Re: dhcpd question
On Sat, Dec 16, 2006 at 04:55:45PM +0800, Lars Hansson wrote:
| On Saturday 16 December 2006 06:47, Craig Skinner wrote:
| Don't do that. DJB junk is not in ports for good reasons.
|
| And the reason has nothing to do with the quality of DJB's stuff.

Even though many would argue that it sucks.

Paul 'WEiRD' de Weerd

--
[++-]+++.+++[---].+++[+ +++-].++[-]+.--.[-]
http://www.weirdnet.nl/
Re: wifi signal triangulation
On Sun, Dec 17, 2006 at 12:09:12PM -0600, Jacob Yocom-Piatt wrote:
> only today have i tried out hostapd, it is quite neat. while adding a 2nd AP to my network a thought occurred to me: if you had 3 APs that were sufficiently spread out and had tightly synced clocks you could likely triangulate the source of a wifi signal with a fair deal of accuracy. is this doable?

yes but it needs some heavy math ;). you can get some results by using the signal strength, but it is probably better if you also use the round trip time and some low level information.

once we implemented it with hostapd, a sql patch (to allow the central hostapd sensor to log into a postgresql database), some gps coordinates, and a hacked psql script to directly query the triangulated results from the database.

a guy from the ccc implemented a php frontend to draw the station coordinates on an area map, but i would prefer an implementation using svg and firefox without the need of a server-side scripting language now ;).

unfortunately, our code got lost after the experiment, but i may still find the hostapdsql diff.

reyk
OpenBSD and antispam - question
I have a LAN (50 computers) and a router running OpenBSD 4.0 / Pf. I also have a mail server (external ISP):

mailserver -internet-router-lan

I need an antispam gateway for my LAN but I don't know what I can use with pf (spamassassin / spamd pop3 proxy?)
Re: wifi signal triangulation
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Reyk Floeter
Sent: Monday, December 18, 2006 11:22 AM
To: Jacob Yocom-Piatt
Cc: misc@openbsd.org
Subject: Re: wifi signal triangulation

> On Sun, Dec 17, 2006 at 12:09:12PM -0600, Jacob Yocom-Piatt wrote:
>> only today have i tried out hostapd, it is quite neat. while adding a 2nd AP to my network a thought occurred to me: if you had 3 APs that were sufficiently spread out and had tightly synced clocks you could likely triangulate the source of a wifi signal with a fair deal of accuracy. is this doable?
>
> yes but it needs some heavy math ;). you can get some results by using the signal strength, but it is probably better if you also use the round trip time and some low level information.

I'm curious about this, especially about the final triangulation resolution. The wifi signal propagates at the speed of light, 300k km/s, so to get a (relatively poor) distance resolution of 1 km, one would need to be able to reliably clock times smaller than (1 km) / (300k km/s) = 3 * 10^-6 s, or in other words, less than three microseconds.

GSM does something similar - since GSM is using TDMA, the signal from a mobile terminal has to reach the base station during a specific timeframe slot. On the mobile terminal there is a parameter called TA (for Timing Advance) that shows the timing correction factor because of the distance to the BTS, and if I recall correctly, it is possible to get a 250m resolution out of TA. But GSM hardware is probably more suitable for this than regular PC hardware.

> once we implemented it with hostapd, a sql patch (to allow the central hostapd sensor to log into a postgresql database), some gps coordinates, and a hacked psql script to directly query the triangulated results from the database.
>
> a guy from the ccc implemented a php frontend to draw the station coordinates on an area map, but i would prefer an implementation using svg and firefox without the need of a server-side scripting language now ;).

Do you happen to have a screen capture of the result?

> unfortunately, our code got lost after the experiment, but i may still find the hostapdsql diff.
>
> reyk

Mitja
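
An added example, not part of the original thread and not the lost hostapd/SQL code: the timing arithmetic discussed above, followed by a least-squares position estimate from three or more APs. The flat x/y grid in metres, the AP positions and all function names are assumptions made for illustration.

```python
import math

C = 299_792_458.0  # speed of light in m/s


def range_resolution_m(clock_resolution_s):
    """One-way distance a signal covers in one tick of the measuring clock."""
    return C * clock_resolution_s


def rtt_to_distance_m(rtt_s, turnaround_s=0.0):
    """Distance from a round-trip time after removing the station's
    turnaround delay (assumed known here; in practice it needs calibration)."""
    return C * (rtt_s - turnaround_s) / 2.0


def trilaterate(anchors, distances):
    """Least-squares 2-D position from >= 3 anchors (x, y) and measured ranges.

    Each range gives a circle (x-xi)^2 + (y-yi)^2 = di^2. Subtracting the
    first circle from the others removes the quadratic terms:
        2(xi-x0)x + 2(yi-y0)y = d0^2 - di^2 + xi^2 + yi^2 - x0^2 - y0^2
    The resulting linear system is solved through its 2x2 normal equations.
    """
    if len(anchors) < 3 or len(anchors) != len(distances):
        raise ValueError("need at least three anchors, one range per anchor")
    (x0, y0), d0 = anchors[0], distances[0]
    saa = sab = sbb = sac = sbc = 0.0
    for (xi, yi), di in zip(anchors[1:], distances[1:]):
        a = 2.0 * (xi - x0)
        b = 2.0 * (yi - y0)
        c = d0**2 - di**2 + xi**2 + yi**2 - x0**2 - y0**2
        saa += a * a
        sab += a * b
        sbb += b * b
        sac += a * c
        sbc += b * c
    det = saa * sbb - sab * sab
    if abs(det) < 1e-9:
        raise ValueError("anchors are collinear; position is not determined")
    x = (sac * sbb - sab * sbc) / det
    y = (saa * sbc - sab * sac) / det
    return x, y


def demo():
    # Constructed sample: three APs on a flat grid (metres), station at (30, 40).
    aps = [(0.0, 0.0), (100.0, 0.0), (0.0, 100.0)]
    station = (30.0, 40.0)
    exact = [math.hypot(station[0] - x, station[1] - y) for x, y in aps]
    good = trilaterate(aps, exact)
    # Same ranges, but the second AP's one-way timing is off by 1 microsecond.
    skewed = list(exact)
    skewed[1] += range_resolution_m(1e-6)
    bad = trilaterate(aps, skewed)
    error_m = math.hypot(bad[0] - station[0], bad[1] - station[1])
    return good, bad, error_m


if __name__ == "__main__":
    good, bad, error_m = demo()
    print("1 us of clock error  = %.1f m of range" % range_resolution_m(1e-6))
    print("exact ranges         -> (%.2f, %.2f)" % good)
    print("one range off by 1us -> (%.2f, %.2f), %.0f m away" % (bad + (error_m,)))
```

With APs only 100 m apart, a single microsecond of timing error on one AP moves the estimate by several hundred metres, which is why sub-microsecond clocks matter for the time-based approach.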
Re: wifi signal triangulation
On Mon, Dec 18, 2006 at 05:15:08AM -0600, Sam Fourman Jr. wrote:
> I would be interested in trying the hostapdsql diff

ok, i need to clean it up and bring it in sync with the current hostapd first.

reyk
Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage
* Dag Richards [EMAIL PROTECTED] [2006-12-18 06:10]:
> I block all inbound traffic to my networks not required for operations.

(most of) icmp qualifies as required for operations. especially including echo-request and -reply.

--
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: Problems in my wireless card
On 12/18/06, Eduardo Jorge [EMAIL PROTECTED] wrote:
> Hi. This is my dmesg
> OpenBSD 4.0 (NEIN) #0: Sun Dec 17 05:20:14 BRST 2006
  ^

At first. Before you post make sure you use a GENERIC kernel (because we can only guess what option your kernel uses).

> vendor Atheros, unknown product 0x001a (class network subclass ethernet, rev 0x01) at pci1 dev 5 function 0 not configured

As you can see your card vendor is recognized but not the card itself. It is not supported by OpenBSD.

Andreas.

--
Hobbes : Shouldn't we read the instructions?
Calvin : Do I look like a sissy?
Re: package update trouble
On 12/16/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Fair enough. I tried it and I got a list of available packages. It is a little confusing because the output is carping about the candidate being ambiguous -not what version the candidate should be updated to. Anyways, it still gives me:
>
> Cannot find updates for unarj-2.43 unrar-3.54p0
>
> Quote: Both unarj and unrar are dependencies of ClamAV, but they are not licensed for binary download. They must be built from ports. See FAQ 15.4.3.

So, build it, then install it.

> I updated my ports but unarj and unrar have not changed. I guess I cannot update clamav until that happens.

pkg_add(1) describes some options for forcing installations using '-F'. Read.

You're assuming here that the ports tree / package system has left you crippled, but unlike other OSes' package systems, OpenBSD doesn't. Unless you hit big problems tracking -current, I doubt anyone will ever see that happen.

--
Darren Spruell [EMAIL PROTECTED]
CRC Value Mismatch sd0(ahc0:0:0): parity error deteched in Dtata-in phase
On a fresh new scsi disk (Fujitsu), adaptec on board scsi adapter (Compaq server), when booting to install the os (OpenBSD) I got an error:

CRC Value Mismatch sd0(ahc0:0:0): parity error deteched in Dtata-in phase. SEQUADDR (0X73) SCDIRATE (0xc2)
CRC Value Mismatch sd0(ahc0:0:0): parity error deteched in Dtata-in phase. SEQUADDR (0X73) SCDIRATE (0xc2)
CRC Value Mismatch sd0(ahc0:0:0): parity error deteched in Dtata-in phase. SEQUADDR (0X73) SCDIRATE (0xc2)
..

Disk has an ID:0

What is wrong?

thanks
Re: OpenBSD -Current and WINE
On Sun, Dec 17, 2006 at 10:09:15PM -0600, Sam Fourman Jr. wrote:
> Would you happen to have a link where the WINE developers state that? it would be an interesting read. There is still much more I must learn about the differences between FreeBSD and OpenBSD.

I'd suggest http://www.winehq.org/site/docs/wine-faq/index#UNDER-WHAT-PLATFORMS-WILL-WINE-RUN. Their mailing lists are likely to contain some more information.

qemu provides an alternative, albeit a very slow one.

Joachim
Re: dspam on OpenBSD 4.0
On Sun, Dec 17, 2006 at 09:18:45PM -0600, Vijay Sankar wrote:
> Yes, /var/dspam/data was already there after I installed the package (I am not using -current, just OpenBSD 4.0 from the CD and packages from mirror.arcticnet.ca. In case there is a better way than doing chmod 2771, please do let me know. Here is the output from ls -laR /var/dspam. The reason why /var/spam/data/vsankar and /var/dspam/system.log has 2777 is because I couldn't get the system statistics and quarantine information from the dspam.cgi program without opening that up.

Having permissions 2771 on /var/dspam/something is fine; I was referring to having 2755 on /usr/bin/dspam, as you posted before (http://marc.theaimsgroup.com/?l=openbsd-misc&m=116632875008340&w=2). However, this seems to be by design; while I'd still argue it is a bad idea, I thought you had tried to do that just to get stuff working, and that's not a very good idea.

(In other words, time for me to do some actual research before replying. Sorry!)

> Also, there is still one final problem. If user vsankar (unprivileged account) uses the dspam.cgi program and decides to reclassify a message already classified as spam by dspam, I get the following error in /var/log/maillog
>
> Dec 17 09:38:37 mx1 dspam[8781]: Delivery agent returned exit code 1: /usr/libexec/mail.local -d vsankar
> Dec 17 09:38:38 mx1 mail.local: may only be run by the superuser

Ah, sendmail. I'm afraid I can't help you there; I've been using postfix for as long as I know what a MTA is. You could try using something like plain sendmail, or procmail, or maildrop, although I don't know what would be considered the proper way to do this.

> For now, I am thinking of avoiding using the dspam.cgi altogether and just moving the vsankar.mbox quarantine file into /home/vsankar/mail and accessing it through my webmail client if I ever want to reclassify email. But it would be nice to be able to do a Deliver Checked from the dspam.cgi interface.

I'll admit to being out of my depth here; I've looked at the dspam documentation, but I've never actually installed it, and my e-mail architecture is quite a little different from yours anyway (for one, dspam should reinject mail into postfix... so I never get to mess with local delivery agents, and it's far more likely I can get away with non-suid dspam).

> mx1# ls -laR /var/dspam
> total 104
> 4 drwxrws--x 3 _dspam _dspam 512 Dec 16 19:18 .
> 4 drwxr-xr-x 27 root wheel 512 Dec 16 14:33 ..
> 4 drwxrws--x 7 _dspam _dspam 512 Dec 16 16:49 data
> 88 -rwxrwxrwx 1 _dspam _dspam 43199 Dec 17 20:45 system.log
>
> /var/dspam/data:
> total 28
> 4 drwxrws--x 7 _dspam _dspam 512 Dec 16 16:49 .
> 4 drwxrws--x 3 _dspam _dspam 512 Dec 16 19:18 ..
> 4 drwxrws--x 2 _dspam _dspam 512 Dec 16 16:06 root
> 4 drwxrwsrwx 2 _dspam _dspam 512 Dec 17 09:55 vsankar
>
> /var/dspam/data/root:
> total 60
> 4 drwxrws--x 2 _dspam _dspam 512 Dec 16 16:06 .
> 4 drwxrws--x 7 _dspam _dspam 512 Dec 16 16:49 ..
> 36 -rwxrws--x 1 _dspam _dspam 17276 Dec 17 01:30 root.log
> 12 -rwxrws--x 1 _dspam _dspam 4130 Dec 16 16:22 root.mbox
> 4 -rwxrws--x 1 _dspam _dspam 13 Dec 17 01:30 root.stats

Why the 'x' permission?

> /var/dspam/data/vsankar:
> total 208
> 4 drwxrwsrwx 2 _dspam _dspam 512 Dec 17 09:55 .
> 4 drwxrws--x 7 _dspam _dspam 512 Dec 16 16:49 ..
> 24 -rwxrwxrwx 1 _dspam _dspam 11881 Dec 17 20:45 vsankar.log
> 160 -rwxrwxrwx 1 _dspam _dspam 81766 Dec 17 20:45 vsankar.mbox
> 4 -rw-r--r-- 1 www _dspam 5 Dec 17 09:54 vsankar.mbox.size
> 0 -rw-rw 1 www _dspam 0 Dec 17 09:54 vsankar.mbox.stamp
> 4 -rw-r--r-- 1 www _dspam 228 Dec 17 09:38 vsankar.retrain.log
> 4 -rw-r--r-- 1 www _dspam 10 Dec 17 09:38 vsankar.rstats
> 4 -rwxrwxrwx 1 _dspam _dspam 14 Dec 17 20:45 vsankar.stats

Again, no need for execute permission.

> Also, just as an FYI, this is what I get with dspam_stats vsankar:
>
> TP True Positives: 47
> TN True Negatives: 2
> FP False Positives: 5
> FN False Negatives: 16
> SC Spam Corpusfed: 0
> NC Nonspam Corpusfed: 0
> TL Training Left: 2493
> SHR Spam Hit Rate 74.60%
> HSR Ham Strike Rate: 71.43%
> OCA Overall Accuracy: 70.00%
>
> The 5 false positives were due to me not feeding dspam any notspam messages. What happened was I forwarded (as root) the Welcome to OpenBSD 4.0 message to vsankar five times and they all got classified as spam. After retraining, I am able to send that message through from root to vsankar. Since this is a test machine (MX preference 30 compared to 10 on the real mail servers) I only get spam on this machine, so I still have some ways to go to understand how this all works in a real-life scenario.
mapping promise product name to chip-id
hi

i just spent quite some time looking around to determine which disc-controller from promise is using which chipset. depending on the model you're looking for you'll find something on a mailing list. it's then up to you to believe the information found.

1. does anyone know where to find a reliable mapping table?
2. how do i have to interpret the following: in the FAQ: Supported hardware i don't see support for PDC40718. grepping the source let me assume there is.

cheers
llx
Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage
smith wrote:
> Blocking icmp violates RFC rules which means in a nutshell weird things will happen on your network.

Buda says : Amen... obey RFC 1122. RFC compliance is almost always a good reason to do something. So I have learned something I apparently should already have known. i.e. icmp helps negotiate traffic throughput when two nodes are communicating over networks with various amounts of bandwidth.

> If you have firewall rules that allowed udp/tcp 53 and icmp to your dns server, you would not violate RFC rules. For someone to transport traffic through icmp with these rules means that they would have to root your dns server. At that point, icmp isn't your problem. Let me restate by saying if anyone on your network tries to send traffic out via icmp, icmp isn't the problem, it's the security of that computer that's the problem.

We let users send out pretty much any traffic they want from their network, this debate was for me about what to allow _in_ to the dmz.

> Oh and if you're trying to prevent your users from sending out confidential information to an external source, let's face it, that's almost impossible.

Yup, too true. Not trying to stop confidential info flow. Just trying to make illicit shell shipping harder.

> Such a user can use http or better yet https as a transport as well or a floppy, usb hard drive, usb thumb drive, and email (especially with an encrypted attachment so that your filter can see what it is). Hell they can print it out and carry it in their briefcase if they wanted.

That's what I do ;)
Re: IPSec trouble
On 17/12/06, viq [EMAIL PROTECTED] wrote:
> On 17/12/06, Mathieu Sauve-Frankel [EMAIL PROTECTED] wrote:
>> On Sun, Dec 17, 2006 at 02:16:48PM +0100, viq wrote:
>>> Yes, again... I am trying to set up VPN using IPSec, right now very basic setup, and it doesn't work as expected. Hosts being involved are keibi that acts as server, and trying to connect to it laptop sentan.
>>
>> there's an error in ipsecctl in -current which breaks ipsecctl unless you are loading your rules with the verbose flag ( ie. ipsecctl -vf ipsec.conf ) I found it today and am just waiting for an okay to commit the fix, could you try out this diff in the meantime ?
>
> I didn't try the diff yet, only loading with -v flag... And something funny happens. I have IPv6 working as well in my network, and with those very basic rules I have posted, esp traffic travels over IPv4, yet only IPv6 traffic gets encapsulated...
>
>> snip patch

Fun. Both boxes now are:

OpenBSD 4.0-current (GENERIC) #1278: Sun Dec 17 19:52:22 MST 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC

And esp runs around on IPv4, and IPv4 traffic gets nicely encapsulated, but IPv6 doesn't get encapsulated, with the exact same rules as posted before. (No, I don't remember whether with that patch v6 worked)

>> --
>> Mathieu Sauve-Frankel
>
> --
> viq

--
viq
Re: dspam on OpenBSD 4.0
I am going to try and stop top posting -- my replies are embedded below.

On Mon, 2006-18-12 at 18:29 +0100, Joachim Schipper wrote:
> On Sun, Dec 17, 2006 at 09:18:45PM -0600, Vijay Sankar wrote:
>> Yes, /var/dspam/data was already there after I installed the package (I am not using -current, just OpenBSD 4.0 from the CD and packages from mirror.arcticnet.ca. In case there is a better way than doing chmod 2771, please do let me know. Here is the output from ls -laR /var/dspam. The reason why /var/spam/data/vsankar and /var/dspam/system.log has 2777 is because I couldn't get the system statistics and quarantine information from the dspam.cgi program without opening that up.
>
> Having permissions 2771 on /var/dspam/something is fine; I was referring to having 2755 on /usr/bin/dspam, as you posted before (http://marc.theaimsgroup.com/?l=openbsd-misc&m=116632875008340&w=2). However, this seems to be by design; while I'd still argue it is a bad idea, I thought you had tried to do that just to get stuff working, and that's not a very good idea.
>
> (In other words, time for me to do some actual research before replying. Sorry!)

Thanks very much for that clarification. I am still trying to reduce the permissions and tried making /var/dspam and subdirectories 755 as you suggested but it did not work. Without at least 775 on /var/dspam/data, the stats file and log file don't get updated. So I am going back to 2771 for the data directories.

>> Also, there is still one final problem. If user vsankar (unprivileged account) uses the dspam.cgi program and decides to reclassify a message already classified as spam by dspam, I get the following error in /var/log/maillog
>>
>> Dec 17 09:38:37 mx1 dspam[8781]: Delivery agent returned exit code 1: /usr/libexec/mail.local -d vsankar
>> Dec 17 09:38:38 mx1 mail.local: may only be run by the superuser
>
> Ah, sendmail. I'm afraid I can't help you there; I've been using postfix for as long as I know what a MTA is. You could try using something like plain sendmail, or procmail, or maildrop, although I don't know what would be considered the proper way to do this.

I tried procmail but that introduces other problems as far as dspam.cgi is concerned. So I went back to mail.local as the LDA.

>> For now, I am thinking of avoiding using the dspam.cgi altogether and just moving the vsankar.mbox quarantine file into /home/vsankar/mail and accessing it through my webmail client if I ever want to reclassify email. But it would be nice to be able to do a Deliver Checked from the dspam.cgi interface.
>
> I'll admit to being out of my depth here; I've looked at the dspam documentation, but I've never actually installed it, and my e-mail architecture is quite a little different from yours anyway (for one, dspam should reinject mail into postfix... so I never get to mess with local delivery agents, and it's far more likely I can get away with non-suid dspam).
>
>> mx1# ls -laR /var/dspam
>> total 104
>> 4 drwxrws--x 3 _dspam _dspam 512 Dec 16 19:18 .
>> 4 drwxr-xr-x 27 root wheel 512 Dec 16 14:33 ..
>> 4 drwxrws--x 7 _dspam _dspam 512 Dec 16 16:49 data
>> 88 -rwxrwxrwx 1 _dspam _dspam 43199 Dec 17 20:45 system.log
>>
>> /var/dspam/data:
>> total 28
>> 4 drwxrws--x 7 _dspam _dspam 512 Dec 16 16:49 .
>> 4 drwxrws--x 3 _dspam _dspam 512 Dec 16 19:18 ..
>> 4 drwxrws--x 2 _dspam _dspam 512 Dec 16 16:06 root
>> 4 drwxrwsrwx 2 _dspam _dspam 512 Dec 17 09:55 vsankar
>>
>> /var/dspam/data/root:
>> total 60
>> 4 drwxrws--x 2 _dspam _dspam 512 Dec 16 16:06 .
>> 4 drwxrws--x 7 _dspam _dspam 512 Dec 16 16:49 ..
>> 36 -rwxrws--x 1 _dspam _dspam 17276 Dec 17 01:30 root.log
>> 12 -rwxrws--x 1 _dspam _dspam 4130 Dec 16 16:22 root.mbox
>> 4 -rwxrws--x 1 _dspam _dspam 13 Dec 17 01:30 root.stats
>
> Why the 'x' permission?

I am really not sure. If I don't do a chmod -R 2771 on /var/dspam a variety of things break. I tried 660 and got the permissions problem when retraining, with 770 dspam.cgi did not provide stats and history information, with 771 email doesn't get quarantined in vsankar.mbox. chmod -R 2771 solves all these problems, possibly by introducing new problems that I am not aware of :( Anyways, can't figure out why x is needed. I even tried mounting /var/dspam with no nosuid in /etc/fstab. It did not make a difference.

>> /var/dspam/data/vsankar:
>> total 208
>> 4 drwxrwsrwx 2 _dspam _dspam 512 Dec 17 09:55 .
>> 4 drwxrws--x 7 _dspam _dspam 512 Dec 16 16:49 ..
>> 24 -rwxrwxrwx 1 _dspam _dspam 11881 Dec 17 20:45 vsankar.log
>> 160 -rwxrwxrwx 1 _dspam _dspam 81766 Dec 17 20:45 vsankar.mbox
>> 4 -rw-r--r-- 1 www _dspam 5 Dec 17 09:54 vsankar.mbox.size
>> 0 -rw-rw 1 www _dspam 0 Dec 17 09:54 vsankar.mbox.stamp
>> 4 -rw-r--r-- 1 www _dspam 228 Dec 17 09:38 vsankar.retrain.log
>> 4 -rw-r--r-- 1 www _dspam 10 Dec 17 09:38 vsankar.rstats
>> 4 -rwxrwxrwx 1
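
An added example, not part of the thread and not dspam's own tooling: a small auditor that reads `ls -l` style output like the listing quoted above and reports the permission bits questioned in the replies (world-writable entries, execute bits on files in a data directory, setgid on regular files). The sample listing is constructed from a few of the lines posted in the thread; the function and constant names are assumptions.

```python
import re

# Optional leading block count, the 10-character mode string, then the rest
# of the line; the last whitespace-separated token is taken as the name.
ENTRY = re.compile(r"^(?:\d+\s+)?([-dlbcps][-rwxsStT]{9})\s+.*\s(\S+)$")

# Constructed sample, modelled on the listing posted in the thread.
SAMPLE_LISTING = """\
/var/dspam:
total 104
4 drwxrws--x 3 _dspam _dspam 512 Dec 16 19:18 .
4 drwxr-xr-x 27 root wheel 512 Dec 16 14:33 ..
88 -rwxrwxrwx 1 _dspam _dspam 43199 Dec 17 20:45 system.log

/var/dspam/data/root:
total 60
36 -rwxrws--x 1 _dspam _dspam 17276 Dec 17 01:30 root.log

/var/dspam/data/vsankar:
total 208
4 drwxrwsrwx 2 _dspam _dspam 512 Dec 17 09:55 .
160 -rwxrwxrwx 1 _dspam _dspam 81766 Dec 17 20:45 vsankar.mbox
4 -rw-r--r-- 1 www _dspam 5 Dec 17 09:54 vsankar.mbox.size
"""


def audit_listing(listing):
    """Return (path, issue) tuples for risky modes in `ls -lR` style text."""
    findings = []
    cwd = "."
    for raw in listing.splitlines():
        line = raw.strip()
        entry = ENTRY.match(line)
        if entry is None:
            if line.endswith(":"):       # "dir:" header printed by ls -R
                cwd = line[:-1]
            continue                      # blank lines, "total N", etc.
        mode, name = entry.groups()
        if name == "..":
            continue
        path = cwd if name == "." else "%s/%s" % (cwd, name)
        world_writable = mode[8] == "w"
        if mode[0] == "d":
            # Without the sticky bit any local user can delete or replace
            # other users' files in a world-writable directory.
            if world_writable and mode[9] not in "tT":
                findings.append((path, "world-writable directory without sticky bit"))
        elif mode[0] == "-":
            if world_writable:
                findings.append((path, "world-writable file"))
            # Logs, mboxes and stats files are data; none needs to execute.
            if mode[3] in "xs" or mode[6] in "xs" or mode[9] in "xt":
                findings.append((path, "execute bit on file in data directory"))
            if mode[6] in "sS":
                findings.append((path, "setgid bit on regular file"))
    return findings


if __name__ == "__main__":
    for path, issue in audit_listing(SAMPLE_LISTING):
        print("%-40s %s" % (path, issue))
```

A recursive `chmod -R 2771` is what puts setgid and execute bits on the log and mbox files; the setgid bit is only useful on the directories, where it makes new files inherit the `_dspam` group.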
LineWrap Failure in Text-Terminal
Hi.

With OpenBSD 4.0, I encounter a wrong line wrapping in the text-terminals. If a line has 80 or more chars there will be extra blank lines. This problem occurs in ksh, more and less, but not in vi and lynx.

When I open a file in more, where line 28 has 85 or more chars and I scroll down with the cursor keys three lines, I will get only the 80 chars followed by a blank line. When I scroll down another line, there will be the left chars after this blank line. With the repaint command CTRL-R in more, the blank line disappears. When I scroll another 25 lines down, so that line 28 moves off the screen, and then scroll back a few lines, there won't be a line 28 at all, until I put the repaint command.

This problem first occurred in OpenBSD 4.0 and I recognized it after a clean install. OpenBSD 3.9 on the same computer did a correct line wrapping. So I looked through all the changes and noticed the new jump scroll feature for vt220 introduced in OpenBSD 4.0 and corrected in OpenBSD Current. My computer is a 200MMX with a 2,5GB Harddrive and compiling the complete source will be heavy or impossible. So I cannot check, if this is the problem or if it is already solved, and didn't send a bug-report.

In ksh there is a similar wrong behavior. When I type $ ls tab in a directory, containing following directories: $ mkdir aaa b ccc fff ggg jjj and my cursor is already at the bottom of the screen, the last 4 lines will be: BEGINN $ ls tab aaa/ b/ ccc/ / / fff/ ggg/ / / jjj/ $ ls END containing also a blank line at the end, where there shouldn't be one. Another tab will print it correctly without the bottom blank line. Again a tab will print it wrong with the blank line.

In the following directory it is even worse: $ mkdir aaa cc ddd ff jjj ooo $ touch bbb. . g. . mm.mmm ls tab will print additional 3 blank lines at the bottom of the screen.

I thought it was a problem in the terminal and changed in /etc/ttys a virtual terminal from vt220 to vt100 and even dumb.
This didn't solve the problem and with dumb, vi didn't work properly anymore. Can anyone help me to make my text-terminal work correctly? And if this is already solved in OpenBSD Current, is there a workaround without recompiling the source? Thanks, Sebastian. I don't think this is a hardware problem, because 3.9 worked correctly. Anyway, here my dmesg output: OpenBSD 4.0 (GENERIC) #1107: Sat Sep 16 19:15:58 MDT 2006 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC cpu0: Intel Pentium/MMX (GenuineIntel 586-class) 200 MHz cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,MMX cpu0: F00F bug workaround installed real mem = 66678784 (65116K) avail mem = 52559872 (51328K) using 839 buffers containing 3436544 bytes (3356K) of memory mainbus0 (root) bios0 at mainbus0: AT/286+(c6) BIOS, date 10/08/96, BIOS32 rev. 0 @ 0xf8080 pcibios0 at bios0: rev 2.1 @ 0xf/0x67c pcibios0: PCI BIOS has 5 Interrupt Routing table entries pcibios0: PCI Interrupt Router at 000:07:0 (Intel 82371SB ISA rev 0x00) pcibios0: PCI bus #0 is the last bus bios0: ROM list: 0xc/0x8000 cpu0 at mainbus0 pci0 at mainbus0 bus 0: configuration mode 1 (bios) pchb0 at pci0 dev 0 function 0 Intel 82439HX rev 0x03 pcib0 at pci0 dev 7 function 0 Intel 82371SB ISA rev 0x01 pciide0 at pci0 dev 7 function 1 Intel 82371SB IDE rev 0x00: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility wd0 at pciide0 channel 0 drive 0: ST52520A wd0: 16-sector PIO, LBA, 2446MB, 5009760 sectors atapiscsi0 at pciide0 channel 0 drive 1 scsibus0 at atapiscsi0: 2 targets cd0 at scsibus0 targ 0 lun 0: HITACHI, CDR-7930, 1023 SCSI0 5/cdrom removable wd0(pciide0:0:0): using PIO mode 4, DMA mode 2 cd0(pciide0:0:1): using PIO mode 0, DMA mode 1 pciide0: channel 1 disabled (no drives) ne3 at pci0 dev 9 function 0 Realtek 8029 rev 0x00: irq 9, address 00:e0:7d:98:4b:5e ne4 at pci0 dev 10 function 0 Realtek 8029 rev 0x00: irq 9, address 00:00:b4:9c:d6:c6 AVM Fritz ISDN rev 0x02 at pci0 dev 11 function 0 not configured vga1 at pci0 
dev 12 function 0 S3 ViRGE rev 0x06 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) isa0 at pcib0 isadma0 at isa0 pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0: console keyboard, using wsdisplay0 pcppi0 at isa0 port 0x61 midi0 at pcppi0: PC speaker spkr0 at pcppi0 lpt0 at isa0 port 0x378/4 irq 7 npx0 at isa0 port 0xf0/16: using exception 16 pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo fdc0 at isa0 port 0x3f0/6 irq 6 drq 2 fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec isapnp0 at isa0 port 0x279: read port 0x203 sb1 at isapnp0 Creative SB16 PnP, CTL0031, , Audio port 0x220/16,0x330/2,0x388/4 irq 5 drq 1,5: dsp v4.13 midi1 at sb1: SB MPU-401 UART audio0 at
Re: Home networking for an amateur
Take the time to upgrade. It's really easy and fast. Don't skip releases though. Upgrade like this:

3.7 - 3.8 - 3.9 - 4.0

Then your box will rock.

Erik Wikström wrote:
> I've got a box laying in my basement running OpenBSD 3.7 (probably should upgrade that some time but I've never taken the time) acting as
Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage
Dag Richards wrote:
>> Such a user can use http or better yet https as a transport as well or a floppy, usb hard drive, usb thumb drive, and email (especially with an encrypted attachment so that your filter can see what it is). Hell they can print it out and carry it in their briefcase if they wanted.
>
> That's what I do ;)

Dang, I just take the whole server. Don't even have to reload the data that way.

By the way, the only little quibble I've had with this discussion is that some of the responses have been remarkably imprecise in the distinction between icmp and icmp echo-requests. I find that such imprecision causes no end of trouble when specifying security policies. I, for example, am not the biggest fan of random people sending me icmp redirects, but don't block many other icmp packets.

I'll also point out that opinions differ. For example, the official recommendation of the U.S. NIST (National Institute of Standards and Technology) is:

    block incoming echo request (ping and Windows traceroute)
    block outgoing echo replies, time exceeded, and destination unreachable messages except packet too big messages (type 3, code 4).
    This item assumes that you are willing to forego the legitimate uses of ICMP echo request to block some known malicious uses.

(Special Publication 800-41, p. 61.)

I suppose it all comes down to such unresolvable matters such as is making it harder for outsiders to map your network merely security through obscurity, which is naturally below the dignity of any right thinking network engineer, or does it have value in today's Internet? :-)

--Jon Radel

[demime 1.01d removed an attachment of type application/x-pkcs7-signature which had a name of smime.p7s]
Slightly OT: DNS force client to use authoritative
Is there a specific way to set a name server so that clients are always *forced* to use an authoritative name server? UltraDNS and some others have mentioned little features they have, but it hints at the possibility that somewhere in the DNS spec.

-krb
Re: Slightly OT: DNS force client to use authoritative
On 12/18/06, Karl R. Balsmeier [EMAIL PROTECTED] wrote:
> Is there a specific way to set a name server so that clients are always *forced* to use an authoritative name server?

Clients can not (or at least, should not) talk directly to authoritative name servers. Clients make their DNS requests with the recursion desired bit set, and should only speak to recursive resolvers. Those recursive resolvers make their requests without the recursion desired bit set and speak to authoritative servers, starting with the root servers.

Some DNS servers, such as BIND, can run in both roles simultaneously with a single daemon. Others, such as djbdns, run separate servers for each type of service (tinydns for authoritative, dnscache for a recursive resolver).

--
Jon
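
An added example, not part of the original message: the "recursion desired" bit described above as it appears on the wire, together with the AA (authoritative answer) and RA (recursion available) bits a responder sets. Function names, the query name and the response headers are constructed for illustration; nothing here sends traffic.

```python
import struct

# Bit masks inside the 16-bit flags word of the DNS header (RFC 1035, 4.1.1).
FLAG_QR = 0x8000  # 0 = query, 1 = response
FLAG_AA = 0x0400  # answer comes from a server authoritative for the name
FLAG_RD = 0x0100  # recursion desired: set by stub clients, clear on iterative queries
FLAG_RA = 0x0080  # recursion available: set by recursive resolvers


def encode_name(name):
    """Encode 'www.example.org' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, recursion_desired=True, qtype=1, txid=0x1234):
    """Build a DNS query (default: A record, class IN) with RD set or clear."""
    flags = FLAG_RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_flags(message):
    """Decode the header bits relevant to the client/resolver/authoritative split."""
    if len(message) < 12:
        raise ValueError("shorter than a DNS header")
    _txid, flags = struct.unpack("!HH", message[:4])
    return {
        "qr": bool(flags & FLAG_QR),
        "aa": bool(flags & FLAG_AA),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "rcode": flags & 0x000F,
    }


def classify_responder(response):
    """What the header of a response says about the server that sent it."""
    f = parse_flags(response)
    if not f["qr"]:
        return "not a response"
    if f["aa"]:
        return "authoritative answer"
    if f["ra"]:
        return "answer relayed by a recursive resolver"
    return "non-authoritative, no recursion offered (referral or refusal)"


def with_flags(query, flags):
    """Constructed response: reuse the query bytes, replace only the flags word."""
    return query[:2] + struct.pack("!H", flags) + query[4:]


if __name__ == "__main__":
    stub = build_query("www.example.org", recursion_desired=True)
    iterative = build_query("www.example.org", recursion_desired=False)
    print("stub client query flags :", parse_flags(stub))
    print("resolver's own query    :", parse_flags(iterative))
    print(classify_responder(with_flags(stub, FLAG_QR | FLAG_RD | FLAG_RA)))
    print(classify_responder(with_flags(iterative, FLAG_QR | FLAG_AA)))
```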
Re: ral0: device timeout
Some new findings. Hopefully these mean something to someone because I don't really know where to go from here.

I noticed that I can't reproduce the 'device timeout' if I turn off the device at the AP. Could the AP be responding with something fishy?

I also found out that if I change the ral-cards to explicitly use 'media OFDM54' the 'device timeout' would occur less often, and when they do, I can most often get it to work by bringing it down and then

#sh /etc/netstart ral0

When I get 'device timeout' I see the following at the AP

ral0: received auth from 00:13:f7:1e:a7:86 rssi 119
ral0: sending auth to 00:13:f7:1e:a7:86 on channel 11
ral0: station 00:13:f7:1e:a7:86 newly authenticated (open)

I have not yet been able to get a debug print from client ral when it is failing, is there a way to set that in hostname.if? If the device is not failing during boot, it is hard to get it to fail.

I have also seen the timeout on the AP once when I rebooted it while the client was up, but it didn't occur repeatedly as it does on the client.

== AP hostname.if ==
# cat /etc/hostname.ral0
inet 192.168.0.2 255.255.255.0 NONE media OFDM54 mode 11g mediaopt hostap chan 11 nwid himmet_wlan

== Client hostname.if ==
# cat /etc/hostname.ral0
dhcp NONE NONE NONE media OFDM54 mode 11g chan 11 nwid himmet_wlan

/Markus

> For some time now I've been trying to get my SMC wireless cardbus[1] with Ralink RT2600 chipset[2] to work on my laptop running OpenBSD 4.0 -stable but I keep getting 'ral0: device timeout'. If I bring the device down and then up (sometimes I have to do this several times) I finally get it to work. After that I don't get any more 'device timeout' until next reboot.
>
> This is what ral(4) has to say about that error:
>
>     ral%d: device timeout  A frame dispatched to the hardware for transmission did not complete in time. The driver will reset the hardware. This should not happen.
>
> Unfortunately, it does happen. My question is, why? And what can i do to remedy this?
>
> I have a SMC pci-card[3] in the AP but I have not seen that problem there. I enclose dmesg and ifconfig ral0 from client and ap.
Re: Slightly OT: DNS force client to use authoritative
On Monday, December 18, 2006, 15:45:19, Karl R. Balsmeier wrote: Is there a specific way to set a name server so that clients are always *forced* to use an authoritative name server? What do you mean by an authoritative name server? There is no single name server which is authoritative for every host in existence. Are you asking about BIND's delegation-only option? -- Rod Dorman [EMAIL PROTECTED] The avalanche has already started, it is too late for the pebbles to vote. - Ambassador Kosh
How can I view rule numbers under OpenBSD 4.0?
Hi all, first of all, many to everybody helps me to block all ipv6 traffic (security staff accept your option). And now my question: how can I view rule numbers assigned by pf?? Under OpenBSD 3.7 using pfctl -ws display this info ... How can I do with OpenBSD 4.0?? Many thanks. -- CL Martinez carlopmart {at} gmail {d0t} com
Re: How can I view rule numbers under OpenBSD 4.0?
On 12/18/06, carlopmart [EMAIL PROTECTED] wrote: Hi all, first of all, many to everybody helps me to block all ipv6 traffic (security staff accept your option). And now my question: how can I view rule numbers assigned by pf?? Under OpenBSD 3.7 using pfctl -ws display this info ... How can I do with OpenBSD 4.0?? pfctl -vvsr verbose, verbose, show, rules. Refer to pfctl(8). DS
Re: Soekris box crashing... drops to ddb
Thanks for looking at this, I think that you are correct... someone had plugged in the wrong power adapter into this box, and thusly ( 6-8 Volts @ 800ma ) goofed up the CF card... I think that the extra power of the CF disk IO from the find command caused this box to crash every day. Oh well, live and learn, and smack those that plug in the wrong power cord! I'm CCing misc for the archive so that if someone else runs into these issues they may also have a clue as to what may be going on. Igor Sobrado wrote: Hello. It looks like a problem in the CF card. Would it be possible reinstalling the operating system on the Soekris? Does this problem always happen in the same inode? Or, even better, would it be possible trying a new CF card on the Soekris? If you do not have a need for a specific CF card, I would suggest trying a SanDISK CF. These cards are not expensive at all and work fine on the Soekris appliances. Hopefully, it looks like a bad CF card, not a bad Soekris. Cheers, Igor.
Re: CGI Scripts in OpenBSD
Once your scripts are working you could try to copy the files that are needed for the CGI script into the chrooted directory. If the CGI script is a pre-compiled binary that has been linked to other libraries, you can run the following to find out what it needs.

    ldd /var/www/cgi-bin/your-prog

If it's just a CGI script with regular commands, you will have to copy each command into the /var/www directory. So let's say your script runs the banner command; the following shows what could be done to run the command within a chrooted apache server.

    $ ldd /usr/bin/banner
    /usr/bin/banner:
    StartEnd Type Open Ref GrpRef Name
    exe 10 0 /usr/bin/banner
    0c54d000 2c57e000 rlib 01 0 /usr/lib/libc.so.39.0
    0b67a000 0b67a000 rtld 01 0 /usr/libexec/ld.so

So we need libc and ld.so with the same paths in /var/www... so:

First, create some of the standard files that many binaries look for:

    mkdir -p /var/www/etc
    # keep only the entries the chrooted server needs
    grep www /etc/passwd > /var/www/etc/passwd
    grep localhost /etc/hosts > /var/www/etc/hosts
    cp /etc/resolv.conf /var/www/etc

Next, we will copy the files in place.

    mkdir -p /var/www/usr/bin
    mkdir -p /var/www/usr/lib
    mkdir -p /var/www/usr/libexec
    # Do the following as root, or sudo
    # each file goes to the same path under /var/www that it has outside
    cp -p /usr/bin/banner /var/www/usr/bin
    cp -p /usr/lib/libc.so.39.0 /var/www/usr/lib
    cp -p /usr/libexec/ld.so /var/www/usr/libexec
    # you may or may not need this...
    mkdir -p /var/www/bin
    cp -p /bin/sh /var/www/bin

There are plenty of FAQs on setting up binaries and scripts to run in a chrooted environment, and I would highly recommend that people start making this stuff work, rather than going for a less secure web server and scripts. It's just a matter of time before apache has a major flaw, or something in a script fails. Have fun!

Francisco Valladolid wrote: hi, .. if you are new to OpenBSD, enabling chroot may be difficult for you, I recommend running apache without chroot. disable it in /etc/rc.conf

    httpd_flags=-u # the -u option disables chroot

then you can run your cgi scripts from /var/www/cgi-bin/ only doing chmod 755 script Regards.
On 11/20/06, Hannah Broughton [EMAIL PROTECTED] wrote: Hi, I'm completely new to openBSD and have been trying to configure apache to run some CGI scripts. I have apache working fine, but the CGI scripts are failing with error 500 and the log file reports Premature end of script header. I am very sure that this is not the script that is wrong, I have the content-type header and have read many articles on the net about this error and still can't fix the problem. I have a feeling there may be some config specific to OpenBSD that I may have missed in order to enable the running of CGI scripts? Thanks for any help, Hannah
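The copy steps in the reply above can be derived from ldd output instead of being typed by hand. The following is an added example, not code from the thread: it parses OpenBSD ldd(1) output, prints the mkdir/cp commands that mirror each file under the chroot at the same path, and lists what is still missing there. The function names and the sample ldd text are constructed for illustration.

```shell
#!/bin/sh
# Added example: names and sample data are constructed, not from the thread.
# SAMPLE_LDD mimics OpenBSD ldd(1) output for /usr/bin/banner; the exe
# addresses are placeholders.
SAMPLE_LDD='/usr/bin/banner:
    Start    End      Type Open Ref GrpRef Name
    00000000 00000000 exe  1    0   0      /usr/bin/banner
    0c54d000 2c57e000 rlib 0    1   0      /usr/lib/libc.so.39.0
    0b67a000 0b67a000 rtld 0    1   0      /usr/libexec/ld.so'

# Read ldd output on stdin; print each absolute path from the Name column
# once, in the order ldd listed it. Header and "file:" lines are skipped.
ldd_paths() {
    awk 'NF >= 7 && $NF ~ /^\// && !seen[$NF]++ { print $NF }'
}

# Print the commands that mirror every needed file under the chroot at
# the same path it has outside (/usr/lib/x -> $chroot/usr/lib/x).
chroot_plan() {
    chroot_dir=$1
    ldd_paths | while IFS= read -r path; do
        printf 'mkdir -p %s%s\n' "$chroot_dir" "$(dirname "$path")"
        printf 'cp -p %s %s%s\n' "$path" "$chroot_dir" "$path"
    done
}

# Print each needed path that is absent inside the chroot. A missing
# library or ld.so stops the CGI binary before it can print any header.
chroot_missing() {
    chroot_dir=$1
    ldd_paths | while IFS= read -r path; do
        [ -e "$chroot_dir$path" ] || printf '%s\n' "$path"
    done
}

# Dry run on the sample: print the plan without touching the filesystem.
printf '%s\n' "$SAMPLE_LDD" | chroot_plan /var/www
```

On a real system, pipe `ldd /var/www/cgi-bin/your-prog` into `chroot_plan /var/www` and review the printed commands before running them as root.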
64-bit Linux Emulation on AMD64?
Hello, I've got a fresh new 4.0/AMD64 system installed, and after sitting down to add Linux binary compatibility, I see that it apparently doesn't exist on this platform. After some archive digging, it doesn't appear that the idea has been thoroughly discussed, especially since adding 32-bit Linux binary support would be difficult at best (http://marc.theaimsgroup.com/?l=openbsd-misc&m=109036873227847&w=2). Since I'm not exactly familiar with what exactly makes Linux compatibility work behind the scenes, I apologize if this is a dumb question...but would it be feasible to add support for Linux/AMD64 binaries on OpenBSD/AMD64? It seems like this would eliminate the problem of 32-to-64 bit conversions/wackiness, though I wouldn't be surprised if other nasty problems were lurking under the hood. If this is within the realm of possibility, I'd be interested in working to make it a reality. Given my lack of experience, I could probably be more helpful as a tester for someone else who was attempting to implement this...but if there's no one out there interested in working on a project like this, I'd be willing to take a stab at it myself, especially if whoever is responsible for i386 Linux compatibility was willing to speak with me regarding at least the basics of what would be necessary. Alex Kirk
Re: nagios check_carp for OpenBSD carp(4)
On 12/15/06, Brian A. Seklecki [EMAIL PROTECTED] wrote: Thoughts? Strategies? Ideas? --- Ask the machine directly? Ask an adjacent machine? Joel Knight just released an updated OpenBSD SNMP MIB that supports reading data from the sensors framework. Perhaps he could be persuaded to add support for CARP state detection? :) Chris
Re: LineWrap Failure in Text-Terminal
On Mon, 18 Dec 2006, Sebastian Neuper wrote: Hi. With OpenBSD 4.0, I encounter a wrong line wrapping in the text-terminals. If a line has 80 or more chars there will be extra blank lines. This problem occurs in ksh, more and less, but not in vi and lynx. When I open a file in more, where line 28 has 85 or more chars and I scroll down with the cursor keys three lines, I will get only the 80 chars followed by a blank line. When I scroll down another line, there will be the left chars after this blank line. With the repaint command CTRL-R in more, the blank line disappears. When I scroll another 25 lines down, so that line 28 moves off the screen, and then scroll back a few lines, there won't be a line 28 at all, until I put the repaint command. This problem first occurred in OpenBSD 4.0 and I recognized it after a clean install. OpenBSD 3.9 on the same computer did a correct line wrapping. So I looked through all the changes and noticed the new jump scroll feature for vt220 introduced in OpenBSD 4.0 and corrected in OpenBSD Current. My computer is a 200MMX with a 2,5GB Harddrive and compiling the complete source will be heavy or impossible. So I cannot check, if this is the problem or if it is already solved, and didn't send a bug-report. Try running a snapshot kernel. It's likely (but not guaranteed) a snapshot bsd will work nicely with a 4.0 userland. Download bsd and put it in your /, named bsd.snap and boot that on the boot prompt. -Otto In ksh there is a similar wrong behavior. When I type $ ls tab in a directory, containing following directories: $ mkdir aaa b ccc fff ggg jjj and my cursor is already at the bottom of the screen, the last 4 lines will be: BEGINN $ ls tab aaa/ b/ ccc/ / / fff/ ggg/ / / jjj/ $ ls END containing also a blank line at the end, where there shouldn't be one. Another tab will print it correctly without the bottom blank line. Again a tab will print it wrong with the blank line.
In the following directory it is even worse: $ mkdir aaa cc ddd ff jjj ooo $ touch bbb. . g. . mm.mmm ls tab will print additional 3 blank lines at the bottom of the screen. I thought it was a problem in the terminal and changed in /etc/ttys a virtual terminal from vt220 to vt100 and even dumb. This didn't solve the problem and with dumb, vi didn't work properly anymore. Can anyone help me to make my text-terminal work correctly? And if this is already solved in OpenBSD Current, is there a workaround without recompiling the source? Thanks, Sebastian. I don't think this is a hardware problem, because 3.9 worked correctly. Anyway, here my dmesg output:
revision control system for system administration
Not directly OpenBSD related but I thought I'd ask. I'd like to use a revision control system to manage files on 25-30 servers but I'm not sure whether I'd use a centralized repository or have a separate revision control system on each box. It would also be good to know how much leverage a revision control system can give over a make-backup-before-change policy in the long run and also what files and directories I should add to it. Anything else anyone would like to add from experience would be much appreciated. Thanks.