Re: dhcpd question

[Paul de Weerd]

On Sat, Dec 16, 2006 at 04:55:45PM +0800, Lars Hansson wrote:
| On Saturday 16 December 2006 06:47, Craig Skinner wrote:
|  Don't do that. DJB junk is not in ports for good reasons.
| 
| And the reason has nothing to do with the quality of DJB's stuff.

Even though many would argue that it sucks.

Paul 'WEiRD' de Weerd

-- 
[++-]+++.+++[---].+++[+
+++-].++[-]+.--.[-]
 http://www.weirdnet.nl/ 

Re: wifi signal triangulation

[Reyk Floeter]

On Sun, Dec 17, 2006 at 12:09:12PM -0600, Jacob Yocom-Piatt wrote:
 only today have i tried out hostapd, it is quite neat. while adding a 2nd AP 
 to
 my network a thought occurred to me: if you had 3 APs that were sufficiently
 spread out and had tightly synced clocks you could likely triangulate the 
 source
 of a wifi signal with a fair deal of accuracy.
 
 is this doable?
 

yes

but it needs some heavy math ;). you can get some results by using the
signal strength, but it is probably better if you also use the round
trip time and some low level information.

once we implemented it with hostapd, a sql patch (to allow the central
hostapd sensor to log into a postgresql database), some gps
coordinates, and a hacked psql script to directly query the
triangulated results from the database. a guy from the ccc implemented
a php frontend to draw the station coodinates on an area map, but i
would prefer an implementation using svg and firefox without the need
of a server-side scripting language now ;).

unfortunately, our code got lost after the experiment, but i may still
find the hostapdsql diff.

reyk

Journal des cadeaux d'entreprise : Editorial Décembre

[Michelle Walter]

 Newsletter n012 Editorial Dicembre 2006 Cette fois nous y sommes, au
coeur de la remise des cadeaux de fin d'annie. Pour les retardataires,
nous avons silectionni quelques cadeaux d'affaires tout ` fait siduisants,
mais dij` les collections 2007 pointent le bout de leur nez et nous
n'avons pas pu nous empjcher d'y piocher quelques trisors.

Pour tout savoir sur un cadeau d'affaire qui vous siduit, cliquez sur le
visuel correspondant. Bonne lecture ` vous, Michelle Walter
Ridaction du Journal des Cadeaux d'Entreprise Actualiti produit [IMAGE]
Tourne-disque, le retour... (lundi 11 dicembre 2006)

Un profil ritro pour ce magnifique tourne-disque Hifi avec radio et
lecteur CD semi-automatique.

Lire la suite...[IMAGE] Ecriture et visibiliti... (lundi 11 dicembre
2006)

Exceptionnel, ce set de 3 marqueurs a l'immense avantage de prisenter une
grande surface de marquage sur son socle : 60 x 25 mm.

Lire la suite...[IMAGE] Textile iquitable et incontournable (lundi 11
dicembre 2006)

Issue du commerce iquitable, une toute jeune marque de polos et t-shirts
en coton 100% biologique se fait remarquer.

Lire la suite...[IMAGE] L'actualiti du cadeau d'entreprise
[IMAGE]

Offre riservie exclusivement aux entreprises.

Conformiment ` la Loi Informatique et Libertis parue au Journal Officiel
du 6 janvier 1978, vous disposez d'un droit d'acchs, de rectification, et
d'opposition aux donnies personnelles vous concernant. Pour ne plus
recevoir d'informations de notre part, Cliq uez ici

OpenBSD and antispam - question

[smonek]

I have lan ( 50 computers ) and router OpenBSD 4.0 / Pf 
I also have mail server ( external isp )

mailserver -internet-router-lan

a need antispam gateway for my lan but i dont know who i can use with pf ( 
spamassisin / spamd  pop3 proxy ? ) 

Re: wifi signal triangulation

[Mitja Muženič]

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
 On Behalf Of Reyk Floeter
 Sent: Monday, December 18, 2006 11:22 AM
 To: Jacob Yocom-Piatt
 Cc: misc@openbsd.org
 Subject: Re: wifi signal triangulation
 
 On Sun, Dec 17, 2006 at 12:09:12PM -0600, Jacob Yocom-Piatt wrote:
  only today have i tried out hostapd, it is quite neat. 
 while adding a 2nd AP to
  my network a thought occurred to me: if you had 3 APs that 
 were sufficiently
  spread out and had tightly synced clocks you could likely 
 triangulate the source
  of a wifi signal with a fair deal of accuracy.
  
  is this doable?
  
 
 yes
 
 but it needs some heavy math ;). you can get some results by using the
 signal strength, but it is probably better if you also use the round
 trip time and some low level information.

I'm curious about this, especially about the final triangulation resolution.
The wifi signal propagates at the speed of light, 300k km/s, so to get a
(relatively poor) distance resolution of 1 km, one would need to be able to
reliably clock times smaller than (1 km) / (300k km/s) = 3 * 10^-6 s, or in
other words, less than three microseconds. 

GSM does something similar - since GSM is using TDMA, the signal from a
mobile terminal have to reach the base station during a specific timeframe
slot. On the mobile terminal there is a parameter called TA (for Timing
Advance) that shows the timing correction factor because of the distance to
the BTS, and if I recall correctly, it is possible to get a 250m resolution
out of TA. But GSM hardware is probably more suitable for this than regular
PC hardware.


 
 once we implemented it with hostapd, a sql patch (to allow the central
 hostapd sensor to log into a postgresql database), some gps
 coordinates, and a hacked psql script to directly query the
 triangulated results from the database. a guy from the ccc implemented
 a php frontend to draw the station coodinates on an area map, but i
 would prefer an implementation using svg and firefox without the need
 of a server-side scripting language now ;).

Do you happen to have a screen capture of the result?

 
 unfortunately, our code got lost after the experiment, but i may still
 find the hostapdsql diff.
 
 reyk
 

Mitja

Re: wifi signal triangulation

[Reyk Floeter]

On Mon, Dec 18, 2006 at 05:15:08AM -0600, Sam Fourman Jr. wrote:
 I would be interested in trying the hostapdsql diff
 

ok, i need to clean it up and bring it in sync with the current
hostapd first.

reyk

Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage

[Henning Brauer]

* Dag Richards [EMAIL PROTECTED] [2006-12-18 06:10]:
 I block all inbound traffic to my networks not required for operations.

