Re: 4.1 on ALIX.1C - recommendations?
On Fri, 21 Sep 2007 23:48:11 -0500, Aaron wrote:
> ... SNIP
> Is anyone using solid state drives yet?

CF is effectively IDE. Witness (a firewall here):

# disklabel wd0
# Inside MBR partition 3: type A6 start 63 size 1000881
# /dev/rwd0c:
type: ESDI
disk: ESDI/IDE disk
label: SanDisk SDCFB-51
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 16
sectors/cylinder: 1008
cylinders: 993
total sectors: 1000944
rpm: 3600
8< snip!

But I also have a customer using a flash-based drive that looks like a 3.5" IDE job. It cost heaps, but she loves the speed of random access and I love the cool, quiet(er) machine.

In the beginning was The Word and The Word was Content-type: text/plain
The Word of Rod.
OpenBSD Talk at Open Source Conference 2007 Tokyo/Fall
Hi all,

At Open Source Conference 2007 Tokyo/Fall, I'll give an introductory talk about OpenBSD (in Japanese). The talk will be aimed at sysadmins who know the name but haven't used OpenBSD yet. It would be nice to have a chat with OpenBSD users in Japan after the talk. If you happen to be in or near the Tokyo area on Oct. 5, please let me know.

Open Source Conference 2007 Tokyo/Fall
http://www.ospn.jp/osc2007-fall/
http://www.ospn.jp/osc2007-fall/modules/eguide/event.php?eid=43

On Oct. 6, itojun will give a talk, "IPv6 and security demystified", and answer all the questions you have about IPv6.
http://www.ospn.jp/osc2007-fall/modules/eguide/event.php?eid=53

Best regards,
-- 
Tomoyuki Sakurai
Re: OpenBSD firewalls as virtual machine ?
* Luca Corti [EMAIL PROTECTED] [2007-09-21 18:34]:
> On Fri, 2007-09-21 at 10:52 -0400, Douglas A. Tutty wrote:
>> I don't understand the logic of having multiple firewalls on one box. If one box can handle the throughput requirements of all the NICs, why not just one big firewall?
>
> Overlapping IP address space.

someone just needs to sit down and add the code to put interfaces into alternate routing tables and arp running there and you can have that on openbsd. ok, it is a bit of work (that I am not very interested in). but the hard part (introduction of multiple routing tables) is already done.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
ioapic with single core kernel?
Hi,

I was playing around for a long time to get CardBus and sound working on my JVC MP-XP741. I've found that the GENERIC.MP kernel supports both if acpi is enabled. To my poor mind, it seems that ioapic is needed, but simply adding it to the GENERIC configuration file doesn't work. Since sysctl hw.setperf disappears in the MP kernel regardless of whether acpi is used or not, I'd like to add ioapic to the GENERIC kernel. Are there any suggestions?

Thx and regards
Dag Leine

OpenBSD 4.1 (GENERIC) #4: Sat Sep 22 11:00:34 CEST 2007
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) M processor 1.10GHz (GenuineIntel 686-class) 1.11 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,TM,SBF,EST,TM2
real mem = 795701248 (777052K)
avail mem = 717955072 (701128K)
using 4278 buffers containing 39907328 bytes (38972K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 10/26/04, SMBIOS rev. 2.3 @ 0xf9960 (37 entries)
bios0: JVC J2NE
apm0 at bios0: Power Management spec V1.2
apm0: AC on, no battery
apm0: flags 30102 dobusy 0 doidle 1
pcibios at bios0 function 0x1a not configured
bios0: ROM list: 0xc/0xd000! 0xcd000/0x1800 0xce800/0x8800
acpi at mainbus0 not configured
cpu0 at mainbus0
cpu0: Enhanced SpeedStep 1100 MHz (940 mV): speeds: 1100, 1000, 900, 800, 600 MHz
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82852GM Hub-PCI rev 0x02
Intel 82852GM Memory rev 0x02 at pci0 dev 0 function 1 not configured
Intel 82852GM Configuration rev 0x02 at pci0 dev 0 function 3 not configured
vga1 at pci0 dev 2 function 0 Intel 82852GM AGP rev 0x02: aperture at 0xf000, size 0x800
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
Intel 82852GM AGP rev 0x02 at pci0 dev 2 function 1 not configured
uhci0 at pci0 dev 29 function 0 Intel 82801DB USB rev 0x03: irq 5
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1 Intel 82801DB USB rev 0x03: irq 4
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 29 function 2 Intel 82801DB USB rev 0x03: irq 7
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
ehci0 at pci0 dev 29 function 7 Intel 82801DB USB rev 0x03: irq 3
usb3 at ehci0: USB revision 2.0
uhub3 at usb3
uhub3: Intel EHCI root hub, rev 2.00/1.00, addr 1
uhub3: 6 ports with 6 removable, self powered
ppb0 at pci0 dev 30 function 0 Intel 82801BAM Hub-to-PCI rev 0x83
pci1 at ppb0 bus 1
cbb0 at pci1 dev 3 function 0 Ricoh 5C475 CardBus rev 0xb8pci_intr_map: no mapping for pin A
: couldn't map interrupt
Ricoh 5C551 Firewire rev 0x00 at pci1 dev 3 function 1 not configured
iwi0 at pci1 dev 5 function 0 Intel PRO/Wireless 2200BG rev 0x05: irq 7, address 00:0e:35:c3:a9:f7
fxp0 at pci1 dev 8 function 0 Intel 82801DB LAN rev 0x83, i82562: irq 5, address 00:80:88:23:02:e8
inphy0 at fxp0 phy 1: i82562EM 10/100 PHY, rev. 0
ichpcib0 at pci0 dev 31 function 0 Intel 82801DBM LPC rev 0x03
pciide0 at pci0 dev 31 function 1 Intel 82801DBM IDE rev 0x03: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: TOSHIBA MK1233GAS
wd0: 16-sector PIO, LBA48, 114473MB, 234441648 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
pciide0: channel 1 ignored (disabled)
auich0 at pci0 dev 31 function 5 Intel 82801DB AC97 rev 0x03pci_intr_map: no mapping for pin B
Intel 82801DB Modem rev 0x03 at pci0 dev 31 function 6 not configured
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
biomask effd netmask effd ttymask
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302

OpenBSD 4.1 (GENERIC.MP) #0: Wed Sep 19 13:47:11 CEST 2007
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Pentium(R) M processor 1.10GHz (GenuineIntel 686-class) 1.11 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,TM,SBF,EST,TM2
real mem = 795701248 (777052K)
avail mem = 717893632 (701068K)
using 4278 buffers containing 39907328 bytes (38972K) of memory
User Kernel Config
UKC> enable acpi
388 acpi0 enabled
UKC> disable apm
298 apm0
umts cell phone as modem
Hi,

I'm trying to use the SAMSUNG SHG-L760 over USB as a modem. OpenBSD recognises it as umodem0 (dmesg attached) and assigns ucom0.

First of all I want to have an 'AT OK' sequence. I've tried echo and cat as well as a small perl script sending 'AT\r\n' to /dev/cuaU0 and reading from it. While sending seems to work, there is no answer from the cell phone.

Please can anyone give me a hint how to get the communication working? (The cell phone is ok; under Windows I can talk to it with a terminal client on com4.)

regards
Dag Leine

OpenBSD 4.1 (GENERIC) #1435: Sat Mar 10 19:07:45 MST 2007
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) 4 CPU 2.80GHz (GenuineIntel 686-class) 2.80 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID,xTPR
real mem = 536113152 (523548K)
avail mem = 481468416 (470184K)
using 4278 buffers containing 26931200 bytes (26300K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 02/17/05, BIOS32 rev. 0 @ 0xf0010, SMBIOS rev. 2.3 @ 0xf04b0 (66 entries)
bios0: ASUSTeK Computer Inc. P4P800SE
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf5ce0/256 (14 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801EB/ER LPC rev 0x00)
pcibios0: PCI bus #3 is the last bus
bios0: ROM list: 0xc/0x8800
acpi at mainbus0 not configured
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82865G/PE/P CPU-I/0-1 rev 0x02
ppb0 at pci0 dev 1 function 0 Intel 82865G/PE/P CPU-AGP rev 0x02
pci1 at ppb0 bus 1
uhci0 at pci0 dev 29 function 0 Intel 82801EB/ER USB rev 0x02: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1 Intel 82801EB/ER USB rev 0x02: irq 3
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 29 function 2 Intel 82801EB/ER USB rev 0x02: irq 5
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
uhci3 at pci0 dev 29 function 3 Intel 82801EB/ER USB rev 0x02: irq 11
usb3 at uhci3: USB revision 1.0
uhub3 at usb3
uhub3: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub3: 2 ports with 2 removable, self powered
ehci0 at pci0 dev 29 function 7 Intel 82801EB/ER USB2 rev 0x02: irq 10
usb4 at ehci0: USB revision 2.0
uhub4 at usb4
uhub4: Intel EHCI root hub, rev 2.00/1.00, addr 1
uhub4: 8 ports with 8 removable, self powered
ppb1 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0xc2
pci2 at ppb1 bus 2
skc0 at pci2 dev 5 function 0 Marvell Yukon 88E8001/8003/8010 rev 0x13, Yukon Lite (0x9): irq 5
sk0 at skc0 port A, address 00:13:d4:32:d9:96
eephy0 at sk0 phy 0: Marvell 88E1011 Gigabit PHY, rev. 5
ppb2 at pci2 dev 9 function 0 Hint HB6 PCI-PCI rev 0x12
pci3 at ppb2 bus 3
vga1 at pci3 dev 0 function 0 Matrox MGA G400/G450 AGP rev 0x82
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ichpcib0 at pci0 dev 31 function 0 Intel 82801EB/ER LPC rev 0x02
pciide0 at pci0 dev 31 function 1 Intel 82801EB/ER IDE rev 0x02: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: WDC WD200BB-00DEA0
wd0: 16-sector PIO, LBA, 19092MB, 39102336 sectors
wd1 at pciide0 channel 0 drive 1: SAMSUNG SP0802N
wd1: 16-sector PIO, LBA48, 76351MB, 156368016 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
wd1(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: _NEC, DVD_RW ND-2510A, 2.15 SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
ichiic0 at pci0 dev 31 function 3 Intel 82801EB/ER SMBus rev 0x02: irq 5
iic0 at ichiic0
auich0 at pci0 dev 31 function 5 Intel 82801EB/ER AC97 rev 0x02: irq 5, ICH5 AC97
ac97: codec id 0x41445375 (Analog Devices AD1985)
ac97: codec features headphone, 20 bit DAC, No 3D Stereo
audio0 at auich0
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pmsi0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pmsi0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
lm0 at isa0 port 0x290/8: W83627THF
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl,
Re: umts cell phone as modem
On Sat, Sep 22, 2007 at 04:37:11PM +0200, Dag Leine wrote:
| Hi,
|
| I'm trying to use the SAMSUNG SHG-L760 over usb as modem.
| OpenBSD recognises it as umodem0 (dmesg attached) and assigns ucom0.
|
| First of all I want to have an 'AT OK' sequence. I've tried echo and cat
| as well as a small perl script sending 'AT\r\n' to /dev/cuaU0 and read
| from it. While sending seems to work, there is no answer from the cell
| phone.
|
| Please can anyone give me a hint how to get the communication working?
| (The cell phone is ok, under Windows I can talk to it with a terminal
| client on com4)

From your dmesg :
| ucom0 at umodem0

You could try cu. If you're in group dialer do : `cu -l cuaU0` and type 'ATZ' and press enter.

Perhaps you need to play with the speed of the serial device, since cu defaults to 9600. This is the -s option.

Good luck.

Paul 'WEiRD' de Weerd

-- 
[++-]+++.+++[---].+++[+
+++-].++[-]+.--.[-]
http://www.weirdnet.nl/

[demime 1.01d removed an attachment of type application/pgp-signature]
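A hand-rolled script like Dag's usually gets no reply because the tty is still in cooked mode (input held until a newline, CR translated), the line speed is wrong, or the script waits for a line terminator the modem never sends. The following is an added example of mine, not code from Paul's or Dag's post: it does the raw-mode setup that cu(1) otherwise handles for you, sends one CR-terminated AT command and reads until a final result code or a timeout. It assumes the /dev/cuaU0 node (ucom0) from the dmesg and that the caller may open it (Paul's dialer group); the loopback helper substitutes a pseudo-terminal and a constructed modem reply so the exchange can be exercised without hardware.

```python
"""Send one AT command to a serial modem and wait for its result code.

Added example, not code from the mailing-list thread. Assumes the device
node /dev/cuaU0 (ucom0) from Dag's dmesg and that the caller is allowed to
open it (the dialer group Paul mentions)."""
import os
import select
import termios
import time
import tty

DEFAULT_DEVICE = "/dev/cuaU0"  # assumption: ucom0 -> cuaU0 as in the thread


def configure_port(fd, speed=termios.B9600):
    """Raw 8N1 at `speed`, no echo, no CR/LF translation, ignore carrier.

    cu(1) does the equivalent for you; a script must do it by hand or the
    tty layer holds input until a newline and may translate the CR."""
    tty.setraw(fd)                      # clears ICANON, ECHO, ICRNL, OPOST ...
    attrs = termios.tcgetattr(fd)
    attrs[4] = speed                    # input speed
    attrs[5] = speed                    # output speed
    attrs[2] |= termios.CLOCAL | termios.CREAD  # don't wait for DCD
    termios.tcsetattr(fd, termios.TCSANOW, attrs)


def at_exchange(fd, command, timeout=2.0):
    """Write `command` + CR and collect bytes until a final result code
    (OK or ERROR) arrives or `timeout` seconds pass. Returns the raw reply."""
    os.write(fd, command.encode("ascii") + b"\r")  # modems want CR, not LF
    buf = b""
    deadline = time.monotonic() + timeout
    while not (b"OK" in buf or b"ERROR" in buf):
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            break
        ready, _, _ = select.select([fd], [], [], remaining)
        if not ready:
            break                       # timed out: nothing more is coming
        chunk = os.read(fd, 256)
        if not chunk:
            break                       # EOF: device went away
        buf += chunk
    return buf.decode("ascii", errors="replace")


def final_result(reply):
    """Classify a reply by its last non-empty line: 'OK', 'ERROR' or 'TIMEOUT'."""
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()]
    if lines and lines[-1] in ("OK", "ERROR"):
        return lines[-1]
    return "TIMEOUT"


def loopback_probe(canned_reply=b"AT\r\r\nOK\r\n", timeout=1.0):
    """Exercise the exchange on a pseudo-terminal instead of real hardware.

    `canned_reply` is a constructed modem answer (command echo, then OK)
    pushed in from the master side; the slave side plays the cuaU0 role."""
    master, slave = os.openpty()
    try:
        configure_port(slave)
        os.write(master, canned_reply)
        return final_result(at_exchange(slave, "AT", timeout))
    finally:
        os.close(master)
        os.close(slave)


if __name__ == "__main__":
    import sys
    dev = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_DEVICE
    fd = os.open(dev, os.O_RDWR | os.O_NOCTTY)
    try:
        configure_port(fd)              # try termios.B115200 if 9600 stays silent
        reply = at_exchange(fd, "AT")
        print(repr(reply), "->", final_result(reply))
    finally:
        os.close(fd)
```

Run it as `python3 atprobe.py /dev/cuaU0`; if the result is TIMEOUT at 9600, change the speed passed to configure_port, which is the same knob as cu's -s option.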
Re: OpenBSD firewalls as virtual machine ?
Douglas A. Tutty wrote:
...
> Hi Nick. I understand your reasons. To me they look like reasons for separate firewalls on separate boxes. In the scenarios you mention, would you put separate firewalls on one machine?

That's where you are supposed to 1) recognize that my mysteriously mangled e-mail address is me and 2) read back to my previous statement where I stated that I don't feel VM technology is suitable for externally exposed apps or security critical apps and 3) catch the implied sarcastic sneer in "If one believed in the idea of 'a perfect VM environment'".

Yes, very separate is what I was recommending: no VM, keep them as separate as possible. When appropriate, of course.

VMware and related technologies look cool, but it's an extra layer of complexity and security vulnerabilities. It is also a technology where the track record is "Coolness first, security when they catch us with our pants down". It is also something that is rarely done properly (for my definition of properly), but that's a different discussion for a different list.

Nick.
Does OpenBSD support Hebrew?
Dear subscribers/moderators,

Does OpenBSD fully support Hebrew? If indeed it does, how does one make applications in X/KDE properly see/present Hebrew letters and filenames?

I have already added the following two lines to my .profile:

export LC_CTYPE=he_IL.UTF-8
export LC_COLLATE=he_IL.UTF-8

and this made it possible to show Hebrew filenames under normal KDE applications properly. However, when I tried opening an OpenOffice file, for example, which had Hebrew letters in it, it all appeared meshed and garbled, or just blanks instead of letters.

Amit.
OBSD's perspective on SELinux
Hello all,

I'm running OBSD on my older boxes but still Debian on my big box (not ready yet). Linux has SELinux in its 2.6 kernel and Debian has gone ahead and compiled SELinux into the libraries, although the SELinux policies aren't ready on Debian yet. The whole focus seems to be to make Linux more secure. I'm not sure what to make of it. I figure that if you want secure, you switch to OBSD.

Could someone who knows both the details of OBSD's security enhancements and the details of SELinux comment?

Please note: this is _not_ a troll, flame-war-tinder-box, whatever. I'm genuinely interested.

Thanks,
Doug.
Re: OpenBSD firewalls as virtual machine ?
On Sat, Sep 22, 2007 at 10:53:05AM -0400, Nick Holland wrote:
> Douglas A. Tutty wrote:
> ...
>> Hi Nick. I understand your reasons. To me they look like reasons for separate firewalls on separate boxes. In the scenarios you mention, would you put separate firewalls on one machine?
>
> That's where you are supposed to 1) recognize that my mysteriously mangled e-mail address is me and 2) read back to my previous statement where I stated that I don't feel VM technology is suitable for externally exposed apps or security critical apps and 3) catch the implied sarcastic sneer in "If one believed in the idea of 'a perfect VM environment'".

Thanks Nick. I don't catch sarcastic sneer much in person, let alone via email.

Doug.
Re: OBSD's perspective on SELinux
On Sat, Sep 22, 2007 at 11:34:33AM -0400, Douglas A. Tutty wrote:
> Linux has SELinux in its 2.6 kernel and Debian has gone ahead and compiled SELinux into the libraries, although the SELinux policies aren't ready on Debian yet. The whole focus seems to be to make Linux more secure. I'm not sure what to make of it. I figure that if you want secure, you switch to OBSD.
>
> Could someone who knows both the details of OBSD's security enhancements and the details of SELinux comment?

I don't know all the details, and especially not the SELinux details, but that won't stop me from commenting.

Not long ago I was talking with a Linux person about security, and they pointed me to a set of patches that did a lot of nifty stuff. Good stuff, like the things you find OpenBSD doing. But it's not in the mainline kernel, it's a set of patches.

Security should not be grafted on, it should be integrated into the main development process. I'm sure the patch maintainers are doing their best, but this doesn't change the fundamental flaw in the process. It's not a flaw of their making, it's inherent in the situation. But it's still a flaw.

Compare that to a complete operating system (OpenBSD) where security is part of code quality, and part of the normal mainline development.

-- 
Darrin Chandler            |  Phoenix BSD User Group  |  MetaBUG
[EMAIL PROTECTED]          |  http://phxbug.org/      |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation
Re: OBSD's perspective on SELinux
On Sep 22, 2007, at 12:00 PM, Darrin Chandler wrote:
> On Sat, Sep 22, 2007 at 11:34:33AM -0400, Douglas A. Tutty wrote:
>> Linux has SELinux in its 2.6 kernel and Debian has gone ahead and compiled SELinux into the libraries, although the SELinux policies aren't ready on Debian yet. The whole focus seems to be to make Linux more secure. I'm not sure what to make of it. I figure that if you want secure, you switch to OBSD.
>>
>> Could someone who knows both the details of OBSD's security enhancements and the details of SELinux comment?
>
> I don't know all the details, and especially not the SELinux details, but that won't stop me from commenting.
>
> Not long ago I was talking with a Linux person about security, and they pointed me to a set of patches that did a lot of nifty stuff. Good stuff, like the things you find OpenBSD doing. But it's not in the mainline kernel, it's a set of patches.
>
> Security should not be grafted on, it should be integrated into the main development process. I'm sure the patch maintainers are doing their best, but this doesn't change the fundamental flaw in the process. It's not a flaw of their making, it's inherent in the situation. But it's still a flaw.
>
> Compare that to a complete operating system (OpenBSD) where security is part of code quality, and part of the normal mainline development.

If I could add one thing to Darrin's comment (with which I agree completely), it would be this: SELinux is a button. Buttons are easy to turn off.

---
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
Re: Does OpenBSD support Hebrew?
Filenames in foreign languages can sometimes be a little problematic, because Unix doesn't really have any standard on how to store them on disk - filenames are just byte arrays. Because a machine may have users with different locales, this can make sharing files very difficult, so the desktop environments seem to be storing filenames in UTF-8 with no regard to the locale.

GTK apps also look at the environment variable G_FILENAME_ENCODING, which you may want to define, but if memory serves me correctly it defaults to UTF-8, so with a UTF-8 locale you don't need to care.

Are you sure .profile is sourced in your X session? Try checking that the environment variables are set in an xterm. The command locale will also print out the locale settings, but I can't remember if OpenBSD has one (I'm stuck on a painful mobile device so I can't check). Do the filenames look ok if you ls them in an xterm?

HTH,
Jussi Peltola

[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
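Jussi's two checks, whether the UTF-8 locale is actually visible to the session and whether the on-disk names are valid UTF-8 byte strings, as an added example of mine, not part of the original reply. It reads the directory with a bytes path so the kernel's view (a filename is a byte array with no encoding attached) is visible, and it builds a constructed directory holding the same Hebrew name twice, once as UTF-8 bytes and once as ISO-8859-8 bytes, to show that only the first one decodes under he_IL.UTF-8. The locale precedence it applies (LC_ALL over LC_CTYPE over LANG) is the standard POSIX one, not something the reply states.

```python
"""Check locale variables and on-disk filename encodings.

Added example; not from the original reply. The sample directory is
constructed here so the script runs anywhere."""
import os
import tempfile

SAMPLE_NAME = "שלום.txt"   # constructed Hebrew filename ("shalom")


def effective_ctype(env):
    """Return the value that decides the character-type locale.

    Precedence is LC_ALL, then LC_CTYPE, then LANG; an unset chain means
    the C locale, which is what a session that never sourced .profile gets."""
    return env.get("LC_ALL") or env.get("LC_CTYPE") or env.get("LANG") or "C"


def locale_is_utf8(env):
    """True if the effective LC_CTYPE names a UTF-8 codeset (e.g. he_IL.UTF-8)."""
    codeset = effective_ctype(env).split(".", 1)[-1]
    return codeset.lower().replace("-", "") == "utf8"


def classify_filenames(directory):
    """Split a directory's entries into names that decode as UTF-8 and raw
    byte names that do not. Listing with a bytes path shows the kernel's
    view: a filename is a byte string with no encoding attached."""
    decodable, raw = [], []
    for name in os.listdir(os.fsencode(directory)):
        try:
            decodable.append(name.decode("utf-8"))
        except UnicodeDecodeError:
            raw.append(name)
    return sorted(decodable), sorted(raw)


def build_sample_dir():
    """Constructed fixture: the same Hebrew name written twice, once as the
    UTF-8 bytes a desktop application writes and once as ISO-8859-8 bytes
    an older or differently configured program might have written."""
    directory = tempfile.mkdtemp(prefix="hebrew-names-")
    base = os.fsencode(directory)
    for encoded in (SAMPLE_NAME.encode("utf-8"), SAMPLE_NAME.encode("iso-8859-8")):
        with open(os.path.join(base, encoded), "wb"):
            pass
    return directory


if __name__ == "__main__":
    print("effective LC_CTYPE:", effective_ctype(os.environ),
          "(UTF-8)" if locale_is_utf8(os.environ) else "(not UTF-8)")
    good, bad = classify_filenames(build_sample_dir())
    print("decodes as UTF-8:", good)
    print("raw bytes, not UTF-8:", bad)
```

Run it from the xterm Jussi mentions: if the first line reports the C locale, .profile was not sourced for that session; if real files show up under "raw bytes", they were written under a different encoding and need renaming, since no locale setting will make them display correctly.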
Re: OBSD's perspective on SELinux
On 9/23/07, Jason Dixon [EMAIL PROTECTED] wrote:
> On Sep 22, 2007, at 12:00 PM, Darrin Chandler wrote:
>> On Sat, Sep 22, 2007 at 11:34:33AM -0400, Douglas A. Tutty wrote:
>>> Linux has SELinux in its 2.6 kernel and Debian has gone ahead and compiled SELinux into the libraries, although the SELinux policies aren't ready on Debian yet. The whole focus seems to be to make Linux more secure. I'm not sure what to make of it. I figure that if you want secure, you switch to OBSD.
>>>
>>> Could someone who knows both the details of OBSD's security enhancements and the details of SELinux comment?
>>
>> I don't know all the details, and especially not the SELinux details, but that won't stop me from commenting.
>>
>> Not long ago I was talking with a Linux person about security, and they pointed me to a set of patches that did a lot of nifty stuff. Good stuff, like the things you find OpenBSD doing. But it's not in the mainline kernel, it's a set of patches.
>>
>> Security should not be grafted on, it should be integrated into the main development process.

yes you're right. Although that point no longer holds. SELinux is more or less official now. But for a looong (long) time, it was pretty apparent what the focus of the developers was *not* on. And even now so (IMO).

>> I'm sure the patch maintainers are doing their best, but this doesn't change the fundamental flaw in the process. It's not a flaw of their making, it's inherent in the situation. But it's still a flaw.
>>
>> Compare that to a complete operating system (OpenBSD) where security is part of code quality, and part of the normal mainline development.
>
> If I could add one thing to Darrin's comment (with which I agree completely), it would be this: SELinux is a button. Buttons are easy to turn off.

button, yes. The scary (or interesting, depending on how you see it) bit is that there is a whole infrastructure (LKM) behind it making it easy(?) to create, and plug in your own buttons to do your own funky stuff...

-jf
--
In the meantime, here is your PSA:
"It's so hard to write a graphics driver that open-sourcing it would not help."
-- Andrew Fear, Software Product Manager, NVIDIA Corporation
http://kerneltrap.org/node/7228
Re: OBSD's perspective on SELinux
On Sat, Sep 22, 2007 at 11:34:33AM -0400, Douglas A. Tutty wrote:
> Hello all,
>
> I'm running OBSD on my older boxes but still Debian on my big box (not ready yet). Linux has SELinux in its 2.6 kernel and Debian has gone ahead and compiled SELinux into the libraries, although the SELinux policies aren't ready on Debian yet. The whole focus seems to be to make Linux more secure. I'm not sure what to make of it. I figure that if you want secure, you switch to OBSD.
>
> Could someone who knows both the details of OBSD's security enhancements and the details of SELinux comment?
>
> Please note: this is _not_ a troll, flame-war-tinder-box, whatever. I'm genuinely interested.

The OpenBSD developers are trying to make the most secure UNIX system they can; SELinux might or might not be secure, but it's not UNIX.

Additionally, it's not entirely clear whether it actually helps; a SELinux configuration is, even at its best, a lot more complex than the equivalent UNIX-ish configuration. Thus, it becomes more likely that there will be either configuration or coding errors.

Joachim

-- 
TFMotD: kadmin (8) - Kerberos administration utility
Re: OBSD's perspective on SELinux
2007/9/22, Joachim Schipper [EMAIL PROTECTED]:
> The OpenBSD developers are trying to make the most secure UNIX system they can; SELinux might or might not be secure, but it's not UNIX.

What part of SELinux is NOT Unix? Remember that all traditional Unix rwx permissions are still there.

> Additionally, it's not entirely clear whether it actually helps;

For example, for blocking some critical operations for ALL users, even root. Of course, that's the case when strict traditional Unix-awareness is not so critical as the security of the system by itself.

> a SELinux configuration is, even at its best, a lot more complex than the equivalent UNIX-ish configuration. Thus, it becomes more likely that there will be either configuration or coding errors.

Every security feature, every OS improvement IS additional code. That's the problem of proper kernel and security policy audit, not of SELinux as an idea.

> Joachim
>
> -- 
> TFMotD: kadmin (8) - Kerberos administration utility
Re: OBSD's perspective on SELinux
Hi,

You might be talking about grsecurity and PaX [1]. SELinux hooks through the LSM [2] framework. LSM was designed to be easily enabled and disabled, so that should be a fundamental flaw. LSM has valid criticisms [3] [4].

[1] http://grsecurity.net
[2] http://en.wikipedia.org/wiki/Linux_Security_Modules
[3] http://www.grsecurity.net/lsm.php
[4] http://www.rsbac.org/documentation/why_rsbac_does_not_use_lsm

Cheers,
Ed

On 9/23/07, Darrin Chandler [EMAIL PROTECTED] wrote:
> On Sat, Sep 22, 2007 at 11:34:33AM -0400, Douglas A. Tutty wrote:
>> Linux has SELinux in its 2.6 kernel and Debian has gone ahead and compiled SELinux into the libraries, although the SELinux policies aren't ready on Debian yet. The whole focus seems to be to make Linux more secure. I'm not sure what to make of it. I figure that if you want secure, you switch to OBSD.
>>
>> Could someone who knows both the details of OBSD's security enhancements and the details of SELinux comment?
>
> I don't know all the details, and especially not the SELinux details, but that won't stop me from commenting.
>
> Not long ago I was talking with a Linux person about security, and they pointed me to a set of patches that did a lot of nifty stuff. Good stuff, like the things you find OpenBSD doing. But it's not in the mainline kernel, it's a set of patches.
>
> Security should not be grafted on, it should be integrated into the main development process. I'm sure the patch maintainers are doing their best, but this doesn't change the fundamental flaw in the process. It's not a flaw of their making, it's inherent in the situation. But it's still a flaw.
>
> Compare that to a complete operating system (OpenBSD) where security is part of code quality, and part of the normal mainline development.
>
> -- 
> Darrin Chandler            |  Phoenix BSD User Group  |  MetaBUG
> [EMAIL PROTECTED]          |  http://phxbug.org/      |  http://metabug.org/
> http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation
Re: OBSD's perspective on SELinux
On Sat, Sep 22, 2007 at 12:20:34PM -0400, Jason Dixon wrote:
> On Sep 22, 2007, at 12:00 PM, Darrin Chandler wrote:
>> On Sat, Sep 22, 2007 at 11:34:33AM -0400, Douglas A. Tutty wrote:
>>> Linux has SELinux in its 2.6 kernel and Debian has gone ahead and compiled SELinux into the libraries, although the SELinux policies aren't ready on Debian yet. The whole focus seems to be to make Linux more secure. I'm not sure what to make of it. I figure that if you want secure, you switch to OBSD.
>>>
>>> Could someone who knows both the details of OBSD's security enhancements and the details of SELinux comment?
>>
>> I don't know all the details, and especially not the SELinux details, but that won't stop me from commenting.
>>
>> Not long ago I was talking with a Linux person about security, and they pointed me to a set of patches that did a lot of nifty stuff. Good stuff, like the things you find OpenBSD doing. But it's not in the mainline kernel, it's a set of patches.
>>
>> Security should not be grafted on, it should be integrated into the main development process. I'm sure the patch maintainers are doing their best, but this doesn't change the fundamental flaw in the process. It's not a flaw of their making, it's inherent in the situation. But it's still a flaw.
>>
>> Compare that to a complete operating system (OpenBSD) where security is part of code quality, and part of the normal mainline development.
>
> If I could add one thing to Darrin's comment (with which I agree completely), it would be this: SELinux is a button. Buttons are easy to turn off.

As I understand it, the patches (the button) are maintained by the US NSA; I suppose as a service to their fellow Americans. That likely brings out the conspiracy theorists who say that there's probably a back-door to allow NSA to read your ssh keys, GPG/PGP keys, whatever.

My _personal_ perspective is that OBSD is smaller. You don't have 5,000 or whatever people changing the kernel, plus NSA putting their thumb in it. You have my fellow Canadian Theo and people he trusts.

Thanks for your comments.

Doug.
Re: OBSD's perspective on SELinux
2007/9/22, Douglas A. Tutty [EMAIL PROTECTED]:
> On Sat, Sep 22, 2007 at 12:20:34PM -0400, Jason Dixon wrote:
>> On Sep 22, 2007, at 12:00 PM, Darrin Chandler wrote:
>>> On Sat, Sep 22, 2007 at 11:34:33AM -0400, Douglas A. Tutty wrote:
>>>> Linux has SELinux in its 2.6 kernel and Debian has gone ahead and compiled SELinux into the libraries, although the SELinux policies aren't ready on Debian yet. The whole focus seems to be to make Linux more secure. I'm not sure what to make of it. I figure that if you want secure, you switch to OBSD.
>>>>
>>>> Could someone who knows both the details of OBSD's security enhancements and the details of SELinux comment?
>>>
>>> I don't know all the details, and especially not the SELinux details, but that won't stop me from commenting.
>>>
>>> Not long ago I was talking with a Linux person about security, and they pointed me to a set of patches that did a lot of nifty stuff. Good stuff, like the things you find OpenBSD doing. But it's not in the mainline kernel, it's a set of patches.
>>>
>>> Security should not be grafted on, it should be integrated into the main development process. I'm sure the patch maintainers are doing their best, but this doesn't change the fundamental flaw in the process. It's not a flaw of their making, it's inherent in the situation. But it's still a flaw.
>>>
>>> Compare that to a complete operating system (OpenBSD) where security is part of code quality, and part of the normal mainline development.
>>
>> If I could add one thing to Darrin's comment (with which I agree completely), it would be this: SELinux is a button. Buttons are easy to turn off.
>
> As I understand it, the patches (the button) are maintained by the US NSA; I suppose as a service to their fellow Americans. That likely brings out the conspiracy theorists who say that there's probably a back-door to allow NSA to read your ssh keys, GPG/PGP keys, whatever.

GPL code, isn't it? Go read it! Go find backdoors!

> My _personal_ perspective is that OBSD is smaller. You don't have 5,000 or whatever people changing the kernel, plus NSA putting their thumb in it. You have my fellow Canadian Theo and people he trusts.

The problem of Linux as a whole is that it tries to resolve security problems not by auditing code but by implementing SELinux. But what would the problem be if OpenBSD had a SeBSD extension? It's just one of the security features, and I don't see the reason for blaming SELinux. Linux's security flaws are not there but in the Linux kernel, a bunch of badly tested code.

> Thanks for your comments.
>
> Doug.
Re: OBSD's perspective on SELinux
On Sep 22, 2007, at 12:28 PM, Ihar Hrachyshka [EMAIL PROTECTED] wrote:
> 2007/9/22, Jason Dixon [EMAIL PROTECTED]:
>> On Sep 22, 2007, at 12:00 PM, Darrin Chandler wrote:
>>> On Sat, Sep 22, 2007 at 11:34:33AM -0400, Douglas A. Tutty wrote:
>>>> Linux has SELinux in its 2.6 kernel and Debian has gone ahead and compiled SELinux into the libraries, although the SELinux policies aren't ready on Debian yet. The whole focus seems to be to make Linux more secure. I'm not sure what to make of it. I figure that if you want secure, you switch to OBSD.
>>>>
>>>> Could someone who knows both the details of OBSD's security enhancements and the details of SELinux comment?
>>>
>>> I don't know all the details, and especially not the SELinux details, but that won't stop me from commenting.
>>>
>>> Not long ago I was talking with a Linux person about security, and they pointed me to a set of patches that did a lot of nifty stuff. Good stuff, like the things you find OpenBSD doing. But it's not in the mainline kernel, it's a set of patches.
>>>
>>> Security should not be grafted on, it should be integrated into the main development process. I'm sure the patch maintainers are doing their best, but this doesn't change the fundamental flaw in the process. It's not a flaw of their making, it's inherent in the situation. But it's still a flaw.
>>>
>>> Compare that to a complete operating system (OpenBSD) where security is part of code quality, and part of the normal mainline development.
>>
>> If I could add one thing to Darrin's comment (with which I agree completely), it would be this: SELinux is a button. Buttons are easy to turn off.
>
> You can also turn off OBSD security features by lowering its level, isn't it?

Only in single-user mode, not in a running multi-user system. Please see securelevel(8).

> Men, just say that OBSD doesn't support task-based security policies, sure. It's not so bad, not really, because most OSs don't have it either. But please stop blaming Linux flaws: SELinux IS in the kernel mainline, so what's the problem with it, hum?

It's a button. Buttons are easily turned off. Ask *any* Linux server admin. Odds are 10-1 they've disabled SELinux.

---
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
Re: OBSD's perspective on SELinux
SELinux has clearly defined security mechanisms implemented through different components. It is doing what it was designed for. The real problem with SELinux is the way it hooks to the Linux kernel. The inaccurate marketing of this tool doesn't help either; unsuspecting users are blindly using it as a magical security solution.

On 9/23/07, Ihar Hrachyshka [EMAIL PROTECTED] wrote:
> 2007/9/22, Douglas A. Tutty [EMAIL PROTECTED]:
>> On Sat, Sep 22, 2007 at 12:20:34PM -0400, Jason Dixon wrote:
>>> On Sep 22, 2007, at 12:00 PM, Darrin Chandler wrote:
>>>> On Sat, Sep 22, 2007 at 11:34:33AM -0400, Douglas A. Tutty wrote:
>>>>> Linux has SELinux in its 2.6 kernel and debian has gone ahead and compiled SELinux into the libraries, although the SELinux policies aren't ready on debian yet. The whole focus seems to be to make Linux more secure. I'm not sure what to make of it. I figure that if you want secure, you switch to OBSD. Could someone who knows both the details of OBSDs security enhancements and the details of SELinux comment?
>>>>
>>>> I don't know all the details, and especially not the SELinux details, but that won't stop me from commenting. Not long ago I was talking with a Linux person about security, and they pointed me to a set of patches that did a lot of nifty stuff. Good stuff, like the things you find OpenBSD doing. But it's not in the mainline kernel, it's a set of patches. Security should not be grafted on, it should be integrated into the main development process. I'm sure the patch maintainers are doing their best, but this doesn't change the fundamental flaw in the process. It's not a flaw of their making, it's inherent in the situation. But it's still a flaw. Compare that to a complete operating system (OpenBSD) where security is part of code quality, and part of the normal mainline development.
>>>
>>> If I could add one thing to Darrin's comment (of which I agree completely), it would be this: SELinux is a button. Buttons are easy to turn off.
>>
>> As I understand it, the patches (the button) are maintained by the US NSA; I suppose as a service to their fellow Americans. That likely brings out the conspiracy theorists who say that there's probably a back-door to allow NSA to read your ssh keys, GPG/PGP keys, whatever.
>
> GPL code, isn't it? Go read it! Go find backdoors!
>
>> My _personal_ perspective is that OBSD is smaller. You don't have 5,000 or whatever people changing the kernel, plus NSA putting their thumb in it. You have my Fellow Canadian Theo and people he trusts. The problem of Linux as a whole is that it tries to resolve security problems not by auditing code but by implementing SELinux.
>
> But what the problem would be if OpenBSD has SeBSD extension? It's just one of security features, and I don't see the matter for blaming on SELinux. Linux security flaws are not there but in Linux kernel as a bunch of badly tested code.
>
>> Thanks for your comments. Doug.
Re: : : OpenBSD Install Goal
Douglas A. Tutty wrote:
>> 1) there are no multiple consoles on the install kernel.
>
> Ouch! How big a deal would it be to do that?

Very, if the installer will still fit on a floppy.

> Would it be difficult to provide on the CD and perhaps a tarball on FTP a directory structure that would allow an option from the installer (either on the same screen or a separate terminal if that was possible) to run lynx to read the FAQ directly off the CD?

http://g.paderni.free.fr/olivebsd/

Doesn't work as part of the install, but at least you can quit the install and look up something if you only have one computer.
Re: OBSD's perspective on SELinux
On 9/22/07, Douglas A. Tutty [EMAIL PROTECTED] wrote:
> Linux has SELinux in its 2.6 kernel and debian has gone ahead and compiled SELinux into the libraries, although the SELinux policies aren't ready on debian yet.

rhetorical question: why aren't the policies ready?

the problem with security by policy is that the policy is always wrong.

exercise for the reader: find somebody using SELinux. ask them to describe their policy over the phone. then repeat it back to them. did you get it right?
Re: Does OpenBSD support Hebrew?
On 9/22/07, Jussi Peltola [EMAIL PROTECTED] wrote:
> Filenames in foreign languages can sometimes be a little problematic, because Unix doesn't really have any standard on how to store them on disk - filenames are just byte arrays. Because a machine may have users with different locales this can make sharing files very difficult, so the desktop environments seem to be storing filenames in UTF-8 with no regard to the locale. GTK apps also look at the environment variable G_FILENAME_ENCODING, which you may want to define, but if memory serves me correctly it defaults to UTF-8 so with an UTF-8 locale you don't need to care.
>
> Are you sure .profile is sourced in your X session? Try checking the environment variables are set in an xterm.

I don't know what you mean by sourced, but when I type set in an xterm I see them.

> The command locale will also print out the locale settings, but I can't remember if OpenBSD has one (I'm stuck on a painful mobile device so I can't check).

I don't think it has one either. In any case I noticed that indeed the two sets weren't really accepted by the system:

    perl: warning: Setting locale failed.
    perl: warning: Please check that your locale settings:
            LC_ALL = (unset),
            LC_CTYPE = he_IL.UTF-8,
            LC_COLLATE = he_IL.UTF-8,
            LANG = (unset)
        are supported and installed on your system.
    perl: warning: Falling back to the standard locale (C).
    Can't resolve locale

> Do the filenames look ok if you ls them in an xterm?

OK, I checked that and they don't. They appear like gibberish and question marks surrounded by circles. I guess this conforms to the above perl warning.

> Maybe there just isn't a he_IL.UTF-8 locale for OpenBSD.
>
> HTH,
> Jussi Peltola
Re: lock(1) to lock all virtual terminals?
On Sat, Sep 22, 2007 at 06:08:53PM +0200, Joachim Schipper wrote:
> On Fri, Sep 21, 2007 at 12:46:40PM -0400, Douglas A. Tutty wrote:
>> I don't use X much and instead use lots of Virtual Terminals. Since I'm on dialup, sometimes I need to leave multiple VTs open to do things, perhaps downloading something, or it's just that I'm in the middle of things. How can I lock the whole virtual terminal setup? lock(1) only lets me lock the one VT without blocking the ability to switch to others. On Debian, there's vlock -a that does this. I don't see anything similar in the available packages for OBSD.
>>
>> I can't read code so I don't know how lock(1) works internally. To get it to lock everything, I guess it would have to capture the Alt-Fn key combo. However, the OS (wscons(4)?) likely captures that before the keys get passed on to the application. So I'm sorry, I can't provide a patch.
>
> Switch to GNU screen? You get the locking you desire, and lots of other neat stuff thrown in for free. I do believe lock(1) doesn't really work in this case; I don't know if it could be made to work, but since I always use screen I don't really care.

I tried Screen on Debian briefly. I'm not good at remembering magic keystrokes. If necessary, I'll try again. However, since I'm trying to get used to the OBSD way of doing things, and since this seemed like a security issue, I wanted to see how to solve this using what is in OBSD base.

Thanks,
Doug.
Re: OBSD's perspective on SELinux
On 2007/09/22 11:50, Ted Unangst wrote:
> exercise for the reader: find somebody using SELinux.

From what I've seen, 9 times/10, they'll only know they're using it if they had to disable it to fix an app with a broken policy...
Re: 1440x900 resolution problem
On 9/21/07, Marius ROMAN [EMAIL PROTECTED] wrote:
> Like Darrin suggested, try matching Modelines and Modes:
>
> In xorg.conf enable only this (comment the rest of the modelines):
>
>     Modeline "1680x1050_60.00"  147.14  1680 1784 1968 2256  1050 1051 1054 1087  -HSync +Vsync
>
> Modify the screen section:
>
>     Section "Screen"
>         Identifier   "Screen0"
>         Device       "Card0"
>         Monitor      "Monitor0"
>         DefaultDepth 24
>         SubSection "Display"
>             Depth    24
>             Modes    "1680x1050_60.00"
>         EndSubSection
>     EndSection

How many times should I repeat that the current i810 and vesa drivers can only use the modes that the BIOS knows about? You need to use the i915resolution from ports to fix your bios for now.

In the future, Xenocara will be updated to use the intel 2.x driver which doesn't rely on the BIOS for defining the modes anymore, it should make things easier. (Although the BIOS is still needed for other information, and it turns out that there are also lots of quirks there...)
Re: OBSD's perspective on SELinux
On Sat, Sep 22, 2007 at 11:50:08AM -0700, Ted Unangst wrote:
> On 9/22/07, Douglas A. Tutty [EMAIL PROTECTED] wrote:
>> Linux has SELinux in its 2.6 kernel and debian has gone ahead and compiled SELinux into the libraries, although the SELinux policies aren't ready on debian yet.
>
> rhetorical question: why aren't the policies ready?
>
> the problem with security by policy is that the policy is always wrong.
>
> exercise for the reader: find somebody using SELinux. ask them to describe their policy over the phone. then repeat it back to them. did you get it right?

I only know (via the mailing list) people running Debian. Debian comes with the SELinux patches compiled into the libraries and kernel but the SELinux policies haven't been integrated into the Debian way of doing things yet. In other words, since debian packages, by policy, must just work on install (come with a reasonable default setup), (except for a few things like the Shorewall firewall builder that installs to a disabled state that prints a warning), once Debian decides on a SELinux policy, all the thousands of packages have to be set up to detect the SELinux policy on the box at the time and integrate themselves into it.

That's the limit to what I know about it. It sounds like solving the opening of a can of worms by dumping it into a vermiculture pot.

Anyway, thanks for the discussion. For security I'll stick with OBSD. For watching movies, I'll stick with Debian until someone builds a video card that doesn't need a blob driver to run the hardware converter.

Doug.
Re: OBSD's perspective on SELinux
On Sat, Sep 22, 2007 at 07:45:57PM +0300, Ihar Hrachyshka wrote:
> 2007/9/22, Joachim Schipper [EMAIL PROTECTED]:
>> The OpenBSD developers are trying to make the most secure UNIX system they can; SELinux might or might not be secure, but it's not UNIX.
>
> What part of SELinux is NOT Unix? Remember that all traditional Unix rwx permissions are still there.

Insofar as that ls -la shows them, yes. In the sense that files actually work that way, `usually'.

>> Additionally, it's not entirely clear whether it actually helps;
>
> For example for blocking some critical operations for ALL users, even root. Of course, that's the case when strict traditional Unix-awareness is not so critical as the security of the system by itself.

Root almost always can gain complete control over the system anyway, so that's not a big issue. Also see my comments below.

Still, yes, SELinux can be - rarely - used to solve problems for which no clean UNIX-ish solution exists. Far too often, though, it's thought of as a magic bullet, which it certainly is not.

>> SELinux configuration is, even at its best, a lot more complex than the equivalent UNIX-ish configuration. Thus, it becomes more likely that there will be either configuration or coding errors.
>
> Every security feature, every OS improvement IS an additional code. That's the problem of proper kernel and security policies audit, not SELinux as an idea.

Yes, but not all code is created equal. Layering a second permission layer into the system integrates closely with all other security mechanisms, which is more dangerous than yet another driver.

Additionally, it's completely the wrong way to go about securing a system. The best way not to have any vulnerabilities is not to have any vulnerabilities; stuff like SELinux, Pax, or W^X is cool, but not a substitute for good programming. An OpenBSD system running properly chosen and secured programs without W^X is almost as secure as one with it. I'd argue the same goes for a Linux system running a haphazard collection of badly-out-of-date, unpatched monstrosities with or without SELinux.

Finally, SELinux is almost never necessary. (But it *is* - rarely - useful.) And takes a lot of time, which is usually better spent doing something actually useful - like log monitoring.

Joachim

--
TFMotD: packages-specs (7) - binary package names specifications
Re: OpenBSD firewalls as virtual machine ?
On 22.09-02:06, Luca Corti wrote:
> [ ... ]
>>> We are talking about OpenBSD here, and support for VRF is not there.
>>
>> That may change faster than you expect
>
> This is great news. If the implementation will allow to assign interfaces to different VRFs it would solve the virtual router/firewall setup without the need for OS virtualization.

i have a feeling that the funds currently available for your virtualisation project would improve the quality and delivery of these requirements.
Re: OBSD's perspective on SELinux
On 22.09-16:21, Douglas A. Tutty wrote:
> [ ... ]
>> exercise for the reader: find somebody using SELinux. ask them to describe their policy over the phone. then repeat it back to them. did you get it right?
> [ ... ]
> In other words, since debian packages, by policy, must just work on install (come with a reasonable default setup), (except for a few things like the Shorewall firewall builder that installs to a disabled state that prints a warning), once Debian decides on a SELinux policy, all the thousands of packages have to be set up to detect the SELinux policy on the box at the time and integrate themselves into it.

i would be willing to bet this will never happen, particularly in a community like debian's. if, by some miracle, it does i'd make a further bet that they'll have to roll back the decision because their users will be crippled.

basically, good programming practices get you a lot more for a lot less than wide ethos changes. having said that the extended feature set of selinux can solve issues that unix systems are not able to.

in short, stick to openbsd. if you need selinux you'll know it ... then you'll go find another product that's not such a nightmare ... actually, nearly all of them are but that's another story.
Re: OpenBSD firewalls as virtual machine ?
On Sat, 2007-09-22 at 22:50 +0000, [EMAIL PROTECTED] wrote:
> i have a feeling that the funds currently available for your virtualisation project would improve the quality and delivery of these requirements.

If I had such a project and funds I'd certainly contribute. In the meantime I have assigned part of my limited resources to buying the CDs for the new release...

ciao
Luca
Re: OpenBSD firewalls as virtual machine ?
On 9/20/07, Nick Holland [EMAIL PROTECTED] wrote:
> Read this: http://advosys.ca/viewpoints/2007/04/fuzzing-virtual-machines/
>
> Read the paper linked there as well. Always good to go back to original source material. Anyone who told you VM technology and security had anything to do with each other was full of doo-doo.

Ironically, today's ISC handler's diary entry talks to this as well.

http://isc.sans.org/diary.html?storyid=3411rss

DS
Re: OBSD's perspective on SELinux
On Sat, 22 Sep 2007, Douglas A. Tutty wrote:
> Hello all, I'm running OBSD on my older boxes but still Debian on my big box (not ready yet). Linux has SELinux in its 2.6 kernel and debian has gone ahead and compiled SELinux into the libraries, although the SELinux policies aren't ready on debian yet. The whole focus seems to be to make Linux more secure. I'm not sure what to make of it. I figure that if you want secure, you switch to OBSD. Could someone who knows both the details of OBSDs security enhancements and the details of SELinux comment?

OBSD is UNIX, .. SELinux is Linux. If you want a secure, efficient, compact OS done by folks you can trust and actually talk to, use OBSD; if you want 'fairly secure Linux' [which has had thousands of hands in it including NSA, as mentioned previously], use OpenSUSE with ***AppArmor***. Simple and easy to implement, even by less senior Admins.

SELinux is **NOT** ready for primetime, unless it's changed tremendously in the past couple of years. Last time we tried it, management was totally arcane and the machines would lock up on a regular (monthly) basis. It wasn't worth the time to troubleshoot so we went with AppArmor for that application.

Lee

Leland V. Lammert [EMAIL PROTECTED]
Chief Scientist, Omnitec Corporation
Network/Internet Consultants, www.omnitec.net
Re: WG: Re: isakmp phase 2 negotiation failed
On 21.09-16:47, Christoph Leser wrote:
> [ ... ]
>>     [low-crypto-quick]
>>     DOI=            IPSEC
>>     EXCHANGE_TYPE=  QUICK_MODE
>>     Transforms=     QM-ESP-DES-MD5-SUITE
> [ ... ]
>
> Maybe there is a problem with your isakmpd.conf:
>
> [ ... ]
> IPsec-configuration names Suites QM-ESP-DES-MD5-SUITE !!
>
> so maybe it should be
>
>     [low-crypto-quick]
>     DOI=            IPSEC
>     EXCHANGE_TYPE=  QUICK_MODE
>     Suites=         QM-ESP-DES-MD5-SUITE
>
> i.e. transforms is not a valid parameter in the IPsec-configuration section

you were spot on. i'm a little confused as to how my other tunnels are working and also what the difference between transforms and suites are but i _think_ that transforms are for phase-1 and suites are for phase-2. still not quite sure the delineator there but thanks again ... working like a charm.

--
t t w
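To make the Transforms/Suites split concrete, here is an added example isakmpd.conf in the layout isakmpd.conf(5) uses; it is not the poster's configuration. Transforms= lives in the phase 1 (ISAKMP-configuration) section that protects the ISAKMP SA, Suites= in the phase 2 (IPsec-configuration) section that protects the tunnelled traffic; peer address, networks, section names and the pre-shared key are placeholders.

```ini
# Added example, not from this thread.  Addresses, IDs, section names
# and the Authentication value are placeholders.

[Phase 1]
192.0.2.2=              peer-branch

[Phase 2]
Connections=            IPsec-branch

# Phase 1 peer: how to reach the other gateway and how to authenticate it.
[peer-branch]
Phase=                  1
Transport=              udp
Address=                192.0.2.2
Configuration=          Main-mode-cfg
Authentication=         REPLACE-WITH-A-LONG-RANDOM-PRESHARED-KEY

# Phase 2 connection: which networks are protected, using which peer.
[IPsec-branch]
Phase=                  2
ISAKMP-peer=            peer-branch
Configuration=          Quick-mode-cfg
Local-ID=               Net-HQ
Remote-ID=              Net-Branch

[Net-HQ]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.1.0.0
Netmask=                255.255.0.0

[Net-Branch]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.2.0.0
Netmask=                255.255.0.0

# ISAKMP-configuration section (phase 1).  Transforms= is valid here:
# it lists the proposals for protecting the ISAKMP exchange itself.
[Main-mode-cfg]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA

# IPsec-configuration section (phase 2).  The keyword is Suites=;
# a Transforms= line here is exactly the mistake the thread ran into.
[Quick-mode-cfg]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-SHA-PFS-SUITE
```

The file holds the pre-shared key, so keep it root-owned and mode 0600; isakmpd checks the file's secrecy before loading it.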
Instant Messenger (CLI-based multi-protocol)
Hi,

I have been wanting to switch from a GUI meta-type chat (uses Yahoo, AIM, etc.) to terminal/CLI-based. I came across centericq (apparently it works with multiple protocols) though when trying to install it I get...

    $ sudo make
    ===> centericq-4.9.11p0 is marked as broken: requires update but new version has issues.

I'm not a computer guru... don't really know how to resolve that issue. I'm running OpenBSD 4.1 and that install attempt was straight out of 4.1's unaltered ports tree. ( /usr/ports/net/centericq ) I'm wondering if I have somehow messed up my ports (not sure how, I set them up exactly as instructed) :( or perhaps the actual application in the 4.1 ports just comes like that, broken. I hope not.

Is there a better program out there somewhere that is CLI-based for using chat with Yahoo, AIM, MSN, ICQ, IRC, and Jabber? (Or is there a way to get centericq to install/work?) Better yet... one with encryption options?

Thank you very much for your help!

Sean
Instant Messenger (CLI-based multi-protocol)
I'm not sure if my message (below) went through, it didn't seem to post. Attempting again. Sorry if duplicated.

Subject: Instant Messenger (CLI-based multi-protocol)

[ ... ]
How to upgrade libstdc++ to 4.2 ?
Greetings,

Is there a way for building libstdc++ and friends without having to do a ``make build'' in /usr/src ?

I've managed to upgrade gcc to 3.3.5, but I get the following issue when compiling a fresh kernel from today's head branch:

    mkdir -p /usr/src/sys/arch/i386/compile/GENERIC/lib/kern
    making sure the kern library is up to date...
    `libkern.o' is up to date.
    making sure the compat library is up to date...
    `libcompat.a' is up to date.
    sh /usr/src/sys/arch/i386/compile/GENERIC/../../../../conf/newvers.sh
    cc -Werror -Wall -Wstrict-prototypes -Wmissing-prototypes -Wno-uninitialized -Wno-format -Wno-main -fno-builtin-printf -fno-builtin-log -O2 -pipe -nostdinc -I. -I/usr/src/sys/arch/i386/compile/GENERIC/../../../../arch -I/usr/src/sys/arch/i386/compile/GENERIC/../../../.. -DDDB -DDIAGNOSTIC -DKTRACE -DACCOUNTING -DKMEMSTATS -DPTRACE -DCRYPTO -DSYSVMSG -DSYSVSEM -DSYSVSHM -DUVM_SWAP_ENCRYPT -DCOMPAT_35 -DCOMPAT_43 -DLKM -DFFS -DFFS_SOFTUPDATES -DUFS_DIRHASH -DQUOTA -DEXT2FS -DMFS -DXFS -DTCP_SACK -DTCP_ECN -DTCP_SIGNATURE -DNFSCLIENT -DNFSSERVER -DCD9660 -DUDF -DMSDOSFS -DFIFO -DPORTAL -DINET -DALTQ -DINET6 -DIPSEC -DPPP_BSDCOMP -DPPP_DEFLATE -DMROUTING -DBOOT_CONFIG -DI386_CPU -DI486_CPU -DI586_CPU -DI686_CPU -DUSER_PCICONF -DUSER_LDT -DAPERTURE -DCOMPAT_SVR4 -DCOMPAT_IBCS2 -DCOMPAT_LINUX -DCOMPAT_FREEBSD -DCOMPAT_BSDOS -DCOMPAT_AOUT -DPROCFS -DACPIVERBOSE -DPCIVERBOSE -DEISAVERBOSE -DUSBVERBOSE -DWSDISPLAY_COMPAT_USL -DWSDISPLAY_COMPAT_RAWKBD -DWSDISPLAY_DEF
    rm -f bsd
    ld -Ttext 0xD0100120 -e start -N -S -x -o bsd ${SYSTEM_OBJ} vers.o
    vfs_bio.o(.text+0x171): In function `bufinit':
    : undefined reference to `buf'
    vfs_bio.o(.text+0x193): In function `bufinit':
    : undefined reference to `buffers'
    vfs_subr.o(.text+0x1ca4): In function `vfs_syncwait':
    : undefined reference to `buf'
    vfs_subr.o(.text+0x1d5d): In function `vfs_syncwait':
    : undefined reference to `buf'
    ffs_subr.o(.text+0x231): In function `ffs_checkoverlap':
    : undefined reference to `buf'
    ext2fs_subr.o(.text+0xc9): In function `ext2fs_checkoverlap':
    : undefined reference to `buf'
    uvm_glue.o(.text+0x86): In function `uvm_kernacc':
    : undefined reference to `buffers'
    machdep.o(.text+0x367): In function `allocsys':
    : undefined reference to `buf'
    machdep.o(.text+0x397): In function `setup_buffers':
    : undefined reference to `buffers'
    machdep.o(.text+0x48f): In function `setup_buffers':
    : undefined reference to `buffers'
    *** Error code 1

    Stop in /usr/src/sys/arch/i386/compile/GENERIC (line 702 of Makefile).

Here's some details:

    cc -v
    Reading specs from /usr/lib/gcc-lib/i386-unknown-openbsd4.2/3.3.5/specs
    Configured with:
    Thread model: single
    gcc version 3.3.5 (propolice)

    uname -a
    OpenBSD flick 4.2 GENERIC#1 i386

(I know this question is not quite related with the bug outlined above but at least it could help to get the kernel compiling :]

Also, for extra bonus points, I'm not sure why a 'basic_file.h' file is missing when trying to build libstdc++:

    cd /usr/src
    make build
    ... lots of lines here skipped for readability but included in attachment ...
    install: ./i386-unknown-openbsd4.2/bits/basic_file.h: No such file or directory
    *** Error code 71

Any ideas what should be done for upgrading libstdc++ to 4.2 ?

Regards,
-Etienne
Re: Instant Messenger (CLI-based multi-protocol)
I know you're not asking about this, but naim http://naim.n.ml.org is an excellent console-based AIM, IRC, and ICQ client. Plus it supports being in multiple chat rooms on IRC in a very intuitive manner.
Re: Instant Messenger (CLI-based multi-protocol)
Hi Sean,

While thinking about your post, you could most likely install an alternative icq client by either looking on some websites, or perhaps by taking a peek at the FreeBSD ports collection (in the ``net-im'' category).

As an alternative, maybe you could try compiling ``ysm'' ? [1]

Regards,
Etienne

1. http://ysmv7.sourceforge.net/

On Sat, 22 Sep 2007 20:05:57 -0500 Sean Darby [EMAIL PROTECTED] wrote:
> I'm not sure if my message (below) went through, it didn't seem to post. Attempting again. Sorry if duplicated.
>
> Subject: Instant Messenger (CLI-based multi-protocol)
>
> [ ... ]
Re: OpenBSD firewalls as virtual machine ?
Check out the HP c-Class BladeSystems offerings. It is sad that HP is marketing it with virtualization via VMware. Just disregard the VMware affair.

On 9/21/07, Josh [EMAIL PROTECTED] wrote:
> Hello there. We have a bunch of obsd firewalls, 8 at the moment, all working nice and so forth. But we need to add about another 4 in there for new connections and networks, which means more machines to find room for. So basically I have been asked to investigate running all these firewalls in two big boxes, with lots of NICs, with a bunch of openbsd virtual machines on them. One main box for the primary firewalls, one for the secondary. Each virtual machine getting its own physical NIC.
>
> Personally I don't really like the idea, I can see things going wrong, lots of stuff balancing on a guest os and box. Can someone please inform me if this is a really bad idea or not, ideally with some nice reasoning?
>
> Cheers,
> Josh
Re: OBSD's perspective on SELinux
The first thing people do when they run with SELinux is disabling it. You decide how great it is.

On Sat, Sep 22, 2007 at 11:34:33AM -0400, Douglas A. Tutty wrote:
> Hello all, I'm running OBSD on my older boxes but still Debian on my big box (not ready yet). Linux has SELinux in its 2.6 kernel and debian has gone ahead and compiled SELinux into the libraries, although the SELinux policies aren't ready on debian yet. The whole focus seems to be to make Linux more secure. I'm not sure what to make of it. I figure that if you want secure, you switch to OBSD. Could someone who knows both the details of OBSDs security enhancements and the details of SELinux comment?
>
> Please note: this is _not_ a troll, flame-ware-tinder-box, whatever. I'm genuinely interested.
>
> Thanks,
> Doug.
Re: Instant Messenger (CLI-based multi-protocol)
Pidgin includes finch (command line client), it's a little awkward to use though (just my opinion).

--
Mike
Re: Instant Messenger (CLI-based multi-protocol)
On Sat, Sep 22, 2007 at 08:05:57PM -0500, Sean Darby wrote:
> Is there a better program out there somewhere that is CLI-based for using chat with Yahoo, AIM, MSN, ICQ, IRC, and Jabber?

I'm using irssi (irc client) with bitlbee (IM to IRC gateway). I'm VERY happy with it.

-ME