTECTED] by root
  works) I get the following error:
  
  Dec 16 19:18:33 mx1 sendmail[5394]: kBH1IX53005394: from=vsankar,
  size=2773, class=0, nrcpts=1,
  msgid=[EMAIL PROTECTED], [EMAIL PROTECTED]
  
  Dec 16 

Re: openbsd 4.0 ralink problem low operation range

2006-12-17 Thread pedro la peu
On Monday 18 December 2006 03:05, Damien Miller wrote:
 Knowing the MAC and RF versions of the affected cards is irrelevant?

Yes.

 I guess ral(4) that works fine over 20m through several double-brick
 walls is a figment of my imagination then...

No.

A sensitive ral radio would be.



Re: OpenBSD -Current and WINE

2006-12-17 Thread Sam Fourman Jr.

Would you happen to have a link where the WINE developers state that? It
would be an interesting read. There is still much more I must learn
about the differences between FreeBSD and OpenBSD.

Sam Fourman Jr.

On 12/17/06, Joachim Schipper [EMAIL PROTECTED] wrote:

On Thu, Dec 14, 2006 at 03:10:55PM -0600, Sam Fourman Jr. wrote:
 hello misc@

 I was wondering if someone out there has a wine port newer than the
 one in the ports tree
 I am looking for wine 0.9.24 or better

 I am assuming there is some technical issue as to why there is not an
 updated wine in the tree

Yes, the WINE developers, according to their site, `do not currently
understand how threads work on OpenBSD' or something along those lines.
IIRC, they have used some Linux-specific implementation ever since the
last time the port was updated.

Having a newer WINE would be neat, but it would be a lot of work, I
suppose.

Joachim




Re: limiting outbound throughput from an IP using altq

2006-12-17 Thread rootrider
- Original Message -
From: Stuart Henderson [EMAIL PROTECTED]
Sent: Friday, December 15, 2006 12:05 AM
Subject: Re: limiting outbound throughput from an IP using altq


 On 2006/12/14 16:33, rootrider wrote:
  Traffic is being assigned to the nick_int queue, and inbound
  (from the internet to the lan) traffic is being limited... to my
  surprise. That doesn't even make any sense to me.

 Use the same name for queues on each interface, e.g.

   altq on $ext_if cbq bandwidth 950Kb queue { nick, other }
   queue nick  on $ext_if bandwidth 1%  priority 1 cbq
   queue other on $ext_if bandwidth 99% priority 7 cbq(default, borrow)

   altq on $int_if cbq bandwidth 8Mb queue { nick, other }
   queue nick  on $int_if bandwidth 1%  priority 1 cbq
   queue other on $int_if bandwidth 99% priority 7 cbq(default)

 'pass...keep state queue foo_in' rules mean that packets matching the
 state (i.e. in _both_ directions) are assigned to queue foo_in, which is
 not what you want. Using 'queue..on $if1' and 'queue...on $if2' creates
 two queues with the same name so that a single 'pass' rule assigns
 packets to the queue for whichever interface is relevant.

 (thanks to Henning on the pf mailing list for the tip about this).

well, I tried this.. even plugged the exact text in here and used
that as my sole altq configuration. I got the exact same result I
had before: unlimited upload speed and download speed limited to
80 kbps. I've got to be missing something somewhere... Isn't
there anyone with a working pf.conf that limits upload speed of
an IP?
--
Joel
[rootrider]



Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage

2006-12-17 Thread Dag Richards

Jason Dixon wrote:

On Dec 17, 2006, at 6:28 PM, Dag Richards wrote:


Jason Dixon wrote:

Your security staff is clueless.  I bet they like to block icmp
echo-request too.



Erm, I don't think I am clueless, often a sign of cluelessness I
am sure ... However.  I block inbound icmp, well actually inbound
anything not shown to be required for specific 'services'.


What about this is cluelez?  I ask in a tone not of belligerence,  but 
a desire to be informed by my betters.



Why would you block icmp echo-request?  What does that gain you in  
terms of security?


--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net


I block all inbound traffic to my networks not required for operations.

I have a dns server I allow inbound udp / tcp 53, if it's not running 
other services that's all I allow.  I run rules on the dns server that 
block it from making outbound connections except to 53 on servers off my 
network, and ntp to the time servers.


Why would I let icmp in? I have telnet turned off on all the servers, 
but I still block port 23, or actually fail to open it.


Tools can be written to use icmp as a transport, obviously anything can 
be used as a transport which is why we only allow traffic inbound to 
servers with services running we want public.  Why should I allow 
someone to ping my dns server?



If you need to see if the server is up telnet to port 53, a traceroute 
will die at the hop above the firewall, I know which ip that is. I don't 
care/need others to do so.




Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage

2006-12-17 Thread Jason Dixon

On Dec 17, 2006, at 11:03 PM, Dag Richards wrote:


Jason Dixon wrote:

On Dec 17, 2006, at 6:28 PM, Dag Richards wrote:


Erm, I don't think I am clueless, often a sign of cluelessness
I am sure ... However.  I block inbound icmp, well actually
inbound anything not shown to be required for specific 'services'.


What about this is cluelez?  I ask in a tone not of  
belligerence,  but a desire to be informed by my betters.
Why would you block icmp echo-request?  What does that gain you  
in  terms of security?


I block all inbound traffic to my networks not required for  
operations.


You don't use icmp echo-request for your network operations?  Do you  
think you're gaining something by filtering ping on your firewall?


--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net



Re: OpenBSD -Current and WINE

2006-12-17 Thread Travers Buda
On Sun, 17 Dec 2006 22:09:15 -0600
Sam Fourman Jr. [EMAIL PROTECTED] wrote:

 Would you happen to have a link where the WINE developers state that? It
 would be an interesting read. There is still much more I must learn
 about the differences between FreeBSD and OpenBSD.

The difference is linux, and BSD, respectively. =)

Travers Buda



Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage

2006-12-17 Thread Travers Buda
On Mon, 18 Dec 2006 00:34:20 -0500
Jason Dixon [EMAIL PROTECTED] wrote:

 
 You don't use icmp echo-request for your network operations?  Do you  
 think you're gaining something by filtering ping on your firewall?
 

Amen... obey RFC 1122. 

3.2.2.6  Echo Request/Reply: RFC-792

Every host MUST implement an ICMP Echo server function that
receives Echo Requests and sends corresponding Echo Replies.
A host SHOULD also implement an application-layer interface
for sending an Echo Request and receiving an Echo Reply, for
diagnostic purposes.

An ICMP Echo Request destined to an IP broadcast or IP
multicast address MAY be silently discarded.

Use something along the line of:
pass in inet proto icmp all icmp-type $icmp_types keep state
in pf.conf

Fer instance, note the recent journal on undeadly.org about the max
states DNS problem. ICMP helped there. It's nice to be able to diagnose
connectivity with as many tools as possible.

Travers Buda



Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage

2006-12-17 Thread Marco S Hyman
  servers with services running we want public.  Why should I allow 
  someone to ping my dns server?

If I'm having problems resolving a host address that is supposed
to be handled by your server one of the first things I'll do is
see if I have general connectivity to your server.   I'll ping it.
If there is no answer I'll most likely assume transient net errors
and put the problem off until later.

So what, you say.   Well, if there are real DNS problems you won't
be notified.   Maybe you don't care.   

  If you need to see if the server is up telnet to port 53, a traceroute 
  will die at the hop above the firewall, I know which ip that is. I don't 
  care/need others to do so.

If I can't ping I'll assume I can't telnet.   A traceroute will confirm
net connectivity issues.   Eventually, assuming I need your DNS server
to work correctly, I'll attempt to get in touch.

From my perspective the only thing your blocking ICMP has done is delay
third party notification of DNS issues.  To me (and I'll be the first to
admit that this is nothing but opinion and I won't pretend that my opinion
is any better than yours) I see more harm than good in blocking icmp.
I like it when other people tell me I've screwed something up because I
can find it and fix it faster.

As for the person who wants to disable ipv6... I think henning@ had the
best solution: use pf.   A rule such as 

  block drop quick inet6 all

at the top of your ruleset should do the trick.

// marc



Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage

2006-12-17 Thread Tony Abernethy
Marco S Hyman wrote:

snip

 To me (and I'll be the first to
 admit that this is nothing but opinion and I won't pretend that my opinion
 is any better than yours) I see more harm than good in blocking icmp.
 I like it when other people tell me I've screwed something up because I
 can find it and fix it faster.

You can add my violent agreement.
Most people are actually good, at least if it takes them little effort.
I can't imagine that the objective of security is to have to withdraw and
hide from everything and everybody.
Imagine removing the highway markers and street signs because they might
help the terrorists.




Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage

2006-12-17 Thread smith
On Sun, 17 Dec 2006 20:03:08 -0800, Dag Richards wrote
 Jason Dixon wrote:
  On Dec 17, 2006, at 6:28 PM, Dag Richards wrote:
  
  Jason Dixon wrote:
 
   Your security staff is clueless.  I bet they like to block icmp
   echo-request too.
 
 
   Erm, I don't think I am clueless, often a sign of cluelessness I
   am sure ... However.  I block inbound icmp, well actually inbound
   anything not shown to be required for specific 'services'.
 
  What about this is cluelez?  I ask in a tone not of belligerence,  but 
  a desire to be informed by my betters.
  
  
  Why would you block icmp echo-request?  What does that gain you in  
  terms of security?
  
  -- 
  Jason Dixon
  DixonGroup Consulting
  http://www.dixongroup.net
  
 I block all inbound traffic to my networks not required for operations.
 
  I have a dns server I allow inbound udp / tcp 53, if it's not running 
  other services that's all I allow.  I run rules on the dns server 
  that block it from making outbound connections except to 53 on 
  servers off my network, and ntp to the time servers.
 
 Why would I let icmp in? I have telnet turned off on all the servers,
  but I still block port 23, or actually fail to open it.
 
 Tools can be written to use icmp as a transport, obviously anything 
 can be used as a transport which is why we only allow traffic 
 inbound to servers with services running we want public.  Why should 
 I allow someone to ping my dns server?
 
 If you need to see if the server is up telnet to port 53, a 
 traceroute will die at the hop above the firewall, I know which ip 
 that is. I don't care/need others to do so.

Blocking icmp violates RFC rules which means in a nutshell weird things will
happen on your network.  i.e. icmp helps negotiate traffic throughput when two
nodes are communicating over networks with various amounts of bandwidth.  If
you have firewall rules that allowed udp/tcp 53 and icmp to your dns server,
you would not violate RFC rules.  For someone to transport traffic through
icmp with these rules means that they would have to root your dns server.  At
that point, icmp isn't your problem.  Let me restate by saying if anyone on
your network tries to send traffic out via icmp, icmp isn't the problem, it's
the security of that computer that's the problem.  Oh and if you're trying to
prevent your users from sending out confidential information to an external
source, let's face it, that's almost impossible.  Such a user can use http or
better yet https as a transport as well or a floppy, usb hard drive, usb thumb
drive, and email (especially with an encrypted attachment so that your filter
can see what it is).  Hell they can print it out and carry it in their
briefcase if they wanted.
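A pf.conf fragment, added here as an illustration and not taken from any post in this thread, of the ruleset Travers Buda's `pass in inet proto icmp ... icmp-type $icmp_types keep state` line and smith's point about throughput negotiation are arguing for: keep the default-deny, DNS-only posture Dag describes, but admit the ICMP types that ping, traceroute and path-MTU discovery depend on, and drop IPv6 the way Marco suggests. The interface name, the server address and the overall ruleset layout are assumptions.

```pf
# Added example ruleset (not from the thread). Assumptions: external
# interface fxp0, DNS server at 192.0.2.53 (a documentation address),
# pf syntax as shipped with OpenBSD 4.0.
ext_if  = "fxp0"
dns_srv = "192.0.2.53"

# ICMP types the thread says you should not drop:
#   echoreq - ping; RFC 1122 3.2.2.6 says a host MUST answer it
#   unreach - carries "fragmentation needed", which path-MTU
#             discovery relies on (smith's "negotiate throughput")
#   timex   - TTL exceeded, which is what makes traceroute work
icmp_types = "{ echoreq, unreach, timex }"

set skip on lo0

# The original question: no IPv6 at all. Quick block at the top, as
# Marco suggests, so nothing below has to think about inet6.
block drop quick inet6 all

# Default deny inbound on the external interface. Logging the drops
# means a blocked diagnostic from outside still shows up in pflog.
block in log on $ext_if all

# The only service meant to be public: DNS over UDP and TCP.
pass in on $ext_if inet proto { udp, tcp } from any to $dns_srv port 53 keep state

# Stateful ICMP limited to the listed types. Inbound echo requests to
# the public host get answered instead of silently dropped, which is
# what lets a third party tell "host down" from "DNS broken".
pass in on $ext_if inet proto icmp from any to $dns_srv icmp-type $icmp_types keep state

# Outbound with state, so the reply half of any ping or traceroute
# this host originates is matched by its own state entry.
pass out on $ext_if keep state
```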