(most of) icmp qualifies as required for operations. especially 
including echo-request and -reply.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg  Amsterdam

Protection NDD

[Marie-Thé]

Bonjour,

Ce courrier dinformation vous est envoyi devant labus et le trop grand
nombre dentreprises, qui sont victimes du diptt de leurs raisons
sociales par des tiers sur Internet.

Vous avez probablement riservi votre nom de domaine en .FR,

Mais lavez-vous igalement protigi dans les autres extensions, avec ou
sans tiret ?

Tous les jours, nous conseillons sur la protection des noms de domaine
aussi bien les administrations, les commergants que des grands comptes
nationaux.

Dun simple clic, virifiez la disponibiliti et protigez-vous en .COM .EU
auprhs de notre iquipe de spicialistes.

Dans lattente dun prochain contact, veuillez accepter nos sinchres
salutations.

Marie-thi Robin
Responsable Diveloppement

http://www.nom-domaine.fr

Offre riservie exclusivement aux entreprises.

Conformiment ` la Loi Informatique et Libertis parue au Journal Officiel
du 6 janvier 1978, vous disposez d'un droit d'acchs, de rectification, et
d'opposition aux donnies personnelles vous concernant. Pour ne plus
recevoir d'informations de notre part, Cliquez ici

Re: Problems in my wireless card

[Andreas Maus]

On 12/18/06, Eduardo Jorge [EMAIL PROTECTED] wrote:
Hi.


This is my dmesg

OpenBSD 4.0 (NEIN) #0: Sun Dec 17 05:20:14 BRST 2006

^
At first. Before you post make sure you use a GENERIC kernel
(because we can only guess what option your kernel uses).


vendor Atheros, unknown product 0x001a (class network subclass ethernet, rev 
0x01) at pci1 dev 5 function 0 not configured

As you can see your card vendor is recognized but not the card itself.
It is not supported by OpenBSD.

Andreas.

--
Hobbes : Shouldn't we read the instructions?
Calvin : Do I look like a sissy?

Re: package update trouble

[Darren Spruell]

On 12/16/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:


  Fair enough.  I tried it and I got a list of available
 packages.  It is a little confusing because the output is
 carping about the candidate being ambiguous -not what version
 the candidate should be updated to.  Anyways, it still
 gives me:
 
  Cannot find updates for unarj-2.43 unrar-3.54p0
 Quote:

 Both unarj and unrar are dependencies of ClamAV, but they are
 not licensed
 for binary download. They must be built from ports.

 See FAQ 15.4.3.

 So, build it, then install it.


I updated my ports but unarj and unrar have not changed.  I guess I cannot
update clamav until that happens.


pkg_add(1) describes some options for forcing installations using '-F'. Read.

You're assuming here that the ports tree / package system has left you
crippled, but unlike other OSes' package systems, OpenBSD doesn't.
Unless you hit big problems tracking -current, I doubt anyone will
ever see that happen.

--
Darren Spruell
[EMAIL PROTECTED]

CRC Value Mismatch sd0(ahc0:0:0): parity error deteched in Dtata-in phase

[klemen]

On a fresh new scsi disk (Fujitsu), adaptec on board scsi adapter 
(Compaq server) when boot to install os (OpenBSD) I got an error:



CRC Value Mismatch sd0(ahc0:0:0): parity error deteched in Dtata-in 
phase. SEQUADDR (0X73) SCDIRATE (0xc2)
CRC Value Mismatch sd0(ahc0:0:0): parity error deteched in Dtata-in 
phase. SEQUADDR (0X73) SCDIRATE (0xc2)
CRC Value Mismatch sd0(ahc0:0:0): parity error deteched in Dtata-in 
phase. SEQUADDR (0X73) SCDIRATE (0xc2)

..

Disk have and ID:0

What is wrong?

thanks

Re: OpenBSD -Current and WINE

[Joachim Schipper]

On Sun, Dec 17, 2006 at 10:09:15PM -0600, Sam Fourman Jr. wrote:
 Would you happen to have a link where the WINEdevlopers state that? it
 would be a interesting read.There is still much more I must learn
 about the differences between FreeBSD and OpenBSD.

I'd suggest
http://www.winehq.org/site/docs/wine-faq/index#UNDER-WHAT-PLATFORMS-WILL-WINE-RUN.
 Their mailing lists are likely to contain some more information.

qemu provides an alternative, albeit a very slow one.

Joachim

Re: dspam on OpenBSD 4.0

[Joachim Schipper]

On Sun, Dec 17, 2006 at 09:18:45PM -0600, Vijay Sankar wrote:
 Yes, /var/dspam/data was already there after I installed the package (I
 am not using -current, just OpenBSD 4.0 from the CD and packages from
 mirror.arcticnet.ca.

 In case there is a better way than doing chmod 2771, please do let me
 know. Here is the output from ls -laR /var/dspam. The reason
 why /var/spam/data/vsankar and /var/dspam/system.log has 2777 is because
 I couldn't get the system statistics and quarantine information from the
 dspam.cgi program without opening that up.

Having permissions 2771 on /var/dspam/something is fine; I was
referring to having 2755 on /usr/bin/dspam, as you posted before
(http://marc.theaimsgroup.com/?l=openbsd-miscm=116632875008340w=2).
However, this seems to be by design; while I'd still argue it is a bad
idea, I thought you had tried to do that just to get stuff working, and
that's not a very good idea.

(In other words, time for me to do some actual research before replying.
Sorry!)

 Also, there is still one final problem. If user vsankar (unprivileged
 account) uses the dspam.cgi program and decides to reclassify a message
 already classified as spam by dspam, I get the following error
 in /var/log/maillog
 
 Dec 17 09:38:37 mx1 dspam[8781]: Delivery agent returned exit code
 1: /usr/libexec/mail.local -d vsankar
 Dec 17 09:38:38 mx1 mail.local: may only be run by the superuser

Ah, sendmail. I'm afraid I can't help you there; I've been using postfix
for as long as I know what a MTA is.

