ROOTBACKUP=1 corruption problems on amd64 (OPENBSD_4_0)

2007-03-29 Thread Didier Wiroth
Hello,
I'm using ROOTBACKUP=1 to have daily backups on several boxes running
amd64 OPENBSD_4_0.
Actually I noticed that on 1 box (the hardware is +/- 3 month old), the
partition is *always* corrupted after the backup.
The corruption happens every day. 

Does anyone have an idea what could be the problem?

I'm using a LSI Megaraid controller (see dmesg below), here is the
output.
#bioctl ami0
Volume  Status   Size Device
 ami0 0 Online   10485760 sd0 RAID5
  0 Online   400083124224 0:0.0   noencl ST3400620NS 3.AE
  1 Online   400083124224 0:1.0   noencl ST3400620NS 3.AE
  2 Online   400083124224 0:2.0   noencl ST3400620NS 3.AE
  3 Online   400083124224 0:3.0   noencl ST3400620NS 3.AE
  4 Online   400083124224 0:4.0   noencl ST3400620NS 3.AE
 ami0 1 Online   2097152 sd1 RAID0
  0 Online   400083124224 0:0.0   noencl ST3400620NS 3.AE
  1 Online   400083124224 0:1.0   noencl ST3400620NS 3.AE
  2 Online   400083124224 0:2.0   noencl ST3400620NS 3.AE
  3 Online   400083124224 0:3.0   noencl ST3400620NS 3.AE
  4 Online   400083124224 0:4.0   noencl ST3400620NS 3.AE
 ami0 2 Online   73924608 sd2 RAID5
  0 Online   400083124224 0:0.0   noencl ST3400620NS 3.AE
  1 Online   400083124224 0:1.0   noencl ST3400620NS 3.AE
  2 Online   400083124224 0:2.0   noencl ST3400620NS 3.AE
  3 Online   400083124224 0:3.0   noencl ST3400620NS 3.AE
  4 Online   400083124224 0:4.0   noencl ST3400620NS 3.AE
 ami0 3 Online   739451600896 sd3 RAID5
  0 Online   400083124224 0:0.0   noencl ST3400620NS 3.AE
  1 Online   400083124224 0:1.0   noencl ST3400620NS 3.AE
  2 Online   400083124224 0:2.0   noencl ST3400620NS 3.AE
  3 Online   400083124224 0:3.0   noencl ST3400620NS 3.AE
  4 Online   400083124224 0:4.0   noencl ST3400620NS 3.AE
 ami0 4 Hot spare   400083124224 0:5.0   noencl ST3400620NS 3.AE

Here is the daily mail report I get:
Backing up root filesystem:

copying /dev/rsd0a to /dev/rsd0h
262139+1 records in
262139+1 records out
2147443200 bytes transferred in 548.279 secs (3916696 bytes/sec)
** /dev/rsd0h
** Last Mounted on /
** Phase 1 - Check Blocks and Sizes
** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
UNREF FILE I=103073  OWNER=root MODE=100555
SIZE=282672 MTIME=Feb 13 08:58 2007
CLEAR? yes

UNREF FILE I=103086  OWNER=root MODE=100555
SIZE=106928 MTIME=Feb 13 08:58 2007
CLEAR? yes

UNREF FILE I=103113  OWNER=root MODE=100500
SIZE=255536 MTIME=Feb 13 08:58 2007
CLEAR? yes

** Phase 5 - Check Cyl groups
FREE BLK COUNT(S) WRONG IN SUPERBLK
SALVAGE? yes

SUMMARY INFORMATION BAD
SALVAGE? yes

BLK(S) MISSING IN BIT MAPS
SALVAGE? yes

3116 files, 24391 used, 1007208 free (280 frags, 125866 blocks, 0.0%
fragmentation)

MARK FILE SYSTEM CLEAN? yes
 end snip --

Here is the dmesg:
OpenBSD 4.0-stable (GENERIC.MP) #0: Mon Jan  8 12:54:22 CET 2007
    [EMAIL PROTECTED]:/home/sources/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 2146562048 (2096252K)
avail mem = 1834729472 (1791728K)
using 22937 buffers containing 214863872 bytes (209828K) of memory
mainbus0 (root)
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xf0690 (74 entries)
bios0: stem manufacturer P5WDG2 WS PRO
mainbus0: Intel MP Specification (Version 1.4) (INTELPRO )
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz, 2404.44 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,LONG
cpu0: 4MB 64b/line 16-way L2 cache
cpu0: apic clock running at 267MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz, 2404.11 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,LONG
cpu1: 4MB 64b/line 16-way L2 cache
mpbios: bus 0 is type PCI
mpbios: bus 1 is type PCI
mpbios: bus 2 is type PCI
mpbios: bus 3 is type PCI
mpbios: bus 4 is type PCI
mpbios: bus 5 is type PCI
mpbios: bus 6 is type ISA
ioapic0 at mainbus0 apid 2 pa 0xfec0, version 20, 24 pins
ioapic1 at mainbus0 apid 3 pa 0xfec1, version 20, 24 pins
pci0 at mainbus0 bus 0: configuration mode 1
pchb0 at pci0 dev 0 function 0 vendor Intel, unknown product 0x277c rev 0xc0
ppb0 at pci0 dev 1 function 0 vendor Intel, unknown product 0x277d rev 0xc0
pci1 at ppb0 bus 5
vga1 at pci1 dev 0 function 0 vendor NVIDIA, unknown product 0x0163 rev 0xa1
mpbios: bus 3 is type PCI
mpbios: bus 4 is type PCI
mpbios: bus 5 is type PCI
mpbios: bus 6 is type ISA
ioapic0 at mainbus0 apid 2 pa 0xfec0, version 20, 24 pins
ioapic1 at mainbus0 apid 3 pa 0xfec1, version 

Re: ntpd not synching

2007-03-29 Thread Otto Moerbeek
On Wed, 28 Mar 2007, [EMAIL PROTECTED] wrote:

 hi,
 
 On Tue, Mar 27, 2007 at 01:49:16PM +0200, Otto Moerbeek wrote:
  
  It looks like your clock drifts more than ntpd can compensate. Please
  share some details on your setup, like the dmesg.  Also, if you remove
  the drift file, you must reboot, since otherwise the existing
  frequency compensation stays in effect. 
 
 ok, i cleared the drift-file and rebooted. as near as i can
 figure (i had to boot multiple times, and unclean at that) this
 is what happened slightly before/during/after the last boot (the times 
 are so screwed i can't really make it out).

Yep, this confirms it. Your clock is drifting so much that ntpd can't
keep up. I'm afraid there's not a lot I can do about that.

-Otto

 
 Mar 28 20:12:46  ntpd[6515]: adjusting local clock by 950.304366s
 Mar 28 20:17:11  ntpd[6515]: adjusting local clock by 954.223055s
 Mar 28 22:53:00  ntpd[18691]: ntp engine ready
 Mar 28 20:49:13  ntpd[14539]: set local clock to Wed Mar 28 20:49:13 CEST 2007 (offset -7427.749161s)
 Mar 28 20:49:13  ntpd[18691]: reply from 213.246.63.72: negative delay -7427.686509s, next query 3068s
 Mar 28 20:49:13  ntpd[18691]: reply from 62.220.226.2: negative delay -7427.684053s, next query 3199s
 Mar 28 20:49:13  ntpd[18691]: reply from 149.156.70.5: negative delay -7427.676747s, next query 3149s
 Mar 28 20:49:13  ntpd[18691]: reply from 193.11.184.180: negative delay -7427.676303s, next query 3136s
 Mar 28 20:49:13  ntpd[18691]: reply from 194.215.7.39: not synced, next query 3052s
 Mar 28 20:49:13  ntpd[18691]: reply from 128.241.238.31: negative delay -7427.633371s, next query 3083s
 Mar 28 20:49:13  savecore: no core dump
 Mar 28 20:58:54  ntpd[3522]: peer 80.240.210.253 now valid
 [peers snipped]
 Mar 28 20:59:57  ntpd[31863]: adjusting local clock by 2.284285s
 Mar 28 21:02:37  ntpd[18773]: ntp engine ready
 Mar 28 21:02:37  ntpd[18773]: reply from 194.215.7.39: not synced, next query 3110s
 Mar 28 21:02:37  savecore: no core dump
 Mar 28 21:02:52  ntpd[18773]: peer 217.150.242.8 now valid
 Mar 28 21:02:59  ntpd[18773]: peer 213.246.63.72 now valid
 Mar 28 21:02:59  ntpd[18773]: peer 193.11.184.180 now valid
 Mar 28 21:02:59  ntpd[18773]: peer 128.241.238.31 now valid
 Mar 28 21:03:00  ntpd[18773]: peer 149.156.70.5 now valid
 Mar 28 21:03:03  ntpd[18773]: peer 62.220.226.2 now valid
 Mar 28 21:03:57  ntpd[2354]: adjusting local clock by 6.573991s
 Mar 28 21:06:04  ntpd[2354]: adjusting local clock by 3.905197s
 Mar 28 21:08:37  ntpd[2354]: adjusting local clock by 8.475628s
 Mar 28 21:08:37  ntpd[18773]: clock is now synced
 Mar 28 21:10:49  ntpd[2354]: adjusting local clock by 8.951453s
 Mar 28 21:10:49  ntpd[18773]: clock is now unsynced
 Mar 28 21:15:06  ntpd[2354]: adjusting local clock by 12.813542s
 Mar 28 21:15:06  ntpd[18773]: clock is now synced
 Mar 28 21:19:15  ntpd[2354]: adjusting local clock by 15.447946s
 Mar 28 21:19:15  ntpd[18773]: clock is now unsynced
 Mar 28 21:23:05  ntpd[2354]: adjusting local clock by 15.624800s
 Mar 28 21:23:10  ntpd[18773]: peer 213.246.63.72 now invalid
 Mar 28 21:25:45  ntpd[2354]: adjusting local clock by 16.648412s
 Mar 28 21:27:49  ntpd[2354]: adjusting local clock by 20.718507s
 Mar 28 21:31:04  ntpd[2354]: adjusting local clock by 16.498430s
 Mar 28 21:33:13  ntpd[2354]: adjusting local clock by 20.223130s
 Mar 28 21:35:57  ntpd[2354]: adjusting local clock by 20.095667s
 
 as i write this, the local clock is already 29 seconds behind
 what 'rdate -p pool.ntp.org' reports.
 
 dmesg :
 
 OpenBSD 4.0 (GENERIC) #1107: Sat Sep 16 19:15:58 MDT 2006
 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
 cpu0: VIA Esther processor 1500MHz (CentaurHauls 686-class) 1.51 GHz
 cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,APIC,SEP,MTRR,PGE,CMOV,PAT,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,TM,SBF,SSE3
 cpu0: RNG AES AES-CTR SHA1 SHA256 RSA
 real mem  = 468152320 (457180K)
 avail mem = 418967552 (409148K)
 using 4256 buffers containing 23511040 bytes (22960K) of memory
 mainbus0 (root)
 bios0 at mainbus0: AT/286+(d9) BIOS, date 09/15/06, BIOS32 rev. 0 @ 0xfa960, SMBIOS rev. 2.3 @ 0xf (33 entries)
 apm0 at bios0: Power Management spec V1.2
 apm0: AC on, battery charge unknown
 apm0: flags 70102 dobusy 1 doidle 1
 pcibios0 at bios0: rev 2.1 @ 0xf/0xcce4
 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfcc20/192 (10 entries)
 pcibios0: bad IRQ table checksum
 pcibios0: PCI BIOS has 10 Interrupt Routing table entries
 pcibios0: PCI Exclusive IRQs: 5 10 11 15
 pcibios0: PCI Interrupt Router at 000:17:0 (VIA VT8237 ISA rev 0x00)
 pcibios0: PCI bus #1 is the last bus
 bios0: ROM list: 0xc/0xfc00 0xd/0x1000 0xd1000/0x1000 0xd2000/0x5000!
 cpu0 at mainbus0
 pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
 pchb0 at pci0 dev 0 function 0 VIA CN700 Host rev 0x00
 pchb1 at pci0 dev 0 function 1 VIA CN700 Host rev 0x00
 pchb2 at pci0 dev 0 function 2 VIA CN700 Host rev 0x00
 pchb3 at pci0 dev 0 function 3 
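
An added example, not part of the thread and not OpenBSD code: a Python sketch that reads the ntpd syslog lines quoted in the message above, keeps only the run after the last `ntp engine ready` (earlier lines carry timestamps from before the clock was stepped), and fits a line to offset versus time to estimate the net drift ntpd is failing to cancel. The year and the 500 ppm comparison limit (the tolerance of the reference NTP implementation) are assumptions; the thread does not state OpenBSD ntpd's own limit.

```python
import re
from datetime import datetime

# ntpd lines copied from the quoted post (hostname field is already blank there).
SAMPLE_LOG = """\
Mar 28 20:12:46  ntpd[6515]: adjusting local clock by 950.304366s
Mar 28 20:17:11  ntpd[6515]: adjusting local clock by 954.223055s
Mar 28 22:53:00  ntpd[18691]: ntp engine ready
Mar 28 20:49:13  ntpd[14539]: set local clock to Wed Mar 28 20:49:13 CEST 2007 (offset -7427.749161s)
Mar 28 20:59:57  ntpd[31863]: adjusting local clock by 2.284285s
Mar 28 21:02:37  ntpd[18773]: ntp engine ready
Mar 28 21:03:57  ntpd[2354]: adjusting local clock by 6.573991s
Mar 28 21:06:04  ntpd[2354]: adjusting local clock by 3.905197s
Mar 28 21:08:37  ntpd[2354]: adjusting local clock by 8.475628s
Mar 28 21:08:37  ntpd[18773]: clock is now synced
Mar 28 21:10:49  ntpd[2354]: adjusting local clock by 8.951453s
Mar 28 21:10:49  ntpd[18773]: clock is now unsynced
Mar 28 21:15:06  ntpd[2354]: adjusting local clock by 12.813542s
Mar 28 21:19:15  ntpd[2354]: adjusting local clock by 15.447946s
Mar 28 21:23:05  ntpd[2354]: adjusting local clock by 15.624800s
Mar 28 21:25:45  ntpd[2354]: adjusting local clock by 16.648412s
Mar 28 21:27:49  ntpd[2354]: adjusting local clock by 20.718507s
Mar 28 21:31:04  ntpd[2354]: adjusting local clock by 16.498430s
Mar 28 21:33:13  ntpd[2354]: adjusting local clock by 20.223130s
Mar 28 21:35:57  ntpd[2354]: adjusting local clock by 20.095667s
"""

# syslog prefix: "Mon DD HH:MM:SS [host] ntpd[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?:\S+\s+)?ntpd\[\d+\]:\s+(?P<msg>.*)$"
)
ADJ_RE = re.compile(r"adjusting local clock by (-?\d+\.\d+)s")


def last_run_offsets(log_text, year=2007):
    """Return [(timestamp, offset_seconds)] for the most recent ntpd run.

    syslog lines carry no year, so `year` is an assumption. The sample list
    is reset on a daemon restart or when timestamps jump backwards, because
    both mean the local clock was stepped and older offsets are not comparable.
    """
    samples = []
    last_ts = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        restarted = "ntp engine ready" in m["msg"]
        stepped_back = last_ts is not None and ts < last_ts
        if restarted or stepped_back:
            samples = []
        last_ts = ts
        adj = ADJ_RE.search(m["msg"])
        if adj:
            samples.append((ts, float(adj.group(1))))
    return samples


def drift_ppm(samples):
    """Least-squares slope of offset vs. elapsed time, in parts per million.

    This is the net rate left over after whatever ntpd already corrected,
    so it is a lower bound on the raw drift of the hardware clock.
    """
    if len(samples) < 2:
        return None
    t0 = samples[0][0]
    xs = [(ts - t0).total_seconds() for ts, _ in samples]
    ys = [off for _, off in samples]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0:
        return None
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx * 1e6


def assess(log_text, year=2007, limit_ppm=500.0):
    """Summarise the last run; limit_ppm is an assumed comparison threshold."""
    samples = last_run_offsets(log_text, year)
    ppm = drift_ppm(samples)
    return {
        "samples": len(samples),
        "drift_ppm": ppm,
        "exceeds_limit": ppm is not None and abs(ppm) > limit_ppm,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_LOG))
```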

Re: ipsec between openbsd 4.0 and checkpoint

2007-03-29 Thread Claer
On Thu, Mar 29 2007 at 44:08, Sebastian Reitenbach wrote:
 Hi list,
Hi,

 I have a problem to setup an ipsec tunnel between my openbsd box and a
 checkpoint firewall.
[...]
 I had no problem to get a tunnel working between two openbsd 4.0 hosts with
 the above configuration file, so I think my problem can only be the timings 
 of the renegotiations. What are the default renegotiation timings, and where 
 should i configure these?

The default SA lifetimes are described in the man page of isakmpd.conf:

   [General]
   Default-phase-1-lifetime=   3600,60:86400
   Default-phase-2-lifetime=   1200,60:86400

OpenBSD will accept lifetimes between 60 and 86400 seconds with a
default of 1 hour for phase 1 and 20 minutes for phase 2.
As you wrote, default Checkpoint lifetimes are 1440 min for phase 1
(86400 seconds) and 3600 seconds for phase 2. I doubt it's a lifetime
problem. 

The configuration should work, at least it works here between Checkpoint
R61 and OpenBSD 4.0.
Could you provide us some error messages please? Messages from the
Checkpoint side would help too :)

Claer



prioritize internet browse than download

2007-03-29 Thread kintaro oe
Hi Guys,

Is it possible to prioritize Internet browsing than downloading a file like 
downloading installers or iso files? It eats up our network bandwidth. Any 
advice? Thanks!


cheers,

kintaro Oe
 



Re: ROOTBACKUP=1 corruption problems on amd64 (OPENBSD_4_0)

2007-03-29 Thread Otto Moerbeek
On Thu, 29 Mar 2007, Didier Wiroth wrote:

 Hello,
 I'm using ROOTBACKUP=1 to have daily backups on several boxes running
 amd64 OPENBSD_4_0.
 Actually I noticed that on 1 box (the hardware is +/- 3 month old), the
 partition is *always* corrupted after the backup.
 The corruption happens every day. 
 
 Does anyone have an idea what could be the problem?

You're copying a live filesystem. Inconsistencies are to be expected.
It's the reason why fsck is run.

-Otto

 

Re: prioritize internet browse than download

2007-03-29 Thread Kamil Monticolo
On Thu, 29 Mar 2007 01:25:26 -0700 (PDT)
kintaro oe [EMAIL PROTECTED] wrote:

 Hi Guys,
 
 Is it possible to prioritize Internet browsing than downloading a file like 
 downloading installers or iso files? It eats up our network bandwidth. Any 
 advice? Thanks!

man pf.conf
/QUEUE



Re: prioritize internet browse than download

2007-03-29 Thread Siju George

On 3/29/07, Kamil Monticolo [EMAIL PROTECTED] wrote:

On Thu, 29 Mar 2007 01:25:26 -0700 (PDT)
kintaro oe [EMAIL PROTECTED] wrote:

 Hi Guys,

 Is it possible to prioritize Internet browsing than downloading a file like 
downloading installers or iso files? It eats up our network bandwidth. Any advice? 
Thanks!

man pf.conf
/QUEUE



this is good for limiting bandwidth based on ( source and destination
) domain names, IP address, port numbers, protocols, IP versions etc.

but PF cannot process URLs and filter/queue using file types like
*.iso, *.msi, *.exe, *.wmv, *.mpe etc.

kind Regards

Siju

Siju



Re: prioritize internet browse than download

2007-03-29 Thread stefan hoffmann

hi,

kintaro oe wrote:

Is it possible to prioritize Internet browsing than downloading a file like 
downloading installers or iso files? It eats up our network bandwidth. Any 
advice? Thanks!

Take a look at squid and its delay pools. That should do it.


mfG
-- stefan --



Re: Not getting much bandwidth through the firewall

2007-03-29 Thread Claudio Jeker
On Thu, Mar 29, 2007 at 02:18:30AM -0400, Kyle George wrote:
 On Wed, 28 Mar 2007, Watson Crick wrote:
 
 I've got OpenBSD 4.0 (release) on a laptop setup up as a router between 
 2 subnets, and providing internet access through a 3rd nic to a DSL 
 modem. The problem is the bandwidth between the two subnets.  I'm only 
 getting a maximum of about 500 KB/s between two 100mbit cards. Top shows 
 ~70% interrupt (~29% idle) while these transfers are going on. I don't 
 know what the bottleneck is in the system.  Are the Linksys PCMCIA nics 
 crappy? Did I screw something else up?
 
 Try http://www.openbsd.org/faq/faq6.html#Tuning.
 
 Increase net.inet.tcp.{send,recv}space.
 
 Try this before worrying about your hardware.
 

The send and receive socket buffer space has nothing to do with forwarding
performance. This will only affect connections from and to the box itself.

I think the bigger problem is the PCMCIA nics. PCMCIA is a slow bus
comparable to ISA and most PCMCIA cards are evil old clones of already
terrible MAC chips. Also check the duplex mode -- autonegotiation can
fail with older cards.

-- 
:wq Claudio



Re: Long WEP key

2007-03-29 Thread Sunnz

I am curious about this too, so if anyone got the link it would be
great to post it, thanks.

So VPN is the way to go if you really want to secure your wireless network?

2007/3/29, Nick ! [EMAIL PROTECTED]:

On 3/29/07, Lars Hansson [EMAIL PROTECTED] wrote:
 Maxime DERCHE wrote:
  IMHO you should think to configure your AP to provide a WAP-based
  encryption...

 WAP-based encryption? Do you mean WPA?

And to answer the original question: because OpenBSD doesn't support
WPA, and Theo has claimed somewhere that I can never find the link to
that WPA gives a false sense of security anyway.

-Nick





--
Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html



Re: Long WEP key

2007-03-29 Thread Lars Hansson

Sunnz wrote:

So VPN is the way to go if you really want to secure your wireless network?


VPN only secures traffic to and from the gateway, not *among* machines 
connected to the AP. If your AP is OpenBSD then VPN would work but most 
off-the-shelf APs can't act as VPN endpoints and for those WEP and WPA 
are the only ways to secure all your wireless traffic.


---
Lars Hansson



Re: Long WEP key

2007-03-29 Thread Sunnz

Then is it possible/practical to connect to a VPN machine on your LAN
and use the VPN's machines connection?

For a simplistic example, say I've got a wireless router gateway, with
a cable connected OpenBSD server, and I connect to the server's VPN
via the router wirelessly from my laptop.

2007/3/29, Lars Hansson [EMAIL PROTECTED]:

Sunnz wrote:
 So VPN is the way to go if you really want to secure your wireless network?

VPN only secures traffic to and from the gateway, not *among* machines
connected to the AP. If your AP is OpenBSD then VPN would work but most
off-the-shelf APs can't act as VPN endpoints and for those WEP and WPA
are the only ways to secure all your wireless traffic.

---
Lars Hansson





--
Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html



Re: Long WEP key

2007-03-29 Thread Stuart Henderson
On 2007/03/29 21:44, Sunnz wrote:
 I am curious about this too, so if anyone got the link it would be
 great to post it, thanks.
 
 So VPN is the way to go if you really want to secure your wireless network?

VPN is good at adding privacy and authentication protection to
transmitted data. I'm not sure you can really use 'really secure'
when you're talking about 802.11 DSSS, though.

One point to note is that the network management frames are
unprotected (even with WPA).



Re: prioritize internet browse than download

2007-03-29 Thread Kamil Monticolo
On Thu, 29 Mar 2007 16:12:07 +0530
Siju George [EMAIL PROTECTED] wrote:

 On 3/29/07, Kamil Monticolo [EMAIL PROTECTED] wrote:
  On Thu, 29 Mar 2007 01:25:26 -0700 (PDT)
  kintaro oe [EMAIL PROTECTED] wrote:
 
   Hi Guys,
  
   Is it possible to prioritize Internet browsing than downloading a file 
   like downloading installers or iso files? It eats up our network 
   bandwidth. Any advice? Thanks!
 
  man pf.conf
  /QUEUE
 
 
 this is good for limiting bandwidth based on ( source and destination
 ) domain names, IP address, port numbers, protocols, IP versions etc.
 
 but PF cannot process URLs and filter/queue using file types like
 *.iso, *.msi, *.exe, *.wmv, *.mpe etc.
 
 kind Regards
 
 Siju
 
 Siju
 
Sorry, you are right. I misunderstood that a bit.
Kamil Monticolo



Re: Long WEP key

2007-03-29 Thread Nick !

On 3/29/07, Sunnz [EMAIL PROTECTED] wrote:

2007/3/29, Nick ! [EMAIL PROTECTED]:
 On 3/29/07, Lars Hansson [EMAIL PROTECTED] wrote:
  Maxime DERCHE wrote:
   IMHO you should think to configure your AP to provide a WAP-based
   encryption...
 
  WAP-based encryption? Do you mean WPA?

 And to answer the original question: because OpenBSD doesn't support
 WPA, and Theo has claimed somewhere that I can never find the link to
 that WPA gives a false sense of security anyway.

I am curious about this too, so if anyone got the link it would be
great to post it, thanks.


Here you go:

-- Forwarded message --
From: Jon Radel [EMAIL PROTECTED]
Date: Mar 29, 2007 1:17 AM
Subject: Re: Long WEP key
To: Nick ! [EMAIL PROTECTED]



Nick ! wrote:

Theo has claimed somewhere that I can never find the link to


http://www.tjrforum.com/archive/index.php/t-2513.html gives a quote but
I can't find the original source.



Re: ROOTBACKUP=1 corruption problems on amd64 (OPENBSD_4_0)

2007-03-29 Thread Darrin Chandler
On Thu, Mar 29, 2007 at 09:11:36AM +0200, Didier Wiroth wrote:
 Hello,
 I'm using ROOTBACKUP=1 to have daily backups on several boxes running
 amd64 OPENBSD_4_0.
 Actually I noticed that on 1 box (the hardware is +/- 3 month old), the
 partition is *always* corrupted after the backup.
 The corruption happens every day. 
 
 Does anyone have an idea what could be the problem?

Here's a guess: you updated your system, but haven't rebooted since
building userland. If that's the case, reboot and I bet the next backup
is a *lot* cleaner.

If that's not the case, then what Otto said. ;)

-- 
Darrin Chandler|  Phoenix BSD User Group  |  MetaBUG
[EMAIL PROTECTED]   |  http://phxbug.org/  |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation



Re: Long WEP key

2007-03-29 Thread Sunnz

Hmmm had Theo ever talked about this on the list?

I think many people are/will find this to be very strange... WPA is
considered as broken and insecure, which is understandable for an
OS that focuses on security... but it _does_ provide WEP, an even more
broken, insecure solution?

2007/3/29, Nick ! [EMAIL PROTECTED]:

On 3/29/07, Sunnz [EMAIL PROTECTED] wrote:
 2007/3/29, Nick ! [EMAIL PROTECTED]:
  On 3/29/07, Lars Hansson [EMAIL PROTECTED] wrote:
   Maxime DERCHE wrote:
IMHO you should think to configure your AP to provide a WAP-based
encryption...
  
   WAP-based encryption? Do you mean WPA?
 
  And to answer the original question: because OpenBSD doesn't support
  WPA, and Theo has claimed somewhere that I can never find the link to
  that WPA gives a false sense of security anyway.
 
 I am curious about this too, so if anyone got the link it would be
 great to post it, thanks.

Here you go:

-- Forwarded message --
From: Jon Radel [EMAIL PROTECTED]
Date: Mar 29, 2007 1:17 AM
Subject: Re: Long WEP key
To: Nick ! [EMAIL PROTECTED]


 Nick ! wrote:

 Theo has claimed somewhere that I can never find the link to

http://www.tjrforum.com/archive/index.php/t-2513.html gives a quote but
I can't find the original source.





--
Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html



Re: Not getting much bandwidth through the firewall

2007-03-29 Thread Siju George

On 3/29/07, Kyle George [EMAIL PROTECTED] wrote:

On Wed, 28 Mar 2007, Watson Crick wrote:

 I've got OpenBSD 4.0 (release) on a laptop setup up as a router between
 2 subnets, and providing internet access through a 3rd nic to a DSL
 modem. The problem is the bandwidth between the two subnets.  I'm only
 getting a maximum of about 500 KB/s between two 100mbit cards. Top shows
 ~70% interrupt (~29% idle) while these transfers are going on. I don't
 know what the bottleneck is in the system.  Are the Linksys PCMCIA nics
 crappy? Did I screw something else up?

Try http://www.openbsd.org/faq/faq6.html#Tuning.

Increase net.inet.tcp.{send,recv}space.



It says

 You would normally use this to allow for routing or connection
problems. Of course, for it to be most effective, both sides of the
connection need to use similar values.

If you have an ISP that gives you an IP address (using PPPoE), is there
a way to measure or detect the values on the ISP's side?

The main problem being the support personnel mostly do not know these
things :-(

Thank you so much

kind regards

Siju



Apple hardware support?

2007-03-29 Thread David Given
Is there anyone working on porting OpenBSD to Intel Apple hardware? Such as
the Macbook?

I can't imagine it would be particularly hard; there'd need to be a way of
loading and running a kernel via EFI, and then tweaking the hardware
detection.

The reason why I ask is that I've been eyeing the new Apple TV with a certain
amount of interest. For only 150 UKP, you get a rather nice little box with
very low power requirements and some decent hardware, which would be ideal as
a home server. And I know the hardware is very similar to the Macbook. And,
of course, the best server software is OpenBSD.

--
http://www.cowlark.com
Thou who might be our Father, who perhaps may be in Heaven, hallowed be
Thy Name, if Name Thou hast and any desire to see it hallowed... ---
_Creatures of Light and Darkness_




Re: Apple hardware support?

2007-03-29 Thread Greg Thomas

On 3/29/07, David Given [EMAIL PROTECTED] wrote:

Is there anyone working on porting OpenBSD to Intel Apple hardware? Such as
the Macbook?



Scan the freakin' email archives.  There are several recent notes
about the laptops, nothing about the AppleTV yet that I've noticed.

Greg



Re: Not getting much bandwidth through the firewall

2007-03-29 Thread Stuart Henderson
On 2007/03/29 22:55, Siju George wrote:
 On 3/29/07, Kyle George [EMAIL PROTECTED] wrote:
 On Wed, 28 Mar 2007, Watson Crick wrote:
 
  I've got OpenBSD 4.0 (release) on a laptop set up as a router between
  2 subnets, and providing internet access through a 3rd nic to a DSL
  modem. The problem is the bandwidth between the two subnets.  I'm only
  getting a maximum of about 500 KB/s between two 100mbit cards. Top shows
  ~70% interrupt (~29% idle) while these transfers are going on. I don't
  know what the bottleneck is in the system.  Are the Linksys PCMCIA nics
  crappy? Did I screw something else up?
 
 Try http://www.openbsd.org/faq/faq6.html#Tuning.
 
 Increase net.inet.tcp.{send,recv}space.
 
 
 It says
 
  You would normally use this to allow for routing or connection
 problems. Of course, for it to be most effective, both sides of the
 connection need to use similar values.
 
 If you have an ISP that gives you an IP address (using PPPoE), is there
 a way to measure or detect the values on the ISP's side?

The ISP don't normally have anything to do with this (excepting any
connections to their servers) (but see below about proxies). The relevant
settings are those on the endpoints of the TCP connection.

You might want to increase {send,recv}space if you have a connection
which has high bandwidth *and* high latency (i.e. ping times). But
it will only make a difference when you connect to servers which also
have high window sizes configured; often busy servers don't since it
increases the memory requirements.

If you're interested to see how altering this looks from the
perspective of network packets, run tcpdump(8) and watch how the
values in TCP SYN packets change as you vary the sysctl values
and make connections.

If there is a proxy in the path between you and the real
endpoint, the TCP endpoints are then your machine and that proxy.
In those cases, the ISP (or whoever) does have control over these
tuning parameters.
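
The point made above (socket buffer size matters only when bandwidth and latency are both high), worked through as an added example that is not part of the original message: it reads the window, MSS and window-scale option from a TCP SYN, the fields tcpdump(8) displays, and computes the window/RTT throughput ceiling. The SYN bytes are constructed by `build_syn`; all function names and the sample values are assumptions of this example.

```python
import struct

SYN = 0x02


def build_syn(window, mss=None, wscale=None):
    """Build a bare TCP SYN header (constructed sample input, not a capture)."""
    opts = b""
    if mss is not None:
        opts += struct.pack("!BBH", 2, 4, mss)          # kind 2: MSS
    if wscale is not None:
        opts += struct.pack("!BBBB", 1, 3, 3, wscale)   # NOP pad + kind 3: wscale
    offset_words = (20 + len(opts)) // 4
    return struct.pack("!HHIIHHHH", 40000, 80, 1, 0,
                       (offset_words << 12) | SYN, window, 0, 0) + opts


def parse_syn(segment):
    """Return the advertised window, MSS and window-scale shift of a SYN."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    off_flags, window = struct.unpack("!HH", segment[12:16])
    header_len = (off_flags >> 12) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset")
    if not off_flags & SYN:
        raise ValueError("not a SYN segment")
    info = {"window": window, "mss": None, "wscale": None}
    opts = segment[20:header_len]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # NOP, single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option")
        length = opts[i + 1]
        body = opts[i + 2:i + length]
        if kind == 2 and length == 4:
            info["mss"] = struct.unpack("!H", body)[0]
        elif kind == 3 and length == 3:
            info["wscale"] = min(body[0], 14)   # RFC 7323 caps the shift at 14
        i += length
    return info


def largest_window(local, peer):
    """Largest window `local` can advertise once the connection is up."""
    if local["wscale"] is None or peer["wscale"] is None:
        return 65535             # scaling is off unless both SYNs offered it
    return 65535 << local["wscale"]


def ceiling_bytes_per_sec(window_bytes, rtt_ms):
    """At most one window of data can be in flight per round trip."""
    return window_bytes * 1000 // rtt_ms


if __name__ == "__main__":
    # Constructed endpoints: a small-buffer host and a large-buffer host.
    small = parse_syn(build_syn(16384, mss=1460))
    large = parse_syn(build_syn(65535, mss=1460, wscale=3))
    for name, syn in (("small", small), ("large", large)):
        for rtt in (1, 150):     # LAN-like and long-haul round-trip times, ms
            rate = ceiling_bytes_per_sec(syn["window"], rtt)
            print(f"{name}: window={syn['window']} rtt={rtt}ms "
                  f"ceiling={rate / 1e6:.2f} MB/s")
    print("large<->small max window:", largest_window(large, small))
    print("large<->large max window:", largest_window(large, large))
```

At a 1 ms round trip even the 16384-byte window allows about 16 MB/s, above what a 100 Mbit link carries, while at 150 ms the same window caps a connection near 109 KB/s.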



Re: Apple hardware support?

2007-03-29 Thread Tasmanian Devil

Is there anyone working on porting OpenBSD to Intel Apple hardware? Such as
the Macbook?


The i386 GENERIC.MP kernel runs fine on Intel Macs. You just need to
enable ACPI with config -ef bsd.mp (or on the boot prompt).


I can't imagine it would be particularly hard; there'd need to be a way of
loading and running a kernel via EFI, and then tweaking the hardware
detection.


EFI emulates a normal PC BIOS if there's no Mac OS X on the harddisk.
OpenBSD boots fine (though it doesn't feel like booting if no monitor
is attached, but you can emulate one easily with a dongle, and
automatic restart on power failure needs a little software trick).


And, of course, the best server software is OpenBSD.


That's true! :-)

Tas.



Re: Apple hardware support?

2007-03-29 Thread Tasmanian Devil

Scan the freakin' email archives.  There are several recent notes
about the laptops, nothing about the AppleTV yet that I've noticed.


I just searched a bit about this Apple TV: It might be necessary to
remove the harddisk to copy OpenBSD on it, but otherwise it could work
(as a server, not as a multimedia device).

An interesting link I found:
http://www.roughlydrafted.com/RD/RDM.Tech.Q1.07/E1D8A057-6FBB-4269-A348-27AF9010FB19.html

Tas.



Re: Apple hardware support?

2007-03-29 Thread Otto Moerbeek
On Thu, 29 Mar 2007, David Given wrote:

 Is there anyone working on porting OpenBSD to Intel Apple hardware? Such as
 the Macbook?
 
 I can't imagine it would be particularly hard; there'd need to be a way of
 loading and running a kernel via EFI, and then tweaking the hardware
 detection.

Work on your imagination and don't jump to conclusions.

Apple managed to make i386 hardware that is slightly different than
other PC hardware and with its own set of quirks/bugs. Some progress
has been made, but depending on the model and processor (e.g. Core Duo
vs Core Duo 2) the Apple Intels either work mostly or don't work
(yet). 

 The reason why I ask is that I've been eyeing the new Apple TV with a certain
 amount of interest. For only 150 UKP, you get a rather nice little box with
 very low power requirements and some decent hardware, which would be ideal as
 a home server. And I know the hardware is very similar to the Macbook. And,
 of course, the best server software is OpenBSD.

Similar hardware is not enough to know. The devil is in the details.
Sending an Apple TV to an interested developer might speed things up. 

-Otto



Re: Apple hardware support?

2007-03-29 Thread Otto Moerbeek
On Thu, 29 Mar 2007, Tasmanian Devil wrote:

  Is there anyone working on porting OpenBSD to Intel Apple hardware? Such as
  the Macbook?
 
 The i386 GENERIC.MP kernel runs fine on Intel Macs. You just need to
 enable ACPI with config -ef bsd.mp (or on the boot prompt).

This is not true. At least it has been reported that the MacBook Pro
with Core Duo 2 processor does not run.
 
  I can't imagine it would be particularly hard; there'd need to be a way of
  loading and running a kernel via EFI, and then tweaking the hardware
  detection.
 
 EFI emulates a normal PC BIOS if there's no Mac OS X on the harddisk.
 OpenBSD boots fine (though it doesn't feel like booting if no monitor
 is attached, but you can emulate one easily with a dongle, and
 automatic restart on power failure needs a little software trick).

BTW, you can install OpenBSD on a BootCamp partition. After creating
the Bootcamp partition using the wizard, boot using the OpenBSD CD,
and in the fdisk step in the installer, set the partition type to A6,
make it active and update the MBR. 

-Otto



Re: Not getting much bandwidth through the firewall

2007-03-29 Thread Bryan Irvine

The send and receive socket buffer space has nothing to do with forwarding
performance. This will only affect connections from and to the box itself.


but don't routed packets go to and from the box itself?

My download speeds on my mythtv/ubuntu system jumped from 1.5Mb/s to
12Mb/s after increasing those on my firewall.


I think the bigger problem are the PCMCIA nics. PCMCIA is a slow bus
comparable to ISA and most PCMCIA cards are evil old clones of already
terrible MAC chips. Also check the duplex mode -- autonegotiation can
fail with older cards.


I tend to agree that the problem is likely here.  Laptops tend to not
have superfast bus speeds.

I also wonder if he actually meant that capital B.  500KB isn't too
shabby (what's that 4Mb?) while 500Kb isn't so good.  If he's actually
pushing 4Mb through his laptop's crappy old pcmcia that may be as good
as it gets.

--Bryan



Re: Apple hardware support?

2007-03-29 Thread Tasmanian Devil

  Is there anyone working on porting OpenBSD to Intel Apple hardware? Such as
  the Macbook?

 The i386 GENERIC.MP kernel runs fine on Intel Macs. You just need to
 enable ACPI with config -ef bsd.mp (or on the boot prompt).

This is not true. At least it has been reported that the MacBook Pro
with Core Duo 2 processor does not run.


Oh, sorry, I didn't know that. Thank you for correcting me!

Tas.



Re: Not getting much bandwidth through the firewall

2007-03-29 Thread Henning Brauer
* Bryan Irvine [EMAIL PROTECTED] [2007-03-29 21:11]:
 The send and receive socket buffer space has nothing to do with forwarding
 performance. This will only affect connections from and to the box itself.
 
 but don't routed packets go to and from the box itself?

they don't go to or thru the socket buffers you increased.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: Long WEP key

2007-03-29 Thread smith
I'd be more scared of the hacker that can bypass wep,

than the average joe without wep.

The hacker knows how to exploit your wep-decrypted network traffic,

the average joe doesn't even if it were plain-text data.



Re: Long WEP key

2007-03-29 Thread Jeremy Huiskamp

On 29-Mar-07, at 9:59 AM, Nick ! wrote:



Nick ! wrote:

Theo has claimed somewhere that I can never find the link to


http://www.tjrforum.com/archive/index.php/t-2513.html gives a quote but
I can't find the original source.


I'd like to hear an actual developer position on that statement.  I  
read it as a criticism of the way WPA is used more than of the  
protocol itself.  As in, it's of little value to encrypt the traffic  
if you allow anybody to access it.  If Theo was saying that it sucks  
even when you're using some sufficient form of authentication (other  
than that it's maybe too complicated), I'd love to have it explained.


Jeremy



Re: Long WEP key

2007-03-29 Thread Siegbert Marschall
Well,

 I'd be more scared of the hacker that can bypass wep,

 than the average joe without wep.

 The hacker knows how to exploit your wep-decrypted network traffic,

 the average joe doesn't even if it were plain-text data.

it's not always about sniffing something, sometimes it's about
access only.
If somebody does something bad with my unencrypted access-point
using my internet-access, here in germany I am liable.
If I configure feeble WEP64/40 I am not since there is at least
some protection to be illegally bypassed before the network can
be used.

Same with your car, leave the door open and the key in the lock for
everybody even minor to drive and the accident will be your problem
since the car hasn't been stolen. Lock the car and no matter if you
can short and open the thing with your fingers only it's a different
story since the car is stolen.

So even though WEP is trash, from certain points of view it's as useful
as a cheap padlock on the garden hood so the next neighbours' children
don't kill themselves with the axe or whatever is in there. If they
break the window and get in there, it's their problem. Not that this
is a lot more difficult than cracking WEP. /pun Cracking windows just
makes more noise.

Of course this is all a bit simplified but maybe some of the people
here declaring that WEP is trash and shouldn't be used wake up and
see that even trashy protection has its use as long as it offers
some protection.

-sm



Re: Long WEP key

2007-03-29 Thread Siegbert Marschall
Hi,

 I'd like to hear an actual developer position on that statement.  I
 read it as a criticism of the way WPA is used more than of the
 protocol itself.  As in, it's of little value to encrypt the traffic
 if you allow anybody to access it.  If Theo was saying that it sucks
 even when you're using some sufficient form of authentication (other
 than that it's maybe too complicated), I'd love to have it explained.

not in the mood to search for it, but I've seen people demonstrating
that WPA is as useless as WEP, just different approach and different
software. WPA2 is a bit better but there are still a few underlying
design flaws which make the whole stuff on its own rather insecure.
can't recall though that anybody had WPA2 exploited at the time but
that's more than a year in the past so I wouldn't trust it.

however, google should find the stuff somewhere, it was demonstrated
on a few events, docs should be on the net, no need to bother theo
with this.

-sm



Re: Not getting much bandwidth through the firewall

2007-03-29 Thread Ted Unangst

On 3/29/07, Siju George [EMAIL PROTECTED] wrote:

On 3/29/07, Kyle George [EMAIL PROTECTED] wrote:
 On Wed, 28 Mar 2007, Watson Crick wrote:

  I've got OpenBSD 4.0 (release) on a laptop set up as a router between
  2 subnets, and providing internet access through a 3rd nic to a DSL
  modem. The problem is the bandwidth between the two subnets.  I'm only
  getting a maximum of about 500 KB/s between two 100mbit cards. Top



If you have an ISP that gives you an IP address (using PPPoE), is there
a way to measure or detect the values on the ISP's side?


why the hell does the isp matter when routing between two local subnets?



Re: login_ldap

2007-03-29 Thread Joachim Schipper
On Wed, Mar 28, 2007 at 12:45:04PM -0400, Mike Erdely wrote:
 What I've decided to do since I can't make this work ('cause I'm an 
 idiot) and pserver is insecure and sucks, I'm going to set local 
 passwords for users that require pserver that are different from their 
 LDAP password.  That way, their LDAP password won't go in the clear.
 
Just another thought I had 1/2 a second after hitting 'send'...

Maybe SSH tunneling and/or authpf is useful here? You could get fancy
with a full VPN - IPsec is well-supported by OpenBSD, and can be made to
work on other systems, and OpenVPN is easy to install - but forwarding
2401/tcp most likely suffices.

Joachim



Re: login_ldap

2007-03-29 Thread Joachim Schipper
On Wed, Mar 28, 2007 at 12:45:04PM -0400, Mike Erdely wrote:
 Joachim Schipper wrote:
 On Tue, Mar 27, 2007 at 04:49:05PM -0400, Mike Erdely wrote:
 I'm trying to get login_ldap to work with cvs pserver (run out of inetd).
 I think you are misunderstanding some things, or doing something that
 doesn't work; however, since I've never tried to set up a pserver, you'd
 best check what I'm going to say next.
 
 I tried to give as much info as I could...
 
 First, read login.conf(5), and note that just adding the above isn't
 going to help any. You must define a new login class, at least, and
 change master.passwd(5) to make sure the appropriate user has your newly
 defined login class (the value of 'appropriate' depends on whether or
 not the stuff below is correct...).
 
 I did read login.conf(5) and I must have missed something.  But, I think 
 you're not understanding how this stuff works:

Quite possibly, hence the above caveat.

 1. I installed the login_ldap package.
 2. I added a ldap section to login.conf
 3. I configured my users to be part of the ldap class (using vipw). 
 Users have no local password set.
 4. I tested using CVS over SSH and it works as expected.
 5. I tried using pserver and cannot authenticate.
 6. I set a local password that is different from my ldap password (ssh 
 still uses ldap.  sudo still uses ldap).
 7. I tried pserver and was able to authenticate with the local password 
 but not ldap's password.
 
 I had previously had a similar problem with ftp until I made this change 
 to login.conf:
 - auth-ftp-defaults:auth-ftp=password:
 + auth-ftp-defaults:auth-ftp=-ldap:
 
 Then, you should have whatever daemon your users use to connect with the
 usual BSD login mechanism (which might be called bsdauth, or whatever).
 I don't believe GNU CVS does that, and OpenCVS doesn't do authentication
 at all. Your best bet is probably setting up ssh; sshd uses the BSD
 authentication routines by default.
 
 You would think that the daemon would use the usual BSD login 
 mechanism but ftpd doesn't.  And pserver running out of inetd doesn't 
 either.  I don't know if the fact that I'm using inetd for pserver has 
 any bearing on this issue, but I thought giving all information would be 
 helpful.

Actually, ftpd does. inetd doesn't do authentication at all, and
pserver... well, see below.

 I know my best bet is using ssh.  I'd much rather use ssh.  But you 
 can't always do what you want.  Some of my 50 developers are using COTS 
 development tools that ONLY know pserver.  They don't like it either, 
 but it's required for the project they're working on.  So, while pserver 
 sucks, it's necessary in this case.
 
 However, unless I am sorely mistaken, by this point, there's no need to
 set up inetd and what you have is a CVS repository, but *not* a pserver.
 
 What I've decided to do since I can't make this work ('cause I'm an 
 idiot) and pserver is insecure and sucks, I'm going to set local 
 passwords for users that require pserver that are different from their 
 LDAP password.  That way, their LDAP password won't go in the clear.

That is a good solution. The problem is, in fact, rather simple: pserver
does, in fact, not use bsd authentication. This is documented in
http://ximbiot.com/cvs/manual/cvs-1.12.13/cvs_2.html#SEC31 and
elsewhere; however, that page also suggests that you could create a
custom password file. Maybe a small script is in order (get 'cvspass'
from LDAP, format text file, mv it over the old one, repeat every x
minutes)?

Anyway, good luck, and let us know if you have any more problems.

Joachim
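
The periodic sync suggested in the message above (fetch 'cvspass' from LDAP, format the file, mv it over the old one), sketched as an added example that is not code from the thread. It assumes the LDAP query has already produced a `{uid: cvspass}` mapping, that `cvspass` holds a crypt(3) hash of a password separate from the LDAP one, and that CVSROOT/passwd lines have the form `user:hash:system_user`; the function names, the `cvsuser` account and the sample entries are hypothetical.

```python
import os
import re
import tempfile

# A ':' or newline inside a field would let one LDAP entry forge another
# account's line, so both fields are checked against a strict alphabet.
USER_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}")
HASH_RE = re.compile(r"[A-Za-z0-9./$]{13,128}")    # crypt(3) output alphabet


def render_passwd(entries, run_as):
    """Return (file_text, rejected_uids) for a {uid: cvspass} mapping."""
    if not USER_RE.fullmatch(run_as):
        raise ValueError("bad system user")
    lines, rejected = [], []
    for uid in sorted(entries):
        cvspass = entries[uid]
        # fullmatch, not match with '$': "alice\n" must not pass as "alice".
        if USER_RE.fullmatch(uid) and HASH_RE.fullmatch(cvspass or ""):
            lines.append(f"{uid}:{cvspass}:{run_as}\n")
        else:
            rejected.append(uid)
    return "".join(lines), rejected


def sync_passwd(entries, path, run_as="cvsuser"):
    """Atomically replace `path`; return (accounts_written, rejected_uids)."""
    text, rejected = render_passwd(entries, run_as)
    if not text:
        # An empty result usually means the LDAP query failed; keep the old
        # file rather than locking every pserver user out.
        return 0, rejected
    directory = os.path.dirname(os.path.abspath(path))
    # Same directory means same filesystem, so os.replace() is an atomic
    # rename: a reader sees the old file or the new one, never half of each.
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".passwd.")  # mode 0600
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(text)
            handle.flush()
            os.fsync(handle.fileno())
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return text.count("\n"), rejected


if __name__ == "__main__":
    # Constructed sample data standing in for the LDAP query result.
    sample = {
        "alice": "EXAMPLEhashALICE",
        "bob": "EXAMPLEhashBOB01",
        "eve:root": "EXAMPLEhashEVE01",     # ':' in uid, rejected
        "carol": "x:y\nroot::root",         # forged line in hash, rejected
    }
    with tempfile.TemporaryDirectory() as workdir:
        target = os.path.join(workdir, "passwd")
        written, rejected = sync_passwd(sample, target)
        print("written:", written, "rejected:", rejected)
        with open(target) as handle:
            print(handle.read(), end="")
```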



Re: May I have a cluestick, please?

2007-03-29 Thread Joachim Schipper
On Wed, Mar 28, 2007 at 03:52:44PM -0400, STeve Andre' wrote:
I have a -current system that's working just fine as a web
 server. Everything is working as it should, save for updating
 the wtmp for logins.
 
The last entry in the wtmp was the reboot for going live--
 since then logins work as expected but there is no record
 of them.
 
Suggestions as to what to look for, to fix this?  File perms
 aren't a problem, and nothing seems unusual to me.  This
 is a -current system compiled on March 14th.

Not that I have any particular idea, but what constitutes a 'login'?

Joachim



Re: Long WEP key

2007-03-29 Thread Joachim Schipper
On Thu, Mar 29, 2007 at 10:22:36PM +1000, Sunnz wrote:
 Then is it possible/practical to connect to a VPN machine on your LAN
 and use the VPN's machines connection?
 
 For a simplistic example, say I've got a wireless router gateway, with
 a cable connected OpenBSD server, and I connect to the server's VPN
 via the router wirelessly from my laptop.

Yes, this would work. There are still some issues [1], but it would work.

Joachim

[1] For one, it doesn't prevent someone from just flooding the AP...



Re: ntpd not synching

2007-03-29 Thread Joachim Schipper
On Thu, Mar 29, 2007 at 09:13:56AM +0200, Otto Moerbeek wrote:
 On Wed, 28 Mar 2007, [EMAIL PROTECTED] wrote:
 
  hi,
  
  On Tue, Mar 27, 2007 at 01:49:16PM +0200, Otto Moerbeek wrote:
   
   It looks like your clock drifts more that ntpd can compensate. Please
   share some details on your setup, like the dmesg.  Also, if you remove
   the drift file, you must reboot, since otherwise the existing
   frequency compensations stays in effect. 
  
  ok, i cleared the drift-file and rebooted. as near as i can
  figure (i had to boot multiple times, and unclean at that) this
  is what happened slightly before/during/after the last boot (the times 
  are so screwed i can't really make it out).
 
 Yep, this confirms it. Your clock is drifting so much that ntpd can't
 keep up. I'm afraid there's not a lot I can do about that.

Unless I'm very confused, though, repeated use of something like
rdate(8) will work, or, rather, 'work'...

Joachim



Re: SMP causing uvm_fault

2007-03-29 Thread Jon Steel
Hi

I've finally got the current version running and the problem below has
disappeared. I was wondering however if the problem has actually been
solved.

The line of code that I'm crashing on is line 3005 of pmap.c in version 4.0:

3005    if (pve->pv_ptp && (PDE(pve->pv_pmap,
3006        pdei(pve->pv_va)) & PG_FRAME) !=
3007        VM_PAGE_TO_PHYS(pve->pv_ptp)) {

Specifically it's crashing on PDE(pve->pv_pmap, pdei(pve->pv_val) because
of a page fault. This code has disappeared in -current, but does anybody
who was working on this section of code know why I was having this
problem or if it's been fixed?

Thank you

Jonathan  Steel


Jon Steel wrote:
 Hi

 I'm having a very similar problem as the one reported in Bug Query 5374.
 I'm trying to solve the problem but I'm finding it very hard to even get
 started. Is there somewhere besides the code that I can start to try and
 understand how SMP is being handled?

 http://cvs.openbsd.org/cgi-bin/query-pr-wrapper?full=yes&numbers=5374

 I can usually duplicate the crash by running the following script several
 times concurrently.

 #!/usr/bin/perl

 # start seven captures on em1 in the background
 system("tcpdump -i em1 -w /var/crashTest1.pcap &");
 system("tcpdump -i em1 -w /var/crashTest2.pcap &");
 system("tcpdump -i em1 -w /var/crashTest3.pcap &");
 system("tcpdump -i em1 -w /var/crashTest4.pcap &");
 system("tcpdump -i em1 -w /var/crashTest5.pcap &");
 system("tcpdump -i em1 -w /var/crashTest6.pcap &");
 system("tcpdump -i em1 -w /var/crashTest7.pcap &");

 # then generate traffic in a loop
 while (1) {
     system("nmap 192.168.66.90");
 }

 Then after about an hour, when you try and reboot, I get an error:

 uvm_fault(0x..., 0x..., 0, 1) - e
 kernel: page fault trap, code = 0
 stopped at pmap_page_remove_86+0x114:
 0(%eax, %edx, 4), %eax

 The trace output is:

 pmap_page_remove_86(d0d31420,c0,e9b57e2c,d04adeb9,e99f) at 
 pmap_page_remove_86+0x114
 uvm_vnp_terminate(d8034e04,0,0,0,0,14,0,d7e95004) at uvm_vnpterminate+0x31f
 uvm_attach(d8034e04,0,2,0,d7f38378) at uvn_attach+0x2b5
 uvm_unmap_detach(d7e959a4,0,d7f3841c,1) at uvm_unmap_detach+-x62
 uvmspace_free(d7f38378,6,d08120e0) at uvmspace_free+0xfd
 uvm_exit(d7fbb868,14,8,286) at uvm_exit+0x19
 reaper(d80df430) at reaper+0x90
 Bad frame pointer: 0xd0913eb8


 A couple times the error has also occurred on its own without saying
 'reboot' when running a ton of nmaps and tcpdumps at the same time.

 This trace is remarkably similar to the one in Bug Query 5374.
 Additionally I am using the same processor as he is. There is an unknown
 core statement in my dmesg but both cores seem to be working correctly.
 Here is my dmesg:

 OpenBSD 4.0 (GENERIC.MP) #936: Sat Sep 16 19:27:28 MDT 2006
 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
 cpu0: Intel(R) Core(TM)2 CPU 6400 @ 2.13GHz (GenuineIntel 686-class)
 2.13 GHz
 cpu0:
 FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CF
 LUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16
 real mem  = 2145869824 (2095576K)
 avail mem = 1949290496 (1903604K)
 using 4256 buffers containing 107397120 bytes (104880K) of memory
 mainbus0 (root)
 bios0 at mainbus0: AT/286+(e6) BIOS, date 10/30/06, BIOS32 rev. 0 @
 0xfd470, SMB IOS rev. 2.51 @ 0x7feea000 (33 entries)
 bios0: Supermicro PDSMi
 pcibios0 at bios0: rev 2.1 @ 0xfd470/0xb90
 pcibios0: PCI BIOS has 20 Interrupt Routing table entries
 pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801GB LPC rev 0x00)
 pcibios0: PCI bus #15 is the last bus
 bios0: ROM list: 0xc/0xb000 0xcb000/0x1000 0xcc000/0x1000 0xcd000/0x1000
 ipmi at mainbus0 not configured
 mainbus0: Intel MP Specification (Version 1.4) (INTELMUKILTEO)
 cpu0 at mainbus0: apid 0 (boot processor)
 cpu0: unknown Core FSB_FREQ value 0 (0x4208)
 cpu0: apic clock running at 266 MHz
 cpu1 at mainbus0: apid 1 (application processor)
 cpu1: Intel(R) Core(TM)2 CPU 6400 @ 2.13GHz (GenuineIntel 686-class)
 2.13 GHz
 cpu1:
 FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CF
 LUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16
 mainbus0: bus 0 is type PCI
 mainbus0: bus 9 is type PCI
 mainbus0: bus 10 is type PCI
 mainbus0: bus 13 is type PCI
 mainbus0: bus 14 is type PCI
 mainbus0: bus 15 is type PCI
 mainbus0: bus 16 is type ISA
 ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
 ioapic1 at mainbus0: apid 3 pa 0xfec1, version 20, 24 pins
 pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
 pchb0 at pci0 dev 0 function 0 Intel E7230 MCH rev 0xc0
 ppb0 at pci0 dev 1 function 0 Intel E7230 PCIE rev 0xc0
 pci1 at ppb0 bus 1
 ppb1 at pci0 dev 28 function 0 Intel 82801GB PCIE rev 0x01
 pci2 at ppb1 bus 9
 ppb2 at pci2 dev 0 function 0 Intel PCIE-PCIE rev 0x09
 pci3 at ppb2 bus 10
 em0 at pci3 dev 1 function 0 Intel PRO/1000GT (82541GI) rev 0x05: apic
 3 int 0  (irq 11), address 00:0e:0c:b6:80:9e
 Intel IOxAPIC rev 0x09 at pci2 dev 0 function 1 not configured
 ppb3 at pci0 dev 28 function 4 Intel 82801G PCIE rev 

GENERIC config failed in current

2007-03-29 Thread Jon Steel
Hi

When I installed the current version of the source, my computer froze
when starting up after the message mtrr: Pentium Pro MTRR support.
When I used the GENERIC config file that came with 4.0, everything
worked fine. Just wanted to let the developers know in case there is an
issue. My dmesg is included below.

Thanks

Jonathan Steel


OpenBSD 4.0 (GENERIC.MP) #936: Sat Sep 16 19:27:28 MDT 2006
 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
 cpu0: Intel(R) Core(TM)2 CPU 6400 @ 2.13GHz (GenuineIntel 686-class)
 2.13 GHz
 cpu0:
 FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CF
 LUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16
 real mem  = 2145869824 (2095576K)
 avail mem = 1949290496 (1903604K)
 using 4256 buffers containing 107397120 bytes (104880K) of memory
 mainbus0 (root)
 bios0 at mainbus0: AT/286+(e6) BIOS, date 10/30/06, BIOS32 rev. 0 @
 0xfd470, SMB IOS rev. 2.51 @ 0x7feea000 (33 entries)
 bios0: Supermicro PDSMi
 pcibios0 at bios0: rev 2.1 @ 0xfd470/0xb90
 pcibios0: PCI BIOS has 20 Interrupt Routing table entries
 pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801GB LPC rev 0x00)
 pcibios0: PCI bus #15 is the last bus
 bios0: ROM list: 0xc/0xb000 0xcb000/0x1000 0xcc000/0x1000
0xcd000/0x1000
 ipmi at mainbus0 not configured
 mainbus0: Intel MP Specification (Version 1.4) (INTELMUKILTEO)
 cpu0 at mainbus0: apid 0 (boot processor)
 cpu0: unknown Core FSB_FREQ value 0 (0x4208)
 cpu0: apic clock running at 266 MHz
 cpu1 at mainbus0: apid 1 (application processor)
 cpu1: Intel(R) Core(TM)2 CPU 6400 @ 2.13GHz (GenuineIntel 686-class)
 2.13 GHz
 cpu1:
 FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CF
 LUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16
 mainbus0: bus 0 is type PCI
 mainbus0: bus 9 is type PCI
 mainbus0: bus 10 is type PCI
 mainbus0: bus 13 is type PCI
 mainbus0: bus 14 is type PCI
 mainbus0: bus 15 is type PCI
 mainbus0: bus 16 is type ISA
 ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
 ioapic1 at mainbus0: apid 3 pa 0xfec1, version 20, 24 pins
 pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
 pchb0 at pci0 dev 0 function 0 Intel E7230 MCH rev 0xc0
 ppb0 at pci0 dev 1 function 0 Intel E7230 PCIE rev 0xc0
 pci1 at ppb0 bus 1
 ppb1 at pci0 dev 28 function 0 Intel 82801GB PCIE rev 0x01
 pci2 at ppb1 bus 9
 ppb2 at pci2 dev 0 function 0 Intel PCIE-PCIE rev 0x09
 pci3 at ppb2 bus 10
 em0 at pci3 dev 1 function 0 Intel PRO/1000GT (82541GI) rev 0x05: apic
 3 int 0  (irq 11), address 00:0e:0c:b6:80:9e
 Intel IOxAPIC rev 0x09 at pci2 dev 0 function 1 not configured
 ppb3 at pci0 dev 28 function 4 Intel 82801G PCIE rev 0x01
 pci4 at ppb3 bus 13
 em1 at pci4 dev 0 function 0 Intel PRO/1000MT (82573E) rev 0x03: apic
 2 int 16  (irq 11), address 00:30:48:8a:ca:f8
 ppb4 at pci0 dev 28 function 5 Intel 82801G PCIE rev 0x01
 pci5 at ppb4 bus 14
 em2 at pci5 dev 0 function 0 Intel PRO/1000MT (82573L) rev 0x00: apic
 2 int 17  (irq 11), address 00:30:48:8a:ca:f9
 uhci0 at pci0 dev 29 function 0 Intel 82801GB USB rev 0x01: apic 2 int
 23 (irq  10)
 usb0 at uhci0: USB revision 1.0
 uhub0 at usb0
 uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
 uhub0: 2 ports with 2 removable, self powered
 uhci1 at pci0 dev 29 function 1 Intel 82801GB USB rev 0x01: apic 2 int
 19 (irq  11)
 usb1 at uhci1: USB revision 1.0
 uhub1 at usb1
 uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
 uhub1: 2 ports with 2 removable, self powered
 uhci2 at pci0 dev 29 function 2 Intel 82801GB USB rev 0x01: apic 2 int
 18 (irq  5)
 usb2 at uhci2: USB revision 1.0
 uhub2 at usb2
 uhub2: Intel UHCI root hub, rev 1.00/1.00, addr 1
 uhub2: 2 ports with 2 removable, self powered
 uhci3 at pci0 dev 29 function 3 Intel 82801GB USB rev 0x01: apic 2 int
 16 (irq  11)
 usb3 at uhci3: USB revision 1.0
 uhub3 at usb3
 uhub3: Intel UHCI root hub, rev 1.00/1.00, addr 1
 uhub3: 2 ports with 2 removable, self powered
 ehci0 at pci0 dev 29 function 7 Intel 82801GB USB rev 0x01: apic 2 int
 23 (irq  10)
 usb4 at ehci0: USB revision 2.0
 uhub4 at usb4
 uhub4: Intel EHCI root hub, rev 2.00/1.00, addr 1
 uhub4: 8 ports with 8 removable, self powered
 ppb5 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0xe1
 pci6 at ppb5 bus 15
 vga1 at pci6 dev 0 function 0 ATI ES1000 rev 0x02
 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
 wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
 ichpcib0 at pci0 dev 31 function 0 Intel 82801GB LPC rev 0x01: PM
disabled
 pciide0 at pci0 dev 31 function 1 Intel 82801GB IDE rev 0x01: DMA,
 channel 0 c onfigured to compatibility, channel 1 configured to
 compatibility
 atapiscsi0 at pciide0 channel 0 drive 0
 scsibus0 at atapiscsi0: 2 targets
 cd0 at scsibus0 targ 0 lun 0: TEAC, CD-224E-N, 1.AA SCSI0 5/cdrom
 removable
 cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
 pciide0: channel 1 disabled (no drives)
 pciide1 at pci0 dev 31 

Re: Not getting much bandwidth through the firewall

2007-03-29 Thread Stefan Kell
Hi,

 Original Message 
Date: Wed, 28 Mar 2007 20:30:39 -0700 (PDT)
From: Watson Crick [EMAIL PROTECTED]
To: misc@openbsd.org
Subject: Not getting much bandwidth through the firewall

 Hi,
 
 I've got OpenBSD 4.0 (release) on a laptop set up as a router between 2
 subnets, and providing internet access through a 3rd nic to a DSL modem.
 The problem is the bandwidth between the two subnets.  I'm only getting a
 maximum of about 500 KB/s between two 100mbit cards.
 Top shows ~70% interrupt (~29% idle) while these transfers are going on.
 I don't know what the bottleneck is in the system.  Are the Linksys PCMCIA
 nics crappy? Did I screw something else up?
 
 As a test I turned off pf and did ftp transfers from the OpenBSD machine
 to/from each subnet, and the bandwidth was still limited to ~500 KB/s, so I
 don't think it's anything in my pf setup.
 
 Thanks  
 

There is a big difference in performance between 16bit and 32bit PCMCIA cards. 
From my experience you won't get anything higher than 1000KByte/sec from a 16bit 
card. I don't know the Linksys cards but you should test your setup with two 
32bit cards. And this has probably nothing to do with operating systems.

Regards

Stefan Kell



Re: Apple hardware support?

2007-03-29 Thread Mike Erdely

Otto Moerbeek wrote:

On Thu, 29 Mar 2007, Tasmanian Devil wrote:

The i386 GENERIC.MP kernel runs fine on Intel Macs. You just need to
enable ACPI with config -ef bsd.mp (or on the boot prompt).

This is not true. At least it has been reported that the MacBook Pro
with Core Duo 2 processor does not run.


Tas is right.  I have my MacBook Pro Core 2 Duo dual booting with OS X 
and OpenBSD (snap around 3/10).  I _think_ my installation process was 
this (since I didn't do make release with -current):

 1. Install 4.0 from the CD.
 2. Copy an ACPI-enabled bsd.rd to a CDROM, boot to OpenBSD and copy to 
the hard drive.

 3. Reboot and boot to bsd.rd and install the snapshot using FTP.

Note: Wifi did not work.  Video used VESA driver.  I didn't test much 
else.  Next time I get a chance, I'll send a dmesg to [EMAIL PROTECTED]



BTW, you can install OpenBSD on a BootCamp partition. After creating
the Bootcamp partition using the wizard, boot using the OpenBSD CD,
and in the fdisk step in the installer, set the partition type to A6,
make it active and update the MBR. 


I did this.

-ME



Re: SMP causing uvm_fault

2007-03-29 Thread Jon Steel
I forgot to add:

In the log of pmap.c I found

revision 1.97
date: 2007/02/20 21:15:01;  author: tom;  state: Exp;  lines: +204 -500
Revert PAE pmap for now, until the strange bug is found.  This stops
the freezes many of us are seeing (especially on amd64 machines running
OpenBSD/i386).

Much testing by nick@ (as always - thanks!), hugh@, ian@, kettenis@
and Sam Smith (s (at) msmith (dot) net).

Requested by, input from, and ok deraadt@  ok art@, kettenis@, miod@


What is the strange bug?

Thanks again


Jon Steel wrote:
 Hi

 I've finally got the current version running and the problem below has
 disappeared. I was wondering however if the problem has actually been
 solved.

 The line of code that I'm crashing on is line 3005 of pmap.c in version 4.0:

 3005    if (pve->pv_ptp && (PDE(pve->pv_pmap,
 3006        pdei(pve->pv_va)) & PG_FRAME) !=
 3007        VM_PAGE_TO_PHYS(pve->pv_ptp)) {

 Specifically it's crashing on PDE(pve->pv_pmap, pdei(pve->pv_va)) because
 of a page fault. This code has disappeared in -current, but does anybody
 who was working on this section of code know why I was having this
 problem or if it's been fixed?

 Thank you

 Jonathan  Steel


 Jon Steel wrote:
   
 Hi

 I'm having a very similar problem as the one reported in Bug Query 5374.
 I'm trying to solve the problem but I'm finding it very hard to even get
 started. Is there somewhere besides the code that I can start to try and
 understand how SMP is being handled?

 http://cvs.openbsd.org/cgi-bin/query-pr-wrapper?full=yes&numbers=5374

 I can usually duplicate the crash by running the following script several
 times concurrently.

 #!/usr/bin/perl

 system("tcpdump -i em1 -w /var/crashTest1.pcap");
 system("tcpdump -i em1 -w /var/crashTest2.pcap");
 system("tcpdump -i em1 -w /var/crashTest3.pcap");
 system("tcpdump -i em1 -w /var/crashTest4.pcap");
 system("tcpdump -i em1 -w /var/crashTest5.pcap");
 system("tcpdump -i em1 -w /var/crashTest6.pcap");
 system("tcpdump -i em1 -w /var/crashTest7.pcap");

 while (1) {
 system("nmap 192.168.66.90");
 }

 Then after about an hour, when you try and reboot, I get an error:

 uvm_fault(0x..., 0x..., 0, 1) - e
 kernel: page fault trap, code = 0
 stopped at pmap_page_remove_86+0x114:
 0(%eax, %edx, 4), %eax

 The trace output is:

 pmap_page_remove_86(d0d31420,c0,e9b57e2c,d04adeb9,e99f) at 
 pmap_page_remove_86+0x114
 uvm_vnp_terminate(d8034e04,0,0,0,0,14,0,d7e95004) at uvm_vnpterminate+0x31f
 uvm_attach(d8034e04,0,2,0,d7f38378) at uvn_attach+0x2b5
 uvm_unmap_detach(d7e959a4,0,d7f3841c,1) at uvm_unmap_detach+-x62
 uvmspace_free(d7f38378,6,d08120e0) at uvmspace_free+0xfd
 uvm_exit(d7fbb868,14,8,286) at uvm_exit+0x19
 reaper(d80df430) at reaper+0x90
 Bad frame pointer: 0xd0913eb8


 A couple times the error has also occurred on its own without saying
 'reboot' when running a ton of nmaps and tcpdumps at the same time.

 This trace is remarkably similar to the one in Bug Query 5374.
 Additionally I am using the same processor as he is. There is an unknown
 core statement in my dmesg but both cores seem to be working correctly.
 Here is my dmesg:

 OpenBSD 4.0 (GENERIC.MP) #936: Sat Sep 16 19:27:28 MDT 2006
 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
 cpu0: Intel(R) Core(TM)2 CPU 6400 @ 2.13GHz (GenuineIntel 686-class)
 2.13 GHz
 cpu0:
 FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CF
 LUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16
 real mem  = 2145869824 (2095576K)
 avail mem = 1949290496 (1903604K)
 using 4256 buffers containing 107397120 bytes (104880K) of memory
 mainbus0 (root)
 bios0 at mainbus0: AT/286+(e6) BIOS, date 10/30/06, BIOS32 rev. 0 @
 0xfd470, SMB IOS rev. 2.51 @ 0x7feea000 (33 entries)
 bios0: Supermicro PDSMi
 pcibios0 at bios0: rev 2.1 @ 0xfd470/0xb90
 pcibios0: PCI BIOS has 20 Interrupt Routing table entries
 pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801GB LPC rev 0x00)
 pcibios0: PCI bus #15 is the last bus
 bios0: ROM list: 0xc/0xb000 0xcb000/0x1000 0xcc000/0x1000 0xcd000/0x1000
 ipmi at mainbus0 not configured
 mainbus0: Intel MP Specification (Version 1.4) (INTELMUKILTEO)
 cpu0 at mainbus0: apid 0 (boot processor)
 cpu0: unknown Core FSB_FREQ value 0 (0x4208)
 cpu0: apic clock running at 266 MHz
 cpu1 at mainbus0: apid 1 (application processor)
 cpu1: Intel(R) Core(TM)2 CPU 6400 @ 2.13GHz (GenuineIntel 686-class)
 2.13 GHz
 cpu1:
 FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CF
 LUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16
 mainbus0: bus 0 is type PCI
 mainbus0: bus 9 is type PCI
 mainbus0: bus 10 is type PCI
 mainbus0: bus 13 is type PCI
 mainbus0: bus 14 is type PCI
 mainbus0: bus 15 is type PCI
 mainbus0: bus 16 is type ISA
 ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
 ioapic1 at mainbus0: apid 3 pa 0xfec1, version 20, 24 pins
 pci0 at mainbus0 bus 0: 

[OT] Re: Long WEP key

2007-03-29 Thread Damon McMahon

From: Nick ! [EMAIL PROTECTED]
Date: 29 March 2007 2:16:31 PM
To: OpenBSD-Misc misc@openbsd.org
Subject: Re: Long WEP key


On 3/29/07, Lars Hansson [EMAIL PROTECTED] wrote:


Maxime DERCHE wrote:
 IMHO you should think to configure your AP to provide a WAP-based
 encryption...

WAP-based encryption? Do you mean WPA?



And to answer the original question: because OpenBSD doesn't support
WPA, and Theo has claimed somewhere that I can never find the link to
that WPA gives a false sense of security anyway.

-Nick



From most of my reading a few months ago WPA-PSK is considered  
reasonably secure provided the pre-shared key is long enough... for  
some reason I can't find my references, but from memory depending on  
the source a minimum of around 34 to 39 random ASCII characters (50+  
alphanumeric characters) is quoted.


Obviously that's a very long passphrase in anyone's language and  
that's the problem. Most people (understandably) choose a passphrase  
at most one-third that length and in this situation WPA-PSK may be  
considered even less secure than the (deservedly) derided WEP.




Re: Long WEP key

2007-03-29 Thread Henning Brauer
* Siegbert Marschall [EMAIL PROTECTED] [2007-03-29 22:13]:
 If somebody does something bad with my unencrypted access-point
 using my internet-access, here in germany I am liable.

no, you're not. it's not that easy. (and I just leave mine wide open)

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: Video choppy with mplayer and vlc under xenocara?

2007-03-29 Thread Travers Buda
* viq [EMAIL PROTECTED] [2007-03-29 23:10:41]:

 Did anyone experience this? My box was able to play videos fine even
 when compiling under old XF4, and now after switching to xenocara both
 mplayer and vlc don't play videos smoothly...
 dmesg.boot attached, any other info I should provide?

I have a multi-head setup (mga,) and the xvideo extension is now only present 
on screen 0 with the new xenocara. You can check with xvinfo. I have not 
looked into this.

-- 
Travers Buda



Re: Apple hardware support?

2007-03-29 Thread David Given
Mike Erdely wrote:
[...]
 Tas is right.  I have my MacBook Pro Core 2 Duo dual booting with OS X
 and OpenBSD (snap around 3/10).  I _think_ my installation process was
 this (since I didn't do make release with -current):
  1. Install 4.0 from the CD.
  2. Copy an ACPI-enabled bsd.rd to a CDROM, boot to OpenBSD and copy to
 the hard drive.
  3. Reboot and boot to bsd.rd and install the snapshot using FTP.

 Note: Wifi did not work.  Video used VESA driver.  I didn't test much
 else.  Next time I get a chance, I'll send a dmesg to [EMAIL PROTECTED]

Good to know --- that means there's probably enough there to work, although
there's no guarantee that the Apple TV uses sane hardware with OpenBSD
drivers.

It's also worth pointing out that the Apple EFI implementation is... uh...
basic, and doesn't have things in it like the EFI shell, and until recently
didn't even have the legacy BIOS emulation. Which means there's no guarantee
that the Apple TV has it. Which means I may need a mechanism for booting the
OpenBSD kernel directly from EFI --- I don't suppose anyone has been thinking
about this? Or GPT partition table support?

If I'm really lucky the Apple TV EFI implementation will have a legacy BIOS
that will happily boot an MBR disk if it sees one. Do I really think that'll
happen? Hell no.

I suppose the only thing to do would be to get one and try it.

The only mention of Apple on the website is in relation to the macppc port,
BTW.

--
bbb o=o=o o=o=o=o=o=o=o=oo=o=o=
 bbb
http://www.cowlark.com
bbbbbbbbbbbbbbbbbbb
b Parents let children ride bicycles on the street. But parents do not
b allow children to hear vulgar words. Therefore we can deduce that cursing
b is more dangerous than being hit by a car. --- Scott Adams




dmesg for 29 10/100 Ethernet Ports in one PC

2007-03-29 Thread Sam Fourman Jr.

hello misc@

I bought a collection of old quad port NICS from Ebay and put them in
an old gateway server, just to see what would happen.

Everything worked great the only trouble I had was *if* the plug and
play os option in bios was set to yes. the GENERIC kernel will panic
on boot up, however with the plug and play os option in bios set to NO
I get the following dmesg.

anyone have any ideas on how to use pf to basically emulate a 10/100
switch (with built in firewall support :) )

any ideas are welcome.

Sam Fourman Jr.

below is a dmesg

OpenBSD 4.1-current (GENERIC) #1445: Thu Mar 22 11:06:59 MDT 2007
   [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium II (GenuineIntel 686-class, 512KB L2 cache) 400 MHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
real mem  = 402223104 (392796K)
avail mem = 358932480 (350520K)
using 4278 buffers containing 20234240 bytes (19760K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 03/01/99, BIOS32 rev. 0 @
0xfd840, SMBIOS rev. 2.2 @ 0xf2590 (29 entries)
bios0: Gateway ALR 7200
pcibios0 at bios0: rev 2.1 @ 0xfd840/0x7c0
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdef0/240 (13 entries)
pcibios0: PCI Interrupt Router at 000:02:0 (Intel 82371FB ISA rev 0x00)
pcibios0: PCI bus #9 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x5000 0xcd000/0x800
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82443BX AGP rev 0x03
ppb0 at pci0 dev 1 function 0 Intel 82443BX AGP rev 0x03
pci1 at ppb0 bus 1
pcib0 at pci0 dev 2 function 0 Intel 82371AB PIIX4 ISA rev 0x02
pciide0 at pci0 dev 2 function 1 Intel 82371AB IDE rev 0x01: DMA,
channel 0 wired to compatibility, channel 1 wired to compatibility
pciide0: channel 0 disabled (no drives)
pciide0: channel 1 disabled (no drives)
uhci0 at pci0 dev 2 function 2 Intel 82371AB USB rev 0x01: irq 11
piixpm0 at pci0 dev 2 function 3 Intel 82371AB Power rev 0x02: SMI
iic0 at piixpm0
fxp0 at pci0 dev 3 function 0 Intel 8255x rev 0x05, i82558: irq 9,
address 00:c0:0d:00:85:f4
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 0
vga1 at pci0 dev 4 function 0 Cirrus Logic CL-GD5430 rev 0x22
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb1 at pci0 dev 5 function 0 DEC 21150 PCI-PCI rev 0x04
pci2 at ppb1 bus 2
ahc0 at pci2 dev 1 function 0 Adaptec AIC-7890/1 U2 rev 0x00: irq 9
scsibus0 at ahc0: 16 targets
sd0 at scsibus0 targ 1 lun 0: IBM, DCAS-34330W, S61A SCSI2 0/direct fixed
sd0: 4134MB, 8205 cyl, 6 head, 171 sec, 512 bytes/sec, 8467200 sec total
ppb2 at pci2 dev 4 function 0 DEC 21152 PCI-PCI rev 0x03
pci3 at ppb2 bus 3
dc0 at pci3 dev 4 function 0 DEC 21142/3 rev 0x30: irq 9, address
00:c0:95:e1:03:28
dcphy0 at dc0 phy 31: internal PHY
dc1 at pci3 dev 5 function 0 DEC 21142/3 rev 0x30: irq 9, address
00:c0:95:e1:03:29
dcphy1 at dc1 phy 31: internal PHY
dc2 at pci3 dev 6 function 0 DEC 21142/3 rev 0x30: irq 10, address
00:c0:95:e1:03:2a
dcphy2 at dc2 phy 31: internal PHY
dc3 at pci3 dev 7 function 0 DEC 21142/3 rev 0x30: irq 11, address
00:c0:95:e1:03:2b
dcphy3 at dc3 phy 31: internal PHY
ppb3 at pci2 dev 5 function 0 DEC 21152 PCI-PCI rev 0x03
pci4 at ppb3 bus 4
dc4 at pci4 dev 4 function 0 DEC 21142/3 rev 0x41: irq 9, address
00:c0:95:e2:4f:04
dcphy4 at dc4 phy 31: internal PHY
dc5 at pci4 dev 5 function 0 DEC 21142/3 rev 0x41: irq 10, address
00:c0:95:e2:4f:05
dcphy5 at dc5 phy 31: internal PHY
dc6 at pci4 dev 6 function 0 DEC 21142/3 rev 0x41: irq 11, address
00:c0:95:e2:4f:06
dcphy6 at dc6 phy 31: internal PHY
dc7 at pci4 dev 7 function 0 DEC 21142/3 rev 0x41: irq 9, address
00:c0:95:e2:4f:07
dcphy7 at dc7 phy 31: internal PHY
ppb4 at pci2 dev 6 function 0 DEC 21152 PCI-PCI rev 0x03
pci5 at ppb4 bus 5
dc8 at pci5 dev 4 function 0 DEC 21142/3 rev 0x30: irq 10, address
00:c0:95:e0:bb:40
dcphy8 at dc8 phy 31: internal PHY
dc9 at pci5 dev 5 function 0 DEC 21142/3 rev 0x30: irq 11, address
00:c0:95:e0:bb:41
dcphy9 at dc9 phy 31: internal PHY
dc10 at pci5 dev 6 function 0 DEC 21142/3 rev 0x30: irq 9, address
00:c0:95:e0:bb:42
dcphy10 at dc10 phy 31: internal PHY
dc11 at pci5 dev 7 function 0 DEC 21142/3 rev 0x30: irq 9, address
00:c0:95:e0:bb:43
dcphy11 at dc11 phy 31: internal PHY
ppb5 at pci2 dev 7 function 0 DEC 21152 PCI-PCI rev 0x03
pci6 at ppb5 bus 6
de0 at pci6 dev 4 function 0 DEC 21140 rev 0x22, Cogent EM440TX
21140A pass 2.2: irq 11, address 00:00:d1:1f:d0:11
de1 at pci6 dev 5 function 0 DEC 21140 rev 0x22de2 at pci6 dev 6
function 0 DEC 21140 rev 0x22de3 at pci6 dev 7 function 0 DEC
21140 rev 0x22ahc1 at pci2 dev 9 function 0 Adaptec AIC-7890/1 U2
rev 0x00: irq 9
scsibus1 at ahc1: 16 targets
cd0 at scsibus1 targ 5 lun 0: PLEXTOR, CD-ROM PX-32TS, 1.03 SCSI2
5/cdrom removable
ppb6 at pci0 dev 18 function 0 DEC 21152 PCI-PCI rev 0x03
pci7 at ppb6 bus 7
de4 at pci7 dev 4 function 0 DEC 21140 rev 0x22, Cogent EM440TX
21140A pass 

Re: Long WEP key

2007-03-29 Thread Adam Hawes
 Right. As long as we understand that it sucks, it's OK to use? I know
 when I think about securing my data I'm interested in keeping only the
 average joes out.

I don't know about you, but I use wireless security as an extra layer.
It might suck, but it keeps the next door neighbour's laptop from
authenticating on my network without his (or my) permission. I just
tunnel a VPN over the top and route that through to the wired side.

Safe, secure, and it keeps average joe schmuck from always logging
onto my network then coming and complaining that I am hacking his
laptop when he sees it log onto my network.

WEP/WPA have their uses, just not in security.  If you understand that
you don't get any security you can add another layer! If you don't
understand it, then you're probably not qualified to be deploying a
wireless network anyway.

 Maybe it's OK to run telnetd so long as it's on port 10023 too?

Not funny: I've seen people advise moving the port number of all
sorts of services for security then recommending turning off
all of the inconvenient security options in the daemon now that it
is securely on another port that nobody will ever think to look at,
and if they do they won't know what server is there anyway.
This was from a supposed IT security expert..

A



Re: dmesg for 29 10/100 Ethernet Ports in one PC

2007-03-29 Thread Stuart Henderson
On 2007/03/29 18:57, Sam Fourman Jr. wrote:
 anyone have any ideas on how to use pf to basically emulate a 10/100
 switch (with built in firewall support :) )

bridge(4), brconfig(8).



Re: dmesg for 29 10/100 Ethernet Ports in one PC

2007-03-29 Thread Nick Holland
Sam Fourman Jr. wrote:
 hello misc@
 
 I bought a collection of old quad port NICS from Ebay and put them in
 a old gateway server, just to see what would happen.
 
 Everything worked great the only trouble I had was *if* the plug and
 play os option in bios was set to yes. the GENERIC kernel will panic
 on boot up, however with the plug and play os option in bios set to NO
 I get the following dmesg.
 
 anyone have any ideas on how to use pf to basically emulate a 10/100
 switch (with built in firewall support :) )
 
 any ideas are welcome.
 
 Sam Fourman Jr.

you have me beat there (I've done 20 dc(4) ports, 5xQuads a
few years ago).  Seven PCI slots? (assuming your fxp is on-board.)
Took me a while to find #29. :)   Wow.

Bridge 'em all together, you got yourself an unmanaged switch.
Add filtering, you got yourself something that is pretty
sophisticated, but before you get too carried away, keep in mind
you probably will run out of PCI bus bandwidth long before you
saturate more than a few of those NICs...  Plus, those things
generate a fair amount of heat, make sure air is flowing through
there while you are playing with it, hate to have you smoke a bunch
of cards you had plans for while having fun...


I simplified your dmesg a bit, I was having trouble finding a bunch
of the NICs due to odd wrapping problems.

fxp0 at pci0 dev 3 function 0 Intel 8255x rev 0x05, i82558: irq 9,
dc0 at pci3 dev 4 function 0 DEC 21142/3 rev 0x30: irq 9, address
dc1 at pci3 dev 5 function 0 DEC 21142/3 rev 0x30: irq 9, address
dc2 at pci3 dev 6 function 0 DEC 21142/3 rev 0x30: irq 10, address
dc3 at pci3 dev 7 function 0 DEC 21142/3 rev 0x30: irq 11, address
dc4 at pci4 dev 4 function 0 DEC 21142/3 rev 0x41: irq 9, address
dc5 at pci4 dev 5 function 0 DEC 21142/3 rev 0x41: irq 10, address
dc6 at pci4 dev 6 function 0 DEC 21142/3 rev 0x41: irq 11, address
dc7 at pci4 dev 7 function 0 DEC 21142/3 rev 0x41: irq 9, address
dc8 at pci5 dev 4 function 0 DEC 21142/3 rev 0x30: irq 10, address
dc9 at pci5 dev 5 function 0 DEC 21142/3 rev 0x30: irq 11, address
dc10 at pci5 dev 6 function 0 DEC 21142/3 rev 0x30: irq 9, address
dc11 at pci5 dev 7 function 0 DEC 21142/3 rev 0x30: irq 9, address
de0 at pci6 dev 4 function 0 DEC 21140 rev 0x22, Cogent EM440TX
de1 at pci6 dev 5 function 0 DEC 21140 rev 0x22
de2 at pci6 dev 6 function 0 DEC 21140 rev 0x22
de3 at pci6 dev 7 function 0 DEC 21140 rev 0x22
de4 at pci7 dev 4 function 0 DEC 21140 rev 0x22, Cogent EM440TX
de5 at pci7 dev 5 function 0 DEC 21140 rev 0x22
de6 at pci7 dev 6 function 0 DEC 21140 rev 0x22
de7 at pci7 dev 7 function 0 DEC 21140 rev 0x22
de8 at pci8 dev 4 function 0 DEC 21140 rev 0x22, Cogent EM440TX
de9 at pci8 dev 5 function 0 DEC 21140 rev 0x22
de10 at pci8 dev 6 function 0 DEC 21140 rev 0x22
de11 at pci8 dev 7 function 0 DEC 21140 rev 0x22
de12 at pci9 dev 4 function 0 DEC 21140 rev 0x22, Cogent EM440TX
de13 at pci9 dev 5 function 0 DEC 21140 rev 0x22
de14 at pci9 dev 6 function 0 DEC 21140 rev 0x22
de15 at pci9 dev 7 function 0 DEC 21140 rev 0x22


NICk.



Re: [OT] Re: Long WEP key

2007-03-29 Thread Sunnz

Actually I always use a sha1sum of a random file that I have and I
make sure I have that file on all my computers... should be random and
long enough?

2007/3/30, Damon McMahon [EMAIL PROTECTED]:

 From: Nick ! [EMAIL PROTECTED]
 Date: 29 March 2007 2:16:31 PM
 To: OpenBSD-Misc misc@openbsd.org
 Subject: Re: Long WEP key


 On 3/29/07, Lars Hansson [EMAIL PROTECTED] wrote:

 Maxime DERCHE wrote:
  IMHO you should think to configure your AP to provide a WAP-based
  encryption...

 WAP-based encryption? Do you mean WPA?


 And to answer the original question: because OpenBSD doesn't support
 WPA, and Theo has claimed somewhere that I can never find the link to
 that WPA gives a false sense of security anyway.

 -Nick


 From most of my reading a few months ago WPA-PSK is considered
reasonably secure provided the pre-shared key is long enough... for
some reason I can't find my references, but from memory depending on
the source a minimum of around 34 to 39 random ASCII characters (50+
alphanumeric characters) is quoted.

Obviously that's a very long passphrase in anyone's language and
that's the problem. Most people (understandably) choose a passphrase
at most one-third that length and in this situation WPA-PSK may be
considered even less secure than the (deservedly) derided WEP.





--
Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html



Re: [OT] Re: Long WEP key

2007-03-29 Thread Jeremy Huiskamp
The obvious problem with that is that you're only choosing a limited  
character and we all know it now ;).  Also, what's your definition of  
random file?


Jeremy

On 29-Mar-07, at 9:58 PM, Sunnz wrote:

Actually I always uses a sha1sum of a random file that I have and I
make sure I have that file on all my computers... should be random and
long enough?

2007/3/30, Damon McMahon [EMAIL PROTECTED]:

 From: Nick ! [EMAIL PROTECTED]
 Date: 29 March 2007 2:16:31 PM
 To: OpenBSD-Misc misc@openbsd.org
 Subject: Re: Long WEP key


 On 3/29/07, Lars Hansson [EMAIL PROTECTED] wrote:

 Maxime DERCHE wrote:
  IMHO you should think to configure your AP to provide a WAP- 
based

  encryption...

 WAP-based encryption? Do you mean WPA?


 And to answer the original question: because OpenBSD doesn't  
support
 WPA, and Theo has claimed somewhere that I can never find the  
link to

 that WPA gives a false sense of security anyway.

 -Nick


 From most of my reading a few months ago WPA-PSK is considered
reasonably secure provided the pre-shared key is long enough... for
some reason I can't find my references, but from memory depending on
the source a minimum of around 34 to 39 random ASCII characters (50+
alphanumeric characters) is quoted.

Obviously that's a very long passphrase in anyone's language and
that's the problem. Most people (understandably) choose a passphrase
at most one-third that length and in this situation WPA-PSK may be
considered even less secure than the (deservedly) derided WEP.





--
Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html




Re: Long WEP key

2007-03-29 Thread Lars Hansson

Jeremy Huiskamp wrote:

I'd like to hear an actual developer position on that statement.


Check the archives for Reyk's comments on WPA. It will be in OpenBSD one 
day because, secure or not, it is gaining traction and is/will be 
required by  many AP's (especially enterprise AP's).


---
Lars Hansson



Re: [OT] Re: Long WEP key

2007-03-29 Thread Jeremy Huiskamp
Um, excuse my poor writing.  I meant .. choosing from a limited  
character set ...


On 29-Mar-07, at 10:35 PM, I wrote:
The obvious problem with that is that you're only choosing a  
limited character and we all know it now ;).  Also, what's your  
definition of random file?


Jeremy

On 29-Mar-07, at 9:58 PM, Sunnz wrote:

Actually I always uses a sha1sum of a random file that I have and I
make sure I have that file on all my computers... should be random  
and

long enough?

2007/3/30, Damon McMahon [EMAIL PROTECTED]:

 From: Nick ! [EMAIL PROTECTED]
 Date: 29 March 2007 2:16:31 PM
 To: OpenBSD-Misc misc@openbsd.org
 Subject: Re: Long WEP key


 On 3/29/07, Lars Hansson [EMAIL PROTECTED] wrote:

 Maxime DERCHE wrote:
  IMHO you should think to configure your AP to provide a WAP- 
based

  encryption...

 WAP-based encryption? Do you mean WPA?


 And to answer the original question: because OpenBSD doesn't  
support
 WPA, and Theo has claimed somewhere that I can never find the  
link to

 that WPA gives a false sense of security anyway.

 -Nick


 From most of my reading a few months ago WPA-PSK is considered
reasonably secure provided the pre-shared key is long enough... for
some reason I can't find my references, but from memory depending on
the source a minimum of around 34 to 39 random ASCII characters (50+
alphanumeric characters) is quoted.

Obviously that's a very long passphrase in anyone's language and
that's the problem. Most people (understandably) choose a passphrase
at most one-third that length and in this situation WPA-PSK may be
considered even less secure than the (deservedly) derided WEP.





--
Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html




Re: dmesg for 29 10/100 Ethernet Ports in one PC

2007-03-29 Thread J.C. Roberts
On Thursday 29 March 2007 16:57, Sam Fourman Jr. wrote:
 Everything worked great the only trouble I had was *if* the plug and
 play os option in bios was set to yes. the GENERIC kernel will panic
 on boot up, however with the plug and play os option in bios set to
 NO I get the following dmesg.

Sam,

You didn't specifically mention model numbers, so I'm unable to check if 
this is even applicable; you might want to try making sure each of the 
cards is running current firmware. Depending on the mfg age (and/or 
firmware revision), this *might* make a difference to plug-n-play. Same 
is true for your system bios firmware.

It's a long shot but worth a try.

Also clearing the system cache of ACPI data in the bios, then adding the 
cards one at a time might help to get past the pnp conflict (i.e. 
conflict is stored).

The largest test I've done was years ago with 20+ ports with various 
brands of NIC's. It works but you need to realize the limitations of 
your PCI buses. If you try to do max bandwidth across all ports, you 
can expect poor performance since you will be saturating the PCI buses.

-jcr



Re: Not getting much bandwidth through the firewall

2007-03-29 Thread Siju George

On 3/30/07, Ted Unangst [EMAIL PROTECTED] wrote:

On 3/29/07, Siju George [EMAIL PROTECTED] wrote:
 On 3/29/07, Kyle George [EMAIL PROTECTED] wrote:
  On Wed, 28 Mar 2007, Watson Crick wrote:
 
   I've got OpenBSD 4.0 (release) on a laptop setup up as a router between
   2 subnets, and providing internet access through a 3rd nic to a DSL
   modem. The problem is the bandwidth between the two subnets.  I'm only
   getting a maximum of about 500 KB/s between two 100mbit cards. Top

 If you have an ISP that gives you IP address ( using PPPOE ) is there
 a way to measure or detect the values on the ISP's side?

why the hell does the isp matter routing when between two local subnets?



:-) I was asking another thing

I have an Internet Connection 1Mbps.
If I connect a Windows XP to it I get about 800Kbps Speed but on
OpenBSD it never Goes beyond 380Kbps.

I have another ISP with 1 Mbps Speed Connection.
Both Windows XP and OpenBSD shows around 800 Kbps Speed when
Connected Directly to it.

So was just wondering what the cause is :-)
Just wondering if

Increasing net.inet.tcp.{send,recv}space.

would solve the problem.

Thanks tedu for your response :-)

Kind Regards

Siju



Re: dmesg for 29 10/100 Ethernet Ports in one PC

2007-03-29 Thread Reyk Floeter
On Thu, Mar 29, 2007 at 06:57:17PM -0500, Sam Fourman Jr. wrote:
 hello misc@
 
 I bought a collection of old quad port NICS from Ebay and put them in
 a old gateway server, just to see what would happen.
 
 Everything worked great the only trouble I had was *if* the plug and
 play os option in bios was set to yes. the GENERIC kernel will panic
 on boot up, however with the plug and play os option in bios set to NO
 I get the following dmesg.
 

fun!

 anyone have any ideas on how to use pf to basically emulate a 10/100
 switch (with built in firewall support :) )
 

your backplane will be a bit slow...

 any ideas are welcome.
 
 Sam Fourman Jr.
 

feedback about tests with the new RSTP bridge code is welcome...
(simply start a bridge, add all ports, enable stp on all ports [rstp
is the new default], and plug in some random ethernet devices, dhcp
servers and whatever).

reyk

 below is a dmesg
 
 OpenBSD 4.1-current (GENERIC) #1445: Thu Mar 22 11:06:59 MDT 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
 cpu0: Intel Pentium II (GenuineIntel 686-class, 512KB L2 cache) 400 MHz
 cpu0: 
 FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
 real mem  = 402223104 (392796K)
 avail mem = 358932480 (350520K)
 using 4278 buffers containing 20234240 bytes (19760K) of memory
 mainbus0 (root)
 bios0 at mainbus0: AT/286+ BIOS, date 03/01/99, BIOS32 rev. 0 @
 0xfd840, SMBIOS rev. 2.2 @ 0xf2590 (29 entries)
 bios0: Gateway ALR 7200
 pcibios0 at bios0: rev 2.1 @ 0xfd840/0x7c0
 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdef0/240 (13 entries)
 pcibios0: PCI Interrupt Router at 000:02:0 (Intel 82371FB ISA rev 0x00)
 pcibios0: PCI bus #9 is the last bus
 bios0: ROM list: 0xc/0x8000 0xc8000/0x5000 0xcd000/0x800
 cpu0 at mainbus0
 pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
 pchb0 at pci0 dev 0 function 0 Intel 82443BX AGP rev 0x03
 ppb0 at pci0 dev 1 function 0 Intel 82443BX AGP rev 0x03
 pci1 at ppb0 bus 1
 pcib0 at pci0 dev 2 function 0 Intel 82371AB PIIX4 ISA rev 0x02
 pciide0 at pci0 dev 2 function 1 Intel 82371AB IDE rev 0x01: DMA,
 channel 0 wired to compatibility, channel 1 wired to compatibility
 pciide0: channel 0 disabled (no drives)
 pciide0: channel 1 disabled (no drives)
 uhci0 at pci0 dev 2 function 2 Intel 82371AB USB rev 0x01: irq 11
 piixpm0 at pci0 dev 2 function 3 Intel 82371AB Power rev 0x02: SMI
 iic0 at piixpm0
 fxp0 at pci0 dev 3 function 0 Intel 8255x rev 0x05, i82558: irq 9,
 address 00:c0:0d:00:85:f4
 inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 0
 vga1 at pci0 dev 4 function 0 Cirrus Logic CL-GD5430 rev 0x22
 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
 wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
 ppb1 at pci0 dev 5 function 0 DEC 21150 PCI-PCI rev 0x04
 pci2 at ppb1 bus 2
 ahc0 at pci2 dev 1 function 0 Adaptec AIC-7890/1 U2 rev 0x00: irq 9
 scsibus0 at ahc0: 16 targets
 sd0 at scsibus0 targ 1 lun 0: IBM, DCAS-34330W, S61A SCSI2 0/direct fixed
 sd0: 4134MB, 8205 cyl, 6 head, 171 sec, 512 bytes/sec, 8467200 sec total
 ppb2 at pci2 dev 4 function 0 DEC 21152 PCI-PCI rev 0x03
 pci3 at ppb2 bus 3
 dc0 at pci3 dev 4 function 0 DEC 21142/3 rev 0x30: irq 9, address
 00:c0:95:e1:03:28
 dcphy0 at dc0 phy 31: internal PHY
 dc1 at pci3 dev 5 function 0 DEC 21142/3 rev 0x30: irq 9, address
 00:c0:95:e1:03:29
 dcphy1 at dc1 phy 31: internal PHY
 dc2 at pci3 dev 6 function 0 DEC 21142/3 rev 0x30: irq 10, address
 00:c0:95:e1:03:2a
 dcphy2 at dc2 phy 31: internal PHY
 dc3 at pci3 dev 7 function 0 DEC 21142/3 rev 0x30: irq 11, address
 00:c0:95:e1:03:2b
 dcphy3 at dc3 phy 31: internal PHY
 ppb3 at pci2 dev 5 function 0 DEC 21152 PCI-PCI rev 0x03
 pci4 at ppb3 bus 4
 dc4 at pci4 dev 4 function 0 DEC 21142/3 rev 0x41: irq 9, address
 00:c0:95:e2:4f:04
 dcphy4 at dc4 phy 31: internal PHY
 dc5 at pci4 dev 5 function 0 DEC 21142/3 rev 0x41: irq 10, address
 00:c0:95:e2:4f:05
 dcphy5 at dc5 phy 31: internal PHY
 dc6 at pci4 dev 6 function 0 DEC 21142/3 rev 0x41: irq 11, address
 00:c0:95:e2:4f:06
 dcphy6 at dc6 phy 31: internal PHY
 dc7 at pci4 dev 7 function 0 DEC 21142/3 rev 0x41: irq 9, address
 00:c0:95:e2:4f:07
 dcphy7 at dc7 phy 31: internal PHY
 ppb4 at pci2 dev 6 function 0 DEC 21152 PCI-PCI rev 0x03
 pci5 at ppb4 bus 5
 dc8 at pci5 dev 4 function 0 DEC 21142/3 rev 0x30: irq 10, address
 00:c0:95:e0:bb:40
 dcphy8 at dc8 phy 31: internal PHY
 dc9 at pci5 dev 5 function 0 DEC 21142/3 rev 0x30: irq 11, address
 00:c0:95:e0:bb:41
 dcphy9 at dc9 phy 31: internal PHY
 dc10 at pci5 dev 6 function 0 DEC 21142/3 rev 0x30: irq 9, address
 00:c0:95:e0:bb:42
 dcphy10 at dc10 phy 31: internal PHY
 dc11 at pci5 dev 7 function 0 DEC 21142/3 rev 0x30: irq 9, address
 00:c0:95:e0:bb:43
 dcphy11 at dc11 phy 31: internal PHY
 ppb5 at pci2 dev 7 function 0 DEC 21152 PCI-PCI rev 0x03
 pci6 at ppb5 bus 6
 de0 at pci6 dev 4 function 0 DEC 21140 rev 0x22, Cogent EM440TX
 21140A pass 2.2: irq 11, address 00:00:d1:1f:d0:11
 de1 at pci6 dev 5 function 

Re: dmesg for 29 10/100 Ethernet Ports in one PC

2007-03-29 Thread J.C. Roberts
On Thursday 29 March 2007 21:06, J.C. Roberts wrote:
 On Thursday 29 March 2007 16:57, Sam Fourman Jr. wrote:
  Everything worked great the only trouble I had was *if* the plug
  and play os option in bios was set to yes. the GENERIC kernel will
  panic on boot up, however with the plug and play os option in bios
  set to NO I get the following dmesg.

 Sam,

 You didn't specifically mention model numbers, so I'm unable to check
 if this is even applicable; you might want to try making sure each of
 the cards is running current firmware. Depending on the mfg age
 (and/or firmware revision), this *might* make a difference to
 plug-n-play. Same is true for your system bios firmware.

 It's a long shot but worth a try.

 Also clearing the system cache of ACPI data in the bios, then adding
 the cards one at a time might help to get past the pnp conflict (i.e.
 conflict is stored).

 The largest test I've done was years ago with 20+ ports with various
 brands of NIC's. It works but you need to realize the limitations of
 your PCI buses. If you try to do max bandwidth across all ports, you
 can expect poor performance since you will be saturating the PCI
 buses.

 -jcr

crap! s/ACPI/ESCD

The problematic configuration data can be cached/stored in the Extended 
System Configuration Data (ESCD), not the ACPI. Sorry for the brain 
fade.

jcr



Re: encrypted svnd and disk throughput

2007-03-29 Thread Tobias Weingartner
In article [EMAIL PROTECTED], Jacob Yocom-Piatt wrote:
  MachineSize K/sec %CP K/sec %CP K/sec %CP K/sec %CP K/sec %CP  
  databank.x 300M 18877  91 22440  71 11985  77 20317  75 30745  68 

--

You have a 150MB (roughly) machine?

  processor and 1 GB of 400 MHz DDR2 RAM on i386 4.0-release.

Oh, nope.

  if there is anything further that i can do to up the write and read 
  speeds of these drives besides what i've mentioned above, please let me 
  know.

Use a larger test case to test your hypothesis.

  using 4256 buffers containing 53764096 bytes (52504K) of memory

So, out of your 300MB test, 52MB was likely cached in various ways.


That being said, svnd/vnd devices have not really been optimized for
speed.  They are there and work, but could likely stand to be changed
and developed significantly.

-- 
 [100~Plax]sb16i0A2172656B63616820636420726568746F6E61207473754A[dZ1!=b]salax



Re: Long WEP key

2007-03-29 Thread Simon Effenberg
On Fri, Mar 30, 2007 at 01:03:32AM +0200, Henning Brauer wrote:
 * Siegbert Marschall [EMAIL PROTECTED] [2007-03-29 22:13]:
  If somebody does something bad with my unencrypted access-point
  using my internet-access, here in germany I am liable.
 
 no, you're not. it's not that easy. (and I just leave mine wide open)

How do you know that?

http://www.ifross.de/ifross_html/art28.pdf (sorry, all in German)

The last chapter.

I thought about it like Siegbert does. But I'm not sure about it all.

-- 
GnuPG: 5755FB64

Per aspera ad astra.



Re: Long WEP key

2007-03-29 Thread Eric Dillenseger
On Fri, Mar 30, 2007 at 10:51:23AM +0800, Lars Hansson wrote:
 Jeremy Huiskamp wrote:
 I'd like to hear an actual developer position on that statement.
 
 Check the archives for Reyk's comments on WPA. It will be in OpenBSD one 
 day because, secure or not, it is gaining traction and is/will be 
 required by  many AP's (especially enterprise AP's).
 
 ---
 Lars Hansson
 

Why bother adding WPA when you can turn many wlan cards into AP-mode and
have an OpenBSD box serve wireless computers with IPsec capabilities.
You then have an AP with many more capabilities than any
linksys/netgear/whatever AP.

And btw, as I can't control radio waves, I consider it inherently
insecure. Therefore I don't leave sensitive data traveling in the air.

-- 
Linux is for Windows(c) haters while BSD is for UNIX lovers.
http://teardrop.free.fr/



Re: Apple hardware support?

2007-03-29 Thread Otto Moerbeek
On Thu, 29 Mar 2007, Mike Erdely wrote:

 Otto Moerbeek wrote:
  On Thu, 29 Mar 2007, Tasmanian Devil wrote:
   The i386 GENERIC.MP kernel runs fine on Intel Macs. You just need to
   enable ACPI with config -ef bsd.mp (or on the boot prompt).
  This is not true. At least it has been reported that the MacBook Pro
  with Core Duo 2 processor does not run.
 
 Tas is right.  I have my MacBook Pro Core 2 Duo dual booting with OS X and
 OpenBSD (snap around 3/10).  I _think_ my installation process was this (since
 I didn't do make release with -current):
  1. Install 4.0 from the CD.
  2. Copy an ACPI-enabled bsd.rd to a CDROM, boot to OpenBSD and copy to the
 hard drive.
  3. Reboot and boot to bsd.rd and install the snapshot using FTP.

That's different than the report from Jason Dixon. He was trying
current bsd.rd. Anyway, as you mention some problems remain. To me the
most annoying is the UKC prompt not working, which means you can't
enable ACPI on a stock bsd.rd and you have to compile a bsd.rd with
ACPI enabled.

Other than that my MacBook (with Core Duo (no 2)) works quite ok,
apart from the sound and wireless, which do not work.  Even X works,
but you'll have to use the 915 resolution port to get native
resolution. 

-Otto

 
 Note: Wifi did not work.  Video used VESA driver.  I didn't test much else.
 Next time I get a chance, I'll send a dmesg to [EMAIL PROTECTED]
 
  BTW, you can install OpenBSD on a BootCamp partition. After creating
  the Bootcamp partition using the wizard, boot using the OpenBSD CD,
  and in the fdisk step in the installer, set the partition type to A6,
  make it active and update the MBR. 
 
 I did this.
 
 -ME



Re: encrypted svnd and disk throughput

2007-03-29 Thread Tasmanian Devil

have done a bit of testing with bonnie++ on encrypted svnd devices


Very interesting devices, I made first tests with them, too.


if anyone else has gotten similar performance results i'd like to see them.


Yes, I had similar results. I had a MySQL database running on an
encrypted SVND, and though I didn't measure it precisely, I had
roughly 15 seconds for a query with the database files on the
encrypted device and roughly 5 seconds for the same query with the
files directly on the harddisk.

But it all depends on what you want to do with it. If you have static
files, e.g. for a download page on a webserver, you can copy them to a
RAM disk (mfs) before starting the webserver (add a GB RAM if
necessary), and you won't care about the svnd speed anymore as it
gets read only once at startup.

In my case, which will most probably be a MySQL database, I'll
experiment also with a RAM disk soon: I'll create the RAM disk with
the database files from the encrypted disk and start MySQL with the
files in RAM (which should be quite fast as long as there's enough
RAM) and copy them back with a script after shutting down MySQL.
Additionally I'll run a second MySQL server as a slave, probably as a
first test even on the same machine, for database replication directly
to the encrypted disk. Performance is quite unimportant for the
replication server in my case and it doesn't affect the master at all,
it just reads the master's log files (from the RAM disk) and keeps a
database copy for the case of power failure.

I'm quite sure there are more workarounds depending on what you want
to do with your encrypted data, but if you want to use
encryption, it will always be slower on the same hardware. That's the
price for encryption, at least that's how I see it.

Tas.
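
The RAM-disk staging described in the message above, as an added example that is not part of the original post or the poster's own script. It assumes the encrypted svnd and the mfs RAM disk are already mounted and that the database is stopped around each call; the function names and directory arguments are hypothetical.

```shell
#!/bin/sh
# Added example. ENC is a data directory on the mounted encrypted svnd and
# RAM a directory on the mounted mfs RAM disk; both paths are hypothetical.

# Print a sorted "checksum size path" line for every file under $1.
manifest() {
    (cd "$1" && find . -type f -exec cksum {} + | sort -k 3)
}

# Copy tree $1 into $2, then require identical manifests on both sides.
copy_verified() {
    src=$1; dst=$2
    [ -d "$src" ] || return 1
    mkdir -p "$dst" && cp -Rp "$src/." "$dst/" || return 1
    [ "$(manifest "$src")" = "$(manifest "$dst")" ]
}

# Startup, before the database is started: encrypted disk -> RAM disk.
stage_in() {
    copy_verified "$1" "$2"
}

# Shutdown, after the database has stopped: RAM disk -> encrypted disk.
# An empty RAM disk (for example after a reboot) is refused, and the new copy
# is swapped in only once it verifies, so the last good encrypted copy
# survives any failure.
stage_out() {
    ram=$1; enc=$2; new="$enc.new.$$"; old="$enc.old.$$"
    [ -n "$(manifest "$ram" 2>/dev/null)" ] || return 1
    rm -rf "$new"
    if ! copy_verified "$ram" "$new"; then
        rm -rf "$new"
        return 1
    fi
    mv "$enc" "$old" && mv "$new" "$enc" && rm -rf "$old"
}
```

The data directory has to sit below the svnd mount point rather than be the mount point itself, so that the final rename stays on the encrypted filesystem.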



Re: [OT] Long WEP key

2007-03-29 Thread Adam Hawes
  no, you're not. it's not that easy. (and I just leave mine
 wide open)

As far as I know, if you leave it open you're not liable because
you cannot prove who would have strolled by.  If you put any
sort of security at all to prevent outsiders it can be reasonably
assumed that you were the person who did whatever you did...

Now, I am not a lawyer but I have had interesting discussions with
legal types about it.  There are mixed views and there was no precedent
last we discussed it.

A



AVG 7.0 for Lotus Notes found a virus in the attachment:

2007-03-29 Thread F1EDVLOTUSSRV/GRAZ/PEWAG
From: misc@openbsd.org
To: [EMAIL PROTECTED]
Date received: 29.03.2007 07:28:37
Subject: [SPAM detected by Phion] Returned mail: Data format error
Virus identified: I-Worm/Mydoom.O detected in attachment pewag.com.zip