mp setperf splipi

2007-05-17 Thread giovanni

I was very curious about the implementation so I've read it.
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/arch/i386/i386/mp_setperf.c?rev=1.2&content-type=text/x-cvsweb-markup

well, I was wondering why the splipi() is necessary when we are already
at IPL_HIGH?

...
s = splipi();
ul_setperf(mp_setperflevel);
splx(s);
...

thanks,

--
giovanni



named lookup failures through pf fw

2007-05-17 Thread scorch
i seem to be having a dns/fw issues that i can't figure out.

basically, wifi clients can't lookup dns successfully unless the entry 
is already cached on the openbsd 4.0 box first.

this has just started after introducing a new firewall config but i have 
_no_ idea what the difference between a fresh vs cached lookup should be 
from the client side! this is surely a misunderstanding on my part. can 
you see what i'm missing?

what's there:
openbsd 4.0 dns servers 10.0.0.11 & 12
openbsd 4.1 firewall
  sis2    internet, 121.73.27.x
  sis1/2  bridged 10.0.0.11 & 12 via crossover
  ath0    wifi 172.16.x.x dhcp for clients

dhcp side:
the clients (macos, windows, whatever) receive a dhcp address & can
access services such as email on the 10.x network, and anything on the
internet via IP address.

but when a name lookup is done from 172. to the 10. dns servers, the
request goes through to the 10. dns server just fine - which then
replies with a 'not found' type error. running the same lookup again on
the 10. dns server directly works. then re-running the same query from
the client side retrieves the new cached version correctly.

presumably the fw rules are ok as traffic is passing each time. but what 
am i missing?

i've not changed the dns servers since 3.9, but there is a new pfSense
firewall in between.

pf.conf & named.conf follow the dns trace.

en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 tunnel inet  --
 inet 172.16.0.10 netmask 0xff00 broadcast 172.16.0.255
 ether 00:19:e3:0f:1a:6b
 media: autoselect status: active
 supported media: autoselect
 vlan: 0 parent interface: none
 bond interfaces: none


non-cached from client:
May 17 07:19:52.391667 172.16.0.10.49319 > 10.0.0.11.53: [udp sum ok] 21247+ A? www.novell.com. (32) (ttl 63, id 17885, len 60)

return to client:
May 17 07:19:52.392233 10.0.0.11.53 > 172.16.0.10.49319: 21247- 0/13/13 (451) (ttl 64, id 20192, len 479)

non-cached from dns server:
May 17 07:20:08.675725 10.0.0.2.40578 > 203.96.152.4.53: [udp sum ok] 13112+ [1au] A? www.novell.com. (43) (ttl 64, id 6400, len 71)

reply from dns forwarder:
May 17 07:20:08.686623 203.96.152.4.53 > 10.0.0.2.40578: 13112 1/3/3 www.novell.com. A 130.57.5.25 (162) (DF) (ttl 124, id 11878, len 190)

cached from client:
May 17 07:20:13.695183 172.16.0.10.49320 > 10.0.0.11.53: [udp sum ok] 50027+ A? www.novell.com. (32) (ttl 63, id 17961, len 60)

cached reply from dns server:
May 17 07:20:13.695563 10.0.0.11.53 > 172.16.0.10.49320: 50027- 1/3/2 www.novell.com. A 130.57.5.25 (151) (ttl 64, id 18118, len 179)


pf.conf
===
#   $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.


# macro definitions

# interfaces

ext_if  = sis2
wii_if  = ath0
dmz_if  = { sis0 sis1 bridge0 }
int_if  = { sis0 sis1 bridge0 ath0 }

# networks
ext_nw = { 121.73.27.0/24 }
wii_nw = { 172.16.0.0/24 }
dmz_nw = { 10.0.0.0/24 }
int_nw = { 10.0.0.0/24 172.16.0.0/24 }

# dmz hosts
dmz_web  = 10.0.0.20
dmz_mail = 10.0.0.21
dmz_ssh  = 10.0.0.31

# port groups
mail_ports  = { imap, imaps, smtp }
web_ports   = { http, https }

# tables


table <spamd-white> persist
table <internal_net> persist { 10.0.0.0/24, 172.16.0.0/24 }


# options


set skip on lo
set require-order yes
set block-policy drop
set optimization normal
set loginterface none
set loginterface ath0


# normalisation


scrub in all
scrub out all


# translation & redirection


nat on $ext_if inet proto { icmp, tcp, udp } \
    from !($ext_if) -> ($ext_if:0)
rdr pass on $ext_if inet proto tcp \
    from any to $ext_nw port $web_ports -> $dmz_web
rdr pass on $ext_if inet proto tcp \
    from any to $ext_nw port $mail_ports -> $dmz_mail
rdr pass on $ext_if inet proto tcp \
    from any to $ext_nw port ssh -> $dmz_ssh


# filtering


block in all
block out log all

block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

# block 

Re: named lookup failures through pf fw

2007-05-17 Thread Mats O Jansson
On Thu, 17 May 2007 [EMAIL PROTECTED] wrote:

 i seem to be having a dns/fw issues that i can't figure out.
 
 basically, wifi clients can't lookup dns successfully unless the entry 
 is already cached on the openbsd 4.0 box first.

I guess you have to add the wifi network in the acl clients list in
named.conf.

-moj

Re: named lookup failures through pf fw [RESOLVED]

2007-05-17 Thread scorch
On Thu, May 17, 2007 at 10:42:46AM +0200, Mats O Jansson wrote:
 On Thu, 17 May 2007 [EMAIL PROTECTED] wrote:
 
  i seem to be having a dns/fw issues that i can't figure out.
  
  basically, wifi clients can't lookup dns successfully unless the entry 
  is already cached on the openbsd 4.0 box first.
 
 I guess you have to add the wifi network in the acl clients list in
 named.conf.
 
 -moj
thanks Mats,

sorted!

a+
scorch
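An added example, not from the thread, that classifies tcpdump DNS reply summaries like those in the trace: a reply with a trailing '-' after the id (RA bit clear), 0 answers and 13 authority records is the root referral BIND hands a client it will not recurse for, the symptom the named.conf acl change fixed, while the cached '1/3/2' reply (still '-') is why already-cached names worked. The trace below is constructed, and the only assumption is tcpdump's documented DNS summary format.

```shell
#!/bin/sh
# Classify tcpdump(8) DNS reply summaries to spot a resolver that hands out
# referrals instead of recursing for a client. Assumed (tcpdump's documented
# format): after the query id, '-' means the RA (recursion available) bit is
# clear, and an/ns/ar are the answer, authority and additional record counts.

# classify_dns_reply LINE: prints one of
#   referral-recursion-refused  no answers, authority records, RA clear
#   cache-only-no-recursion     answers served but RA clear (cached name)
#   answered                    answers with RA set
#   empty                       a reply with no answers and no referral
#   not-a-reply                 a query line or anything else
classify_dns_reply() {
    printf '%s\n' "$1" | awk '
    {
        for (i = 1; i < NF; i++) {
            # reply id token with optional flag chars, followed by an/ns/ar
            if ($i ~ /^[0-9]+[-+*$|]*$/ && $(i+1) ~ /^[0-9]+\/[0-9]+\/[0-9]+$/) {
                flags = $i
                sub(/^[0-9]+/, "", flags)
                split($(i+1), c, "/")
                ra = (index(flags, "-") == 0)
                if (c[1] == 0 && c[2] > 0 && !ra) { print "referral-recursion-refused"; exit }
                if (c[1] > 0 && !ra)              { print "cache-only-no-recursion"; exit }
                if (c[1] > 0)                     { print "answered"; exit }
                print "empty"; exit
            }
        }
        print "not-a-reply"
    }'
}

# count_refused SERVER_IP < trace: number of referral-only replies sent from
# SERVER_IP port 53, i.e. how many lookups it declined to recurse for.
count_refused() {
    n=0
    while IFS= read -r line; do
        case "$line" in
            *" $1.53 > "*)
                [ "$(classify_dns_reply "$line")" = "referral-recursion-refused" ] && n=$((n + 1))
                ;;
        esac
    done
    echo "$n"
}

# Constructed sample modelled on the thread's trace (not a real capture).
SAMPLE_TRACE='07:19:52.391667 172.16.0.10.49319 > 10.0.0.11.53: [udp sum ok] 21247+ A? www.novell.com. (32)
07:19:52.392233 10.0.0.11.53 > 172.16.0.10.49319: 21247- 0/13/13 (451)
07:20:08.686623 203.96.152.4.53 > 10.0.0.2.40578: 13112 1/3/3 www.novell.com. A 130.57.5.25 (162)
07:20:13.695563 10.0.0.11.53 > 172.16.0.10.49320: 50027- 1/3/2 www.novell.com. A 130.57.5.25 (151)'

printf '%s\n' "$SAMPLE_TRACE" | count_refused 10.0.0.11   # prints 1
```

Feed it `tcpdump -n -i ath0 udp port 53` output and a non-zero count for your own resolver means some client network is outside its recursion acl.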



Re: openBSD as a 802.11b/g AP

2007-05-17 Thread Michael
Hi,

Darrin Chandler schrieb:
 I've done hostap with ath in b mode with no problems. One thing you
 might try is specifying explicity instead of using autoselect. I *might*
 have done that when I set it up, but I'm not at all sure...

This worked for me with the old ath card:

inet 192.168.180.1 255.255.255.192 NONE \
media autoselect mode 11b mediaopt hostap \
nwid wrap chan 7 -nwflag hidenwid \
nwkey 0xXX \
up


Btw, my CM9 ath card replaced an old 11b wi card and gave an old
notebook 11g mode too as client. =)


Michael



FAQ - Why good firewalls lose in the market

2007-05-17 Thread Siju George

http://www.schneier.com/crypto-gram-0705.html#1

Kind regards

Siju



Re: Failing to get [EMAIL PROTECTED] in X

2007-05-17 Thread Joerg Zinke
On Sat, 12 May 2007 12:59:09 -0700
Michael Oliver [EMAIL PROTECTED] wrote:

 On 5/12/07, Alex Holst [EMAIL PROTECTED] wrote:
 
  Quoting Tobias Weingartner [EMAIL PROTECTED]:
   xdpyinfo | grep dim
 
  tori$ xdpyinfo | grep dim
dimensions:1680x1050 pixels (474x303 millimeters)
 
  And my current xorg.conf with what I believe are correct HorizSync
  and VertRefresh:
  http://a.mongers.org/x/xorg.conf
 
  This config outputs [EMAIL PROTECTED]
 
  --
  I prefer the dark of the night, after midnight and before
  four-thirty, when it's more bare, more hollow.
  http://a.mongers.org
 
 
 
 I had a similar problem a few weeks back. It turned out that the 'nv'
 driver didn't support wide screen resolutions. However, I installed
 the 'nvidia' drivers and it worked out just fine. Perhaps this
 problem is similar.


you installed the nvidia driver on openbsd, how? i assume you talk about
a linux distribution or some other BSD which supports nvidia binaries.



Sheldeez Commercials

2007-05-17 Thread Sheldeez Hair Products and Salons Inc.
Many of you are aware that Sheldeez has done an extensive television
advertising campaign all over the United States. Many of you have also
asked for copies of the commercials to forward to friends and family. In
the interest of bandwidth and e-mail storage space we have opened a page
with buzznet to post our commercials, photos of styles, photos of
stylists etc. This site is for our salon and on-line customers alike.
Please visit, check out the videos, drop us a line, whatever you'd like.
We look forward to hearing from and or seeing you soon. Please share with
anyone who may find it useful.

http://sheldeez.buzznet.com/user/video/play/

Check back to see updates of photos, blogs, and how to videos.

Sheldeez Management

https://webcart.net/securehost/sheldeez.com/webcart11/nl_unsubscribe.php?ln=en&EMAIL=misc%40openbsd.org&SRC=aah2
Click here to unsubscribe



GRE or gif keepalive

2007-05-17 Thread Alex Berdan

Hey Everybody,

Do you know if GRE or gif is having a keepalive option? I searched
with google and the archives and I didn't find anything like that.
The problem that I have is that I run GRE over IPSec and I would like to
know when the IPSec tunnel is down with the help of the GRE interface,
which should go down if there is some sort of a keepalive mechanism.

--

Alex



Re: Monitoring with labels

2007-05-17 Thread Diana Eichert

On Wed, 16 May 2007, Darren Spruell wrote:


I suppose that the collector would also need to support sflow?

DS


if you wanted to collect sflow data :-)

diana

Past hissy-fits are a predictor of future hissy-fits.
Diana Eichert(12 May 2007)



Re: GRE or gif keepalive

2007-05-17 Thread Stuart Henderson
On 2007/05/17 13:46, Alex Berdan wrote:
 Do you know if GRE or gif is having a keepalive option?

Not directly, but you can add one using ospfd(8) or ifstated(8).



Re: new openbsd 4.0 server, panic on ufsdirhash

2007-05-17 Thread Josh Grosse
On Wed, May 16, 2007 at 07:44:14PM -0700, John Mendenhall wrote:
 Well, I posted the dmesg at the beginning of this thread.

Sorry, I'd forgotten it was in your first post. :(

  Use UKC (boot -c), and the verbose command.  See boot_config(8).
 
 Is this supported when booting from cd?  I can only boot from the
 cd right now.  Once it starts copying data, it crashes in the comp
 set.

Yes, you can use this technique when booting from CD.  On i386, at the
boot prompt, type in -c and press the Enter key.  The kernel will
load, but before doing any hardware discovery will issue a UKC prompt.
If you type verbose and press Enter, then type quit and press Enter,
you will get more detailed kernel probe output.   



Re: Chaos Computer Camp 2007. Anyone going?

2007-05-17 Thread Jacek Artymiak

Felix kept on twisting my arm so hard about it that he finally managed
to convince me to go. I have always wanted to go there anyway. I'll
stock up on my meds and if I'm in good enough shape, I'll join the
merry gang. Look for me somewhere in the BSD village.

--
Jacek Artymiak
devGuide.net



ac97: codec not read on Dell Latitude LS (4.1)

2007-05-17 Thread Jan Stary
Hello,

I am running 4.1 on a  Dell Latitude LS laptop (full dmesg at bottom).
The machine uses the (undocumented, man neo) Neomagic MagicMedia 256AV
audio chip:

neo0 at pci1 dev 0 function 1 "Neomagic MagicMedia 256AV" rev 0x20
1:0:1 10c8:8005 pin B clink 0x01 irq 10 stage 0  WARNING: preserving irq 10
pci_intr_route_link: route PIRQ 0x01 -> IRQ 10 preserved BIOS setting
: irq 10
ac97: codec id not read
audio0 at neo0

I can't seem to get the audio chip working. The /dev/audio et al.
are there, but I can't play anything. Doing

cat file.au > /dev/audio

takes forever with even a small au file, and while running,
does not respond to ^C (it only dies like a minute after that).

What exactly is the WARNING about?
What does ac97: codec id not read mean?
Are these two related?

Thanks a lot

Jan


This is the full dmesg. The 'LATITUDE' config (I know)
is GENERIC with *VERBOSE added.



Re: GRE or gif keepalive

2007-05-17 Thread Alex Berdan

Thanks Stuart,

I heard about this command. I ain't using OSPF for the link state I use BGP.
My GRE interface never goes down when the IPsec goes down.

Is this normal? Cosmetic bug?

Thanks,
Rgds, Alex


--

Alex



ImageMagick and chroot

2007-05-17 Thread Marcos Laufer
Hello ,

Has anyone had luck in making ImageMagick work in the www chroot
environment?
Some web applications need to use the 'convert' system command, so i
included it in the /var/www/bin/ directory, and also every file that gets
mentioned when you run: ldd convert, into its corresponding directory.

system:/var/www/bin{4}# ldd convert
convert:
Start    End      Type Open Ref GrpRef Name
                  exe  1    0   0      convert
04d59000 24d68000 rlib 0    1   0      /usr/local/lib/libWand.so.10.1
0d077000 2d147000 rlib 0    2   0      /usr/local/lib/libMagick.so.10.1
05d92000 25dc5000 rlib 0    3   0      /usr/local/lib/libxml2.so.9.0
00d9     20e6c000 rlib 0    4   0      /usr/local/lib/libiconv.so.4.0
0b4b9000 2b4c1000 rlib 0    4   0      /usr/lib/libz.so.4.1
02e0c000 22e1     rlib 0    3   0      /usr/local/lib/libbz2.so.10.3
0c23c000 2c243000 rlib 0    3   0      /usr/local/lib/libpng.so.4.2
06a32000 26a38000 rlib 0    3   0      /usr/local/lib/libjpeg.so.62.0
04b0b000 24b1b000 rlib 0    3   0      /usr/local/lib/libjasper.so.1.0
032e1000 232e8000 rlib 0    5   0      /usr/lib/libm.so.2.1
060fb000 2611f000 rlib 0    3   0      /usr/local/lib/libtiff.so.37.3
0ee7e000 2ee89000 rlib 0    3   0      /usr/local/lib/liblcms.so.1.12
054f3000 254f9000 rlib 0    3   0      /usr/local/lib/libjbig.so.2.0
04183000 241b4000 rlib 0    1   0      /usr/lib/libc.so.39.0
0a2a3000 0a2a3000 rtld 0    1   0      /usr/libexec/ld.so
system:/var/www/bin{5}#

But it still doesn't work. What am i missing?
Any suggestions or ideas are welcome.

Marcos



Volume Management

2007-05-17 Thread Sébastien Colmant
I'm quite new to OpenBSD but I'm familiar with *nix systems.
I'm currently looking at using OpenBSD to build a NAS appliance,
however after looking into the packages list I haven't found a Volume
Manager. Is anyone able to point me in the right direction?
Much appreciated.



Re: ImageMagick and chroot

2007-05-17 Thread James Turner
On Thu, May 17, 2007 at 12:19:42PM -0300, Marcos Laufer wrote:
 Hello ,
 
 Has anyone had luck in making ImageMagick work into the www chroot
 environment?
 Some web applications need to use the 'convert' system command, so i
 included it
 into the /var/www/bin/ directory and also every file that gets mentioned
 when you
 run : ldd convert , into it's corresponding directory.
 
 
 But it still doesn't work. What am i missing?
 Any suggestions or ideas are welcome.
 
 Marcos

You could try manually chrooting into /var/www and running the
command by hand to see if it throws any useful warnings.  You will need
a shell within the chroot while testing tho.

-- 
James Turner
http://bsdgroup.org



Re: GRE or gif keepalive

2007-05-17 Thread Stuart Henderson
On 2007/05/17 17:11, Alex Berdan wrote:
 I heard about this command. I ain't using OSPF for the link state I use BGP.

Well, you could lower your timers then...

 My GRE interface never goes down when the IPsec goes down.

That's normal, gre doesn't know about link state.



Re: Chaos Computer Camp 2007. Anyone going?

2007-05-17 Thread Edd Barrett

Hi,

On 17/05/07, Jacek Artymiak [EMAIL PROTECTED] wrote:

Felix kept on twisting my arm so hard about it that he finally managed
to convince me to go. I have always wanted to go there anyway. I'll
stock up on my meds and if I'm in good enough shape, I'll join the
merry gang. Look for me somewhere in the BSD village.



What do the BSD lot get up to whilst there? Is it a hackathon, or
something less formal? I've never done anything as low level as
operating systems programming in C, so in a hackathon situation I
wouldn't be much use.

Of course I am willing to learn :P

--
Best Regards

Edd

---
http://students.dec.bournemouth.ac.uk/ebarrett/



OT: cacti, pfflowd and flowd

2007-05-17 Thread carlopmart

Hi all,

 Has anybody tried to install cacti, pfflowd and flowd on two different 
servers? OpenBSD with pfflowd and another Unix server with cacti and flowd ... I 
am trying to do it without luck (the main problem is how to parse the flowd 
log file from cacti) ... and I can't find any doc about how to do it ...


Thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: Chaos Computer Camp 2007. Anyone going?

2007-05-17 Thread Marc Balmer
* Edd Barrett wrote:
 Hi,
 
 On 17/05/07, Jacek Artymiak [EMAIL PROTECTED] wrote:
 Felix kept on twisting my arm so hard about it that he finally managed
 to convince me to go. I have always wanted to go there anyway. I'll
 stock up on my meds and if I'm in good enough shape, I'll join the
 merry gang. Look for me somewhere in the BSD village.
 
 
 What do the BSD lot get up to whilst there? Is it a hackathon, or
 something less formal? I've never done anything as low level as
 operating systems programming in C, so in a hackathon situation I
 wouldn't be much use.
 
 Of course I am willing to learn :P

It's more of the can we have your liver, please? style...



Re: GRE or gif keepalive

2007-05-17 Thread Alex Berdan

Thanks anyway!

I was curious about the GRE implementation on OpenBSD as in CISCO
there are keepalives and I can have SNMP traps in case the IPSec
tunnel is down (GRE interface is down).
The BGP works just fine and the routes converge exactly as I wanted.

Is OpenBSD having any plans with this GRE keepalives? (Unfortunately
my environment is not all CISCO)

Thanks, Alex




Re: GRE or gif keepalive

2007-05-17 Thread Stuart Henderson
On 2007/05/17 18:02, Alex Berdan wrote:
 I was curious about the GRE implementation on OpenBSD as in CISCO
 there are keepalives

Unfortunately, despite GRE being documented across a number of
RFCs, there's no mention of this. Looks like it's probably a cisco-
proprietary extension, I couldn't find any docs on packet formats
or implementation. Have you come across any?



Re: Chaos Computer Camp 2007. Anyone going?

2007-05-17 Thread Edd Barrett

Erm...

On 17/05/07, Marc Balmer [EMAIL PROTECTED] wrote:

 What do the BSD lot get up to whilst there? Is it a hackathon, or
 something less formal?
It's more of the can we have your liver, please? style...


ok. (pauses to think).

I don't get it.

:P


--
Best Regards

Edd

---
http://students.dec.bournemouth.ac.uk/ebarrett/



Re: Chaos Computer Camp 2007. Anyone going?

2007-05-17 Thread Edd Barrett

On 17/05/07, Jason Dixon [EMAIL PROTECTED] wrote:

Alkie-haul


Now we're talking!


--
Best Regards

Edd

---
http://students.dec.bournemouth.ac.uk/ebarrett/



Re: Chaos Computer Camp 2007. Anyone going?

2007-05-17 Thread Jacob Yocom-Piatt

Marc Balmer wrote:
 * Edd Barrett wrote:
  Hi,

  On 17/05/07, Jacek Artymiak [EMAIL PROTECTED] wrote:
   Felix kept on twisting my arm so hard about it that he finally managed
   to convince me to go. I have always wanted to go there anyway. I'll
   stock up on my meds and if I'm in good enough shape, I'll join the
   merry gang. Look for me somewhere in the BSD village.

  What do the BSD lot get up to whilst there? Is it a hackathon, or
  something less formal? I've never done anything as low level as
  operating systems programming in C, so in a hackathon situation I
  wouldn't be much use.

  Of course I am willing to learn :P

 It's more of the can we have your liver, please? style...

this is a great idea: fund openbsd via sales of black market organs!

a bit of vertical integration couldn't hurt, we'd need a surgeon and 
facility in south africa


http://news.nationalgeographic.com/news/2004/01/0116_040116_EXPLorgantraffic.html

then it could be the BSD Liver and Kidney Village. we could even make 
a liver fall off a truck if anybody's looking ;).




Re: OT: flowcharts

2007-05-17 Thread Douglas Allan Tutty
On Tue, May 15, 2007 at 12:01:35PM +0200, [EMAIL PROTECTED] wrote:

 I have an OT question for you guys.
 Do any of you use flowcharting software, and if so what do you use?
 I am just beginning to explore the world of programming and have so far
 used Microsoft (spit) Visio. I tried both Kivio and Dia but they fall
 short for me.
 My code choices are (due to the course I am attending) limited to
 JavaScript and pseudocode.
 Any recommendations?
 

If you _really_ want actual flow-charts, I just use Xfig or a piece of
paper.

However, instead of pseudocode, try python.  It looks like pseudocode but
is actually a very nice programming language with good documentation.

I suppose it depends on your course.  If they require a flow-chart, draw
one, and find out if they'll accept python for pseudocode.

Doug.



a cd key

2007-05-17 Thread BradenM - Sonoma Computer
Hi;

In the past, I read an article which told me of a process in which a cd houses
the important system binaries and software and even some settings and is left
outside of the machine so that unauthorized users, and even root, cannot
access the programs unless the disc is within the system's cdrom drive.
Does anyone have any resources which explain and show the process for doing
something similar to that which is stated above?

Thank you;
Bray.



Re: OT: cacti, pfflowd and flowd

2007-05-17 Thread Darren Spruell

On 5/17/07, carlopmart [EMAIL PROTECTED] wrote:

Hi all,

  Has anybody tried to install cacti, pfflowd and flowd on two different
servers? OpenBSD with pfflowd and another Unix server with cacti and flowd ... I
am trying to do it without luck (the main problem is how to parse the flowd
log file from cacti) ... and I can't find any doc about how to do it ...


Maybe because there isn't one... :)

flowd supports a Python API which should allow you to rip the data out
you need. I believe with Cacti you can use external scripts for a
datasource.

DS



Re: GRE or gif keepalive

2007-05-17 Thread Alex Berdan

This is a nice feature which can be used in cases where you don't run
any dynamic routing protocol over GRE/IPSec tunnel.
If you have OpenBSD as VPN concentrator you can have SNMP traps when
the tunnel is down and take any action etc.

Here is the CISCO implementation:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087cec.html

Hopefully someone will see this and eventually propose an alternate
solution or implement keepalives in the distribution.

Rgds, Alex



--

Alex



Re: ImageMagick and chroot

2007-05-17 Thread Aiko Barz
Marcos Laufer wrote:
 Hello ,
 
 Has anyone had luck in making ImageMagick work into the www chroot
 environment?

Yes, run the following script and you are done.

#!/bin/sh
# Populate the httpd chroot with ImageMagick's convert, composite and
# identify, plus every shared library ldd(1) lists for them.

CHROOT=/var/www


# Make dirs
[ ! -d $CHROOT/bin ]           && mkdir -p $CHROOT/bin
[ ! -d $CHROOT/usr/local/bin ] && mkdir -p $CHROOT/usr/local/bin
[ ! -d $CHROOT/usr/local/lib ] && mkdir -p $CHROOT/usr/local/lib
[ ! -d $CHROOT/usr/lib ]       && mkdir -p $CHROOT/usr/lib
[ ! -d $CHROOT/usr/X11R6/lib ] && mkdir -p $CHROOT/usr/X11R6/lib/
[ ! -d $CHROOT/usr/libexec ]   && mkdir -p $CHROOT/usr/libexec
[ ! -d $CHROOT/var/run ]       && mkdir -p $CHROOT/var/run


# A shell, for web applications that spawn convert through system(3)
SH=/bin/sh
if [ -x $SH ]; then
    cp -f $SH $CHROOT/$SH
else
    echo "No shit. $SH not found! :)"
fi


# ld.so(1) locates libraries through the hints file, so it must be inside too
LD_HINTS=/var/run/ld.so.hints
if [ -f $LD_HINTS ]; then
    cp $LD_HINTS $CHROOT/$LD_HINTS
else
    echo "$LD_HINTS not found. Still wondering thou."
fi

# The run-time linker itself (the rtld row of ldd output) is needed as well,
# otherwise a dynamically linked convert cannot even start inside the chroot
LD_SO=/usr/libexec/ld.so
[ -f $LD_SO ] && cp -f $LD_SO $CHROOT/$LD_SO


# For each binary: copy it, then copy every library that ldd reports as an
# rlib entry (type in column 3, path in column 7)
CONVERT=$(which convert | awk '{print $1}')
if [ ! -z "$CONVERT" ] && [ -x "$CONVERT" ]; then
    cp -f $CONVERT $CHROOT/$CONVERT
    for i in $(ldd $CONVERT | awk '{if ($3 == "rlib") {print $7}}'); do
        if [ -f $i ]; then
            cp -f $i $CHROOT/$i
        fi
    done
else
    echo "convert not found."
    exit 1
fi


COMPOSITE=$(which composite | awk '{print $1}')
if [ ! -z "$COMPOSITE" ] && [ -x "$COMPOSITE" ]; then
    cp -f $COMPOSITE $CHROOT/$COMPOSITE
    for i in $(ldd $COMPOSITE | awk '{if ($3 == "rlib") {print $7}}'); do
        if [ -f $i ]; then
            cp -f $i $CHROOT/$i
        fi
    done
else
    echo "composite not found."
    exit 1
fi


IDENTIFY=$(which identify | awk '{print $1}')
if [ ! -z "$IDENTIFY" ] && [ -x "$IDENTIFY" ]; then
    cp -f $IDENTIFY $CHROOT/$IDENTIFY
    for i in $(ldd $IDENTIFY | awk '{if ($3 == "rlib") {print $7}}'); do
        if [ -f $i ]; then
            cp -f $i $CHROOT/$i
        fi
    done
else
    echo "identify not found."
    exit 1
fi

HTH,
Aiko
-- 
Aiko Barz [EMAIL PROTECTED]
Web: http://www.haeckser.de



Re: a cd key

2007-05-17 Thread Artur Grabowski
BradenM - Sonoma Computer [EMAIL PROTECTED] writes:

 Hi;
 
 In the past, I read an article which told me of a process in which a cd houses
 the important system binaries and software and even some settings and is left
 outside of the machine so that unauthorized users, and even root, cannot
 access the programs unless the disc is within the system's cdrom drive.
 Does anyone have any resources which explain and show the process for doing
 something similar to that which is stated above?

Erm. What's the problem you're trying to solve?

If you remove some binaries and put them on a CD, what prevents someone
from just getting those binaries somewhere else and putting them on the
machine?

//art



Re: OT: flowcharts

2007-05-17 Thread Jeffrey C. Ollie
On Thu, 2007-05-17 at 13:02 -0400, Douglas Allan Tutty wrote:

 If you _really_ want actual flow-charts, I just use Xfig or a piece of
 paper.

Inkscape also has been getting some features useful for flowcharts in
recent releases.

Jeff




Problem with a URL

2007-05-17 Thread Brian
I am trying to open up this url with firefox on openbsd -current, but there is
a problem with accessing the site.  Is there a problem with doing the lookups
with url's that start with dashes:

http://-amaya-.deviantart.com/

Thanks,

Brian


   



Re: Problem with a URL

2007-05-17 Thread Peter Hessler
It's not just starting with a dash, I also cannot open ones that end the 
host section with a dash (ke-.deviantart.com)


On 2007 May 17 (Thu) at 10:46:01 -0700 (-0700), Brian wrote:
:I am trying to open up this url with firefox on openbsd -current, but there is
:a problem with accessing the site.  Is there a problem with doing the lookups
:with url's that start with dashes:
:
:http://-amaya-.deviantart.com/
:
:Thanks,
:
:Brian

--
Using TSO is like kicking a dead whale down the beach.
-- S. C. Johnson



Re: Problem with a URL

2007-05-17 Thread Jon Simola

On 5/17/07, Peter Hessler [EMAIL PROTECTED] wrote:

It's not just starting with a dash, I also cannot open ones that end the
host section with a dash (ke-.deviantart.com)

On 2007 May 17 (Thu) at 10:46:01 -0700 (-0700), Brian wrote:
:I am trying to open up this url with firefox on openbsd -current, but there is
:a problem with accessing the site.  Is there a problem with doing the lookups
:with url's that start with dashes:
:
:http://-amaya-.deviantart.com/


RFC962 (and several other places) say that:
  No blank or space characters are permitted as part of a
  name. No distinction is made between upper and lower case.  The first
  character must be an alpha character.  The last character must not be
  a minus sign or period.

--
Jon



Re: a cd key

2007-05-17 Thread Eric Johnson
On Thu, 17 May 2007 10:40:11 -0700
BradenM - Sonoma Computer [EMAIL PROTECTED] wrote:

 Hi;
 
 In the past, I read an article which told me of a process in which a cd houses
 the important system binaries and software and even some settings and is left
 outside of the machine so that unauthorized users, and even root, cannot
 access the programs unless the disc is within the system's cdrom drive.
 Does anyone have any resources which explain and show the process for doing
 something similar to that which is stated above?

I've heard about someone wanting to do that with compilers and other
development utilities.  The logic was that if someone broke in, they
could not write a small program, compile, and link it on the spot.
But, in reality, if an attacker broke in, they'd be more likely to just
copy what they wanted from their own machine.

Years ago, I considered putting web pages on a CD or DVD for a Windows
NT machine so that in order to deface the page, the attacker would have
to get to the configuration files and do a lot more work instead of
just replacing a few html files.   An added advantage would be that
since most attacks traversed directories on the same hard drive, they
wouldn't be able to get into any system programs by that method.  I
never did try it, though.

Eric Johnson



ssh and skey

2007-05-17 Thread Eric Johnson
Is there any setting to use to make ssh present a fake skey challenge
for nonexistent accounts?  It would need to save the challenge for
reuse later otherwise an attacker could try it several times and see if
the challenge remains the same.


It would be kind of nice if an attacker could not use ssh with skey to
determine whether or not an account exists and has been initialized
with skey.

Here is an example.  First, we connect to a machine with use of normal
passwords prohibited in the /etc/ssh/sshd_config file.

rum: no such account
whiskey: account exists and skey has been enabled
vodka: account exists, but no skey

$ ssh -l rum:skey 10.1.1.1
Permission denied (publickey,keyboard-interactive).
$ ssh -l whiskey:skey 10.1.1.1
otp-md5 996 trom02893
S/Key Password: 
otp-md5 996 trom02893
S/Key Password: 
otp-md5 996 trom02893
S/Key Password: 
Permission denied (publickey,keyboard-interactive).
$ ssh -l vodka:skey 10.1.1.1
Permission denied (publickey,keyboard-interactive).

Now, another machine with the same accounts set up but with normal
passwords permitted in ssh:

$ ssh -l rum:skey 10.1.1.2
rum:[EMAIL PROTECTED]'s password: 
Permission denied, please try again.
rum:[EMAIL PROTECTED]'s password: 
Permission denied, please try again.
rum:[EMAIL PROTECTED]'s password: 
Permission denied (publickey,password,keyboard-interactive).
$ ssh -l whiskey:skey 10.1.1.2
otp-md5 99 monk57993
S/Key Password: 
otp-md5 99 monk57993
S/Key Password: 
otp-md5 99 monk57993
S/Key Password: 
whiskey:[EMAIL PROTECTED]'s password: 
Permission denied, please try again.
whiskey:[EMAIL PROTECTED]'s password: 
Permission denied, please try again.
whiskey:[EMAIL PROTECTED]'s password: 
Permission denied (publickey,password,keyboard-interactive).
$ ssh -l vodka:skey 10.1.1.2
vodka:[EMAIL PROTECTED]'s password: 
Permission denied, please try again.
vodka:[EMAIL PROTECTED]'s password: 
Permission denied, please try again.
vodka:[EMAIL PROTECTED]'s password: 
Permission denied (publickey,password,keyboard-interactive).

Thus, an attacker would know that 10.1.1.1 requires skey and 10.1.1.2
does not and that an account named whiskey exists and has skey enabled
on both computers.  About the only thing the attacker would not know is
that on the second machine, the vodka account exists and the rum
account does not exist.

As you can see, it is trivially easy to determine which server requires
skey, which doesn't, and which accounts exist and have skey enabled.

Obviously, a fake skey challenge would need to be saved so that if the
attacker tried again, he would see the same challenge.  If he saw
wildly different challenges on each try, he would know that it was
random.

How much use would this knowledge be to an attacker?  My impression is
that the reason opening the finger daemon to the net is not viewed
favorably is that it identifies usernames to potential attackers.  If
this is wrong, why not open it up again?  Of course, we need to make
sure that any security holes in the code are fixed.

(Note.  In the above cases, the FQDN was replaced with a nonrouteable
IP address.)

Eric Johnson



Re: Chaos Computer Camp 2007. Anyone going?

2007-05-17 Thread Darrin Chandler
On Thu, May 17, 2007 at 11:51:03AM -0500, Jacob Yocom-Piatt wrote:
 this is a great idea: fund openbsd via sales of black market organs!
 
 a bit of vertical integration couldn't hurt, we'd need a surgeon and 
 facility in south africa

Talk is cheap, and every six months people come up with ideas that would
be great for the project, but would just take away developer time. If
you want to see this happen then go get some organs and come back with
money! ;-)

-- 
Darrin Chandler|  Phoenix BSD User Group  |  MetaBUG
[EMAIL PROTECTED]   |  http://phxbug.org/  |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation



Re: ssh and skey

2007-05-17 Thread Matthew R. Dempsky
On Thu, May 17, 2007 at 02:14:55PM -0500, Eric Johnson wrote:
 Obviously, a fake skey challenge would need to be saved so that if the
 attacker tried again, he would see the same challenge.

Instead of saving the challenge, just regenerate it each time.  E.g.,
hash a 128-bit secret with the username, and then format this as an
skey challenge.



Re: ssh and skey

2007-05-17 Thread Matthew R. Dempsky
On Thu, May 17, 2007 at 02:47:37PM -0500, Matthew R. Dempsky wrote:
 Instead of saving the challenge, just regenerate it each time.  E.g.,
 hash a 128-bit secret with the username, and then format this as an
 skey challenge.

Oops, nevermind, libskey already does this in skey_fakeprompt.
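
Matthew's suggestion above, and the probe Eric describes in the original post, worked through as an added Python example. This is not libskey's skey_fakeprompt code; the prompt layout (four lowercase letters plus five digits, sequence 1..9999) is an assumption modelled on the "otp-md5 996 trom02893" prompts shown in the thread, the server secret and the account table are constructed, and the function names are mine:

```python
import hashlib
import hmac
import re

# Constructed for this example: a 128-bit server secret. In practice it is
# generated once and kept root-readable; changing it would change every fake
# challenge and hand an attacker the same signal a random fake would.
SERVER_SECRET = bytes.fromhex("7f3a9c1e5b2d4a6f8e0c1b3d5f7a9c2e")

# Shape of the prompts seen in the thread: "otp-md5 996 trom02893".
CHALLENGE_RE = re.compile(r"^otp-(md5|sha1|rmd160) ([1-9][0-9]{0,3}) ([a-z]{4}[0-9]{5})$")


def fake_skey_challenge(username, secret=SERVER_SECRET, hash_name="md5"):
    """Derive a stable, per-username S/Key challenge from HMAC(secret, username).

    Nothing is stored: the same username always maps to the same sequence
    number and seed, so repeated probes of a nonexistent account look like
    repeated probes of a real one.
    """
    digest = hmac.new(secret, username.encode("utf-8"), hashlib.sha256).digest()
    seq = 1 + int.from_bytes(digest[0:2], "big") % 9999            # 1..9999
    letters = "".join(chr(ord("a") + b % 26) for b in digest[2:6])  # 4 letters
    digits = "%05d" % (int.from_bytes(digest[6:9], "big") % 100000)  # 5 digits
    return "otp-%s %d %s%s" % (hash_name, seq, letters, digits)


def challenge_for(username, real_challenges):
    """Server side: the real challenge if the account has S/Key, a fake otherwise.

    real_challenges is a constructed stand-in for the per-user S/Key records.
    A missing account and an account without S/Key deliberately get the same
    treatment, so neither case is distinguishable from the prompt alone.
    """
    return real_challenges.get(username) or fake_skey_challenge(username)


def probe_reveals_fake(observed_challenges):
    """Attacker side, as in Eric's post: differing challenges for one account
    across repeated connections betray a randomly generated fake."""
    return len(set(observed_challenges)) > 1


if __name__ == "__main__":
    # Constructed account table: only "whiskey" has S/Key initialised.
    records = {"whiskey": "otp-md5 996 trom02893"}
    for user in ("rum", "whiskey", "vodka"):
        print(user, "->", challenge_for(user, records))
```

The remaining tell is the sequence number: a real account's counter decrements on every successful login while the fake one never moves, so an attacker who can watch one account over time still learns something; the HMAC construction only closes the "try it three times and compare" check from the thread.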



Re: Volume Management

2007-05-17 Thread Tobias Weingartner
In article [EMAIL PROTECTED], Sébastien Colmant wrote:
   
  I'm quite new to OpenBSD but I'm familiar with *nix systems.
  I'm currently looking at using OpenBSD to build a NAS appliance,
  however after looking into the packages list I haven't found a Volume
  Manager, anyone able to point me in the right direction?

fdisk(8), disklabel(8), bioctl(8), newfs(8), dump(8), restore(8)

-- 
 [100~Plax]sb16i0A2172656B63616820636420726568746F6E61207473754A[dZ1!=b]salax



Re: GRE or gif keepalive

2007-05-17 Thread Stuart Henderson
On 2007/05/17 18:44, Alex Berdan wrote:
 This is a nice feature which can be used in cases where you don't run
 any dynamic routing protocol over GRE/IPSec tunnel.
 If you have OpenBSD as VPN concentrator you can have SNMP traps when
 the tunnel is down and take any action etc.

 Here is the CISCO implementation:

 http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087cec.html

 Hopefully someone will see this and eventually propose an alternate
 solution or implement keepalives in the distribution.

I already found some pages about how to turn it on in IOS, but they
don't bother with any implementation details. Thanks to a kind person
who contacted me offlist, I now know how the hack works:

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a008040a17c.shtml#topic2



Re: a cd key

2007-05-17 Thread Joachim Schipper
On Thu, May 17, 2007 at 10:40:11AM -0700, BradenM - Sonoma Computer wrote:
 Hi;
 
 In the past, I read an article which told me of a process in which a cd houses
 the important system binaries and software and even some settings and is left
 outside of the machine so that unauthorized users, and even root, cannot
 access the programs unless the disc is within the system's cdrom drive.
 Does anyone have any resources which explain and show the process for doing
 something similar to that which is stated above?

Aside from the answers you've already received, I've heard quite a few
people running the entire system from CD for security-sensitive things
like firewalls, mostly when using Linux. (The argument is that it is
very hard to compromise a machine in a way that survives reboots if you
can't write to the system disk.)

Of course, this is an OpenBSD list, and I am sure we can all imagine the
easy Linux-bashing remark that follows. It's not entirely unjustified,
either; if an attacker can compromise your system once, he can compromise
it twice.

Also, I've found that anything that makes upgrading the system harder,
including removing the compiler, is very likely to be a net security
loss.

Joachim

-- 
TFMotD: dirname (1) - return directory portion of pathname



Re: Problem with a URL

2007-05-17 Thread Joachim Schipper
On Thu, May 17, 2007 at 12:03:52PM -0700, Jon Simola wrote:
 On 5/17/07, Peter Hessler [EMAIL PROTECTED] wrote:
 It's not just starting with a dash, I also cannot open ones that end the
 host section with a dash (ke-.deviantart.com)
 
 On 2007 May 17 (Thu) at 10:46:01 -0700 (-0700), Brian wrote:
 :I am trying to open up this url with firefox on openbsd -current, but 
 there is
 :a problem with accessing the site.  Is there a problem with doing the 
 lookups
 :with url's that start with dashes:
 :
 :http://-amaya-.deviantart.com/
 
 RFC962 (and several other places) say that:
   No blank or space characters are permitted as part of a
   name. No distinction is made between upper and lower case.  The first
   character must be an alpha character.  The last character must not be
   a minus sign or period.

FWIW, it's Firefox, not anything deeper:

$ host -- -amaya-.deviantart.com
-amaya-.deviantart.com has address 69.28.181.43
-amaya-.deviantart.com mail is handled by 0 a.mx.deviantart.com.
$ ping -- -amaya-.deviantart.com
PING -amaya-.deviantart.com (69.28.181.43): 56 data bytes
64 bytes from 69.28.181.43: icmp_seq=0 ttl=48 time=172.842 ms
64 bytes from 69.28.181.43: icmp_seq=1 ttl=48 time=162.626 ms
64 bytes from 69.28.181.43: icmp_seq=2 ttl=48 time=163.964 ms
--- -amaya-.deviantart.com ping statistics ---
4 packets transmitted, 3 packets received, 25.0% packet loss
round-trip min/avg/max/std-dev = 162.626/166.477/172.842/4.545 ms

So, you might want to give that artist a warning and/or use a different
browser for visiting this site. Links+, from ports, works.

Joachim

-- 
TFMotD: cas (4) - Sun Cassini 10/100/Gigabit Ethernet device
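
The two checks at work in this thread, as an added Python example that is not part of any reply and not Firefox's code: the resolver path that host(1) and ping(8) go through only enforces label and name lengths (RFC 2181), while a strict client applies the RFC 952 host-name syntax quoted above, under which both names from the thread fail. The RFC 1123 relaxation allowing a label to start with a digit is assumed, and the function names are mine:

```python
import re

# One label under RFC 952 as quoted in the thread, plus the RFC 1123
# relaxation that lets a label start with a digit: letters, digits and
# hyphens, hyphens only in the middle, at most 63 octets.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def strict_hostname_ok(host):
    """Host-name syntax check of the kind a strict client applies (RFC 952/1123)."""
    host = host.rstrip(".")
    if not host or len(host) > 253:
        return False
    return all(LABEL_RE.match(label) for label in host.split("."))


def dns_name_ok(host):
    """What the resolver path enforces (RFC 2181 section 11): only the length
    limits. Any octet is allowed in a label, so '-amaya-' resolves fine."""
    host = host.rstrip(".")
    if not host:
        return False
    labels = host.split(".")
    wire_length = sum(len(label) + 1 for label in labels)
    return wire_length <= 255 and all(0 < len(label) <= 63 for label in labels)


def offending_labels(host):
    """Labels that resolve but a strict validator rejects, with the reason."""
    out = []
    for label in host.rstrip(".").split("."):
        if LABEL_RE.match(label):
            continue
        if label.startswith("-"):
            out.append((label, "leading hyphen"))
        elif label.endswith("-"):
            out.append((label, "trailing hyphen"))
        else:
            out.append((label, "bad character or length"))
    return out


if __name__ == "__main__":
    for name in ("-amaya-.deviantart.com", "ke-.deviantart.com", "deviantart.com"):
        print(name, "dns:", dns_name_ok(name), "strict:", strict_hostname_ok(name),
              offending_labels(name))
```

The gap between the two functions is the whole story of the thread: DNS happily serves a record for a label the host-name grammar forbids, so which client "works" depends only on which of the two checks it implements.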



Re: Volume Management

2007-05-17 Thread Joachim Schipper
On Thu, May 17, 2007 at 04:15:32PM +0200, Sébastien Colmant wrote:
 I'm quite new to OpenBSD but I'm familiar with *nix systems.
 I'm currently looking at using OpenBSD to build a NAS appliance,
 however after looking into the packages list I haven't found a Volume
 Manager, anyone able to point me in the right direction?
 Much appreciated.

There is no volume manager in OpenBSD. Use a combination of RAID and
ccd, if so inclined; 4.2 might feature a new software RAID framework (or
not; I've not heard anything official, besides some cvs commits on
'softraid').

Joachim

-- 
TFMotD: motd (5) - message of the day



Re: pf state limits

2007-05-17 Thread Brian A. Seklecki
Wild guess: The limitation is the max value that the variable size of 
the counter can contain, followed secondly by physical memory.


~BAS

On Mon, 5 Mar 2007, Bill Marquette wrote:


I know this has come up in the past but I haven't been able to track
down a definitive answer (I'm sure there's a reason why), so I'll ask
the question again.

Given a i386 kernel, assume I can toss as much RAM at the box as
needed (I know this isn't the limitation, it's a kernel memory issue),
what's the maximum I can set the state table size to?  I have a couple
boxes that are running around 200K states with the limit set at 256K.
I expect that I will see a growth in that state table size as the
traffic to the servers behind these machines increases during our peak
season.  I can tune the tcp.closed parameter a bit on the external
rules as 75% of these states are fin_wait_2:fin_wait_2, but before I
start messing with that I'd rather increase the state limit some more.
I can also try adaptive timeouts on those rules, but I'm more than a
little paranoid about having the system dynamically change timeout
values.

Any suggestions on what the max might be and how I can monitor the
system to see where I'm at in relationship to the max (if there's no
hard number, I'm guessing the number depends on hardware and other
system options that affect kernel memory).

--Bill




l8*
-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
   http://www.spiritual-machines.org/

Guilty? Yeah. But he knows it. I mean, you're guilty.
You just don't know it. So who's really in jail?
~James Maynard Keenan



Re: PF keep state doesn't like Mandriva2007

2007-05-17 Thread Brian A. Seklecki
Could be sliding windows, selective ack (SACK), MTU/MTU Disc/MSS issues, 
any of the RFC extensions.  Check sysctl on Linux vs. scrub on OpenBSD 
~BAS


On Mon, 29 Jan 2007, Marco Peereboom wrote:


Nobody likes Mandriva.

On Sun, Jan 28, 2007 at 07:56:04PM -0800, Reza Muhammad wrote:

Dear Lists.

I have one bridge PF machine for packet queue and
prio,
and a few new Mandriva2007 (Linux kernel) installs that
could not browse the web (the other protocols work OK)
if the keep state rules on the PF machine are activated.
But the other hosts (WinXP, BSD, Mac, other Linux)
work fine.
Why doesn't PF (OpenBSD-3.9) like Mandriva2007?
Please help

regards
Reza









l8*
-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
   http://www.spiritual-machines.org/

Guilty? Yeah. But he knows it. I mean, you're guilty.
You just don't know it. So who's really in jail?
~James Maynard Keenan



Re: About pf states

2007-05-17 Thread Brian A. Seklecki
I just ran into this same problem.  Trying to accomplish Cisco ASA style 
reflexive stateful rules:


- Default block in
- Trust no subnets / interface
- Pass in rules which ingress/egress an interface pair
- Inbound tcp syn on any interface should create a reflexive outbound
  equivalent on the egress interface

~~BAS

On Wed, 17 Jan 2007, Brian Candler wrote:


On Tue, Jan 16, 2007 at 08:03:52PM +0100, Samuel Mo?ux wrote:

With this config, I can't access dmz hosts from lan or internet. The
state gets created:

all tcp $dmz_ip:25 <- 192.168.1.161:19399   CLOSED:SYN_SENT

but the response is blocked:

Jan 16 19:32:59.627083 rule 0/(match) block in on xl2: $dmz_ip.25 > 
192.168.1.161.19399: [|tcp] (DF)

So, there's something I don't understand from pf.conf  man page

If a packet matches a pass ... keep state rule, the filter creates a
state for this connection and automatically lets pass all subsequent
packets of that connection.


If just someone could show me what's wrong here, and why


Someone please correct me if I'm wrong, but I believe that the 'keep state'
only applies to the opposite packets through the same interface. For
example:

pkt1  --->  +-------------------+  --->  pkt1'
            | ext_if     int_if |
pkt2  <---  +-------------------+  <---  pkt2'

A rule which matches pkt1 inbound on ext_if with keep state will also
match pkt2 outbound on ext_if.

But I believe you will need another rule to permit pkt1' outbound via
int_if. If that rule has keep state then it will also match pkt2' inbound
via int_if.

If you look at the example at
http://www.openbsd.org/faq/pf/example1.html
you will see that they deal with this by a global pass out keep state
rule. Try adding this to your ruleset after your block in log all

If you were to argue that pf.conf(5) is unclear on this point, especially
where it it says

By default, packets coming in and out of any interface can match a state

then I would not disagree with you :-)

HTH,

Brian.




l8*
-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
   http://www.spiritual-machines.org/

Guilty? Yeah. But he knows it. I mean, you're guilty.
You just don't know it. So who's really in jail?
~James Maynard Keenan



Re: ImageMagick and chroot

2007-05-17 Thread Maxim Belooussov

Has anyone had luck in making ImageMagick work into the www chroot
environment?


snip


But it still doesn't work. What am i missing?
Any suggestions or ideas are welcome.

Marcos



when I was getting gallery to run under chrooted apache, I got pretty
tired of ldd-ing the files, so I simply extracted the package contents
into the chroot (/var/www):

#tar xzvf ~/ImageMagick-6.3.2.1-no_x11.tgz  -C /var/www

Don't know how wrong that was, but it worked pretty well - in the end
I only needed a couple of shared libs that were missing. The script is
a cleaner solution, though.

By the way, gallery2 works pretty well with the GD php plugin, eliminating
the need to use ImageMagick. GD is much slower, though.

Maxim



Re: PF set state-policy

2007-05-17 Thread Brian A. Seklecki

On Sun, 16 May 2004, Tim Kornau wrote:


On Fri, 14 May 2004 at 14:50 -0400, Roy Morris wrote:

I am working with a simple two interface route/pf and block in and out packets
on all interfaces. It makes sense that you would have to have a rule to allow
the packet in on if-a, but I would have thought the state would carry across
to if-b, without having to place another rule that said let the packet out. I
have tried the 'set state-policy', although floating is the default and should
be passing this along??


Hello Roy,

Without your pf.conf this Mail cannot be completely answered but
mybe there is a hint that i can give you that might resolve the
situation. The state is kept with the default setting of floating


Presumably because, with a default block in/out, the traffic ingresses one 
interface, the state is created, but when it egresses another interface it 
is re-evaluated?


This is where I always get confused:

If the OpenBSD pf(4) stateful firewall is acting as an intermediary 
forwarding device for a 3-way TCP handshake, shouldn't the re-evaluation 
of the initial packet (S/SA) matching a pass in rule on an 
ingress interface punch a hole back out of the original ingress 
interface, _as well as_ punch a hole *in* and *out* of the egress 
interface?


Come to think of it, that sounds pretty aggressive for keep state, 
maybe that's my nasty assumption?


~BAS


but if your ruleset explicitly denies outgoing packets on the
interface then in my understanding these will be dropped.

Tim

--
Darksun rising over blood red sea



l8*
-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
   http://www.spiritual-machines.org/

Guilty? Yeah. But he knows it. I mean, you're guilty.
You just don't know it. So who's really in jail?
~James Maynard Keenan



Re: keep state in pf

2007-05-17 Thread Brian A. Seklecki
That seems logical.  A little bit of pfctl -s state | egrep [regex] 
should be revealing.  Also pfctl -x loud if you can test during a 
low-volume timeframe ~BAS


On Wed, 9 Jun 2004, Lawren Quigley-Jones wrote:


I recently tracked down the cause of a problem we have been having in our
building with file transfers that travel out of our OpenBSD firewall and
then back in.  The tcp transfer would time out if and only if the transfer
went cross subnet, and therefore had to pass the firewall twice as it went
to the building's router and then back in to the receiving machine.  This
occurred on both our old 3.3 system and our replacement 3.5 system with
the same pf rules and net configuration.

It didn't seem to drop all transfers.  SMTP transfers with mail
attachments would fail every time.  Transfers of certain files via FTP and
SCP would fail every time and yet most files had no problems.  Because
most of our traffic isn't cross-subnet, we didn't see enough of the errors
to track down exactly what the variables were.

In the pf rules, our default action was to pass everything, pass all keep
state.  The solution was to remove the keep state from this rule.  Once
removed it read pass all and the time outs stopped occurring.

Not surprisingly, the following rules produced the timeouts as well:
pass out on $ext_if all keep state
pass in on $ext_if all keep state
pass out on $int_if all
pass in on $int_if all

A hypothesis is that because the keep state rules are seeing two
transfers with the same session IDs (the transfer as it exits and then the
identical transfer as it enters again), at some point during the transfer
PF balks at the sequence as if there was an intruding packet trying to
hijack the transfer.  This is not substantiated at all though.

Has anyone else experienced this problem or seen documentation on it?

If there is no documentation, I'm going to submit it as a bug.

Thanks...

-Lawren



l8*
-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
   http://www.spiritual-machines.org/

Guilty? Yeah. But he knows it. I mean, you're guilty.
You just don't know it. So who's really in jail?
~James Maynard Keenan



Re: Volume Management

2007-05-17 Thread Sébastien Colmant
I'm familiar with those, my question was regarding a volume manager
not simple disk operation.
Something similar to lvm or evms maybe

Tobias Weingartner wrote:
 In article [EMAIL PROTECTED], Sibastien Colmant wrote:

 I'm quite new to OpenBSD but I'm familiar with *nix systems. I'm
 currently looking at using OpenBSD to build a NAS appliance,
 however after looking into the packages list I haven't found a
 Volume Manager, anyone able to point me in the right direction?

 fdisk(8), disklabel(8), bioctl(8), newfs(8), dump(8), restore(8)



Re: ImageMagick and chroot

2007-05-17 Thread Marcos Laufer
Hello ,

The script just worked. Thanks a lot Aiko for that script, and thanks to 
everybody for the suggestions and help. Now the convert command 
runs, and I can see the web application shows me an image where it is
supposed to be shown, but I still have some errors though, but I 
guess they are about the programming of this web application. 
I know that on the old server (Linux) it worked just fine with 
the code as it is (php5), but maybe it has to be changed because 
of the chroot, I don't know, I'll try to contact the programmer to 
let him see it.
 
Thanks ,
Marcos 

- Original Message - 
From: Aiko Barz [EMAIL PROTECTED]
To: Marcos Laufer [EMAIL PROTECTED]
Cc: misc@openbsd.org
Sent: Thursday, May 17, 2007 2:51 PM
Subject: Re: ImageMagick and chroot



Marcos Laufer wrote:
 Hello ,
 
 Has anyone had luck in making ImageMagick work into the www chroot
 environment?

Yes, run the following script and you are done.

#!/bin/sh
#
# Copy the ImageMagick command-line tools, the shared libraries they
# link against and the run-time linker into the httpd chroot.

CHROOT=/var/www


# Make dirs
for d in bin usr/local/bin usr/local/lib usr/lib usr/X11R6/lib usr/libexec var/run; do
    [ -d "$CHROOT/$d" ] || mkdir -p "$CHROOT/$d"
done


SH=/bin/sh
if [ -x $SH ]; then
    cp -f $SH $CHROOT/$SH
else
    echo "No shit. $SH not found! :)"
fi


# ldd(1) reports the run-time linker as type "rtld", not "rlib", so the
# library loop below never copies it; a dynamic binary inside the chroot
# cannot start without it.
LD_SO=/usr/libexec/ld.so
if [ -f $LD_SO ]; then
    cp -f $LD_SO $CHROOT/$LD_SO
else
    echo "$LD_SO not found."
fi


LD_HINTS=/var/run/ld.so.hints
if [ -f $LD_HINTS ]; then
    cp $LD_HINTS $CHROOT/$LD_HINTS
else
    echo "$LD_HINTS not found. Still wondering though."
fi


# Copy one program plus every shared library ldd(1) lists for it.  On
# OpenBSD 4.x the ldd columns are: Start End Type Open Ref GrpRef Name,
# so $3 is the type and $7 the path.  which(1) may print
# "foo: Command not found." on stdout when there is no match, which is
# why only the first word is kept and then tested with -x.
install_bin() {
    bin=$(which "$1" | awk '{print $1}')
    if [ -z "$bin" ] || [ ! -x "$bin" ]; then
        echo "$1 not found."
        exit 1
    fi
    cp -f "$bin" "$CHROOT/$bin"
    for i in $(ldd "$bin" | awk '{if ($3 == "rlib") {print $7}}'); do
        if [ -f "$i" ]; then
            mkdir -p "$CHROOT$(dirname "$i")"
            cp -f "$i" "$CHROOT/$i"
        fi
    done
}

install_bin convert
install_bin composite
install_bin identify

HTH,
Aiko
-- 
Aiko Barz [EMAIL PROTECTED]
Web: http://www.haeckser.de



Re: Volume Management

2007-05-17 Thread Ted Unangst

On 5/17/07, Sébastien Colmant [EMAIL PROTECTED] wrote:

I'm familiar with those, my question was regarding a volume manager
not simple disk operation.
Something similar to lvm or evms maybe


use ccdconfig.



Re: SFTP no autocompletion?

2007-05-17 Thread Mouring
Darren Tucker dtucker at zip.com.au writes:

 
 On Tue, May 15, 2007 at 12:36:43PM +0200, Paul de Weerd wrote:
  On Tue, May 15, 2007 at 11:33:27AM +0200, Pieter Verberne wrote:
  | Hi there,
  | 
  | does SFTP have no TAB-autocompletion for local/remote files? TAB
  | doesn't work. It makes transferring files very clumsy. And does SFTP
  | secure my username and password or only my file transfers by default?
  
  SFTP uses ssh and thus secures the entire connection. The sftp(1)
  client that comes by default with OpenBSD does not do tabcompletion.
  Feel free to use another client or to write support for it and send a
  patch ;)
 
 Anyone looking into this would probably want to look at what Ben
 Lindstrom has already done with this:
 
 http://www.eviladmin.org/patches/sftp-tab.patch
 


I would just beware of this patch.  It works fine for local files, but there are
some serious flaws in remote file completion due to the fact that remote-glob()
doesn't act like glob() (Read:  sftp will crash in some cases).

This is a long known bug to me, but I've had very little energy to complete it
since I have no real backers nor have had time in the past few years.

Just wanted to provide the warning. =-)

- Ben



Sun Netra X1 Firewall Throughput?

2007-05-17 Thread Bryan Vyhmeister
Can anyone give any information about the Sun Netra X1 being used as  
a pf firewall. I am specifically looking for throughput information.  
I am considering using a pair for a theoretical maximum throughput of  
about 45 Mbps. Can the Netra X1 comfortably handle this with carp(4)  
and some pf firewalling. I know this is pretty generic but any  
comments? (In case you are wondering, I would run pfsync on a VLAN on  
the less used interface.) Thank you.


Bryan