You could try using something like plain sendmail, or procmail, or
maildrop, although I don't know what would be considered the proper way
to do this.

 For now, I am thinking of avoiding using the dspam.cgi altogether and
 just moving the vsankar.mbox quarantine file into /home/vsankar/mail and
 accessing it through my webmail client if I ever want to reclassify
 email. But it would be nice to be able to do a Deliver Checked from
 the dspam.cgi interface.

I'll admit to being out of my depth here; I've looked at the dspam
documentation, but I've never actually installed it, and my e-mail
architecture is quite a little different from yours anyway (for one,
dspam should reinject mail into postfix... so I never get to mess with
local delivery agents, and it's far more likely I can get away with
non-suid dspam).

 mx1# ls -laR /var/dspam
 total 104
  4 drwxrws--x   3 _dspam  _dspam512 Dec 16 19:18 .
  4 drwxr-xr-x  27 rootwheel 512 Dec 16 14:33 ..
  4 drwxrws--x   7 _dspam  _dspam512 Dec 16 16:49 data
 88 -rwxrwxrwx   1 _dspam  _dspam  43199 Dec 17 20:45 system.log
 
 /var/dspam/data:
 total 28
 4 drwxrws--x  7 _dspam  _dspam  512 Dec 16 16:49 .
 4 drwxrws--x  3 _dspam  _dspam  512 Dec 16 19:18 ..
 4 drwxrws--x  2 _dspam  _dspam  512 Dec 16 16:06 root
 4 drwxrwsrwx  2 _dspam  _dspam  512 Dec 17 09:55 vsankar
 
 /var/dspam/data/root:
 total 60
  4 drwxrws--x  2 _dspam  _dspam512 Dec 16 16:06 .
  4 drwxrws--x  7 _dspam  _dspam512 Dec 16 16:49 ..
 36 -rwxrws--x  1 _dspam  _dspam  17276 Dec 17 01:30 root.log
 12 -rwxrws--x  1 _dspam  _dspam   4130 Dec 16 16:22 root.mbox
  4 -rwxrws--x  1 _dspam  _dspam 13 Dec 17 01:30 root.stats

Why the 'x' permission?

 /var/dspam/data/vsankar:
 total 208
   4 drwxrwsrwx  2 _dspam  _dspam512 Dec 17 09:55 .
   4 drwxrws--x  7 _dspam  _dspam512 Dec 16 16:49 ..
  24 -rwxrwxrwx  1 _dspam  _dspam  11881 Dec 17 20:45 vsankar.log
 160 -rwxrwxrwx  1 _dspam  _dspam  81766 Dec 17 20:45 vsankar.mbox
   4 -rw-r--r--  1 www _dspam  5 Dec 17 09:54 vsankar.mbox.size
   0 -rw-rw  1 www _dspam  0 Dec 17 09:54 vsankar.mbox.stamp
   4 -rw-r--r--  1 www _dspam228 Dec 17 09:38 vsankar.retrain.log
   4 -rw-r--r--  1 www _dspam 10 Dec 17 09:38 vsankar.rstats
   4 -rwxrwxrwx  1 _dspam  _dspam 14 Dec 17 20:45 vsankar.stats

Again, no need for execute permission. 

 Also, just as an FYI, this is what I get with dspam_stats
 
 vsankar:
 TP True Positives: 47
 TN True Negatives:  2
 FP False Positives: 5
 FN False Negatives:16
 SC Spam Corpusfed:  0
 NC Nonspam Corpusfed:   0
 TL Training Left:2493
 SHR Spam Hit Rate  74.60%
 HSR Ham Strike Rate:   71.43%
 OCA Overall Accuracy:  70.00%
 
 The 5 false positives were due to me not feeding dspam any notspam
 messages. What happened was I forwarded (as root) the Welcome to
 OpenBSD 4.0 message to vsankar five times and they all got classified
 as spam. After retraining, I am able to send that message through from
 root to vsankar. Since this is a test machine (MX preference 30 compared
 to 10 on the real mail servers) I only get spam on this machine, so I
 still have some ways to go to understand how this all works in a
 real-life scenario.

mapping promise product name to chip-id

[llx]

hi

i just spend quite some time looking around to determin which disc-controller 
from promise is using which chipset. depending on the model your looking for
you'll find someting on a mailing list. it's then up to you to believe the 
information found.

1. does anyone know where to find a reliable mapping table?

2. how do i have to interpret the following: in the FAQ: Supported hardware
   i don't see support for PDC40718. grepping the source let me assume there
   is.


cheers 
llx

Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage

[Dag Richards]

 smith wrote:



Blocking icmp violates RFC rules which means in a nutshell weird things will
happen on your network.  


Buda says :
Amen... obey RFC 1122. 

RFC compliance is almost always a good reason to do something.
So I have learned something I apparently should already have known.



i.e. icmp helps negotiate traffic throughput when two

nodes are communication over networks with various amounts of bandwidth.  If
you have firewall rules that allowed udp/tcp 53 and icmp to your dns server,
you would not violate RFC rules.  For someone to transport traffic through
icmp with these rules means that they would have to root your dns server.  At
that point, icmp isn't your problem.  Let me restate by saying if anyone on
your network tries to send traffic out via icmp, icmp isn't the problem, it's
the security of that computer that's the problem. 


We let users send out pretty much any traffic they want from their 
network, this debate was for me about what to allow _in_ to the dmz.


 Oh and if you're trying to

prevent your users from sending out confidential information to an external
source, let's face it, that's almost impossible. 


Yup, too true. Not trying to stop confidential info flow. Just trying to 
make illicit shell shipping harder.


 Such a user can use http or

better yet https as a transport as well or a floppy, usb hard drive, usb tump
drive, and email (especially with an encrypted attachment so that your filter
can see what it is).  Hell they can print it out and carry it in their
briefcase if they wanted.


Thats what I do ;)

Re: IPSec trouble

[viq]

On 17/12/06, viq [EMAIL PROTECTED] wrote:

On 17/12/06, Mathieu Sauve-Frankel [EMAIL PROTECTED] wrote:
 On Sun, Dec 17, 2006 at 02:16:48PM +0100, viq wrote:
  Yes, again... I am trying to set up VPN using IPSec, right now very
  basic setup, and it doesn't work as expected.
  Hosts being involved are keibi that acts as server, and trying to
  connect to it laptop sentan.

 there's an error in ipsecctl in -current which breaks ipsecctl unless you are
 loading your rules with the verbose flag ( ie. ipsecctl -vf ipsec.conf )

 I found it today and am just waiting for an okay to commit the fix,
 could you try out this diff in the meantime ?

I didn't try the diff yet, only loading with -v flag... And something
funny happens. I have IPv6 working as well in my network, and with
those very basic rules I have posted, esp traffic travels over IPv4,
yet only IPv6 traffic gets encapsulated...

snip patch


Fun. Both boxes now are:
OpenBSD 4.0-current (GENERIC) #1278: Sun Dec 17 19:52:22 MST 2006
   [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC

And esp runs around on IPv4, and IPv4 traffic gets nicely
encapsulated, but IPv6 doesn't get encapsulated, with the exact same
rules as posted before.

(No, I don't remember whether with that patch v6 worked)


 --
 Mathieu Sauve-Frankel



--
viq




--
viq

Re: dspam on OpenBSD 4.0

[Vijay Sankar]

I am going to try and stop top posting -- my replies are embedded below.

On Mon, 2006-18-12 at 18:29 +0100, Joachim Schipper wrote:
 On Sun, Dec 17, 2006 at 09:18:45PM -0600, Vijay Sankar wrote:
  Yes, /var/dspam/data was already there after I installed the package (I
  am not using -current, just OpenBSD 4.0 from the CD and packages from
  mirror.arcticnet.ca.
 
  In case there is a better way than doing chmod 2771, please do let me
  know. Here is the output from ls -laR /var/dspam. The reason
  why /var/spam/data/vsankar and /var/dspam/system.log has 2777 is because
  I couldn't get the system statistics and quarantine information from the
  dspam.cgi program without opening that up.
 
 Having permissions 2771 on /var/dspam/something is fine; I was
 referring to having 2755 on /usr/bin/dspam, as you posted before
 (http://marc.theaimsgroup.com/?l=openbsd-miscm=116632875008340w=2).
 However, this seems to be by design; while I'd still argue it is a bad
 idea, I thought you had tried to do that just to get stuff working, and
 that's not a very good idea.
 
 (In other words, time for me to do some actual research before replying.
 Sorry!)

Thanks very much for that clarification. I am still trying to reduce the
permissions and tried making /var/dspam and subdirectories 755 as you
suggested but it did not work. Without at least 775 on /var/dspam/data,
the stats file and log file don't get updated. So I am going back to
2771 for the data directories. 
 
  Also, there is still one final problem. If user vsankar (unprivileged
  account) uses the dspam.cgi program and decides to reclassify a message
  already classified as spam by dspam, I get the following error
  in /var/log/maillog
  
  Dec 17 09:38:37 mx1 dspam[8781]: Delivery agent returned exit code
  1: /usr/libexec/mail.local -d vsankar
  Dec 17 09:38:38 mx1 mail.local: may only be run by the superuser
 
 Ah, sendmail. I'm afraid I can't help you there; I've been using postfix
 for as long as I know what a MTA is.
 
 You could try using something like plain sendmail, or procmail, or
 maildrop, although I don't know what would be considered the proper way
 to do this.

I tried procmail but that introduces other problems as far as dpsam.cgi
is concerned. So I went back to mail.local as the LDA. 

 
  For now, I am thinking of avoiding using the dspam.cgi altogether and
  just moving the vsankar.mbox quarantine file into /home/vsankar/mail and
  accessing it through my webmail client if I ever want to reclassify
  email. But it would be nice to be able to do a Deliver Checked from
  the dspam.cgi interface.
 
 I'll admit to being out of my depth here; I've looked at the dspam
 documentation, but I've never actually installed it, and my e-mail
 architecture is quite a little different from yours anyway (for one,
 dspam should reinject mail into postfix... so I never get to mess with
 local delivery agents, and it's far more likely I can get away with
 non-suid dspam).
 
  mx1# ls -laR /var/dspam
  total 104
   4 drwxrws--x   3 _dspam  _dspam512 Dec 16 19:18 .
   4 drwxr-xr-x  27 rootwheel 512 Dec 16 14:33 ..
   4 drwxrws--x   7 _dspam  _dspam512 Dec 16 16:49 data
  88 -rwxrwxrwx   1 _dspam  _dspam  43199 Dec 17 20:45 system.log
  
  /var/dspam/data:
  total 28
  4 drwxrws--x  7 _dspam  _dspam  512 Dec 16 16:49 .
  4 drwxrws--x  3 _dspam  _dspam  512 Dec 16 19:18 ..
  4 drwxrws--x  2 _dspam  _dspam  512 Dec 16 16:06 root
  4 drwxrwsrwx  2 _dspam  _dspam  512 Dec 17 09:55 vsankar
  
  /var/dspam/data/root:
  total 60
   4 drwxrws--x  2 _dspam  _dspam512 Dec 16 16:06 .
   4 drwxrws--x  7 _dspam  _dspam512 Dec 16 16:49 ..
  36 -rwxrws--x  1 _dspam  _dspam  17276 Dec 17 01:30 root.log
  12 -rwxrws--x  1 _dspam  _dspam   4130 Dec 16 16:22 root.mbox
   4 -rwxrws--x  1 _dspam  _dspam 13 Dec 17 01:30 root.stats
 
 Why the 'x' permission?

I am really not sure. If I don't do a chmod -R 2771 on /var/dspam a
variety of things break. I tried 660 and got the permissions problem
when retraining, with 770 dspam.cgi did not provide stats and history
information, with 771 email doesn't get quarantined in vsankar.mbox.
chmod -R 2771 solves all these problems, possibly by introducing new
problems that I am not aware of :( Anyways, can't figure out why x is
needed. I even tried mounting /var/dspam with no nosuid in /etc/fstab.
It did not make a difference.

 
  /var/dspam/data/vsankar:
  total 208
4 drwxrwsrwx  2 _dspam  _dspam512 Dec 17 09:55 .
4 drwxrws--x  7 _dspam  _dspam512 Dec 16 16:49 ..
   24 -rwxrwxrwx  1 _dspam  _dspam  11881 Dec 17 20:45 vsankar.log
  160 -rwxrwxrwx  1 _dspam  _dspam  81766 Dec 17 20:45 vsankar.mbox
4 -rw-r--r--  1 www _dspam  5 Dec 17 09:54 vsankar.mbox.size
0 -rw-rw  1 www _dspam  0 Dec 17 09:54 vsankar.mbox.stamp
4 -rw-r--r--  1 www _dspam228 Dec 17 09:38 vsankar.retrain.log
4 -rw-r--r--  1 www _dspam 10 Dec 17 09:38 vsankar.rstats
4 -rwxrwxrwx  1 

Message (Your message dated Mon, 18 Dec 2006 20:53:22...)

[LISTSERV]

Your message dated Mon, 18 Dec 2006 20:53:22 +0200 with no subject has been
submitted  to  the  moderator  of  the  CSICOP-ANNOUNCE  list:  Barry  Karr
[EMAIL PROTECTED].

LineWrap Failure in Text-Terminal

[Sebastian Neuper]

Hi. With OpenBSD 4.0, I encounter a wrong line wrapping
in the text-terminals. If a line has 80 or more chars
there will be extra blank lines. This problem occurs
in ksh, more and less, but not in vi and lynx.

When I open a file in more, where line 28 has 85 or more 
chars and I scroll down with the courser keys three lines, 
I will get only the 80 chars followed by a blank line. When
I scroll down another line, there will be the left chars after
this blank line. With the repaint command CTRL-R in more, 
the blank line disappears.
When I scroll another 25 lines down, so that line 28 move off
the screen, and then scroll back a few lines, there won't be
a line 28 at all, until I put the repaint command.

This problem first occurred in OpenBSD 4.0 and I recognized it
after a clean install. OpenBSD 3.9 on the same computer did
a correct line wrapping.

So I looked through all the changes and noticed the new jump 
scroll feature for vt220 introduced in OpenBSD 4.0 and corrected
in OpenBSD Current. My computer is a 200MMX with a 2,5GB
Harddrive and compiling the complete source will be heavy or
impossible. So I cannot check, if this is the problem or if it
is already solved, and didn't send a bug-report.

In ksh there is a similar wrong behavior. When I type
$ ls tab
in a directory, containing following directories:
$ mkdir aaa b ccc   fff ggg   jjj
and my cursor is already at the bottom of the screen, the last
4 lines will be:
BEGINN
$ ls tab
aaa/   b/  ccc/  /  /  fff/   ggg/   /   /   jjj/
$ ls

END
containing also a blank line at the end, where there shouln't be one.
Another tab will print it correctly without the bottom blank line.
Again a tab will print it wrong with the blank line.

In the following directory it is even worse: 
$ mkdir aaa cc ddd ff  jjj    ooo
$ touch bbb. . g. . mm.mmm 
ls tab will print addional 3 blank lines at the bottom of the
screen.

I thought it was a problem in the terminal and changed in /etc/ttys
a virtual terminal from vt220 to vt100 and even dumb. This didn't
solve the problem and with dumb, vi didn't work properly anymore.

Can anyone help me to make my text-terminal work correctly? And
if this is already solved in OpenBSD Current, is there a workaround
without recompiling the source? 

Thanks, 
Sebastian.

I don't think this is a hardware problem, because 3.9 worked correctly.
Anyway, here my dmesg output:

OpenBSD 4.0 (GENERIC) #1107: Sat Sep 16 19:15:58 MDT 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium/MMX (GenuineIntel 586-class) 200 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,MMX
cpu0: F00F bug workaround installed
real mem  = 66678784 (65116K)
avail mem = 52559872 (51328K)
using 839 buffers containing 3436544 bytes (3356K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(c6) BIOS, date 10/08/96, BIOS32 rev. 0 @ 0xf8080
pcibios0 at bios0: rev 2.1 @ 0xf/0x67c
pcibios0: PCI BIOS has 5 Interrupt Routing table entries
pcibios0: PCI Interrupt Router at 000:07:0 (Intel 82371SB ISA rev 0x00)
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc/0x8000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel 82439HX rev 0x03
pcib0 at pci0 dev 7 function 0 Intel 82371SB ISA rev 0x01
pciide0 at pci0 dev 7 function 1 Intel 82371SB IDE rev 0x00: DMA, channel 0 
wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: ST52520A
wd0: 16-sector PIO, LBA, 2446MB, 5009760 sectors
atapiscsi0 at pciide0 channel 0 drive 1
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: HITACHI, CDR-7930, 1023 SCSI0 5/cdrom removable
wd0(pciide0:0:0): using PIO mode 4, DMA mode 2
cd0(pciide0:0:1): using PIO mode 0, DMA mode 1
pciide0: channel 1 disabled (no drives)
ne3 at pci0 dev 9 function 0 Realtek 8029 rev 0x00: irq 9, address 
00:e0:7d:98:4b:5e
ne4 at pci0 dev 10 function 0 Realtek 8029 rev 0x00: irq 9, address 
00:00:b4:9c:d6:c6
AVM Fritz ISDN rev 0x02 at pci0 dev 11 function 0 not configured
vga1 at pci0 dev 12 function 0 S3 ViRGE rev 0x06
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
isapnp0 at isa0 port 0x279: read port 0x203
sb1 at isapnp0 Creative SB16 PnP, CTL0031, , Audio port 
0x220/16,0x330/2,0x388/4 irq 5 drq 1,5: dsp v4.13
midi1 at sb1: SB MPU-401 UART
audio0 at 

Re: Home networking for an amateur

[Joe]

Take the time to upgrade. It's really easy and fast.

Don't skip releases though.

Upgrade like this: 3.7 - 3.8 - 3.9 - 4.0

Then your box will rock.




Erik Wikstrvm wrote:
I've get an box laying in my basement running OpenBSD 3.7 (probably 
should upgrade that some time but I've never taken the time) acting as 

Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage

[Jon Radel]

Dag Richards wrote:

  Such a user can use http or
 better yet https as a transport as well or a floppy, usb hard drive,
 usb tump
 drive, and email (especially with an encrypted attachment so that your
 filter
 can see what it is).  Hell they can print it out and carry it in their
 briefcase if they wanted.
 
 Thats what I do ;)
 

Dang, I just take the whole server.  Don't even have to reload the data
that way.

By the way, the only little quibble I've had with this discussion is
that some of the responses have been remarkably imprecise in the
distinction between icmp and icmp echo-requests.  I find that such
imprecision causes no end of trouble when specifying security policies.
 I, for example, am not the biggest fan of random people sending me icmp
redirects, but don't block many other icmp packets.

I'll also point out that opinions differ.  For example, the official
recommendation of the U.S. NIST (National Institute of Standards and
Technology) is:

block incoming echo request (ping and Windows traceroute)

block outgoing echo replies, time exceeded, and destination unreachable
messages except packet too big messages (type 3, code 4).
This item assumes that you are willing to forego the legitimate uses of
ICMP echo request to block some known malicious uses.

(Special Publication 800-41, p. 61.)

I suppose it all comes down to such unresolvable matters such as is
making it harder for outsiders to map your network merely security
through obscurity, which is naturally below the dignity of any right
thinking network engineer, or does it have value in today's Internet?

:-)

--Jon Radel

[demime 1.01d removed an attachment of type application/x-pkcs7-signature which 
had a name of smime.p7s]

Slightly OT: DNS force client to use authoritative

[Karl R. Balsmeier]

Is there a specific way to set a name server so that clients are always 
*forced* to use an autoritative name server?

UltraDNS and some others have mentioned little features they have, but it hints 
at the possibility that somewhere in the DNS spec.

-krb

Re: Slightly OT: DNS force client to use authoritative

[Jon Simola]

On 12/18/06, Karl R. Balsmeier [EMAIL PROTECTED] wrote:

Is there a specific way to set a name server so that clients are always 
*forced* to use an autoritative name server?


Clients can not (or at least, should not) talk directly to
authoritative name servers. Clients make their DNS requests with the
recursion desired bit set, and should only speak to recursive
resolvers. Those recursive resolvers make their requests without the
recursion desired bit set and speak to authoritative servers, starting
with the root servers.

Some DNS servers, such as BIND, can run in both roles simultaneously
with a single daemon. Others, such as djbdns, run seperate servers for
each type of service (tinydns for authoritative,  dnscache for a
recursive resolver).

--
Jon

Re: ral0: device timeout

[Markus Bergkvist]

Some new findings. Hopefully these means something to someone because I
don't really know where to go from here.

I noticed that I can't reproduce the 'device timeout' if I turn off the 
device at the AP. Could the AP be responding with something fishy?


I also found out that if I change the ral-cards to
explicitly use 'media OFDM54' the 'device timeout' would occur less
often, and when they do, I can most often get it to work by bring it
down and then
#sh /etc/netstart ral0

When I get 'device timeout' I see the following at the AP
ral0: received auth from 00:13:f7:1e:a7:86 rssi 119
ral0: sending auth to 00:13:f7:1e:a7:86 on channel 11
ral0: station 00:13:f7:1e:a7:86 newly authenticated (open)

I have not yet been able to get a debug print from client ral when it is 
failing, is there a way to set that in hostname.if? If the device is not 
failing during boot, it is hard to get it to fail.


I have also seen the timeout on the AP once when I rebooted it while the 
client was up, but it didn't occur repeatedly as it does on the client.


== AP hostname.if ==
# cat /etc/hostname.ral0
inet 192.168.0.2 255.255.255.0 NONE media OFDM54 mode 11g mediaopt
hostap chan 11 nwid himmet_wlan


== Client hostname.if ==
# cat /etc/hostname.ral0
dhcp NONE NONE NONE media OFDM54 mode 11g chan 11 nwid himmet_wlan


/Markus



For some time now I've been trying to get my SMC wireless cardbus[1] with 
Ralink RT2600 chipset[2] to work on my laptop running OpenBSD 4.0 -stable but I 
keep getting 'ral0: device timeout'.
If I bring the device down and then up (sometimes I have to do this several 
times) I finally get it to work. After that I don't get any more 'device 
timeout' until next reboot.

This is what ral(4) has to say about that error:
ral%d: device timeout  A frame dispatched to the hardware for transmission 
did not complete in time.  The driver will reset the hardware.  This should not 
happen.

Unfortunately, it does happen. My question is, why? And what can i do to remedy 
this?

I have a SMC pci-card[3] in the AP but I have not seen that problem there.

I enclose dmesg and ifconfig ral0 from client and ap.

Re: Slightly OT: DNS force client to use authoritative

[Rod Dorman]

On Monday, December 18, 2006, 15:45:19, Karl R. Balsmeier wrote:
 Is there a specific way to set a name server so that clients are
 always *forced* to use an autoritative name server?

What  do  you mean by an authoritative name server? There is no single
name server which is authoritative for every host in existence.

Are you asking about BIND's delegation-only option?

-- 
[EMAIL PROTECTED] The avalanche has already started, it is too
Rod Dorman  late for the pebbles to vote. - Ambassador Kosh

How can I view rule numbers under OpenBSD 4.0?

[carlopmart]

Hi all,

 first of all, many to everybody helps me to block all ipv6 traffic (security
staff accept your option).

 And now my question: how can I view rule numbers assigned by pf?? Under OpenBSD
3.7 using pfctl -ws display this info ... How can I do with OpenBSD 4.0??

Many thanks.

-- 
CL Martinez
carlopmart {at} gmail {d0t} com

Re: How can I view rule numbers under OpenBSD 4.0?

[Darren Spruell]

On 12/18/06, carlopmart [EMAIL PROTECTED] wrote:

Hi all,

 first of all, many to everybody helps me to block all ipv6 traffic (security
staff accept your option).

 And now my question: how can I view rule numbers assigned by pf?? Under OpenBSD
3.7 using pfctl -ws display this info ... How can I do with OpenBSD 4.0??


pfctl -vvsr

verbose, verbose, show, rules.  Refer to pfctl(8).

DS

Re: Soekris box crashing... drops to ddb

[David Bryan]

Thanks for looking at this, I think that you are correct... someone had 
plugged in the wrong power adapter into this box, and thusly ( 6-8 Volts 
@ 800ma ) goofed up the CF card... I think that the extra power of the 
CF disk IO from the find command caused this box to crash every day.  Oh 
well, live an learn, and smack those that plug in the wrong power cord!


I'm CCing misc for the archive so that if someone else runs into these 
issues they may also have a clue as to what may be going on.


Igor Sobrado wrote:

Hello.

It looks like a problem in the CF card.  Would it be possible reinstalling
the operating system on the Soekris?  Does this problem always happen in
the same inode?  Or, even better, would it be possible trying a new CF
card on the Soekris?  If you do not have a need for a specific CF card,
I would suggest trying a SanDISK CF.  These cards are not expensive at
all and work fine on the Soekris appliances.

Hopefully, it looks like a bad CF card, not a bad Soekris.

Cheers,
Igor.

Re: CGI Scripts in OpenBSD

[David Bryan]

Once your scripts are working you could try to copy the files that are 
need for the CGI script into the chrooted directory.


If the cgi script is a pre-compiled binary that has been linked to other 
library's your can run the following to find out what it needs.


ldd /var/www/cgi-bin/your-prog

If it's just a cgi script with regular commands, you will have to copy 
each command into the /var/www directory. 

So lets say your script runs the banner command- so the following will 
show what could be done to run the command with-in a chrooted apache server.


$ ldd /usr/bin/banner
/usr/bin/banner:
   StartEnd  Type Open Ref GrpRef Name
     exe  10   0  /usr/bin/banner
   0c54d000 2c57e000 rlib 01   0  /usr/lib/libc.so.39.0
   0b67a000 0b67a000 rtld 01   0  /usr/libexec/ld.so

So we need libc and ld.so with the same paths in /var/www... so:

First- create some of the standard files that many binaries look for-
mkdir /var/www/etc
grep www /etc/passwd  /var/www/etc/passwd
grep localhost /etc/hosts  /var/www/etc/hosts
cp /etc/resolv.conf /var/www/etc

Next- we will copy the files in place.
mkdir /var/www/usr/bin
mkdir /var/www/usr/lib
mkdir /var/www/usr/libexec
# Do the following as root, or sudo
cp -p /usr/bin/banner /var/www/bin
cp -p /usr/lib/libc.so.39.0 /var/www/lib
cp -p /usr/libexec/ld.so /var/www/libexec
# you may or may not need this...
cp -p /bin/sh /var/www/bin

There are plenty of FAQs on setting up binaries and script to run in a 
chrooted environment, and I would highly recommend that people start 
making this stuff work, rather then going for a less secure web server 
and scripts.  It's just a matter of time before apache has a major flaw, 
or something in a script fails.


Have fun! 


Francisco Valladolid wrote:

hi, .. if you are new to OpenBSD, enabling chroot maybe difficult for you, i
recommended run apache without chroot.

disable it in /etc/rc.conf

httpd_flags=-u  # the -u option disable chroot

then you can run your cgi scripts from /var/www/cgi-bin/  only doing chmod
755 script

Regards.


On 11/20/06, Hannah Broughton [EMAIL PROTECTED] wrote:
  

Hi,

I'm completely new to openBSD and have been trying to configure apache
to run some CGI scripts.
I have apache working fine, but the CGI scripts are failing with error
500 and the log file reports Premature end of script header.

I am very sure that this is not the script that is wrong, I have the
content-type header and have read many articles on the net about this
error and still can't fix the problem.

I have a feeling there may be some config specific to OpenBSD that I may
have missed in order to enable the running of CGI scripts?

Thanks for any help,
Hannah

This message has been checked for viruses but the contents of an
attachment
may still contain software viruses, which could damage your computer
system:
you are advised to perform your own checks. Email communications with the
University of Nottingham may be monitored as permitted by UK legislation.

64-bit Linux Emulation on AMD64?

[alex]

Hello,

I've got a fresh new 4.0/AMD64 system installed, and after sitting down 
to add Linux binary compatibility, I see that it apparently doesn't 
exist on this platform. After some archive digging, it doesn't appear 
that the idea has been thoroughly discussed, especially since adding 
32-bit Linux binary support would be difficult at best 
(http://marc.theaimsgroup.com/?l=openbsd-miscm=109036873227847w=2).


Since I'm not exactly familiar with what exactly makes Linux 
compatibility work behind the scenes, I apologize if this is a dumb 
question...but would it be feasible to add support for Linux/AMD64 
binaries on OpenBSD/AMD64? It seems like this would eliminate the 
problem of 32-to-64 bit conversions/wackiness, though I wouldn't be 
surprised if other nasty problems were lurking under the hood.


If this is within the realm of possibility, I'd be interested in 
working to make it a reality. Given my lack of experience, I could 
probably be more helpful as a tester for someone else who was 
attempting to implement this...but if there's no one out there 
interested in working on a project like this, I'd be willing to take a 
stab at it myself, especially if whoever is responsible for i386 Linux 
compatibility was willing to speak with me regarding at least the 
basics of what would be necessary.


Alex Kirk

Re: nagios check_carp for OpenBSD carp(4)

[Christopher Snell]

On 12/15/06, Brian A. Seklecki [EMAIL PROTECTED] wrote:

Thoughts? Strategies? Ideas?
---

Ask the machine directly? Ask an adjacent machine?


Joel Knight just released an updated OpenBSD SNMP MIB that supports
reading data from the sensors framework.  Perhaps he could be
persuaded to add support for CARP state detection?  :)

Chris

Re: LineWrap Failure in Text-Terminal

[Otto Moerbeek]

On Mon, 18 Dec 2006, Sebastian Neuper wrote:

 Hi. With OpenBSD 4.0, I encounter a wrong line wrapping
 in the text-terminals. If a line has 80 or more chars
 there will be extra blank lines. This problem occurs
 in ksh, more and less, but not in vi and lynx.
 
 When I open a file in more, where line 28 has 85 or more 
 chars and I scroll down with the courser keys three lines, 
 I will get only the 80 chars followed by a blank line. When
 I scroll down another line, there will be the left chars after
 this blank line. With the repaint command CTRL-R in more, 
 the blank line disappears.
 When I scroll another 25 lines down, so that line 28 move off
 the screen, and then scroll back a few lines, there won't be
 a line 28 at all, until I put the repaint command.
 
 This problem first occurred in OpenBSD 4.0 and I recognized it
 after a clean install. OpenBSD 3.9 on the same computer did
 a correct line wrapping.
 
 So I looked through all the changes and noticed the new jump 
 scroll feature for vt220 introduced in OpenBSD 4.0 and corrected
 in OpenBSD Current. My computer is a 200MMX with a 2,5GB
 Harddrive and compiling the complete source will be heavy or
 impossible. So I cannot check, if this is the problem or if it
 is already solved, and didn't send a bug-report.

Try running a snapshot kernel. It's likely (but not guaranteed) a
snapshot bsd will work nicely with a 4.0 userland. Download bsd and
put it in your /, named bsd.snap and boot that on the boot prompt. 

-Otto

 
 In ksh there is a similar wrong behavior. When I type
 $ ls tab
 in a directory, containing following directories:
 $ mkdir aaa b ccc   fff ggg   jjj
 and my cursor is already at the bottom of the screen, the last
 4 lines will be:
 BEGINN
 $ ls tab
 aaa/   b/  ccc/  /  /  fff/   ggg/   /   /   jjj/
 $ ls
 
 END
 containing also a blank line at the end, where there shouln't be one.
 Another tab will print it correctly without the bottom blank line.
 Again a tab will print it wrong with the blank line.
 
 In the following directory it is even worse: 
 $ mkdir aaa cc ddd ff  jjj    ooo
 $ touch bbb. . g. . mm.mmm 
 ls tab will print addional 3 blank lines at the bottom of the
 screen.
 
 I thought it was a problem in the terminal and changed in /etc/ttys
 a virtual terminal from vt220 to vt100 and even dumb. This didn't
 solve the problem and with dumb, vi didn't work properly anymore.
 
 Can anyone help me to make my text-terminal work correctly? And
 if this is already solved in OpenBSD Current, is there a workaround
 without recompiling the source? 
 
 Thanks, 
 Sebastian.
 
 I don't think this is a hardware problem, because 3.9 worked correctly.
 Anyway, here my dmesg output:
 
 OpenBSD 4.0 (GENERIC) #1107: Sat Sep 16 19:15:58 MDT 2006
 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
 cpu0: Intel Pentium/MMX (GenuineIntel 586-class) 200 MHz
 cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,MMX
 cpu0: F00F bug workaround installed
 real mem  = 66678784 (65116K)
 avail mem = 52559872 (51328K)
 using 839 buffers containing 3436544 bytes (3356K) of memory
 mainbus0 (root)
 bios0 at mainbus0: AT/286+(c6) BIOS, date 10/08/96, BIOS32 rev. 0 @ 0xf8080
 pcibios0 at bios0: rev 2.1 @ 0xf/0x67c
 pcibios0: PCI BIOS has 5 Interrupt Routing table entries
 pcibios0: PCI Interrupt Router at 000:07:0 (Intel 82371SB ISA rev 0x00)
 pcibios0: PCI bus #0 is the last bus
 bios0: ROM list: 0xc/0x8000
 cpu0 at mainbus0
 pci0 at mainbus0 bus 0: configuration mode 1 (bios)
 pchb0 at pci0 dev 0 function 0 Intel 82439HX rev 0x03
 pcib0 at pci0 dev 7 function 0 Intel 82371SB ISA rev 0x01
 pciide0 at pci0 dev 7 function 1 Intel 82371SB IDE rev 0x00: DMA, channel 0 
 wired to compatibility, channel 1 wired to compatibility
 wd0 at pciide0 channel 0 drive 0: ST52520A
 wd0: 16-sector PIO, LBA, 2446MB, 5009760 sectors
 atapiscsi0 at pciide0 channel 0 drive 1
 scsibus0 at atapiscsi0: 2 targets
 cd0 at scsibus0 targ 0 lun 0: HITACHI, CDR-7930, 1023 SCSI0 5/cdrom 
 removable
 wd0(pciide0:0:0): using PIO mode 4, DMA mode 2
 cd0(pciide0:0:1): using PIO mode 0, DMA mode 1
 pciide0: channel 1 disabled (no drives)
 ne3 at pci0 dev 9 function 0 Realtek 8029 rev 0x00: irq 9, address 
 00:e0:7d:98:4b:5e
 ne4 at pci0 dev 10 function 0 Realtek 8029 rev 0x00: irq 9, address 
 00:00:b4:9c:d6:c6
 AVM Fritz ISDN rev 0x02 at pci0 dev 11 function 0 not configured
 vga1 at pci0 dev 12 function 0 S3 ViRGE rev 0x06
 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
 wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
 isa0 at pcib0
 isadma0 at isa0
 pckbc0 at isa0 port 0x60/5
 pckbd0 at pckbc0 (kbd slot)
 pckbc0: using irq 1 for kbd slot
 wskbd0 at pckbd0: console keyboard, using wsdisplay0
 pcppi0 at isa0 port 0x61
 midi0 at pcppi0: PC speaker
 spkr0 at pcppi0
 lpt0 at isa0 port 0x378/4 irq 7
 npx0 at isa0 port 0xf0/16: using exception 16
 pccom0 at isa0 

revision control system for system administration

[atstake atstake]

Not directly OpenBSD related but I thought I'd ask. I'd like to use
a revision control system to manage files on 25-30
servers but I'm not sure whether I'd use a centralized repository or
have a separate revision control system on each box. It would also be good
to know how much leverage can a revision control system can give
over a make-backup-before-change policy in the long run and also
what files and directories should I add to it. Anything else anyone
would like to add from experience would be much appreciated.

Thanks.