Re: high-end audio drivers [was: OSS audio drivers]
On Wed, Oct 24, 2007 at 12:55:39AM +0200, Jan Stary wrote: What is the relation of OpenBSD's audio drivers to the OSS project? What, if anything, does opensourcing (GPL, I know) their code mean for our audio drivers? In particular, does that mean (future) support for the high-end soundcards such as M-Audio Delta? There's work in progress on adding support for Delta cards (1010, 1010LT, 66, 44), and required features to make them usable (32bit encodings, 12 channel capture, higher sample rate, etc...) Where can I get in touch with this work and possibly test it? Is anything commited - available in curent? it's not in cvs yet. Below's a diff you can test. It probably only works on delta-1010 and delta-1010LT cards and it's enabled on i386 only. The diff adds support for 32bit samples and 10 channels. Neither capture nor mixer are implemented yet. Feel free to contact me privately if you have questions on that. Anyway if you have any delta card, i'm interested in seeing your card's eeprom contents (in dmesg), the kernel should be compiled on i386 with these options: option ENVY_DEBUG envy* at pci? audio* at envy? Also, let me know if you notice regression with other audio drivers. cheers, -- Alexandre Index: arch/i386/conf/GENERIC === RCS file: /cvs/src/sys/arch/i386/conf/GENERIC,v retrieving revision 1.583 diff -u -p -r1.583 GENERIC --- arch/i386/conf/GENERIC 14 Oct 2007 17:39:46 - 1.583 +++ arch/i386/conf/GENERIC 24 Oct 2007 05:54:38 - @@ -628,6 +628,7 @@ maestro* at pci?# ESS Maestro PCI esa* at pci? # ESS Maestro3 PCI yds* at pci? flags 0x# Yamaha YMF Audio emu* at pci? # SB Live! +#envy* at pci? # VIA Envy24 (aka ICE1712) sb0at isa? port 0x220 irq 5 drq 1 # SoundBlaster sb*at isapnp? ess* at isapnp? # ESS Tech ES188[78], ES888 Index: dev/pci/envy.c === RCS file: dev/pci/envy.c diff -N dev/pci/envy.c --- /dev/null 1 Jan 1970 00:00:00 - +++ dev/pci/envy.c 24 Oct 2007 05:54:38 - 
@@ -0,0 +1,699 @@ +/* + * Copyright (c) 2007 Alexandre Ratchov [EMAIL PROTECTED] + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED AS IS AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include sys/param.h +#include sys/systm.h +#include sys/device.h +#include sys/ioctl.h +#include sys/audioio.h +#include sys/malloc.h +#include dev/pci/pcivar.h +#include dev/pci/pcidevs.h +#include dev/pci/envyvar.h +#include dev/pci/envyreg.h +#include dev/audio_if.h +#include machine/bus.h + +#ifdef ENVY_DEBUG +#define DPRINTF(...) do { if (envydebug) printf(__VA_ARGS__); } while(0) +#define DPRINTFN(n, ...) do { if (envydebug (n)) printf(__VA_ARGS__); } while(0) +int envydebug = 1; +#else +#define DPRINTF(...) do {} while(0) +#define DPRINTFN(n, ...) 
do {} while(0) +#endif +#define DEVNAME(sc) ((sc)-dev.dv_xname) + +int envymatch(struct device *, void *, void *); +void envyattach(struct device *, struct device *, void *); +int envydetach(struct device *, int); + +int envy_ccs_read(struct envy_softc *sc, int reg); +void envy_ccs_write(struct envy_softc *sc, int reg, int val); +int envy_cci_read(struct envy_softc *sc, int index); +void envy_cci_write(struct envy_softc *sc, int index, int data); +void envy_i2c_wait(struct envy_softc *sc); +int envy_i2c_read(struct envy_softc *sc, int dev, int addr); +void envy_i2c_write(struct envy_softc *sc, int dev, int addr, int data); +int envy_gpio_read(struct envy_softc *sc); +void envy_gpio_write(struct envy_softc *sc, int data); +void envy_eeprom_read(struct envy_softc *sc, unsigned char *); +void envy_reset(struct envy_softc *sc); +void envy_ak_write(struct envy_softc *sc, int dev, int addr, int data); +int envy_intr(void *); + +int envy_open(void *, int); +void envy_close(void *); +void *envy_allocm(void *, int, size_t, int, int); +void envy_freem(void *, void *, int); +int envy_query_encoding(void *, struct audio_encoding *); +int envy_set_params(void *, int, int, struct audio_params *, +struct audio_params *); +int envy_round_blocksize(void *, int); +size_t envy_round_buffersize(void *,
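Review bot: the GENERIC hunk adds the new line disabled (`+#envy* at pci?`), while the message body asks testers to build with `envy* at pci?` and `audio* at envy?`; the hunk adds no `audio* at envy?` line at all, so someone who applies the diff and uncomments the envy line still gets no audio attachment. Add the `audio* at envy?` line next to it (commented out as well, if the driver is to stay off in GENERIC for now) and note in the comment why it is disabled.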
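Review bot: in the envy.c hunk the DPRINTFN macro reads `if (envydebug (n))`, which is not a valid C expression, and the `#include sys/param.h` lines have lost their angle brackets; both look like characters dropped in transit (a comparison operator and `<...>`), so the diff should be resent as an attachment or re-checked against the archive copy. The hunk is also cut off after `size_t envy_round_buffersize(void *,` although its header announces 699 lines, so the posted diff cannot be applied as it stands.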
Non-x86 (was: About Xen: maybe a reiterative question but ..)
Theo de Raadt wrote: x86 virtualization is about basically placing another nearly full kernel, full of new bugs, on top of a nasty x86 architecture which barely has correct page protection. He probably meant psychological security, or job security. ... Then running your operating system on the other side of this brand new pile of shit. Seriously, what (affordable) non-x86 hardware options are available, especially those without AMT or AMT-like backdoors? http://softwarecommunity.intel.com/articles/eng/1148.htm http://www.intel.com/pressroom/archive/releases/20050301net.htm http://www.intel.com/cd/ids/developer/asmo-na/eng/320959.htm Or is workstation and server hardware covered by CALEA now, too? -Lars
Re: : Network Time Synchronization using timed or ntpd or a Combination?
There is one thing I really miss in OpenBSD's ntpd, and that is some way of asking the status. It need not be something like ntpq for standard ntpd. Sending it e.g. SIGUSR1 so it would dump current servers, their status and ntpd's general status would be nice. When there is nothing for a while in the syslogs it gets tedious to find out if and what is going on with ntpd on OpenBSD...

On Tue, Oct 23, 2007 at 01:52:46PM -0700, Clint Pachl wrote:
> Darrin Chandler wrote:
> > On Tue, Oct 23, 2007 at 11:49:57AM -0600, Chris Kuethe wrote:
> > > On 10/23/07, Boris Goldberg [EMAIL PROTECTED] wrote:
> > > > The ntpd from OBSD is raw and lame yet. It takes days (!) to really synchronize, adjusting time and clock frequency back and forth (even if you start with -s) so it's too early to say that using it is right. It will be right after it matures, gets a more useful synchronization algorithm and its own ntpdate (or a parameter to synchronize and exit).
> > >
> > > Blah blah blah. time1 and time2.srv.ualberta.ca are both running openntpd driven by nmea(4) sensors. As is my home workstation. They wibble around within a microsecond or two of the sensor's time, probably due to a) interrupt handling and b) temperature changes caused by the air conditioner or cats sleeping on the case.
> >
> > And my servers are in a windowless room under a lot of concrete and steel, so there's no good way to get GPS or radio data, and I'm using other time servers on the internet to sync. They keep time very well, on sparc64 and amd64, and both are in pool.ntp.org and score quite well. In fact, they compare favorably to servers running the more heavyweight ntp daemons.
>
> That is a very interesting anecdote. That has got to make Henning proud; hell I'm proud of him. The amazing thing is that the ntpd binary on my i386 is only 34.4K. The ntpd binary (non-OpenNTPD) on my i386 FreeBSD media center is 263K, not to mention all of the other ntp* binaries, which bring total size to 426K. Plus, OpenNTPD has privilege separation!
-- / Raimo Niskanen, Erlang/OTP, Ericsson AB
Re: About Xen: maybe a reiterative question but ..
* [EMAIL PROTECTED] [EMAIL PROTECTED] [2007-10-24 03:03]: Virtualization seems to have a lot of security benefits seems? to whom? to people who never wrote a line of code and don't understand how things work? -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: max-src-conn-rate rule question
* Rob [EMAIL PROTECTED] [2007-10-24 00:05]:
> I'm not a pf newbie by any means, but I'm not really qualified to answer questions about it either. That said, I don't usually use an '=' sign in my pf rules, and the pf faq doesn't list that as one of the accepted operators for the port range

well, it is valid. the parser is more permissive than what we document.

> (http://www.openbsd.org/faq/pf/filter.html). If the rule wasn't being parsed correctly, it would cause the behavior you're seeing. Try,

hell no! if the rule can't be parsed correctly, pfctl throws an error of course!

> block in log quick proto tcp port ssh keep state \
>     (source-track rule, max-src-conn-rate 3 / 30 overload <sshd_attackers>, src.track 30)
>
> Note that I wouldn't use a flush global directive for a rule like this, because it can lead to a neat DoS where somebody can spoof one of your own IP addresses and shut down any ssh sessions you have active.

no. src-conn-rate works w/ established tcp conns, AFTER the 3whs, thus making spoofing unfeasible. that info, of course, is in the manpage... very loud and clear. why don't you check there before spreading fud on the list?

this doesn't only comply to you, but is completely beyond me. why do we invest lots of time and nerves and whatnot in manpages when people do not read them, and instead guess a bit and then spread shit because the guess was of course wrong? read the damn manpages!

-- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
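The point Henning makes (max-src-conn-rate counts a connection only once the three-way handshake has completed, so a forged source address cannot drive the counter) is easy to see in a small model. The following is an added example written for this thread; it is not pf's code and only approximates pf's bookkeeping (pf uses a moving-average rate, this model uses a plain sliding window). The addresses, the table name taken from Rob's rule, and the "limit exceeded within the window" criterion are assumptions of the model.

```python
"""Model of how pf's max-src-conn-rate / overload accounting treats
half-open versus established connections. Constructed example for this
thread; not pf's code, and only an approximation of its bookkeeping."""
from collections import defaultdict, deque


class SourceTracker:
    """Sliding-window model of 'max-src-conn-rate LIMIT / WINDOW overload
    <table> [flush global]'. Only connections whose TCP three-way
    handshake completed are counted, which is what pf does."""

    def __init__(self, limit=3, window=30, flush_global=False):
        self.limit = limit                 # 3 in the posted rule
        self.window = window               # 30 seconds in the posted rule
        self.flush_global = flush_global
        self.overload = set()              # stands in for <sshd_attackers>
        self.states = set()                # live (src, dst) state entries
        self._times = defaultdict(deque)   # src -> handshake completion times

    def observe(self, src, dst, kind, now):
        """Feed one event; return True if src is in the table afterwards.

        kind is 'syn' for a SYN whose handshake never completes (all a
        spoofed source can produce, since it never sees the SYN/ACK) or
        'established' for a handshake that completed.
        """
        if kind != "established":
            # pf counts the connection when the state reaches ESTABLISHED,
            # so half-open SYNs never touch the rate counter.
            return src in self.overload
        self.states.add((src, dst))
        q = self._times[src]
        q.append(now)
        while q and now - q[0] > self.window:   # forget completions outside the window
            q.popleft()
        if len(q) > self.limit:                 # model assumption: limit exceeded in window
            self.overload.add(src)
            if self.flush_global:
                # "flush global" kills every state held by this source,
                # whichever rule created it.
                self.states = {s for s in self.states if s[0] != src}
        return src in self.overload


ADMIN, HOST = "192.0.2.10", "198.51.100.1"   # constructed addresses


def spoofed_syn_flood(n=100):
    """SYNs forged with the admin's address never complete a handshake, so
    the admin is never added to the table and the admin's own ssh state
    survives even with flush global. Returns (in table, admin state alive)."""
    t = SourceTracker(flush_global=True)
    t.observe(ADMIN, HOST, "established", now=0.0)      # admin's real session
    for i in range(n):
        t.observe(ADMIN, HOST, "syn", now=1.0 + i * 0.01)
    return ADMIN in t.overload, (ADMIN, HOST) in t.states


def real_brute_force():
    """A host that genuinely completes four handshakes inside 30 s lands in
    the table, and flush global drops that host's states only. Returns
    (bot in table, bot state alive, admin state alive)."""
    t = SourceTracker(flush_global=True)
    t.observe(ADMIN, HOST, "established", now=0.0)
    bot = "203.0.113.7"
    for i in range(4):
        t.observe(bot, HOST, "established", now=5.0 + 2.0 * i)
    return bot in t.overload, (bot, HOST) in t.states, (ADMIN, HOST) in t.states


if __name__ == "__main__":
    print("spoofed SYN flood:", spoofed_syn_flood())
    print("real brute force: ", real_brute_force())
```

The two scenarios give the answer to Rob's worry directly: `spoofed_syn_flood()` returns `(False, True)` because forged SYNs never become established connections, and `real_brute_force()` returns `(True, False, True)` because only the host that really completed the handshakes is flushed.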
HW selection for openBSD based web/Multimedia server and NAS
Guys, I'm currently in charge of assembling a generic multimedia server (like youtube) but on a much smaller scale. Before we invest in something big on a server platform like ibm, sun, hp or dell, we're thinking of using an intel or tyan serverboard. In this testing environment, we will simulate a web/multimedia server and Network Attached Storage. I'm really looking forward to advice on motherboard or H/W selection, and maybe some expert who has experience with a similar setup/environment on an openBSD platform could, of course, share their knowledge. Many Thanks, -- Insan Praja SW
Re: Network Time Synchronization using timed or ntpd or a Combination?
* Boris Goldberg [EMAIL PROTECTED] [2007-10-23 18:15]: It's always better to don't run a demon if you don't have to. :) It's always better to not write a nonsense mail if you don't have to. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: Network Time Synchronization using timed or ntpd or a Combination?
* Martin Schröder [EMAIL PROTECTED] [2007-10-24 00:51]:
> 2007/10/23, Darrin Chandler [EMAIL PROTECTED]:
> > pool.ntp.org and score quite well. In fact, they compare favorably to servers running the more heavyweight ntp daemons.
>
> While we are talking about ntpd: Is there hope of an update of the portable version? The debian port is still at 3.9...

I can't nor want to do the portable, and the portable maintainer vanished. If you wanna do the work and be the -stable guy, pick ntpd sources, make and test the portable and send it to me :)

> PS: http://www.openntpd.org is also still at 3.9...

due to exactly that. I'll fix it for 4.2 (if I don't forget again)

-- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: Network Time Synchronization using timed or ntpd or a Combination?
* Clint Pachl [EMAIL PROTECTED] [2007-10-24 00:45]:
> Henning Brauer wrote:
> > * Boris Goldberg [EMAIL PROTECTED] [2007-10-23 15:50]:
> > > CP One system would get time from the NTP pool and all other servers on
> > > CP the network would sync to the local server.
> > >
> > > You don't really need ntpd on all systems. One (timeserver) runs ntpd, and others use rdate, called from cron (once a day is usually enough).
> >
> > that is bad advice. it is not only much more work to set up, it also doesn't remotely yield the same results. ntpd is much much better, since it doesn't rely on a single answer from some server to set the clock, and because it adjusts the clock frequency over time. there is not much point in using rdate at all.
>
> From what I have read in this thread, it looks like only one guy prefers the old timed and rdate tools. A few are even telling him he is giving bad advice when promoting the usage of these tools. Henning mentioned that rdate and timed are pretty much useless and others have said that timed is obsolete. So why don't we remove them from the source tree?

rdate has an ntp mode, that is useful for checking/monitoring/debugging ntp servers, so it'll stay. timed might indeed be a candidate for the Attic.

-- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
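Henning's two reasons (ntpd does not trust a single answer, and it corrects the clock frequency rather than just the offset) can be put into numbers. The simulation below is an added example written for this thread, not OpenBSD's or ntpd's code: it runs an oscillator that is 50 ppm fast for three days, once with a daily step as a cron'd rdate would do it, and once with a simple frequency feedback loop standing in for ntpd. The drift, poll interval and loop gain are assumed values; real ntpd filters several samples from several peers and slews with adjtime(2), and the model keeps only the frequency feedback.

```python
"""Why stepping the clock once a day (rdate from cron) and disciplining
it continuously (ntpd) behave differently. Constructed simulation for
this thread; not OpenBSD's or ntpd's code."""

SECS_PER_DAY = 86400


def run_clock(days, dt, tick):
    """Advance a simulated clock in `dt`-second steps. `tick(t, err)`
    returns (error_before_correction, error_after_correction), both in
    seconds. Returns the worst absolute error seen on the first day and
    on the last day."""
    err = 0.0
    worst = [0.0] * days
    for t in range(dt, days * SECS_PER_DAY + 1, dt):
        observed, err = tick(t, err)
        day = (t - 1) // SECS_PER_DAY
        worst[day] = max(worst[day], abs(observed))
    return worst[0], worst[-1]


def step_once_a_day(drift_ppm=50.0, days=3, dt=60, interval=SECS_PER_DAY):
    """rdate from cron: the offset is zeroed once per `interval` but the
    oscillator keeps running fast by `drift_ppm`, so the error climbs
    back to drift * interval (4.32 s at 50 ppm) every single day."""
    drift = drift_ppm * 1e-6

    def tick(t, err):
        err += drift * dt
        observed = err
        if t % interval == 0:
            err = 0.0                        # clock set, frequency untouched
        return observed, err

    return run_clock(days, dt, tick)


def disciplined(drift_ppm=50.0, days=3, dt=60, poll=600, gain=0.5):
    """ntpd-style: every `poll` seconds the measured offset is slewed out
    and part of it is folded into a frequency correction, so the
    oscillator error itself is driven towards zero."""
    drift = drift_ppm * 1e-6
    freq_corr = 0.0                          # estimated frequency correction

    def tick(t, err):
        nonlocal freq_corr
        err += (drift - freq_corr) * dt      # residual drift accumulates
        observed = err
        if t % poll == 0:
            freq_corr += gain * err / poll   # offset/poll = residual drift
            err = 0.0                        # offset slewed out this poll
        return observed, err

    return run_clock(days, dt, tick)


if __name__ == "__main__":
    print("daily rdate step, worst error day 1 / day 3:", step_once_a_day())
    print("frequency-disciplined, worst error day 1 / day 3:", disciplined())
```

With the assumed 50 ppm oscillator the daily step leaves a worst-case error of about 4.32 s on every day, while the disciplined clock never exceeds 0.03 s (its first poll) and is essentially exact by the third day, because the frequency error, not just its symptom, has been removed.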
Re: MegaRAID SAS 8204ELP not working ?
From looking at the lsi site and the driver names it ships on these model controllers, it looks like these nics are really mpi(4) based with a driver that does software raid on top of it. Way to sully the MegaRAID name LSI...

Anyway, I think you're going to have to move up from the value line of megaraid sas controllers to get a real mfi. Another option is to get an areca controller. They've been extremely friendly and extremely supportive of OpenBSD's development of a driver for their hardware, and it's all hardware raid.

dlg

On 24/10/2007, at 3:55 AM, Walter Bürger wrote:

> Hi,
> just installed a MegaRAID SAS 8204ELP Controller and according to the BIOS:
>
> LSI MegaRAID Software RAID BIOS Version M1068e.01.01021804R
> LSI Logic MPT RAID Found at PCI Bus No:04 Dev No:00
> SAS/SATA RAID key is Detected.
> Bringing up the Controller. Please wait...
> Scanning for Port 00... Responding. WDC WD800JD-75MS 75781MB
> Scanning for Port 01... Responding. WDC WD800AAJS-00 75807MB
> Scanning for Port 02... Not Responding.
> Scanning for Port 03... Not Responding.
> Scanning for Port 04... Not Responding.
> Scanning for Port 05... Not Responding.
> Scanning for Port 06... Not Responding.
> Scanning for Port 07... Not Responding.
> 01 Logical drive(s) Configured.
> Array#  Mode   Stripe Size  No.Of Stripes  DriveSize  Status
> 00      RAID1  64KB         02             75340MB    Online
> Press CTRL-M or Enter to run LSI Logic Software RAID Setup Utility.
>
> all goes well so far. But: Normally, if a logical drive is recognized by OpenBSD, there are NO two sd (sd0, sd1) drives at scsibus0. At this installation i had sd0 and sd1 for root disk choice at scsibus0. Also there is no mention of a logical drive in the dmesg. After the installation OpenBSD 4.2 booted from sd0.
>
> From the manpage mfi(4) the MegaRAID SAS 820'8'ELP should be recognized as mfi0, so i thought the MegaRAID SAS 820'4'ELP should be recognized as mfi0 too. No, the MegaRAID SAS 8204ELP is recognized as mpi0 as the following dmesg shows.
>
> bioctl mpi0 gives: bioctl: Can't locate mpi0 device via /dev/bio
> bioctl mfi0 gives: bioctl: Can't locate mfi0 device via /dev/bio
>
> So I think, I do not have a functioning RAID.
>
> Why is the MegaRAID SAS 8204ELP recognized as mpi0 ?
> Is there a patch to correct the assignment of MegaRAID SAS 8204ELP to mfi0 ? (If the Controller could be made to be recognized as mfi0, then I could use bioctl :-))
> What method exists to let me know if Raid works, without bioctl ?
>
> Thanks, Walter.
>
> dmesg:
> OpenBSD 4.2-current (GENERIC) #405: Thu Sep 13 16:06:09 MDT 2007
>     [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: Intel(R) Core(TM)2 CPU 6320 @ 1.86GHz (GenuineIntel 686-class) 1.87 GHz
> cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
> real mem = 1064464384 (1015MB)
> avail mem = 1021571072 (974MB)
> mainbus0 at root
> bios0 at mainbus0: AT/286+ BIOS, date 06/05/07, BIOS32 rev. 0 @ 0xf0010, SMBIOS rev. 2.4 @ 0xf04e0 (56 entries)
> bios0: vendor American Megatrends Inc. version 1004 date 06/05/2007
> bios0: ASUSTek Computer INC. P5L-MX
> apm0 at bios0: Power Management spec V1.2
> apm0: AC on, battery charge unknown
> apm0: flags 30102 dobusy 0 doidle 1
> pcibios0 at bios0: rev 2.1 @ 0xf/0x1
> pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf7a50/240 (13 entries)
> pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801GB LPC rev 0x00)
> pcibios0: PCI bus #4 is the last bus
> bios0: ROM list: 0xc/0xae00! 0xcb000/0x1800 0xcc800/0x5000!
> cpu0 at mainbus0
> pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
> pchb0 at pci0 dev 0 function 0 Intel 82945GP rev 0x02: rng active, 800Kb/sec
> ppb0 at pci0 dev 1 function 0 Intel 82945GP PCIE rev 0x02
> pci1 at ppb0 bus 4
> mpi0 at pci1 dev 0 function 0 Symbios Logic SAS1068E rev 0x04: irq 11
> scsibus0 at mpi0: 173 targets
> sd0 at scsibus0 targ 0 lun 0: ATA, WDC WD800JD-75MS, 1E03 SCSI3 0/direct fixed
> sd0: 76293MB, 76294 cyl, 16 head, 127 sec, 512 bytes/sec, 15625 sec total
> sd1 at scsibus0 targ 1 lun 0: ATA, WDC WD800AAJS-00, 6H05 SCSI3 0/direct fixed
> sd1: 76319MB, 76320 cyl, 16 head, 127 sec, 512 bytes/sec, 156301488 sec total
> vga1 at pci0 dev 2 function 0 Intel 82945G Video rev 0x02: aperture at 0xe000, size 0x1000
> wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> ppb1 at pci0 dev 28 function 0 Intel 82801GB PCIE rev 0x01
> pci2 at ppb1 bus 3
> ppb2 at pci0 dev 28 function 1 Intel 82801GB PCIE rev 0x01
> pci3 at ppb2 bus 2
> Attansic Technology L1 rev 0xb0 at pci3 dev 0 function 0 not configured
> uhci0 at pci0 dev 29 function 0 Intel 82801GB USB rev 0x01: irq 5
> uhci1 at pci0 dev 29 function 1 Intel 82801GB USB rev 0x01: irq 10
> uhci2 at pci0 dev 29 function 2 Intel 82801GB USB rev 0x01: irq 14
> uhci3 at pci0 dev 29 function 3 Intel 82801GB USB rev 0x01: irq 15
> ehci0 at pci0 dev 29 function 7 Intel
Re: Performance problem with CF card on AMD CS5536 IDE
As I mentioned in my first mail, it appears to be an OpenBSD-specific problem. On the exact same hardware, I can measure a throughput of about 10 MB/second when using FreeBSD. This matches more or less the CF specifications (PQI industrial Turbo Compact Flash Card). UDMA33 is used under FreeBSD.

Any ideas?

----- Original Message -----
From: Brian A. Seklecki [EMAIL PROTECTED]
To: Stefan Klein [EMAIL PROTECTED]
Cc: misc@openbsd.org
Sent: Monday, October 22, 2007 5:12 PM
Subject: Re: Performance problem with CF card on AMD CS5536 IDE

> > pciide0 at pci0 dev 15 function 2 AMD CS5536 IDE rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
> > wd0 at pciide0 channel 0 drive 0: Turbo Industrial CF Card
> > wd0: 1-sector PIO, LBA, 1983MB, 4062240 sectors
> > wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
> > pciide0: channel 1 ignored (disabled)
>
> This looks normal. I've yet to find a CF-IDE Adapter combination that makes it into full Ultra-DMA mode 4.
>
> CF Media is generally slower than modern high perf. disks, depending a lot on the manufacturer quality.
>
> For my bsd-appliance project, I use CF media strictly for booting a MD/RD kernel image. If you're doing a full-install on the CF card, you've got the wrong approach. You're going to nuke your CF media with all of that atime update and IO cache flush overhead.
>
> There's no progress(1) in OpenBSD yea, so I'm not sure about the exact speed, but I'm able to un-pax(1) a 20-60 meg kernel image into MFS /usr in about 10 seconds.
>
> ARInfotek AMD-Geode 800 SBC (500MHz)
>
> ~BAS
>
> IMPORTANT: This message contains confidential information and is intended only for the individual named. If the reader of this message is not an intended recipient (or the individual responsible for the delivery of this message to an intended recipient), please be advised that any re-use, dissemination, distribution or copying of this message is prohibited. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.
Re: : Network Time Synchronization using timed or ntpd or a Combination?
Raimo Niskanen [EMAIL PROTECTED] wrote: There is one thing I really miss in OpenBSD's ntpd, and that is some way of asking the status. It need not be something like ntpq for standard ntpd. Sending it e.g SIGUSR1 so it would dump current servers, their status and ntpd's general status would be nice. If you send -current ntpd SIGINFO, it will syslog its status. -- Christian naddy Weisgerber [EMAIL PROTECTED]
Re: : : Network Time Synchronization using timed or ntpd or a Combination?
On Wed, Oct 24, 2007 at 09:43:56AM +, Christian Weisgerber wrote: Raimo Niskanen [EMAIL PROTECTED] wrote: There is one thing I really miss in OpenBSD's ntpd, and that is some way of asking the status. It need not be something like ntpq for standard ntpd. Sending it e.g SIGUSR1 so it would dump current servers, their status and ntpd's general status would be nice. If you send -current ntpd SIGINFO, it will syslog its status. Swell! But not 4.2, right? -- Christian naddy Weisgerber [EMAIL PROTECTED] -- / Raimo Niskanen, Erlang/OTP, Ericsson AB
Re: LDAP users
On Wed, 24 Oct 2007 07:26:39 +0200, [EMAIL PROTECTED] wrote:
> Hi all. I want the OpenBSD system to see system users in LDAP. I know that OpenBSD doesn't have anything like nsswitch in other Unix. What can I do?

First of all post to the right list. ;) This would fit better in the misc-list.

Now, for your question; what you're looking for is in the /etc/login.conf file. There is a man-page for it, login.conf(5)

In /etc/login.conf you have a line that says:

auth-defaults:auth=passwd,skey:

You'd want to change that line to something like:

auth-defaults:auth=ldap

OpenBSD doesn't include an LDAP module though so you'd have to write your own; details for how to do so are in the login.conf(5) man page. Or perhaps you can google something, someone else has probably built one already.

-- Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
Re: gpio support on ALIX board
Martin Hedenfalk wrote: Hello list, Is anyone working on getting the gpio pins supported on the PCEngines ALIX boards? I'd like to be able to control the LEDs using gpioctl, just like on the WRAP. I am. - mb
Re: Network Time Synchronization using timed or ntpd or a Combination?
Boris Goldberg wrote:
> Hello Rogier,
>
> Tuesday, October 23, 2007, 9:01:32 AM, you wrote:
>
> RK On 10/23/07, Boris Goldberg [EMAIL PROTECTED] wrote:
> > You don't really need ntpd on all systems. One (timeserver) runs ntpd, and others use rdate, called from cron (once a day is usually enough).
>
> RK While your suggestion would work, it would also entail more work
> RK without adding benefit. Upon install, you get the question of whether
> RK you want to use ntpd. Starting with 4.2, it even asks for a specific
> RK NTP server.
>
> It's always better to don't run a demon if you don't have to. :)
>
> Talking about a more work - I don't think that someone avoiding small after install tuning like this should be taking care of any network besides his home one. ;) Anyway, for the last five years no version of OBSD (including 4.2) worked for me without tuning a kernel, so an extra line in a crontab is nothing. :)

This is bad advice. If you want your machines to be synchronized, use ntpd. The bad advice given above will not synchronize your machines' time.
Re: LDAP users
Linus SwCFCB$las wrote:
> On Wed, 24 Oct 2007 07:26:39 +0200, [EMAIL PROTECTED] wrote:
> > Hi all. I want the OpenBSD system to see system users in LDAP. I know that OpenBSD doesn't have anything like nsswitch in other Unix. What can I do?
>
> First of all post to the right list. ;) This would fit better in the misc-list.
>
> Now, for your question; what you're looking for is in the /etc/login.conf file. There is a man-page for it, login.conf(5)
>
> In /etc/login.conf you have a line that says:
>
> auth-defaults:auth=passwd,skey:
>
> You'd want to change that line to something like:
>
> auth-defaults:auth=ldap
>
> OpenBSD doesn't include an LDAP module though so you'd have to write your own; details for how to do so are in the login.conf(5) man page. Or perhaps you can google something, someone else has probably built one already.

unfortunately this is not enough. the user ids and group ids must also be present on the machine. this means that you have to add the accounts locally as well.

-- Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
Re: : : Network Time Synchronization using timed or ntpd or a Combination?
Raimo Niskanen [EMAIL PROTECTED] wrote: If you send -current ntpd SIGINFO, it will syslog its status. But not 4.2, right? Right. -- Christian naddy Weisgerber [EMAIL PROTECTED]
current and fluxbox
Hi,

I made a fresh install of current some five days ago and when I tried to install fluxbox I get:

# pkg_add fluxbox
Can't install imlib2-1.4.0: lib not found png.6.0
Dependencies for imlib2-1.4.0 resolve to: png-1.2.18, bzip2-1.0.4, libid3tag-0.15.1bp0, jpeg-6bp3, libungif-4.1.4p1, tiff-3.8.2p0
Full dependency tree is png-1.2.18,bzip2-1.0.4,libid3tag-0.15.1bp0,jpeg-6bp3,libungif-4.1.4p1,tiff-3.8.2p0
png.6.0: partial match in /usr/local/lib: major=5, minor=2 (bad major)
Can't install fluxbox-0.9.15.1p0: can't resolve imlib2-1.4.0

I have tried different ftp mirrors (even the master one) in these days but I get the same problem all the time. I *know* that this is normal if you're following current but I wonder whether it can take so long (i.e. almost a week) to fix the dependencies. Again, feel free to stone me. If my language is offensive it's a matter of not being native in English. The email is meant to be very nice. I need current because of my bleeding-edge hardware (eek!).

Cheers,

Pau
Re: current and fluxbox
On 2007/10/24 11:31, Pau Amaro-Seoane wrote:
> I have tried different ftp mirrors (even the master one) in these days but I get the same problem all the time.

At the moment, you need to build your own from ports or wait a while. There have been some changed libraries recently and it will take a while for new package snaps to finish.

> I *know* that this is normal if you're following current but I wonder whether it can take so long (i.e. almost a week) to fix the dependencies.

Yes - as well as actually building the packages, they must be transferred to the ftp servers, which can be up to 4gb or so for some arch, and this takes some time.
Re: current and fluxbox
thanks for the answer!

Pau

2007/10/24, Stuart Henderson [EMAIL PROTECTED]:
> On 2007/10/24 11:31, Pau Amaro-Seoane wrote:
> > I have tried different ftp mirrors (even the master one) in these days but I get the same problem all the time.
>
> At the moment, you need to build your own from ports or wait a while. There have been some changed libraries recently and it will take a while for new package snaps to finish.
>
> > I *know* that this is normal if you're following current but I wonder whether it can take so long (i.e. almost a week) to fix the dependencies.
>
> Yes - as well as actually building the packages, they must be transferred to the ftp servers, which can be up to 4gb or so for some arch, and this takes some time.
Re: max-src-conn-rate rule question
On 10/24/07, Henning Brauer [EMAIL PROTECTED] wrote:
> * Rob [EMAIL PROTECTED] [2007-10-24 00:05]:
> > Note that I wouldn't use a flush global directive for a rule like this, because it can lead to a neat DoS where somebody can spoof one of your own IP addresses and shut down any ssh sessions you have active.
>
> no. src-conn-rate works w/ established tcp conns, AFTER the 3whs, thus making spoofing unfeasible. that info, of course, is in the manpage... very loud and clear. why don't you check there before spreading fud on the list?

I was quoting that from memory, specifically from Joachim Schipper's comment on August 9th:

> Or maybe not - 'flush' enables an attacker to not only prevent you connecting, but actually to log you out as well.

(http://marc.info/?l=openbsd-misc&m=118665539219389&w=2)

I managed to miss the follow-up post on the 3-way-handshake.

> this doesn't only comply to you, but is completely beyond me. why do we invest lots of time and nerves and whatnot in manpages when people do not read them, and instead guess a bit and then spread shit because the guess was of course wrong? read the damn manpages!

People read the man pages. I would sooner read, re-read, and then study the man pages, then perform background research, experiment, and then write sample code, before asking a question on this list. The guy's question had languished for 2 days. I didn't bother to go back through the 2,079 lines of pf.conf manpage to get the correct answer; my bad. I had five minutes today in which I wasn't catching shit from someone else, so I thought I'd give a best guess and catch some shit here instead.

- R.
ifstated(8) missing if state changes?
Hi list, it seems that ifstated(8) sometimes does not see all events and thus fails to change state. My setup consists of 2 boxes with 5 carp interfaces. CARP works fine, on box frw1 all are MASTER and on box frw2 all are in BACKUP state. When i bring down all carp interfaces on frw1, all get MASTER on frw2. However, ifstated(8) on frw2 does not change state. [EMAIL PROTECTED] [~] # cat /etc/ifstated.conf init-state auto carp_up = carp0.link.up carp1.link.up carp2.link.up carp3.link.up carp5.link.up carp_down = carp0.link.down || carp1.link.down || carp2.link.down || carp3.link.down || carp5.link.down state auto{ if ($carp_up) set-state master if ($carp_down) set-state slave } state master{ init{ run logger CARP up! # run /root/scripts/carp-up.sh } if ($carp_down) set-state slave } state slave{ init{ run logger CARP down! # run /root/scripts/carp-down.sh } if ($carp_up) set-state master } I did a ktrace on the ifstated(8) process on frw2 and the dump gives: [EMAIL PROTECTED] [~] # kdump -l | grep carp \M^?\M^?\M^?\0\0\0\0\0\0\0\0\0\0\0\0\^T\^R\f\0\M-w\^E\^F\0carp0\0\0^\0\^A \M^?\M^?\M^?\0\0\0\0\0\0\0\0\0\0\0\0\^T\^R\r\0\M-w\^E\^F\0carp1\0\0^\0\^A\v\0\ \M^?\M^?\M^?\M^?\0\0\0\0\0\0\0\0\0\0\0\0\^T\^R\^N\0\M-w\^E\^F\0carp2\0\0^\0\ \0\0\0\0\0\0\0\^T\^R\^N\0\M-w\^E\^F\0carp2\0\0^\0\^A\f\0\^P\^B\0\0\M-,\^U\^A\ \M^?\M^?\M^?\0\0\0\0\0\0\0\0\0\0\0\0\^T\^R\f\0\M-w\^E\^F\0carp0\0\0^\0\^A \M^?\M^?\M^?\0\0\0\0\0\0\0\0\0\0\0\0\^T\^R\r\0\M-w\^E\^F\0carp1\0\0^\0\^A\v\0\ \M^?\M^?\M^?\M^?\0\0\0\0\0\0\0\0\0\0\0\0\^T\^R\^N\0\M-w\^E\^F\0carp2\0\0^\0\ \M^?\M^?\M^?\M^?\0\0\0\0\0\0\0\0\0\0\0\0\^T\^R\^O\0\M-w\^E\^F\0carp3\0\0^\0\ \M^?\M^?\M^?\M^?\0\0\0\0\0\0\0\0\0\0\0\0\^T\^R\^P\0\M-w\^E\^F\0carp5\0\0^\0\ The first 3 lines show the transition from BACKUP to MASTER. carp3 and carp 5 are missing! The other lines show the transition from MASTER to BACKUP. I have verified in both cases that *all* carp devices changed state with ifconfig(8). 
Are there known issues with ifstated(8) or kevent(2) about lost events? As a workaround i will change my $carp_up definition to test if *any* of the interfaces is up, but that isnot a good solution. Any clues? Heinrich Rebehn University of Bremen Physics / Electrical and Electronics Engineering - Department of Telecommunications - Phone : +49/421/218-4664 Fax :-3341 OpenBSD 4.2-stable (GENERIC) #2: Wed Oct 17 10:08:11 CEST 2007 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC cpu0: AMD Athlon(tm) 64 Processor 3000+ (AuthenticAMD 686-class, 512KB L2 cache) 1.81 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3 cpu0: AMD erratum 89 present, BIOS upgrade may be required real mem = 536113152 (511MB) avail mem = 510750720 (487MB) mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 11/03/05, BIOS32 rev. 0 @ 0xf0010, SMBIOS rev. 2.3 @ 0xf0530 (67 entries) bios0: vendor American Megatrends Inc. version 0219 date 11/03/2005 bios0: ASUSTeK Computer Inc. A8V apm0 at bios0: Power Management spec V1.2 apm0: AC on, battery charge unknown apm0: flags 30102 dobusy 0 doidle 1 pcibios0 at bios0: rev 2.1 @ 0xf/0x1 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf5980/192 (10 entries) pcibios0: PCI Interrupt Router at 000:17:0 (VIA VT8237 ISA rev 0x00) pcibios0: PCI bus #1 is the last bus bios0: ROM list: 0xc/0xb000 0xcb000/0x4000! 
0xcf000/0x800 0xcf800/0x800
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 VIA K8HTB Host rev 0x00
pchb1 at pci0 dev 0 function 1 VIA K8HTB Host rev 0x00
pchb2 at pci0 dev 0 function 2 VIA K8HTB Host rev 0x00
pchb3 at pci0 dev 0 function 3 VIA K8HTB Host rev 0x00
pchb4 at pci0 dev 0 function 4 VIA K8HTB Host rev 0x00
pchb5 at pci0 dev 0 function 7 VIA K8HTB Host rev 0x00
ppb0 at pci0 dev 1 function 0 VIA K8HTB AGP rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 ATI Rage 128 Pro TF rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
skc0 at pci0 dev 10 function 0 Marvell Yukon 88E8001/8003/8010 rev 0x13, Yukon Lite (0x9): irq 10
sk0 at skc0 port A: address 00:13:d4:de:cf:88
eephy0 at sk0 phy 0: Marvell 88E1011 Gigabit PHY, rev. 5
xl0 at pci0 dev 12 function 0 3Com 3c905C 100Base-TX rev 0x78: irq 10, address 00:0a:5e:61:7a:2d
exphy0 at xl0 phy 24: 3Com internal media interface
xl1 at pci0 dev 14 function 0 3Com 3c905C 100Base-TX rev 0x78: irq 3, address 00:0a:5e:61:7a:04
exphy1 at xl1 phy 24: 3Com internal media interface
pciide0 at pci0 dev 15 function 0 VIA VT6420 SATA rev 0x80: DMA
pciide0: using irq 10 for native-PCI interrupt
wd0 at pciide0 channel 1 drive 0: Maxtor 6V080E0
wd0: 16-sector PIO, LBA48, 76293MB, 15625 sectors
wd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 5
System time 100% on Vmware Fusion
Hello, On Vmware Fusion (tested with Fusion 1.1 on a Core2duo imac), OpenBSD (-current) is very slow on anything that is not just a pure computation task. While compiling something, or while running MySQL, PgSQL, Apache or Sendmail, top always shows that the CPU spends 99% or 100% of its time in the system state. This is of course with the vic(4) and mpi(4) drivers. But this is always the case anyway, even without any disk or network I/O. Does anyone know what might be wrong? Best regards, -Frank.
Re: About Xen: maybe a reiterative question but ..
Dear sirs please: I will return to my original question. I just wondered if xen will be included into the OpenBSD's kernel to act as a para-virtualized DomU or not. Nothing more. I will not go into issues of the type is insecure or not. Theo, or somebody from developer team: Will be para-virtualized domU xen kernel included on next OpenBSD release (4.3?) or not?? I only want to know this... Many thanks to all. -- CL Martinez carlopmart {at} gmail {d0t} com
Re: About Xen: maybe a reiterative question but ..
On 10/24/07, carlopmart [EMAIL PROTECTED] wrote: Dear sirs please: I will return to my original question. I just wondered if xen will be included into the OpenBSD's kernel to act as a para-virtualized DomU or not. Nothing more. I will not go into issues of the type is insecure or not. Theo, or somebody from developer team: Will be para-virtualized domU xen kernel included on next OpenBSD release (4.3?) or not?? I only want to know this... Not unless someone actually writes the code to do it. Notice the extreme number of people with openbsd.org email addresses jumping up and down, volunteering to do it (hint: none). Possibly not even if someone writes the code. Diffs are not always merged. They should be good diffs that improve OpenBSD. Notice the number of people with openbsd.org email addresses who are not convinced that doing this a) will improve OpenBSD and b) won't actually hurt. So I'm going to guess the answer is No, integrating xen paravirtualization is not a project priority at this time. Also, where are your diffs? CK -- GDB has a 'break' feature; why doesn't it have 'fix' too?
Re: About Xen: maybe a reiterative question but ..
Chris Kuethe wrote: On 10/24/07, carlopmart [EMAIL PROTECTED] wrote: Dear sirs please: I will return to my original question. I just wondered if xen will be included into the OpenBSD's kernel to act as a para-virtualized DomU or not. Nothing more. I will not go into issues of the type is insecure or not. Theo, or somebody from developer team: Will be para-virtualized domU xen kernel included on next OpenBSD release (4.3?) or not?? I only want to know this... Not unless someone actually writes the code to do it. Notice the extreme number of people with openbsd.org email addresses jumping up and down, volunteering to do it (hint: none). Possibly not even if someone writes the code. Diffs are not always merged. They should be good diffs that improve OpenBSD. Notice the number of people with openbsd.org email addresses who are not convinced that doing this a) will improve OpenBSD and b) won't actually hurt. So I'm going to guess the answer is No, integrating xen paravirtualization is not a project priority at this time. Also, where are your diffs? CK Many thanks Chris. A clear response. I am not a developer but I can offer to test xen based OpenBSD kernels on my servers ... -- CL Martinez carlopmart {at} gmail {d0t} com
Re: About Xen: maybe a reiterative question but ..
On Wed, 24 Oct 2007, Henning Brauer wrote: * [EMAIL PROTECTED] [EMAIL PROTECTED] [2007-10-24 03:03]: Virtualization seems to have a lot of security benefits seems? to whom?

Virtualization provides near absolute security - DOM0 is not visible to the user at all, only passing network traffic and handling kernel calls. The security comes about in that each DOMU is totally isolated from the others, while the core DOM0 is isolated from any attacks. There is also a big benefit when maintaining VM images - restoring a VM in the case of corruption/attack/whatever is as simple as reloading a copy of that image and connecting to system data on the local SAN. Irrespective of the guest OS, there is good security between the virtualized machines. Running OBSD as the guest OS provides the best of both worlds, and it would be great if OBSD would run paravirtualized for the best performance, but apparently nobody has a need for that functionality.

to people who never wrote a line of code and don't understand how things work?

Nobody has to write any code to understand that - the security benefits are obvious to everyone from the PHBs to the admins. Of course, this is most obvious in 'enterprise space', which is pretty far removed from the typical OBSD world.

Lee

Leland V. Lammert [EMAIL PROTECTED] Chief Scientist Omnitec Corporation Network/Internet Consultants www.omnitec.net
Re: About Xen: maybe a reiterative question but ..
On Tue, Oct 23, 2007 at 08:35:39PM -0700, Ben Goren wrote: On 2007 Oct 23, at 5:57 PM, [EMAIL PROTECTED] wrote: Virtualization seems to have a lot of security benefits. ``Seems'' is the key word, here. On hardware like an IBM mainframe that can actually support what's necessary for secure virtual machines, sure. On x86? Well, it'll keep your kid sister out

Is there any hardware in between that would be secure? Or, is there now nothing between the two at all? I thought that Opterons had some type of hardware support on the CPU; perhaps its only enablers not secureors. Doug.
Re: About Xen: maybe a reiterative question but ..
On Wed, Oct 24, 2007 at 08:31:26AM -0500, L. V. Lammert wrote: | On Wed, 24 Oct 2007, Henning Brauer wrote: | | * [EMAIL PROTECTED] [EMAIL PROTECTED] [2007-10-24 03:03]: | Virtualization seems to have a lot of security benefits | | seems? | to whom? | | Virtualization provides near absolute security - DOM0 is not visible to | the user at all, only passing network traffic and handling kernel calls. | The security comes about in that each DOMU is totally isolated from the | the others, while the core DOM0 is isolated from any attacks. This is the theory. In theory, there's no bugs in OpenBSD. In practice, many of the commits to the tree are not new features/drivers but actual bugfixes. Read the paper by Tavis Ormandy, referenced by Theo. There is a real problem with virtualization. Until all bugs are fixed, virtualization is worse than real hardware. And it'll be hard to prove all the bugs are fixed. Cheers, Paul 'WEiRD' de Weerd -- [++-]+++.+++[---].+++[+ +++-].++[-]+.--.[-] http://www.weirdnet.nl/
Re: About Xen: maybe a reiterative question but ..
On Tuesday 23 October 2007 18:22:00 ropers wrote: Hi Christoph, Right now, on the OpenBSD misc mailing list, there is this discussion: http://www.sigmasoft.com/~openbsd/archives/html/openbsd-misc/2007-10/thread s.html#01149 about OpenBSD/Xen. We last spoke last year, when I put your BSDtalk interview transcript online at http://ropersonline.com/openbsd/xen . It seems to me that most people on the misc mailing list currently are not very aware of your OpenBSD Xen port. Could I possibly ask you to participate in the discussion? I feel that you (and Theo) are the only guys who can provide authoritative answers on the issue. Some of the questions that I feel are unclear are: - Was your porting work fully completed? IIRC it was, but please clarify. DomU support is ready. Dom0 is work in progress. (apart from use-after-free bugs in MI buffer-cache and filesystem code, which damages filesystem.) Dom0 is work in progress, but is stalling on a NULL-pointer bug in uvm_pglistalloc_simple(). This code piece in the kernel reproduces this crash: void foo(void) { struct pglist mlist; uvm_pglistalloc(PAGE_SIZE * 64, 0, 0x, 0, 0, mlist, 64, 0); } I didn't investigate further into this, because I have put my focus on the xen-kernel and xen-tools to compile on OpenBSD and NetBSD out-of-the-box. To finish this task, I need some things in OpenBSD: - aio(2) support - POSIX ptsname() (this is used in a python binding module) - newer gcc version due to a structure padding bug with an alignment attribute hidden in a typedef (this is fixed in gcc 3.4) I use gcc 4.2 from the ports FYI. - I need i386 headers and libc on OpenBSD/amd64 for 64bit builds. gcc -m32 defines __i386__ so it is possible to distinguish if a #include stdint.h must provide 32bit or 64bit integer type definitions. Oh, a libc header cleanup is nice to have. I don't know why uvm kernel headers should be in /usr/include/uvm/, for example. - Is your port still being maintained? Can it be run with OpenBSD -current or 4.2? 4.1. 
It needs an update. Maybe some of the nasty MI bugs are gone. - It seems to me that your port didn't achieve wide recognition and acclaim because of a lack of publicity. I'm not a marketing guy. - AFAIK your OpenBSD/Xen port code hasn't found its way into the official OpenBSD distribution. Is this correct? yes. - Are there any reasons why your code didn't go into the official OpenBSD distro? Was it lack of awareness? Have you ever talked to Theo and/or other central OpenBSD people? I haven't found someone who is willing to commit the diffs. - Is there any hope that your port might still become part of the official OpenBSD distribution? (Theo: Could you possibly comment as well?) I don't know. I'd personally be very interested to see your port become part of the official distribution, but I sadly can't code myself, so all I can do is ask and hope. :) Once again, thanks for your hard work. :) You're welcome. Many thanks in advance and kind regards, Jens Ropers
Re: About Xen: maybe a reiterative question but ..
On Wednesday 24 October 2007 16:14:19 Chris Kuethe wrote: On 10/24/07, carlopmart [EMAIL PROTECTED] wrote: Dear sirs please: I will return to my original question. I just wondered if xen will be included into the OpenBSD's kernel to act as a para-virtualized DomU or not. Nothing more. I will not go into issues of the type is insecure or not. Theo, or somebody from developer team: Will be para-virtualized domU xen kernel included on next OpenBSD release (4.3?) or not?? I only want to know this... Not unless someone actually writes the code to do it. Notice the extreme number of people with openbsd.org email addresses jumping up and down, volunteering to do it (hint: none). Possibly not even if someone writes the code. Diffs are not always merged. They should be good diffs that improve OpenBSD. Notice the number of people with openbsd.org email addresses who are not convinced that doing this a) will improve OpenBSD and b) won't actually hurt. So I'm going to guess the answer is No, integrating xen paravirtualization is not a project priority at this time. Also, where are your diffs? The OpenBSD/Xen source is at http://hg.recoil.org/openbsd-xen-sys.hg Unfortunately, Anil has troubles with the availability of the server. I rely on having a willing OpenBSD developer who commits the patches I send to him. But as long as there is none, it doesn't go in. Christoph
Re: About Xen: maybe a reiterative question but ..
* L. V. Lammert [EMAIL PROTECTED] [2007-10-24 16:46]: Virtualization provides near absolute security - DOM0 is not visible to the user at all, only passing network traffic and handling kernel calls. The security comes about in that each DOMU is totally isolated from the the others, while the core DOM0 is isolated from any attacks. dream on. that is what marketing wants to tell you. in fact the isolation is incredibly poor. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Wake on LAN, tcpdump weirdness with two ethernet interfaces
I'm noticing some strangeness in conjunction with WOL(*), which seems not to be working and am not sure where the problem lies(**).

The machine launching the packets has two interfaces, re0 and em0, with the receiving machine connected to re0. The machine does not wake up either using port 9 or port 4.

A bit of strangeness in the diagnostics is that tcpdump appears not to register any packets from or to re0. It does not catch any packets on re0, even from

nmap -P0 -e re0 -T5 a.b.c.d

tcpdump -i re0 ip proto 17

whereas the following catches packets, even from wol, when sent to addresses on em0.

tcpdump -i em0 ip proto 17

Route shows the following:

Internet:
Destination        Gateway            Flags    Refs    Use    Mtu  Interface
a.b.c.d            00:0f:1f:78:82:07  UHLc        1   8629      -  re0

and when the machine is already on, I can ping and connect via ssh.

pfctl -s rules are as simple as possible:

scrub in all fragment reassemble
pass in all flags S/SA keep state
pass out all flags S/SA keep state

What's up with tcpdump and, more importantly, wol?

-Lars

(*) Installed using pkg_add: http://www.openbsd.org/4.1_packages/i386/wol-0.7.1p1.tgz-long.html

(**) Hardware is a Dell DHP on which I've set the BIOS to allow remote wakeup and have the lowpower mode (which hinders remote wakeup) off.
Re: About Xen: maybe a reiterative question but ..
On Wednesday 24 October 2007 17:25:25 Artur Grabowski wrote: Christoph Egger [EMAIL PROTECTED] writes: So I'm going to guess the answer is No, integrating xen paravirtualization is not a project priority at this time. Also, where are your diffs? The OpenBSD/Xen source is at http://hg.recoil.org/openbsd-xen-sys.hg Unfortunately, Anil has troubles with the availability of the server. I rely on having a willing OpenBSD developer who commits the patches I send to him. But as long as there is none, it doesn't go in. I'm willing to stretch as far as saying: This might be interesting for some testing purposes for kernel hackers if Xen could be hosted on OpenBSD. But this doesn't mean that I'm even close to volunteering doing the job. It just would be cool to have if it doesn't break stuff. //art Actually it is good to find NULL-pointer (mostly use-after-free) bugs, that are hard to find on real hardware. Believe me or not: OpenBSD has tons of them. Christoph
Re: About Xen: maybe a reiterative question but ..
On Wed, 24 Oct 2007, L. V. Lammert wrote: Virtualization provides near absolute security - DOM0 is not visible to the user at all, only passing network traffic and handling kernel calls. The security comes about in that each DOMU is totally isolated from the the others, while the core DOM0 is isolated from any attacks. In theory, you're correct. In practice there are (at least) four questions which all must be answered in the affirmative for this to be true: 1) Does the hardware architecture provide all of the hooks needed to implement virtualization? 2) Does the specific hardware correctly implement that architecture? 3) Does the virtualization software architecture properly implement virtualization? 4) Does the specific software correctly implement that architecture? Answering any of those questions takes both a lot of work and, all too often, access to information which is not generally available. And if any of the answers is 'no', the security of anything run under that virtualization may be fatally compromised -- no matter how secure that software may be when run standalone. Dave -- Dave Anderson [EMAIL PROTECTED]
spamdb expire value gets default value instead of spamd_flag value (-G)
Hi,

When testing greylisting with synchronizing we noticed the following strange behavior:

Machine A (10.100.64.234) is the machine we receive mail through.
Machine B (10.100.64.233) is synced through spamd

Check out the expire value on machine A after the state has gone from Grey to White! It has taken the default 36 days ahead instead of our 2 hour (testvalue) from spamd_flags!! But Machine B (the passive brother which gets synced through spamd-sync) behaves as it should!?

spamdb (A):
WHITE|10.100.64.199|||1193231843|1193232057|1196342528|3|1

spamdb (B):
WHITE|10.100.64.199|||1193231843|1193232057|1193239279|3|1

pf.conf:
no rdr inet proto tcp from <spamd-white> to any port smtp
rdr pass inet proto tcp from !<own_ips> to $ext_if:0 port smtp -> 127.0.0.1 port spamd
pass in quick log on $ext_if proto tcp from any to ($ext_if) port $public_tcp
pass in log on $int_if proto tcp from <own_ips> to ($int_if) port $sec_tcp

/etc/rc.conf.local (B)
pf=YES
syslogd_flags="-a /var/spool/postfix/dev/log"
spamd_flags="-y fxp0 -Y 10.100.64.234 -G 3:1:2"
spamlogd_flags="-i fxp0 -Y 10.100.64.234"

/etc/rc.conf.local (A)
pf=YES
syslogd_flags="-a /var/spool/postfix/dev/log"
spamd_flags="-y fxp0 -Y 10.100.64.233 -G 3:1:2"
spamlogd_flags="-i fxp0 -Y 10.100.64.233"

---

Probably some small feature to fix

Regards
Claes Strvm
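As an added example (not part of the report above and not spamd's or spamdb's own code), the following script parses spamdb(8) output and compares each WHITE entry's lifetime (expire minus the last pass timestamp) against the whiteexp given by spamd's -G passtime:greyexp:whiteexp flag (minutes:hours:hours, per spamd(8)) and against spamd's documented default of 25:4:864. The two spamdb lines and the -G value are the ones quoted in the report; measuring the lifetime from the pass field and the 120-second tolerance are assumptions made for the check.

```python
"""Check spamdb WHITE entries against the whiteexp configured in spamd_flags (-G)."""

# spamd(8) defaults: passtime 25 min, greyexp 4 h, whiteexp 864 h (about 36 days)
DEFAULT_G = "25:4:864"


def parse_g_flag(flag):
    """Return (passtime, greyexp, whiteexp) in seconds from a -G value."""
    passtime, greyexp, whiteexp = (int(x) for x in flag.split(":"))
    return passtime * 60, greyexp * 3600, whiteexp * 3600


def parse_spamdb(text):
    """Parse spamdb(8) records of the form
    TYPE|addr|from|to|first|pass|expire|blockcount|passcount
    (WHITE entries carry empty from/to fields). Records of another shape are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.strip().split("|")
        if len(fields) != 9:
            continue
        entries.append({
            "type": fields[0], "addr": fields[1],
            "from": fields[2], "to": fields[3],
            "first": int(fields[4]), "pass": int(fields[5]),
            "expire": int(fields[6]),
            "blocks": int(fields[7]), "passes": int(fields[8]),
        })
    return entries


def diagnose(entries, g_flag, tolerance=120):
    """For each WHITE entry return (addr, lifetime_seconds, verdict), where verdict is
    'configured' if the lifetime matches the -G whiteexp, 'default' if it matches
    spamd's compiled-in default instead, and 'unknown' otherwise."""
    _, _, configured = parse_g_flag(g_flag)
    _, _, default = parse_g_flag(DEFAULT_G)
    results = []
    for e in entries:
        if e["type"] != "WHITE":
            continue
        # Assumption: spamd stamps expire at the same moment it updates pass,
        # so expire - pass is the whitelist lifetime it was given.
        lifetime = e["expire"] - e["pass"]
        if abs(lifetime - configured) <= tolerance:
            verdict = "configured"
        elif abs(lifetime - default) <= tolerance:
            verdict = "default"
        else:
            verdict = "unknown"
        results.append((e["addr"], lifetime, verdict))
    return results


# The spamdb lines quoted in the report: machine A (receives mail) and machine B (sync peer)
SPAMDB_A = "WHITE|10.100.64.199|||1193231843|1193232057|1196342528|3|1"
SPAMDB_B = "WHITE|10.100.64.199|||1193231843|1193232057|1193239279|3|1"
SPAMD_G = "3:1:2"   # from spamd_flags in the report


if __name__ == "__main__":
    for name, text in (("A", SPAMDB_A), ("B", SPAMDB_B)):
        for addr, lifetime, verdict in diagnose(parse_spamdb(text), SPAMD_G):
            print(f"machine {name}: {addr} whitelisted for {lifetime} s -> {verdict}")
```

Run against the two quoted lines, machine A's entry comes out within about a minute of the 864-hour default while machine B's is within seconds of the configured 2 hours, which is exactly the discrepancy the report describes; the same check can be pointed at a full `spamdb` dump to find every entry that was whitelisted with the wrong lifetime.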
Re: About Xen: maybe a reiterative question but ..
Christoph Egger wrote: On Wednesday 24 October 2007 17:25:25 Artur Grabowski wrote: Christoph Egger [EMAIL PROTECTED] writes: So I'm going to guess the answer is No, integrating xen paravirtualization is not a project priority at this time. Also, where are your diffs? The OpenBSD/Xen source is at http://hg.recoil.org/openbsd-xen-sys.hg Unfortunately, Anil has troubles with the availability of the server. I rely on having a willing OpenBSD developer who commits the patches I send to him. But as long as there is none, it doesn't go in. I'm willing to stretch as far as saying: This might be interesting for some testing purposes for kernel hackers if Xen could be hosted on OpenBSD. But this doesn't mean that I'm even close to volunteering doing the job. It just would be cool to have if it doesn't break stuff. //art Actually it is good to find NULL-pointer (mostly use-after-free) bugs, that are hard to find on real hardware. Believe me or not: OpenBSD has tons of them. Christoph Christoph, One question about your Xen port: is it possible to compile a xen para-virtualized openbsd kernel to launch a clean OpenBSD 4.1 or 4.2 install?? Thanks for your great job Christoph. -- CL Martinez carlopmart {at} gmail {d0t} com
Re: Network Time Synchronization using timed or ntpd or a Combination?
Hello Clint,

Tuesday, October 23, 2007, 5:36:15 PM, you wrote:

CP> From what I have read in this thread, it looks like only one guy
CP> prefers the old timed and rdate tools. A few are even telling him he is
CP> giving bad advice when promoting the usage of these tools. Henning
CP> mentioned that rdate and timed are pretty much useless and others have
CP> said that timed is obsolete. So why don't we remove them from the source
CP> tree?

I've never suggested (or mentioned) the timed. Of course I was talking about the -n mode of rdate (as a replacement to ntpdate like Paul de Weerd was suggesting in this thread). Maybe it makes sense to set -ncv as a default behavior of rdate, but there should be a way to synchronize time without running a daemon (don't understand why people are so aggressive about that) if you don't need up-to-the-second synchronization (in my case modern hardware goes less than a second off per day, and really old hardware - less than 10 seconds).

-- Best regards, Boris mailto:[EMAIL PROTECTED]
Re: max-src-conn-rate rule question
David, I would take a look at adding synproxy to your rules before worrying about max-src-states. Synproxy will allow max-src-conn-rate to work more reliably.

By default, pf(4) passes packets that are part of a tcp(4) handshake between the endpoints. The synproxy state option can be used to cause pf(4) itself to complete the handshake with the active endpoint, perform a handshake with the passive endpoint, and then forward packets between the endpoints. No packets are sent to the passive endpoint before the active endpoint has completed the handshake, hence so-called SYN floods with spoofed source addresses will not reach the passive endpoint, as the sender can't complete the handshake. The proxy is transparent to both endpoints, they each see a single connection from/to the other endpoint. pf(4) chooses random initial sequence numbers for both handshakes. Once the handshakes are completed, the sequence number modulators (see previous section) are used to translate further packets of the connection. Synproxy state includes modulate state. (pf.conf man page)

-- Calomel @ http://calomel.org

On Tue, Oct 23, 2007 at 11:23:05PM -0500, david l goodrich wrote: On Tue, Oct 23, 2007 at 05:46:45PM -0400, Calomel wrote: David, Was the offending client completing the 3-way handshake every time it connected? For stateful TCP connections, limits on established connections (connections which have completed the TCP 3-way handshake) can also be enforced per source IP. The max-src-conn-rate number/seconds limit the rate of new connections over a time interval. The connection rate is an approximation calculated as a moving average. You may also want to use synproxy for ssh and take a look at max-src-states. I have examples here: http://calomel.org/pf_config.html

I didn't respond to this until now, because I wanted to do some research first. As the hosts that are being blocked by this aren't hosts I control, I needed to set up some access on the outside.
So it looks like i can run 'nmap -sS -p22 25.103.82.80/28' until doomsday and it will always show as a passed connection. But when i start telnetting to port 22 on machines in this subnet, the fourth 'telnet' connection is blocked, no matter which host I hit previously. So I think that you are correct in that the attackers are not initially completing the 3-way handshake, and are thus not tripping the filter. I'll look in to max-src-states, but I think now that I've shown that the actual attack (if that's what they are) attempts are blocked properly, I'm not terribly concerned if they can scan the subnet. Thanks, --david -- Calomel @ http://calomel.org On Tue, Oct 23, 2007 at 03:58:52PM -0500, david l goodrich wrote: Nobody? Sad, it's still doing it. On Sun, Oct 21, 2007 at 02:22:43PM -0500, david l goodrich wrote: I've set up a max-src-conn-rate rule on my gateway router to mitigate brute-force ssh attacks. This router protects a /28 subnet, 25.108.82.80/28. The relevant rules: # pfctl -sr | grep attack block drop in log quick proto tcp from sshd_attackers to any pass in log proto tcp from any to any port = ssh keep state (source-track rule, max-src-conn-rate 3/30, overload sshd_attackers flush global, src.track 30) # What the three columns of output in the below tcpdump output are: timestamp, rule action, and target host. 
As you can tell from the tcpdump command, the sending host is the same in all cases, 208.53.147.204

# tcpdump -enr /var/log/pflog host 208.53.147.204 \
    | awk '{print $1,$4,$11}' | sed s/.22:// | head -30
reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
12:09:45.849594 pass 25.103.82.80
12:09:45.850279 pass 25.103.82.82
12:09:45.850827 pass 25.103.82.83
12:09:45.851310 pass 25.103.82.84
12:09:45.852003 pass 25.103.82.85
12:09:45.852496 pass 25.103.82.86
12:09:45.853007 pass 25.103.82.87
12:09:45.866580 pass 25.103.82.88
12:09:45.867345 pass 25.103.82.89
12:09:45.868339 pass 25.103.82.92
12:09:45.902389 pass 25.103.82.95
12:25:52.632295 pass 25.103.82.80
12:25:52.632973 pass 25.103.82.82
12:25:52.648804 pass 25.103.82.83
12:25:52.684792 pass 25.103.82.84
12:25:52.687989 pass 25.103.82.85
12:25:52.688652 pass 25.103.82.86
12:25:52.690882 pass 25.103.82.87
12:25:52.691371 pass 25.103.82.88
12:25:52.692290 pass 25.103.82.89
12:25:52.695340 pass 25.103.82.92
12:25:52.698864 pass 25.103.82.95
13:08:36.949178 pass 25.103.82.87
13:08:38.864585 pass 25.103.82.87
13:08:40.452215 pass 25.103.82.87
13:08:42.038388 pass 25.103.82.87
13:08:46.923469 block 25.103.82.88
13:08:49.922116 block 25.103.82.88
13:08:50.212040 block 25.103.82.87
13:08:51.099435 block 25.103.82.87
#

It seems to me like this host should have been blocked back at 12:09:45, not 13:08:46. Am I misunderstanding the rule?

--david
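To make the finding in this exchange concrete, here is an added example (not code from the thread, from pf, or from calomel.org) that replays constructed connection events against a model of a `max-src-conn-rate 3/30 ... overload <sshd_attackers> flush global` rule. The model is deliberately simplified: it counts a source only when its three-way handshake completes, uses an exact 30-second sliding window where pf.conf(5) describes a moving-average approximation, and treats the overload table as a plain block list. The source address is the one from the pflog output above; the event sequences themselves (a SYN scan of the /28 and a series of full connections) are constructed.

```python
"""Model of pf's max-src-conn-rate / overload behaviour for completed TCP handshakes.

Assumptions (this is not pf's real implementation): an exact sliding window in
place of pf's moving-average approximation, one pass rule with 'overload ...
flush global', and a 'block ... from <table>' rule that wins once a source is
in the table.
"""

LIMIT, SECONDS = 3, 30          # max-src-conn-rate 3/30


def simulate(events, limit=LIMIT, seconds=SECONDS):
    """Replay (ts, src, kind) events given in time order.

    kind is 'syn' for a SYN that creates a state (logged as 'pass' by the pass
    rule) or 'ack' for the final ACK of the three-way handshake, which is the
    only point at which the connection rate is checked.
    Returns a list of (ts, src, kind, verdict) with verdict in
    {'pass', 'overload', 'block'}.
    """
    completed = {}        # src -> timestamps of handshakes completed in the window
    overloaded = set()    # sources added to the <sshd_attackers> table
    verdicts = []
    for ts, src, kind in events:
        if src in overloaded:
            # 'block drop in log quick ... from <sshd_attackers>' matches first
            verdicts.append((ts, src, kind, "block"))
            continue
        if kind == "syn":
            # A half-open connection creates a state but is never counted, so a
            # SYN scan (nmap -sS) does not move the rate counter at all.
            verdicts.append((ts, src, kind, "pass"))
            continue
        window = [t for t in completed.get(src, []) if ts - t <= seconds]
        window.append(ts)
        completed[src] = window
        if len(window) > limit:
            # More than limit handshakes within seconds: the source goes into the
            # table and 'flush global' kills every state it owns, this one included.
            overloaded.add(src)
            completed.pop(src)
            verdicts.append((ts, src, kind, "overload"))
        else:
            verdicts.append((ts, src, kind, "pass"))
    return verdicts


def syn_scan(src, n_hosts, t0=0.0):
    """Constructed event list: one SYN per host and no handshake completion."""
    return [(t0 + i * 0.001, src, "syn") for i in range(n_hosts)]


def full_connections(src, n, t0=0.0, gap=2.0):
    """Constructed event list: n connections that each complete the handshake."""
    events = []
    for i in range(n):
        events.append((t0 + i * gap, src, "syn"))
        events.append((t0 + i * gap + 0.1, src, "ack"))
    return events


def verdict_list(verdicts):
    """Just the verdict column, in event order."""
    return [v[3] for v in verdicts]


if __name__ == "__main__":
    attacker = "208.53.147.204"   # address from the pflog excerpt; events are constructed
    scenarios = (
        ("SYN scan of 11 hosts", syn_scan(attacker, 11)),
        ("5 full connections, 2 s apart", full_connections(attacker, 5)),
        ("4 full connections, 12 s apart", full_connections(attacker, 4, gap=12.0)),
    )
    for name, ev in scenarios:
        print(name, verdict_list(simulate(ev)))
```

The first scenario reproduces the 12:09 and 12:25 sweeps in the pflog excerpt: eleven SYNs, eleven `pass` entries, and no overload. The second reproduces the 13:08 sequence: three completed connections pass, the fourth completion trips the rate and is torn down, and everything after it hits the block rule. The third shows that the same four connections spread over more than 30 seconds never exceed 3/30.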
Re: About Xen: maybe a reiterative question but ..
On 10/24/07, Paul de Weerd [EMAIL PROTECTED] wrote: This is the theory. In theory, there's no bugs in OpenBSD. In practice, many of the commits to the tree are not new features/drivers but actual bugfixes. Read the paper by Tavis Ormandy, referenced by Theo. There is a real problem with virtualization. Until all bugs are When you read Ormandy's paper, referenced by Damien Miller, in regards to Xen, you find: 1. Ormandy states that Xen's design is congruent with good security 2. Ormandy doesn't actually demonstrate a Dom0 - DomU escalation, and in fact, didn't test any HVMs at all. 3. Qemu compromises != Xen HVM Qemu compromises Furthermore: 1. Upstream patches already exist [1] in response to Ormandy's bug report [2] fixed, virtualization is worse than real hardware. And it'll be hard to prove all the bugs are fixed. Unless you are using a purely functional language implemented directly on provably correct hardware, it's impossible to (mathematically) prove a program is free of bugs. Since you want to solve real-world problems, you make a tradeoff between features you want and issues you can live with. OpenBSD is very, very, very good at security. On the other hand, if you want to program a fast, parallelized quantum gravity model to run on a large cluster of OpenMosix nodes, it's not the right tool for the job. In the scientific cluster computing and enterprise spaces, it's already well demonstrated, by many, many practitioners in those fields [3], that virtualization is a very, very good tool. Paul 'WEiRD' de Weerd [1] https://launchpad.net/ubuntu/+source/xen-3.1/ [2] http://secunia.com/advisories/26986/ [3] In addition to my own work, I can point to colleagues and organizations, for example, http://cse.ucdavis.edu and http://immunetolerance.org Adam -- Invincibility is in oneself, vulnerability in the opponent. -- Sun Tzu
Re: About Xen: maybe a reiterative question but ..
In the scientific cluster computing and enterprise spaces, it's already well demonstrated, by many, many practitioners in those fields [3], that virtualization is a very, very good tool. So what? Someone showed up here and said it is actually all about security. That is obviously false to anyone skilled in the field. You don't build better security by building another gigantic layer. That is obvious to anyone who actually works in the field. The people who are being fooled are just being 'users'. They need it, so they invent all sorts of judgements to make it OK.
Re: About Xen: maybe a reiterative question but ..
On Oct 24, 2007, at 10:59 AM, Theo de Raadt wrote: You don't build better security by building another gigantic layer. That is obvious to anyone who actually works in the field. Having worked in REAL VM :-) (IBM VM/ESA now z/VM) it isn't per se about security like we mean security ... preventing cracking attempts ... it is about isolation of processes. Isolation of processes does contribute to security but it's not the only point of flexion. In practice, mainframe VM varies greatly in security from installation to installation ... the protection of processes from one another in the VM operating system is as hardware/software perfect as the wit and skill of humankind can provide ... but I've found VM installations with accounts like USER passwd USER :-( All things being equal, the safest base installations in the universe would be those whose user instances were encased in some kind of solid VM and whose base instance administrators were provided with and followed best practices. In re that solid VM ... As Theo pointed out the other day, the Intel hardware support for virtualization is less than complete, i.e., less mature than the 35-year-old support for virtualization in the IBM 370/390 architecture. So we still gots a ways to go. -- Jack J. Woehr Director of Development Absolute Performance, Inc. [EMAIL PROTECTED] 303-443-7000 ext. 527
multimode fiber card recs for OpenBGPD
I have two servers that I would like to setup to run OpenBGPD for our border routers. I need to find a supported PCIe (not PCI-X) fiber card that runs multi-mode and a supported PCIe (not PCI-X) fiber card that runs single-mode. (One of our providers is coming to us with mm, the other with sm.) A dual port card is preferable, but we will take single port cards if those are the only ones available. Any recommendations? The supported cards page on the OpenBSD site only lists PCI-X cards. thanks, Thomas -- N.J. Thomas [EMAIL PROTECTED] Etiamsi occiderit me, in ipso sperabo
Re: Network Time Synchronization using timed or ntpd or a Combination?
On Wed, Oct 24, 2007 at 10:47:45AM -0500, Boris Goldberg wrote: | Maybe it makes sense to set -ncv as a default behavior of rdate, but | there should be a way to synchronize time without running a daemon (don't | understand why people are so aggressive about that) if you don't need | up-to-second synchronization (in my case modern hardware goes less than a | second off per day, and really old hardware - less than 10 seconds).

The problem here is the jump in time. You repeat a second or more (if you have to jump back) or skip some (if you jump forward). This may not be a problem for you in particular, but is considered bad in general.

Another issue is the fact that the server you're syncing to may not be perfectly sync'ed itself. Or maybe there's some (asymmetrical) delay in the network. This may make time on your machine somewhat off (this isn't as big a problem as the previous, IMO).

And it's totally unnecessary, simply run ntpd and be done with it. It solves all the problems with syncing every once in a while, and as I indicated in my earlier mail, I don't see any of the problems with running another daemon on my machines that you described. It's small, uses proven security techniques and is still reasonably simple.

But hey, if using rdate from a cron is your thing, don't let me get in your way. I used to do this before we had OpenNTPD too, since I wasn't really happy with ntp.org's daemon. If you're not really happy with OpenNTPD, more power to you ! But I don't think it's a good practice to do so, so suggesting it to others on this mailing list will get you some replies from opponents of your solution...

Cheers, Paul 'WEiRD' de Weerd -- [++-]+++.+++[---].+++[+ +++-].++[-]+.--.[-] http://www.weirdnet.nl/
Re: About Xen: maybe a reiterative question but ..
On Wed, 24 Oct 2007, Paul de Weerd wrote: On Wed, Oct 24, 2007 at 08:31:26AM -0500, L. V. Lammert wrote: | On Wed, 24 Oct 2007, Henning Brauer wrote: | | * [EMAIL PROTECTED] [EMAIL PROTECTED] [2007-10-24 03:03]: | Virtualization seems to have a lot of security benefits | | seems? | to whom? | | Virtualization provides near absolute security - DOM0 is not visible to | the user at all, only passing network traffic and handling kernel calls. | The security comes about in that each DOMU is totally isolated from the | others, while the core DOM0 is isolated from any attacks. This is the theory.

Practice also. XEN is a great tool for 'duplicating' a machine in an enterprise environment (IME running 'user level' tools for hundreds or thousands of users). Separating applications is invaluable, and the ability to do a machine restore in minutes, using the most recent data from a local SAN is also a major advantage. Nobody in the XEN (or VM) world in their right mind would put a VM on the 'Net without significant protection (an OBSD PF machine, perhaps), and I'm certainly not suggesting that.

Remember that there is more than one world from a technology standpoint! The vast majority of the SME marketspace (where we operate) is heavily infiltrated with MS crap; OTOH, OBSD is the only choice for public servers, or as a front-end to other OSs. The virtualization space will have to mature significantly, if ever, to meet the security standards of OBSD. In the meantime, virtualization provides a great solution for those applications that benefit from running separately isolated, while maximizing h/w utilization.

Lee

Leland V. Lammert [EMAIL PROTECTED] Chief Scientist Omnitec Corporation Network/Internet Consultants www.omnitec.net
Re: About Xen: maybe a reiterative question but ..
Bottom-line is, the more complicated your setup gets, the more chances you get to fuck-up. All that stuff about extra permissions, extra layers. Each thingie you add you need to configure. And you won't be 100%, not all the time. So, Xen is just another opportunity to get fucked. Instead of designing security, you add another plugin, wave your magic wand, and say `this is improved security' (take your deepest booming voice, if you want to be convincing). Security theater, once again.
Re: About Xen: maybe a reiterative question but ..
At 05:12 PM 10/24/2007 +0200, Henning Brauer wrote:
* L. V. Lammert [EMAIL PROTECTED] [2007-10-24 16:46]:
Virtualization provides near absolute security - DOM0 is not visible to the user at all, only passing network traffic and handling kernel calls. The security comes about in that each DOMU is totally isolated from the others, while the core DOM0 is isolated from any attacks.

dream on. that is what marketing wants to tell you. in fact the isolation is incredibly poor.

Sorry, the kernel hacking world is pretty far removed from 'enterprise reality'; not that it's a bad thing - I often wish it were that simple!! In reality, there are tons of SMEs out there using MS Crap and other risky software! The few security risks you cite for XEN are negligible by comparison.

Anything we can do to increase security, *including* setting up VMs (of any flavor) is an improvement [that also increased hardware utilization].

Lee
Re: About Xen: maybe a reiterative question but ..
I am just astounded by how some people who love virtualization keep making the same mistakes. Are you even listening?

Practice also. XEN is a great tool for 'duplicating' a machine in an enterprise environment (IME running 'user level' tools for hundreds or thousands of users). Separating applications is invaluable, and the
^^
Who said it actually separates?

ability to do a machine restore in minutes, using the most recent data from a local SAN is also a major advantage. Nobody in the XEN (or VM) world in their right mind would put a VM on the 'Net without significant protection (an OBSD PF machine, perhaps), and I'm certainly not suggesting that. Remember that there is more than one world from a technology standpoint! The vast majority of the SME marketspace (where we operate) is heavily infiltrated with MS crap; OTOH, OBSD is the only choice for public servers, or as a front-end to other OSs. The virtualization space will have to mature significantly, if ever, to meet the security standards of OBSD. In the meantime, virtualization provides a great solution for those applications that benefit from running separately isolated, while
^
You believe it does separation and isolation?

maximizing h/w utilization.

This, it does do. But the people who want to maximize hw utilization are trying to lie to themselves about the security aspects. You can't run more code and then have less failures.
Re: About Xen: maybe a reiterative question but ..
At 05:12 PM 10/24/2007 +0200, Henning Brauer wrote:
* L. V. Lammert [EMAIL PROTECTED] [2007-10-24 16:46]:
Virtualization provides near absolute security - DOM0 is not visible to the user at all, only passing network traffic and handling kernel calls. The security comes about in that each DOMU is totally isolated from the others, while the core DOM0 is isolated from any attacks.

dream on. that is what marketing wants to tell you. in fact the isolation is incredibly poor.

Sorry, the kernel hacking world is pretty far removed from 'enterprise reality'; not that it's a bad thing - I often wish it were that simple!! In reality, there are tons of SMEs out there using MS Crap and other risky software! The few security risks you cite for XEN are negligible by comparison. Anything we can do to increase security, *including* setting up VMs (of any flavor) is an improvement [that also increased hardware utilization].

This last sentence is such a lie. The fact is that you, and most of the other fanboys, only care about the [that also increased hardware utilization]. The yammering about security is just one thing -- job security. You've got to be able to sell increased hardware utilization in a way that does not hang you up at the end of the day.

If people were saying: Yes, it increased hardware utilization, and the nasty security impact might be low, it would be fine.

But instead we have many uneducated people saying: Yes, it increased hardware utilization, and it improved security too. And that's complete and utter bullshit.
Re: About Xen: maybe a reiterative question but ..
On 10/24/07, Christoph Egger [EMAIL PROTECTED] wrote:
- aio(2) support creaking along.
- POSIX ptsname() (this is used in a python binding module)

dunno.

- newer gcc version due to a structure padding bug with an alignment attribute hidden in a typedef (this is fixed in gcc 3.4) I use gcc 4.2 from the ports FYI.

can you tell me which structure? attribute packed/aligned should never be used on typedefs because of this. it's one of those astounding things that gcc compiles, but then neglects to warn that it completely ignores the attribute.

Oh, a libc header cleanup is nice to have. I don't know why uvm kernel headers should be in /usr/include/uvm/, for example.

so that userland programs can talk to the kernel. what's the problem? they're not in the way are they? (where else would they go?)
Question about 4.2 Package availability
I just wanted to confirm the following: If I've installed OpenBSD 4.2 and I need a specific package (in this case, net-smpd) which is not available on the CD, I must wait until 4.2 is officially released. Then I can get the packages I need from the ftp site.
Re: Network Time Synchronization using timed or ntpd or a Combination?
Boris Goldberg wrote:
Maybe it makes sense to set -ncv as a default behavior of rdate, but there should be a way to synchronize time without running a daemon (don't understand why people are so aggressive about that) if you don't need up-to-second synchronization (in my case modern hardware goes less than a second off per day, and really old hardware - less than 10 seconds).

You don't understand the implications of changing the time of a computer at runtime. Time can be seen as a continuum whose axis can be stretched or compressed, or as a series of time units with fixed length. In the first case the computer clock runs faster or slower, but no time unit is lost. In the second case the computer runs at constant speed, but time units can be lost. Whether either case is acceptable depends on the software that runs on the computer. A computer that controls an insulin pump probably should run at constant speed whereas a computer that does a task at a certain time should not skip time units. If a cronjob runs at 17:10 and at 17:00 your wise cronjob sets the time to 17:20, cron will not start that job. See?
Re: Question about 4.2 Package availability
Hi Joe, If I've installed OpenBSD 4.2 and I need a specific package (in this case, net-smpd) which is not available on the CD, I must wait until 4.2 is officially released. Then I can get the packages I need from the ftp site. Yes. (Or you build it from ports. Still, 4.2 is very much unreleased at this moment.) HTH... Nico
pgt/Netgear WG511
I have, what appears to be, v1 of this card, but I get the following from dmesg--even when booting from the latest snapshot of cd42.iso: Intersil, ISL3890, -, - (manufacturer 0xb, product 0x3890) Intersil Prism GT/Duette rev 0x01 at cardbus1 dev 0 function 0 not configured I'm not certain how to update pcidevs and related to accurately reflect this (I noticed product 0x3890 is already in pcidevs.h), so some advice is appreciated. Thanks.
Re: About Xen: maybe a reiterative question but ..
At 12:03 PM 10/24/2007 -0600, Theo de Raadt wrote:
Anything we can do to increase security, *including* setting up VMs (of any flavor) is an improvement [that also increased hardware utilization].

This last sentence is such a lie.

That depends on your viewpoint. There certainly may be some issues at the OS level (which have been mentioned previously), however the majority of VM applications benefit from security *isolation*, which has nothing to do with security issues of the underlying OS, and that was the viewpoint I was communicating.

For example, say you have three departments within a company: Marketing, Development, Production. Allowing each department to maintain their own server instance allows each department to have their own users, home directory configuration, samba (possibly) network config authorization, separate file/print sharing domain, etc.

That is simply not doable with a single OS, yet with reasonably priced h/w all can be maintained on one platform.

The security benefits are at the application level, *NOT* at the OS level.

If people were saying: Yes, it increased hardware utilization, and the nasty security impact might be low, it would be fine. But instead we have many uneducated people saying: Yes, it increased hardware utilization, and it improved security too. And that's complete and utter bullshit.

Perhaps more correctly: Yes, it increased hardware utilization, and it improves security/isolation between different work domains. However few outside this community would have any comprehension of the difference.

Lee
Re: HP ProLiant DL320 v. Sun Fire V125
Hello evo,

Wednesday, October 24, 2007, 12:51:13 AM, you wrote:
e I'm choosing firewall/proxy/mail-gateway hardware running (of course)
e OpenBSD for medium office and my shortlist is:
e (a) HP ProLiant DL320 and (b) Sun Fire V125

I'm upgrading my servers/firewalls to HP ProLiant DL320 G5, and the experience... isn't easy. First of all you need to allow acpi in an MP kernel, otherwise it's slow and unstable (it's disabled by default and not really documented). Then there are a couple more issues I couldn't resolve yet:

First - uhci (uhci4 in my case) giving an error during boot and shutdown:

OpenBSD 4.2-stable (GENERIC) #1: Thu Oct 18 12:35:10 CDT 2007 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) D CPU 3.00GHz (GenuineIntel 686-class) 3.01 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,CNXT-ID,CX16,xTPR
real mem = 1071640576 (1021MB)
avail mem = 1028595712 (980MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf, SMBIOS rev. 2.3 @ 0xee000 (47 entries)
bios0: vendor HP version W04 date 04/06/2007
bios0: HP ProLiant DL320 G5
pcibios0 at bios0: rev 3.0 @ 0xf/0x2000
pcibios0: PCI BIOS has 7 Interrupt Routing table entries
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801GB LPC rev 0x00)
pcibios0: PCI bus #7 is the last bus
bios0: ROM list: 0xc/0xb000 0xcc400/0x1000 0xcd400/0x1000 0xce400/0x3400! 0xe6000/0x2000!
acpi at mainbus0 not configured ipmi0 at mainbus0: version 2.0 interface KCS iobase 0xca2/2 spacing 1 cpu0 at mainbus0 pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 Intel E7230 MCH rev 0xc0 ppb0 at pci0 dev 1 function 0 Intel E7230 PCIE rev 0xc0 pci1 at ppb0 bus 1 ppb1 at pci0 dev 28 function 0 Intel 82801GB PCIE rev 0x01 pci2 at ppb1 bus 2 ppb2 at pci2 dev 0 function 0 ServerWorks PCIE-PCIX rev 0xb5 pci3 at ppb2 bus 3 bge0 at pci3 dev 4 function 0 Broadcom BCM5714 rev 0xa3, BCM5715 A3 (0x9003): irq 11, address 00:1b:78:07:c9:9a brgphy0 at bge0 phy 1: BCM5714 10/100/1000baseT PHY, rev. 0 bge1 at pci3 dev 4 function 1 Broadcom BCM5714 rev 0xa3, BCM5715 A3 (0x9003): irq 10, address 00:1b:78:07:c9:9b brgphy1 at bge1 phy 1: BCM5714 10/100/1000baseT PHY, rev. 0 ppb3 at pci3 dev 8 function 0 ServerWorks HT-1000 PCIX rev 0xb4 pci4 at ppb3 bus 4 ppb4 at pci0 dev 28 function 4 Intel 82801G PCIE rev 0x01 pci5 at ppb4 bus 5 em0 at pci5 dev 0 function 0 Intel PRO/1000 PT (82571EB) rev 0x06: irq 11, address 00:1b:78:57:58:e0 em1 at pci5 dev 0 function 1 Intel PRO/1000 PT (82571EB) rev 0x06: irq 10, address 00:1b:78:57:58:e1 ppb5 at pci0 dev 28 function 5 Intel 82801G PCIE rev 0x01 pci6 at ppb5 bus 6 uhci0 at pci0 dev 29 function 0 Intel 82801GB USB rev 0x01: irq 5 uhci1 at pci0 dev 29 function 1 Intel 82801GB USB rev 0x01: irq 5 uhci2 at pci0 dev 29 function 2 Intel 82801GB USB rev 0x01: irq 5 uhci3 at pci0 dev 29 function 3 Intel 82801GB USB rev 0x01: irq 5 ehci0 at pci0 dev 29 function 7 Intel 82801GB USB rev 0x01: irq 5 usb0 at ehci0: USB revision 2.0 uhub0 at usb0: Intel EHCI root hub, rev 2.00/1.00, addr 1 ppb6 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0xe1 pci7 at ppb6 bus 7 vga1 at pci7 dev 3 function 0 ATI ES1000 rev 0x02 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) Compaq iLO rev 0x03 at pci7 dev 4 function 0 not configured Compaq iLO rev 0x03 at pci7 dev 4 
function 2 not configured uhci4 at pci7 dev 4 function 4 Hewlett-Packard USB rev 0x00: irq 11 uhci4: cannot stop Hewlett-Packard IPMI rev 0x00 at pci7 dev 4 function 6 not configured usb1 at uhci4: USB revision 1.0 uhub1 at usb1: Hewlett-Packard UHCI root hub, rev 1.00/1.00, addr 1 ichpcib0 at pci0 dev 31 function 0 Intel 82801GB LPC rev 0x01: PM disabled pciide0 at pci0 dev 31 function 1 Intel 82801GB IDE rev 0x01: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility pciide0: channel 0 disabled (no drives) pciide0: channel 1 disabled (no drives) pciide1 at pci0 dev 31 function 2 Intel 82801GB SATA rev 0x01: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI pciide1: using irq 7 for native-PCI interrupt wd0 at pciide1 channel 0 drive 0: FB160C4081 wd0: 16-sector PIO, LBA48, 152627MB, 312581808 sectors wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5 usb2 at uhci0: USB revision 1.0 uhub2 at usb2: Intel UHCI root hub, rev 1.00/1.00, addr 1 usb3 at uhci1: USB revision 1.0 uhub3 at usb3: Intel UHCI root hub, rev 1.00/1.00, addr 1 usb4 at uhci2: USB revision 1.0 uhub4 at usb4: Intel UHCI root hub, rev 1.00/1.00, addr 1 usb5 at uhci3: USB revision 1.0 uhub5 at usb5: Intel UHCI root hub, rev 1.00/1.00, addr 1 isa0 at ichpcib0 isadma0 at isa0 pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0: console keyboard,
Re: About Xen: maybe a reiterative question but ..
L. V. Lammert wrote:
At 05:12 PM 10/24/2007 +0200, Henning Brauer wrote:
* L. V. Lammert [EMAIL PROTECTED] [2007-10-24 16:46]:
Virtualization provides near absolute security - DOM0 is not visible to the user at all, only passing network traffic and handling kernel calls. The security comes about in that each DOMU is totally isolated from the others, while the core DOM0 is isolated from any attacks.

dream on. that is what marketing wants to tell you. in fact the isolation is incredibly poor.

Sorry, the kernel hacking world is pretty far removed from 'enterprise reality'; not that it's a bad thing - I often wish it were that simple!! In reality, there are tons of SMEs out there using MS Crap and other risky software! The few security risks you cite for XEN are negligible by comparison.

When all this crap/risky software is running on separate boxes, you only have the network as an attack path to the other crap. This path is well understood, and there are established policies, best practices, tools that you can use to control and monitor your network.

Now, when you put all this crap onto the same hardware, you remove the well known and trusted hardware from underneath the already crappy setups, and introduce a (possibly crappy/unknown) software layer that claims to provide isolation.

Advantages:
1. buzzword compliance
2. some 'cool features' like snapshots and migration
3. perhaps better utilize the (high performance/ultra expensive) hardware you just bought to gain 1 & 2.

Disadvantages:
1. isolation between the systems is in fact *reduced*
2. whole new attack paths through the VM system are introduced: you get access to the host OS, not necessarily through a guest, you compromise ALL guests.
3. A compromised guest could, at the very least cause stability problems and DoS affecting ALL the guests, at worst compromising the host OS.
Anything we can do to increase security, *including* setting up VMs (of any flavor) is an improvement [that also increased hardware utilization].

You do not get security improvements out of using a VM system at all. Look at the list above. This is *not* some kernel hackers' out of the world scenario. This is just common sense and security best practices that every enterprise should be aware of.

You do have some benefits in terms of management and flexibility, and perhaps faster recovery. VMs are invaluable for development/testing. But there is absolutely *no* security improvement at all. You may accept the risks in favor of the benefits to your business, but do not claim that you are actually improving the security.

Can
Re: About Xen: maybe a reiterative question but ..
At 12:03 PM 10/24/2007 -0600, Theo de Raadt wrote:
Anything we can do to increase security, *including* setting up VMs (of any flavor) is an improvement [that also increased hardware utilization].

This last sentence is such a lie.

That depends on your viewpoint. There certainly may be some issues at the OS level (which have been mentioned previously), however the majority of VM applications benefit from security *isolation*, which has nothing to do with security issues of the underlying OS, and that was the viewpoint I was communicating.

The ends justify the means, even if the means don't actually perform as you declare?

For example, say you have three departments within a company: Marketing, Development, Production. Allowing each department to maintain their own server instance allows each department to have their own users, home directory configuration, samba (possibly) network config authorization, separate file/print sharing domain, etc.

That is simply not doable with a single OS, yet with reasonably priced h/w all can be maintained on one platform.

The security benefits are at the application level, *NOT* at the OS level.

This has NOTHING to do with security. You are just saving pennies. You did zero actual security assessment, so you are just talking out of your ass.

If people were saying: Yes, it increased hardware utilization, and the nasty security impact might be low, it would be fine. But instead we have many uneducated people saying: Yes, it increased hardware utilization, and it improved security too. And that's complete and utter bullshit.

Perhaps more correctly: Yes, it increased hardware utilization, and it improves security/isolation between different work domains. However few outside this community would have any comprehension of the difference.

You're so full of it. There is no security/isolation. You are making it up out of thin air to justify the pennies you saved. It's a total lie.
Re: Network Time Synchronization using timed or ntpd or a Combination?
* Paul de Weerd [EMAIL PROTECTED] [2007-10-24 19:28]:
On Wed, Oct 24, 2007 at 10:47:45AM -0500, Boris Goldberg wrote:
| Maybe it makes sense to set -ncv as a default behavior of rdate, but
| there should be a way to synchronize time without running a daemon (don't
| understand why people are so aggressive about that) if you don't need
| up-to-second synchronization (in my case modern hardware goes less than a
| second off per day, and really old hardware - less than 10 seconds).

The problem here is the jump in time. You repeat a second or more (if you have to jump back) or skip some (if you jump forward). This may not be a problem for you in particular, but is considered bad in general.

rdate can use adjtime, so that point is moot.

Another issue is the fact that the server you're syncing to may not be perfectly sync'ed itself. Or maybe there's some (asymmetrical) delay in the network. This may make time on your machine somewhat off (this isn't as big a problem as the previous, IMO).

this is the key. rdate sets/skews the clock based on a single reply. which might get affected badly by network issues or whatever, or be spoofed, or... ntpd doesn't have that problem at all - last but not least it never uses less than 8 packets to form a single update (just picking that one as example, there is more it can do, because it can develop things over TIME instead of a single one-shot update exit. and it fixes the clock frequency permanently using adjtick. rdate doesn't.

And it's totally unnecessary, simply run ntpd and be done with it.

exactly.

-- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
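Henning's point about a single reply versus a batch of them, as an added example that is not part of the thread and is not OpenNTPD's or rdate's code: the standard NTP offset/delay arithmetic applied to one constructed reply and to a constructed batch of nine. The "lowest round-trip delay wins, and refuse to adjust on too few samples" rule is a deliberately simplified stand-in for a real clock filter.

```python
"""Constructed demonstration: a one-shot time sync trusts whatever reply
arrives, a multi-sample client can discard a delayed or tampered reply.
All timestamps below are made up; nothing is read from a real clock."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Reply:
    """NTP-style timestamps for one request/reply exchange (seconds).

    t1: client transmit time (client clock)
    t2: server receive time  (server clock)
    t3: server transmit time (server clock)
    t4: client receive time  (client clock)
    """
    t1: float
    t2: float
    t3: float
    t4: float

    def offset(self) -> float:
        # RFC 5905 clock offset estimate ("theta"): exact only when the
        # outbound and return legs took the same time.
        return ((self.t2 - self.t1) + (self.t3 - self.t4)) / 2.0

    def delay(self) -> float:
        # Round-trip delay with the server's processing time removed ("delta").
        return (self.t4 - self.t1) - (self.t3 - self.t2)


def one_shot_offset(reply: Reply) -> float:
    """rdate-style: whatever the single reply says is applied to the clock."""
    return reply.offset()


def filtered_offset(replies, min_samples: int = 8, max_delay: float = 1.0):
    """Batch-style (simplified, not OpenNTPD's algorithm): require at least
    min_samples replies, drop any whose round-trip is implausibly long, and
    take the offset of the lowest-delay survivor, since a short round trip
    bounds how asymmetric (and how wrong) that sample can be. Returns None
    when too few usable samples arrived, i.e. do not touch the clock."""
    usable = [r for r in replies if 0.0 <= r.delay() <= max_delay]
    if len(usable) < min_samples:
        return None
    best = min(usable, key=Reply.delay)
    return best.offset()


def make_reply(send_time: float, true_offset: float,
               out_delay: float, back_delay: float,
               proc: float = 0.001) -> Reply:
    """Fabricate one exchange: the client clock is true_offset seconds
    behind the server, the request takes out_delay, the reply back_delay,
    and the server spends proc seconds before answering."""
    t1 = send_time
    t2 = t1 + true_offset + out_delay      # server clock on arrival
    t3 = t2 + proc                         # server clock on reply
    t4 = t1 + out_delay + proc + back_delay  # client clock on receipt
    return Reply(t1, t2, t3, t4)


# Constructed sample: client is 0.25 s behind the server. Eight clean
# exchanges over a ~10 ms path, plus one reply whose outbound leg was held
# up for two full seconds (congestion, or a reply someone delayed on purpose).
TRUE_OFFSET = 0.25
GOOD_REPLIES = [make_reply(100.0 + i, TRUE_OFFSET, 0.010 + 0.001 * i, 0.010)
                for i in range(8)]
BAD_REPLY = make_reply(108.0, TRUE_OFFSET, 2.0, 0.0)
SAMPLE_REPLIES = GOOD_REPLIES + [BAD_REPLY]


if __name__ == "__main__":
    # One-shot on the bad reply: the clock would be stepped a full second
    # too far. Filtered over the batch: the bad reply is discarded and the
    # true 0.25 s offset is recovered.
    print("one-shot, bad reply :", round(one_shot_offset(BAD_REPLY), 3))
    print("filtered, all nine  :", round(filtered_offset(SAMPLE_REPLIES), 3))
    print("filtered, 3 samples :", filtered_offset(GOOD_REPLIES[:3]))
```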
Re: About Xen: maybe a reiterative question but ..
On Wed, Oct 24, 2007 at 01:41:38PM -0500, L. V. Lammert wrote:
| For example, say you have three departments within a company: Marketing,
| Development, Production. Allowing each department to maintain their own
| server instance allows each department to have their own users, home
| directory configuration, samba (possibly) network config authorization,
| separate file/print sharing domain, etc.
|
| That is simply not doable with a single OS, yet with reasonably priced
| h/w all can be maintained on one platform.
|
| The security benefits are at the application level, *NOT* at the OS level.

Let's have a look at the case. Three departments all on one machine, each under one VM. Why compare this to all departments on one machine, all on the same OS? That's not a fair comparison. Compare your one machine with 3 VMs to three machines. What do you think is more secure? If you really, honestly think that the one machine/3 VM's solution is more secure, I'm actually very interested in your reasoning for this.

You separate and isolate each department on their own machine. As secure as the OS and/or application running on that machine. Now you join three machines into one machine with three VMs, adding a layer of complexity/code that is quite useful (as it saves on hardware costs) but maybe not very mature yet. How does that joining *add* security? Please elaborate.

Cheers,

Paul 'WEiRD' de Weerd
-- [++-]+++.+++[---].+++[+ +++-].++[-]+.--.[-] http://www.weirdnet.nl/
Re: Network Time Synchronization using timed or ntpd or a Combination?
* Marc Balmer [EMAIL PROTECTED] [2007-10-24 20:25]:
Boris Goldberg wrote:
Maybe it makes sense to set -ncv as a default behavior of rdate, but there should be a way to synchronize time without running a daemon (don't understand why people are so aggressive about that) if you don't need up-to-second synchronization (in my case modern hardware goes less than a second off per day, and really old hardware - less than 10 seconds).

You don't understand the implications of changing the time of a computer at runtime. Time can be seen as a continuum whose axis can be stretched or compressed, or as a series of time units with fixed length. In the first case the computer clock runs faster or slower, but no time unit is lost. In the second case the computer runs at constant speed, but time units can be lost.

that is NOT the damn point, rdate can use adjtime.

Whether either case is acceptable depends on the software that runs on the computer. A computer that controls an insulin pump probably should run at constant speed whereas a computer that does a task at a certain time should not skip time units. If a cronjob runs at 17:10 and at 17:00 your wise cronjob sets the time to 17:20, cron will not start that job. See?

bad example, since cron is the worst example you could pick, it is reasonably smart trying to deal with time jumps. but it DOES NOT in the first place using rdate -a. yet, ntpd is STILL a way better solution, but don't spread fud to push it either, it doesn't need that.

-- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: About Xen: maybe a reiterative question but ..
Can Erkin Acar wrote:
L. V. Lammert wrote:
At 05:12 PM 10/24/2007 +0200, Henning Brauer wrote:
* L. V. Lammert [EMAIL PROTECTED] [2007-10-24 16:46]:
Virtualization provides near absolute security - DOM0 is not visible to the user at all, only passing network traffic and handling kernel calls. The security comes about in that each DOMU is totally isolated from the others, while the core DOM0 is isolated from any attacks.

dream on. that is what marketing wants to tell you. in fact the isolation is incredibly poor.

Sorry, the kernel hacking world is pretty far removed from 'enterprise reality'; not that it's a bad thing - I often wish it were that simple!! In reality, there are tons of SMEs out there using MS Crap and other risky software! The few security risks you cite for XEN are negligible by comparison.

When all this crap/risky software is running on separate boxes, you only have the network as an attack path to the other crap. This path is well understood, and there are established policies, best practices, tools that you can use to control and monitor your network.

Contrariwise, there is *some* security benefit to running all the services virtualized, compared to running all the services on the same machine but *not* virtualized. In that case, though, you're not getting any improved resource utilization, and you're going with a very complicated and unaudited system (with arbitrary code execution bugs coming to light *this month*) to achieve improved security.

You can achieve a lot of the promises of virtualized servers (with fewer moving parts, and more code audits) using chroot and login classes to run many services on a single big machine.

-- Matthew Weigel
hacker
[EMAIL PROTECTED]
Re: Network Time Synchronization using timed or ntpd or a Combination?
Hello Marc,

Wednesday, October 24, 2007, 1:13:23 PM, you wrote:
Maybe it makes sense to set -ncv as a default behavior of rdate, but there should be a way to synchronize time without running a daemon (don't understand why people are so aggressive about that) if you don't need up-to-second synchronization (in my case modern hardware goes less than a second off per day, and really old hardware - less than 10 seconds).

MB You don't understand the implications of changing the time of a computer
MB at runtime.

I believe I do. :) There are pros and cons in the daemon and in the cron schema. I decided to use cron and I know why. Every sysadmin/architect should make that decision for *his* systems (and know why). Home users should probably stay with the default (ntpd), but they are usually using Windows and cheap hardware firewalls anyway. ;)

MB Whether either case is acceptable depends on the software that runs on the
MB computer.

Exactly. And I believe that the usual case is not a cluster, monetary transaction server or traffic control system.

MB A computer that controls an insulin pump probably should run at
MB constant speed whereas a computer that does a task at a certain time
MB should not skip time units.

Have you seen an insulin pump run by an OpenBSD system? ;) Give me some *real* examples (if you want to).

MB If a cronjob runs at 17:10 and at 17:00 your wise cronjob sets the time
MB to 17:20, cron will not start that job.

First of all, this is not a *real* case again. I was talking about 10 seconds a day, not 20 minutes. If your *production* hardware goes 20 minutes off a day you will probably replace it (I believe, for new hardware it's a warranty case). Second of all, I've seen that behavior (with much smaller time adjustments) on SCO, but OpenBSD handles it pretty well - my cron doesn't repeat itself after adjusting time back.

-- Best regards,
Boris mailto:[EMAIL PROTECTED]
Re: About Xen: maybe a reiterative question but ..
On 10/24/07, L. V. Lammert [EMAIL PROTECTED] wrote:
At 12:03 PM 10/24/2007 -0600, Theo de Raadt wrote:
Anything we can do to increase security, *including* setting up VMs (of any flavor) is an improvement [that also increased hardware utilization].

This last sentence is such a lie.

That depends on your viewpoint. There certainly may be some issues at the OS level (which have been mentioned previously), however the majority of VM applications benefit from security *isolation*, which has nothing to do with security issues of the underlying OS, and that was the viewpoint I was communicating.

For example, say you have three departments within a company: Marketing, Development, Production. Allowing each department to maintain their own server instance allows each department to have their own users, home directory configuration, samba (possibly) network config authorization, separate file/print sharing domain, etc.

This is called a tangent. It has nothing to do with the reliable security aspects of segmentation via virtualization.

The point you may try making here is that by segmenting your servers into individual instances for each department, rather than having all departments on a shared server, an attack against one department's server doesn't affect the other. _In theory_, that's true. _In reality_, this is only a surface assumption as without strong segmentation at the network level to separate a compromised department from another department, the attacker can compromise the other departments' servers from the first one and have the same result.

Remember back 10-ish years ago when VLANs were being touted as the ultimate network segmentation technology by marketers of managed switches? And now everyone hopefully realizes that while VLANs technically do offer network segmentation, it's really rudimentary and cannot be relied on for truly reliable security due to various layer 2 attacks that subvert them? Or that if there's any communication conduit that allows one to talk to the other, that can simply be leveraged to subvert security? That simply segmenting networks with VLANs can't be considered to fully isolate them? That when people want solid assurance of isolating hosts they often still air gap them?

That is the point that VM-based segmentation is at right now. This isn't supposed to be a remedial lesson on network architectures; you're supposed to pick up the parallels to separation of systems/applications via VM technology. VM based segmentation or isolation (whichever buzzword you prefer ATM) is fine on the surface level, but please stop acting as if it is a security measure. People much smarter than $you are blowing that idea out of the water right now.

http://www.intelguardians.com/ndss.pdf
http://www.pauldotcom.com/2007/08/27/pauldotcom_security_weekly_int_1.html
http://www.cutawaysecurity.com/blog/archives/170 (read Ed Skoudis' comment on this post)

DS
Re: About Xen: maybe a reiterative question but ..
The security benefits are at the application level, *NOT* at the OS level. What hogwash. The security benefits are at the ability to buy a steak for dinner level. You've already made the decision to decrease security by de-compartmentalizing onto one physical box, so you are just thrilled with the ability to decrease security more by de-compartmentalizing the software further.
Re: LDAP users
Linus SwCFCB$las wrote:
OpenBSD doesn't include an LDAP module though so you'd have to write your own, details for how to do so are in the login.conf(5) man page. Or perhaps you can google something, someone else has probably built one already.

login_ldap no longer in ports?
Re: About Xen: maybe a reiterative question but ..
On 10/24/07, Jack J. Woehr [EMAIL PROTECTED] wrote: All things being equal, the safest base installations in the universe would be those whose user instances were encased in some kind of solid VM and whose base instance administrators were provided with and followed best practices. My VM: The World. -- This officer's men seem to follow him merely out of idle curiosity. -- Sandhurst officer cadet evaluation.
Re: multimode fiber card recs for OpenBGPD
* N.J. Thomas [EMAIL PROTECTED] [2007-10-24 19:28]: I have two servers that I would like to set up to run OpenBGPD for our border routers. I need to find a supported PCIe (not PCI-X) fiber card that runs multi-mode and a supported PCIe (not PCI-X) fiber card that runs single-mode. (One of our providers is coming to us with mm, the other with sm.) A dual port card is preferable, but we will take single port cards if those are the only ones available. Any recommendations? The supported cards page on the OpenBSD site only lists PCI-X cards. i have some pcie-ems, there are pcie-bnxs, and certainly others. fibre limits your options. i usually terminate wan fibres on a switch and use copper or plain sx (really just copper these days) to the routers - has the disadvantage that you don't see link state changes directly, has the advantage of added flexibility and just connecting two machines for redundancy reasons (details differ a lot depending on environment). that said, it shouldn't be too hard to find a pcie-sx card. lx could get hairy. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: About Xen: maybe a reiterative question but ..
* Darren Spruell [EMAIL PROTECTED] [2007-10-24 21:48]: Remember back 10-ish years ago when VLANs were being touted as the ultimate network segmentation technology by marketers of managed switches? And now everyone hopefully realizes that while VLANs technically do offer network segmentation, it's really rudimentary and cannot be relied on for truly reliable security due to various layer 2 attacks that subvert them? err, that is a very bad comparison. I am not aware of any layer2 attacks (you probably mean vlan hopping things) that work against any half reasonably configured switch from the last 10 years. heck, these days even everybody except cisco has sane defaults. (well, I dunno about those cheap switches, admittedly) this comparison is wrong on another basis: vlans are dead simple, just a tiny and simple header before the ethernet segment. virtualization is certainly not. That simply segmenting networks with VLANs can't be considered to fully isolate them? without bad config errors (that are getting harder to make, except on cisco, they got the semantics completely wrong and stupid defaults) and used correctly, yes, VLANs perfectly isolate network segments. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: About Xen: maybe a reiterative question but ..
It's a very simple concept. There is *nothing* in any virtualization software that makes having it *more secure* than not having it at all. Period. --- Jason Dixon DixonGroup Consulting http://www.dixongroup.net
Re: About Xen: maybe a reiterative question but ..
On Wed, 24 Oct 2007, Theo de Raadt wrote: The security benefits are at the application level, *NOT* at the OS level. What hogwash. The security benefits are at the ability to buy a steak for dinner level. Nah, I like steak, I hate enterprise computing. You've already made the decision to decrease security by de-compartmentalizing onto one physical box, so you are just thrilled with the ability to decrease security more by de-compartmentalizing the software further. Quite the opposite!! A VM provides a safe, sane, decently compartmentalized way to run a specific application domain. It's obvious we have different viewpoints, but both are equally valid - yours from the OS, mine from the application. Lee Leland V. Lammert[EMAIL PROTECTED] Chief Scientist Omnitec Corporation Network/Internet Consultants www.omnitec.net
Re: Network Time Synchronization using timed or ntpd or a Combination?
Boris Goldberg wrote: [snip] There are pros and cons in the demon and in the cron schema. I decided to use cron and I know why. Every sysadmin/architect should make that decision for *his* systems (and know why). Home users should probably stay with the default (ntpd), but they are usually using Windows and cheap hardware firewalls anyway. ;) [snip] I hate beating a dead horse, but this one needs one more whack. OpenNTPD runs as a 'daemon,' yes, but it does so using privilege separation and other goodies. The network code runs as a normal user, isolated from other users. This is superior to running rdate AS ROOT from a cronjob. OpenNTPD does not open any TCP or UDP ports by default. It is true that rdate has about 63% fewer lines of code than ntpd and is older, and may have had more code audits performed; However, ntpd is new code, written with security in mind, runs as a normal user (privilege separated for the most part) and has superior time keeping ability. Your advice about not running a daemon if it's possible to do the task otherwise may be true with a (bloated) daemon such as ntp.org ntpd, however, with OpenNTPD the tables are turned. It is far safer to run the 'daemon' than to perform the task otherwise. That being said, it is up to the individual users to decide what to do. Hopefully the above explanation will help those who don't necessarily understand the risks of running programs as root vice daemons which execute code with proper separation of privileges. -Brian [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
Re: About Xen: maybe a reiterative question but ..
On 10/24/07, Henning Brauer [EMAIL PROTECTED] wrote: without bad config errors (that are getting harder to make, except on cisco, they got the semantics completely wrong and stupid defaults) and used correctly, yes, VLANs perfectly isolate network segments. I'm curious about this. Do you have any pointers I can go look up? Thanx! -- This officer's men seem to follow him merely out of idle curiosity. -- Sandhurst officer cadet evaluation.
Re: About Xen: maybe a reiterative question but ..
On Oct 24, 2007, at 4:16 PM, Henning Brauer [EMAIL PROTECTED] wrote: * Darren Spruell [EMAIL PROTECTED] [2007-10-24 21:48]: Remember back 10-ish years ago when VLANs were being touted as the ultimate network segmentation technology by marketers of managed switches? And now everyone hopefully realizes that while VLANs technically do offer network segmentation, it's really rudimentary and cannot be relied on for truly reliable security due to various layer 2 attacks that subvert them? err, that is a very bad comparison. I am not aware of any layer2 attacks (you probably mean vlan hopping things) that work against any half reasonably configured switch from the last 10 years. heck, these days even everybody except cisco has sane defaults. (well, I dunno about those cheap switches, admittedly) this comparison is wrong on another basis: vlans are dead simple, just a tiny and simple header before the ethernet segment. virtualization is certainly not. That simply segmenting networks with VLANs can't be considered to fully isolate them? without bad config errors (that are getting harder to make, except on cisco, they got the semantics completely wrong and stupid defaults) and used correctly, yes, VLANs perfectly isolate network segments. Why does this continue to pop up in misc@ every year? --- Jason Dixon DixonGroup Consulting http://www.dixongroup.net
Re: About Xen: maybe a reiterative question but ..
You have failed to satisfactorily explain why running a specific application in a VM is more secure than running it in a standard OS. It's nonsense that you think it's more secure that way. It saves a lot of money, yes -- you don't necessarily want a separate box just to run an application - but that's not the debate here. The debate is about security, and I'm amazed that you think a virtual environment is somehow more secure than a dedicated non-virtual environment. On 10/24/07, L. V. Lammert [EMAIL PROTECTED] wrote: On Wed, 24 Oct 2007, Theo de Raadt wrote: The security benefits are at the application level, *NOT* at the OS level. What hogwash. The security benefits are at the ability to buy a steak for dinner level. Nah, I like steak, I hate enterprise computing. You've already made the decision to decrease security by de-compartmentalizing onto one physical box, so you are just thrilled with the ability to decrease security more by de-compartmentalizing the software further. Quite the opposite!! A VM provides a safe, sane, decently compartmentalized way to run a specific application domain. It's obvious we have different viewpoints, but both are equally valid - yours from the OS, mine from the application. Lee Leland V. Lammert[EMAIL PROTECTED] Chief Scientist Omnitec Corporation Network/Internet Consultants www.omnitec.net
Re: About Xen: maybe a reiterative question but ..
On Wed, 24 Oct 2007, Theo de Raadt wrote: At 12:03 PM 10/24/2007 -0600, Theo de Raadt wrote: Anything we can do to increase security, *including* setting up VMs (of any flavor) is an improvement [that also increased hardware utilization]. This last sentence is such a lie. That depends on your viewpoint. There certainly may be some issues at the OS level (which have been mentioned previously), however the majority of VM applications benefit from security *isolation*, which has nothing to do with security issues of the underlying OS, and that was the viewpoint I was communicating. The ends justify the means, even if the means don't actually perform as you declare? Huh? What does circular logic have to do with a simple statement? Running different application domains on separate VMs provides isolation BETWEEN those application domains. That's security by anyone's definition. The fact is that the OS level security is *separate*, and could be an issue has nothing to do with the point I'm making. What if the client OS were Windoze? The security of that OS is crap, and we all know it. Any sane sysadmin will have a good firewall in front of that machine, whether it's running in a VM or on separate hardware. What if the client OS were Linux with AppArmor? SE Linux is a BIG improvement over regular Linux, and WAY more secure than ANY product from Redmond. Certainly there is a small, compound risk increase due to multiple OS images involved, but the OS images must be analyzed independently FIRST, and THOSE risks addressed. **IF** OBSD were available as a host OS, that would be good security. If not, then security issues compound due to multiple guest OSs and each set of inherent vulnerabilities. No matter how you twist the logic, however, a VM provides a good level of application domain security, from the standpoint that each set of domain users and applications can only see the services provided within that domain guest OS. Lee Leland V. 
Lammert[EMAIL PROTECTED] Chief Scientist Omnitec Corporation Network/Internet Consultants www.omnitec.net
Re: About Xen: maybe a reiterative question but ..
Theo de Raadt wrote: The security benefits are at the ability to buy a steak for dinner level. I vote to add it to theo.c. Thanks Daniel Index: src/usr.bin/mg/theo.c === RCS file: /cvs/src/usr.bin/mg/theo.c,v retrieving revision 1.101 diff -u -p -r1.101 theo.c --- src/usr.bin/mg/theo.c 28 Aug 2007 17:57:16 - 1.101 +++ src/usr.bin/mg/theo.c 24 Oct 2007 21:19:08 - @@ -147,6 +147,7 @@ static const char *talk[] = { cache aliasing is a problem that would have stopped in 1992 if someone had killed about 5 people who worked at Sun., Don't spread rumours about me being gentle., If municipal water filtering equipment was built by the gcc developers, the western world would be dead by now., + The security benefits are at the 'ability to buy a steak for dinner' level., }; static const int ntalk = sizeof(talk)/sizeof(talk[0]);
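Review bot: the new talk[] entry wraps the phrase in single quotes ('ability to buy a steak for dinner'), whereas the message being quoted reads "at the ability to buy a steak for dinner level" with no quotes, and the neighbouring entries in the hunk quote nothing either; drop the quotes so the string matches the source. No count needs touching since ntalk is derived from sizeof(talk)/sizeof(talk[0]).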
Re: About Xen: maybe a reiterative question but ..
* L. V. Lammert [EMAIL PROTECTED] [2007-10-24 23:22]: Running different application domains on separate VMs provides isolation BETWEEN those application domains. no, it does not. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: About Xen: maybe a reiterative question but ..
Certainly there is a small, compound risk increase due to multiple OS images involved, but the OS images must be analyzed independently FIRST, and THOSE risks addressed. Certainly you pulled that assessment out of your ass. **IF** OBSD were available as a host OS, that would be good security. You must be more qualified with regards to the actual code than I am because I flat out don't believe this at all. If not, then security issues compound due to multiple guest OSs and each set of inherent vulnerabilities. security issues and protections do not add up like numbers. No matter how you twist the logic, however, a VM provides a good level of application domain security, from the standpoint that each set of domain users and applications can only see the services provided within that domain guest OS. The phrase application domain security is a cover-up statement that means I have already decided to run the multiple things on one box because I am cheap, and I need to invent reasons why I can continue doing so.
Re: multimode fiber card recs for OpenBGPD
On Wed, Oct 24, 2007 at 10:25:32PM +0200, Henning Brauer wrote: * N.J. Thomas [EMAIL PROTECTED] [2007-10-24 19:28]: I have two servers that I would like to set up to run OpenBGPD for our border routers. I need to find a supported PCIe (not PCI-X) fiber card that runs multi-mode and a supported PCIe (not PCI-X) fiber card that runs single-mode. (One of our providers is coming to us with mm, the other with sm.) A dual port card is preferable, but we will take single port cards if those are the only ones available. Any recommendations? The supported cards page on the OpenBSD site only lists PCI-X cards. i have some pcie-ems, there are pcie-bnxs, and certainly others. fibre limits your options. i usually terminate wan fibres on a switch and use copper or plain sx (really just copper these days) to the routers - has the disadvantage that you don't see link state changes directly, has the advantage of added flexibility and just connecting two machines for redundancy reasons (details differ a lot depending on environment). that said, it shouldn't be too hard to find a pcie-sx card. lx could get hairy. http://www.transtec.co.uk/ they have em(4) based cards with sx and lx (lx only as pci-x for some strange reason). They also offer msk(4) cards with sx and lx but those are pci-x only. -- :wq Claudio
Re: A (pf?) puzzler -- a single device invisible on the other side of an IPsec tunnel
knitti wrote: On 10/19/07, Stephen Bosch [EMAIL PROTECTED] wrote: Other things I've tried: - moving the Jetdirect to a different port on the same physical switch - a variety of static and dynamic IPs in the subnet I also forwarded the external port 9100 to this print server and tried to access it from a public host, but this didn't work either. This leads me to suspect a peculiar interaction between OpenBSD 4.1 and this particular print server. Of course, it might well be the fault of HP's IP stack, but I've already talked to them at great length and got pretty much nowhere: We don't support JetDirect over WAN connections. look with tcpdump, whether the packets of the printserver look like you expect. perhaps it only has a ttl of 1 or 2 ;-) No -- the damn thing is doing ARP for the remote address, even though it has a gateway configured. The stupid thing is that this same model of printer works on another network, same configuration -- except the local VPN endpoint is a SonicWall. -Stephen-
Re: About Xen: maybe a reiterative question but ..
You have failed to satisfactorily explain why running a specific application in a VM is more secure than running it in a standard OS. It's nonsense that you think it's more secure that way. It saves a lot of money, yes -- you don't necessarily want a separate box just to run an application - but that's not the debate here. The debate is about security, and I'm amazed that you think a virtual environment is somehow more secure than a dedicated non-virtual environment. It's that extra 4MB of poo code, that is what makes it more secure. It's slippery and sticky at the same time, so that the application attackers slip and slide and fall into the page boundaries. If the actual hardware let us do more isolation than we do today, we would actually do it in our operating system. The problem is the hardware DOES NOT actually give us more isolation abilities, therefore the VM does not actually do anything what they say they do. While x86 hardware has the same page-protection hardware that an IBM 390 architecture machine has, modern PC machines are a mess. They are architecturally so dirty, that parts of the video, keyboard, and other IO devices are interfaced with even to do simple things like context switching processes and handling interrupts. Those of us who have experience with the gory bits of the x86 architecture can clearly say that we know what would be involved in virtualizing it, and if it was so simple, we would not still be fixing bugs in the exact same area in our operating system going on 12 years. We know what a VM operating system has to do to deal with the PC architecture. It is too complex to get perfectly right. And now you've entered into the layered approach where *any error* in the PC model exposed to the client operating system is not just a crashing bug -- it is now exploitable. It might be nice, but it is stupid. And anyone who thinks there is any security advantage at any level knows nothing about PC architecture.
Re: About Xen: maybe a reiterative question but ..
At 03:31 PM 10/24/2007 -0600, Theo de Raadt wrote: Certainly there is a small, compound risk increase due to multiple OS images involved, but the OS images must be analyzed independently FIRST, and THOSE risks addressed. Certainly you pulled that assessment out of your ass. I thought it was obvious, .. but I know you have better things on your mind. I DO mind you liking my ass, however - ain't gonna happen. **IF** OBSD were available as a host OS, that would be good security. You must be more qualified with regards to the actual code than I am because I flat out don't believe this at all. Believe what? OBSD is secure? I thought you were proud of the project? Sheesh! If our leader doesn't believe OBSD is secure, we ALL better be running for cover. Linux, anyone? If you're saying that OBSD will never be modified to run AS a XEN hypervisor, that's probably a true statement. No need to corrupt a decent OS with GPL s/w. If not, then security issues compound due to multiple guest OSs and each set of inherent vulnerabilities. security issues and protections do not add up like numbers. Sure they do. If I'm running Windoze as a guest OS, there are hundreds or thousands of possible vulnerabilities. If I'm running OBSD as a guest OS, guess what (I hope you don't have to??) - few to none. There is no way to 'compound threat [interaction]', but that doesn't detract from the basic truth - the lower the risk/number of vulnerabilities of the OS, the better off you are. As a corollary, you might also say that there is no way to improve the security of a server without improving the security of the OS. No matter how you twist the logic, however, a VM provides a good level of application domain security, from the standpoint that each set of domain users and applications can only see the services provided within that domain guest OS. 
The phrase application domain security is a cover-up statement that means I have already decided to run the multiple things on one box because I am cheap, and I need to invent reasons why I can continue doing so. Huh?? Do you know what an application domain is? Guess not - here's a definition: Application + Users + Access Method = Application Domain Examples: File/Print, httpd, DB, . . . The more discrete the security model (i.e. File/Print users are not valid on the httpd server) the better. Lee
Re: About Xen: maybe a reiterative question but ..
At 11:26 PM 10/24/2007 +0200, Henning Brauer wrote: * L. V. Lammert [EMAIL PROTECTED] [2007-10-24 23:22]: Running different application domains on separate VMs provides isolation BETWEEN those application domains. no, it does not. Is that your ostrich response? Lee
Re: About Xen: maybe a reiterative question but ..
* L. V. Lammert [EMAIL PROTECTED] [2007-10-25 00:11]: At 11:26 PM 10/24/2007 +0200, Henning Brauer wrote: * L. V. Lammert [EMAIL PROTECTED] [2007-10-24 23:22]: Running different application domains on separate VMs provides isolation BETWEEN those application domains. no, it does not. Is that your ostrich response? it has been pointed out several times that virtualization does not provide the isolation you keep talking about. you keep repeating it does. just like vmware marketing co. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: About Xen: maybe a reiterative question but ..
L. V. Lammert wrote: gibberish
Re: About Xen: maybe a reiterative question but ..
Paul de Weerd wrote: Why compare this to all departments on one machine, all on the same OS ? That's not a fair comparison. Why? Because that's what happens *anyway*. -- Matthew Weigel hacker [EMAIL PROTECTED]
Re: About Xen: maybe a reiterative question but ..
At 05:27 PM 10/24/2007 -0500, Tony Abernethy wrote: L. V. Lammert wrote: gibberish Wow, such intelligence. Now we get crap instead of ostrich logic. Sheesh. Lee
new dell install completed, but...
all, I'm happy to read whatever I need to, in order to get this system running. I come before this list humbly. Please don't flame my ass with RTFMs :) I have a new Dell Optiplex 745 with an Intel Core 2 Duo. this system completed the install. Now on boot it hangs after: wskbd1: connecting to wsdisplay0 the only issue I had during install was that the on-board nic would not grab a dhcp address - but the pci nic did. how can I troubleshoot this further? I followed the FAQ for the install - and I've looked at the common issues after install. years ago I had an issue with a piece of hardware that I had to exclude. but I don't recall how I got into that particular sub system to deactivate it. Is there something I can do at the boot prompt? Humbly yours, Metajunkie -- 010101010101010101010101010101010 010101010101010101010101010101010 0101010101 Meta Junkie 101010101010 010101010101010101010101010101010 010101010101010101010101010100101
Re: About Xen: maybe a reiterative question but ..
On Oct 24, 2007, at 3:41 PM, Theo de Raadt wrote: We know what a VM operating system has to do to deal with the PC architecture. It is too complex to get perfectly right. I concur with this assessment and the discussion of actual x86 PC implementation vs. 390 architecture which led up to it. -- Jack J. Woehr Director of Development Absolute Performance, Inc. [EMAIL PROTECTED] 303-443-7000 ext. 527
Problem with disk size
Hello all! I have an OpenBSD-box with two 250G drives inside (and some SCSI). Trying to use one of the drives as a whole gave this from disklabel:

$ sudo disklabel -p g wd0
[snip]
16 partitions:
#                size           offset  fstype [fsize bsize  cpg]
  c:           233.8G             0.0G  unused      0     0      # Cyl     0 - 486343
  d:           233.8G             0.0G  4.2BSD   2048 16384   16 # Cyl     0*- 486343*

but df -h says:

/dev/wd0d      7.8G    7.4G    4.2M   100%

and I can't create any new files on the drive. What could be the problem here? Any hints appreciated. dmesg attached. Jon Sjvstedt _O_ OpenBSD 3.9 (GENERIC) #617: Thu Mar 2 02:26:48 MST 2006 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC cpu0: Intel Pentium III (GenuineIntel 686-class) 665 MHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE real mem = 536387584 (523816K) avail mem = 482426880 (471120K) using 4278 buffers containing 26923008 bytes (26292K) of memory mainbus0 (root) bios0 at mainbus0: AT/286+(00) BIOS, date 05/31/00, BIOS32 rev. 0 @ 0xfdae0 apm0 at bios0: Power Management spec V1.2 apm0: AC on, battery charge unknown apm0: flags 30102 dobusy 0 doidle 1 pcibios0 at bios0: rev 2.1 @ 0xf/0x1 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf7710/176 (9 entries) pcibios0: PCI Interrupt Router at 000:07:0 (VIA VT82C686 ISA rev 0x00) pcibios0: PCI bus #1 is the last bus bios0: ROM list: 0xc/0x1 0xd/0x8000 cpu0 at mainbus0 pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 VIA VT82C691 PCI rev 0xc4 ppb0 at pci0 dev 1 function 0 VIA VT82C598 AGP rev 0x00 pci1 at ppb0 bus 1 vga1 at pci1 dev 0 function 0 NVIDIA Riva TNT2 rev 0x15 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) pcib0 at pci0 dev 7 function 0 VIA VT82C686 ISA rev 0x1b uhci0 at pci0 dev 7 function 2 VIA VT83C572 USB rev 0x0e: irq 12 usb0 at uhci0: USB revision 1.0 uhub0 at usb0 uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1 uhub0: 2 ports with 2 removable, self powered uhci1 at pci0 dev 7 
function 3 VIA VT83C572 USB rev 0x0e: irq 12 usb1 at uhci1: USB revision 1.0 uhub1 at usb1 uhub1: VIA UHCI root hub, rev 1.00/1.00, addr 1 uhub1: 2 ports with 2 removable, self powered viaenv0 at pci0 dev 7 function 4 VIA VT82C686 SMBus rev 0x20 ahc0 at pci0 dev 9 function 0 Adaptec AHA-2940U rev 0x00: irq 10 scsibus0 at ahc0: 16 targets sd0 at scsibus0 targ 0 lun 0: SEAGATE, ST39102LW, 0004 SCSI2 0/direct fixed sd0: 8683MB, 6962 cyl, 12 head, 212 sec, 512 bytes/sec, 17783240 sec total sd1 at scsibus0 targ 1 lun 0: SEAGATE, ST39102LW, 0004 SCSI2 0/direct fixed sd1: 8683MB, 6962 cyl, 12 head, 212 sec, 512 bytes/sec, 17783240 sec total sd2 at scsibus0 targ 2 lun 0: IBM, DNES-309170, SAH0 SCSI3 0/direct fixed sd2: 8748MB, 11474 cyl, 5 head, 312 sec, 512 bytes/sec, 17916240 sec total cd0 at scsibus0 targ 3 lun 0: SONY, CD-RW CRX140S, 1.0e SCSI4 5/cdrom removable pciide0 at pci0 dev 10 function 0 CMD Technology PCI0680 rev 0x02 pciide0: bus-master DMA support present pciide0: channel 0 configured to native-PCI mode pciide0: using irq 9 for native-PCI interrupt wd0 at pciide0 channel 0 drive 0: Maxtor 6L250R0 wd0: 16-sector PIO, LBA48, 239372MB, 490234752 sectors wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5 pciide0: channel 1 configured to native-PCI mode wd1 at pciide0 channel 1 drive 0: Maxtor 6L250R0 wd1: 16-sector PIO, LBA48, 239372MB, 490234752 sectors wd1(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 5 dc0 at pci0 dev 11 function 0 Davicom DM9102 rev 0x31: irq 12, address 00:80:ad:72:3b:17 amphy0 at dc0 phy 1: DM9102 10/100 PHY, rev. 
0 emu0 at pci0 dev 12 function 0 Creative Labs SoundBlaster Live rev 0x05: irq 11 ac97: codec id 0x54524123 (TriTech Microelectronics TR28602) audio0 at emu0 Creative Labs PCI Gameport Joystick rev 0x05 at pci0 dev 12 function 1 not configured isa0 at pcib0 isadma0 at isa0 pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0: console keyboard, using wsdisplay0 pcppi0 at isa0 port 0x61 midi0 at pcppi0: PC speaker spkr0 at pcppi0 lpt0 at isa0 port 0x378/4 irq 7 npx0 at isa0 port 0xf0/16: using exception 16 pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo fdc0 at isa0 port 0x3f0/6 irq 6 drq 2 fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec isapnp0 at isa0 port 0x279: read port 0x203 Maxi Sound 64 Series, ESS8600, , at isapnp0 port 0x800/8 not configured Maxi Sound 64 Series, ESS8601, , at isapnp0 port 0x220/16,0x388/4,0x300/2 irq 5 drq 1,0 not configured Maxi Sound 64 Series, ESS8602, , at isapnp0 port 0x201/1 not configured Maxi Sound 64 Series, ESS8603, , at isapnp0 port 0x330/6 irq 5 not configured biomask f765 netmask f765 ttymask f7e7 pctr: 686-class user-level performance counters enabled
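The mismatch in the post above (a 233.8G "d" partition whose mounted filesystem reports only 7.8G) is the usual signature of a filesystem that was created while the label entry was smaller: a filesystem keeps the size it had when newfs(8) ran, and enlarging the disklabel entry afterwards does not enlarge it. The following is an added example, not part of the original post or of OpenBSD, that compares disklabel -p g output with df -h output for every 4.2BSD partition on a disk and flags any filesystem that covers much less than its partition. The sample label and df lines are constructed from the values quoted in the post (with an assumed mount point); the disk name and the 95% threshold are assumptions.

```shell
#!/bin/sh
# Added example: flag filesystems that are much smaller than the disklabel
# partition they live in. A filesystem keeps the size it had at newfs(8) time,
# so a label entry that was grown later still carries the old, small filesystem.

# Constructed sample output, modelled on the post's values (not real captures).
SAMPLE_LABEL='16 partitions:
#                size           offset  fstype [fsize bsize  cpg]
  c:           233.8G             0.0G  unused      0     0      # Cyl     0 - 486343
  d:           233.8G             0.0G  4.2BSD   2048 16384   16 # Cyl     0*- 486343*'

SAMPLE_DF='Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/wd0d      7.8G    7.4G    4.2M   100%    /data'

# to_bytes SIZE: convert a human-readable size (233.8G, 4.2M, 512) to bytes.
to_bytes() {
    printf '%s\n' "$1" | awk '{
        unit = substr($0, length($0), 1)
        value = substr($0, 1, length($0) - 1)
        if (unit == "T")      mult = 1099511627776
        else if (unit == "G") mult = 1073741824
        else if (unit == "M") mult = 1048576
        else if (unit == "K") mult = 1024
        else { mult = 1; value = $0 }      # bare number: already bytes
        printf "%.0f\n", value * mult
    }'
}

# check_fs_vs_label DISK LABEL_TEXT DF_TEXT
# Prints one line per 4.2BSD partition whose mounted filesystem covers less
# than 95% of the partition (threshold is an assumption); returns 1 if any
# such partition was found, 0 otherwise. DISK is the label device, e.g. wd0.
check_fs_vs_label() {
    disk=$1; label=$2; dftext=$3; mismatches=0
    # Partition letter and label size for every entry carrying a 4.2BSD filesystem.
    parts=$(printf '%s\n' "$label" |
        awk '$1 ~ /^[a-p]:$/ && $4 == "4.2BSD" { sub(":", "", $1); print $1 "=" $2 }')
    for entry in $parts; do
        part=${entry%%=*}; psize=${entry#*=}
        # Size df reports for /dev/<disk><part>, empty if it is not mounted.
        fsize=$(printf '%s\n' "$dftext" | awk -v dev="/dev/$disk$part" '$1 == dev { print $2 }')
        [ -n "$fsize" ] || continue
        pb=$(to_bytes "$psize"); fb=$(to_bytes "$fsize")
        [ "$pb" -gt 0 ] || continue
        pct=$(( fb * 100 / pb ))
        if [ "$pct" -lt 95 ]; then
            echo "$disk$part: filesystem $fsize uses only $pct% of the $psize partition"
            mismatches=1
        fi
    done
    return $mismatches
}

# Run against the constructed sample; reports the d partition from the post.
if ! check_fs_vs_label wd0 "$SAMPLE_LABEL" "$SAMPLE_DF"; then
    echo "at least one filesystem is much smaller than its partition;" >&2
    echo "the usual cause is a filesystem created before the partition was enlarged" >&2
fi
```

On a live system the two inputs would come from `disklabel -p g wd0` and `df -h`; the script only reads them, so it is safe to run as a check before deciding whether the filesystem needs to be recreated (or grown) to match the label.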
Re: How can i boot a bsd.rd from windows 2000 ?
Christopher Bianchi skrev: Hello everyone. My situation is this: I've a laptop, a Sharp pc-ax10 with Windows 2000 preinstalled, without cdrom or floppy. I wish to install OpenBSD on it. Naturally the bios can't boot from USB. So I've thought to boot the bsd.rd, but how? The faq explains the procedure from an older OpenBSD operating system... I've Windows 2000 on it. Is it possible? And if it is possible, in which way? Where must I put the bsd.rd and in which way can I boot from it? If all other booting possibilities were unavailable, I'd try this (though I cannot say for sure it'd work): first: BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP (well no, I would probably not, but it's strongly recommended) and then, - make room for bsd partition with e.g. Partition Magic. - create a primary partition (of any type) to use for the OpenBSD install. You'll probably have to change the type to A6 in fdisk during the OpenBSD install. - create a virtual machine in vmware that uses the physical disk and a virtual cdrom (with mounted installXX.iso). Install openbsd carefully TO THE FREED PARTITION ONLY - do NOT ``use the entire disk for openbsd''! (Yes, this requires some fiddling with fdisk manually, but having a Windows tool creating the partition with the right offset and size helps a lot - then you only need to change the type). - After the installation is done, copy the mbr (as per the FAQ mentioned earlier in the thread) to the windows machine via network, usb stick, whatever. - Throw the mbr into 'C:\openbsd.mbr' and fix C:\boot.ini (FAQ too). - Boot your favourite os and don't forget: BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP cheers /Alexander
Re: About Xen: maybe a reiterative question but ..
On 24-Oct-07, at 5:59 PM, L. V. Lammert wrote: At 03:31 PM 10/24/2007 -0600, Theo de Raadt wrote: You must be more qualified with regards to the actual code than I am because I flat out don't believe this at all. Believe what? OBSD is secure? I thought you were proud of the project? Sheesh! If our leader doesn't believe OBSD is secure, we ALL better be running for cover. Linux, anyone? So you judge the security of the operating system by how many (possibly brash) risks its developers are willing to take with it? That's counter-intuitive. If I'm looking for security, I'd rather get my software from a developer who isn't satisfied because (s)he is more likely to work harder to improve it and be much more careful while doing it. If confidence is all that matters, then heck, let's get rid of all the privilege separation and other risk-minimizing techniques because you don't need them when your code is flawless, right?
sanely designed hardware?
After enjoying the Xen thread, and the comments about the horrid mess that is x86 hardware design, I'm wondering what hardware on which OpenBSD will run _is_ well designed. Who makes a hardware architecture that is open (enough) that OpenBSD can run fully on it, and that has good performance? I'm assuming that it's not COTS and so will cost more than x86. Note that I'm not asking: who makes good hardware on which we can then run Xen. I'm talking about a solid piece of hardware on which to run one and only one OpenBSD. Doug.
Re: About Xen: maybe a reiterative question but ..
Hi! I think you are missing the point about x86 hardware being a mess. Theo made an excellent point about the architecture itself having so many filthy quirks. If a VM is compromised through any means, that attacker can now leverage the dirty architecture to bypass the hypervisor's (supposed) isolation techniques. If the attacker can utilize the VM to infiltrate the hypervisor, even more damage can be done. The entire point is this: You cannot increase security by putting more things on one physical server. You can run your different 'Application Domains' on different physical servers. That is much closer to security than through obscurity. -Brian L. V. Lammert wrote: At 03:31 PM 10/24/2007 -0600, Theo de Raadt wrote: Certainly there is a small, compound risk increase due to multiple OS images involved, but the OS images must be analyzed independently FIRST, and THOSE risks addressed. Certainly you pulled that assessment out of your ass. I thought it was obvious, .. but I know you have better things on your mind. I DO mind you liking my ass, however - ain't gonna happen. **IF** OBSD were available as a host OS, that would be good security. You must be more qualified with regards to the actual code than I am because I flat out don't believe this at all. Believe what? OBSD is secure? I thought you were proud of the project? Sheesh! If our leader doesn't believe OBSD is secure, we ALL better be running for cover. Linux, anyone? If you're saying that OBSD will never be modified to run AS a XEN hypervisor, that's probably a true statement. No need to corrupt a decent OS with GPL s/w. If not, then security issues compound due to multiple guest OSs and each set of inherent vulnerabilities. security issues and protections do not add up like numbers. Sure they do. If I'm running Windoze as a guest OS, there are hundreds or thousands of possible vulnerabilities. If I'm running OBSD as a guest OS, guess what (I hope you don't have to??) - few to none. 
There is no way to 'compound threat [interaction]', but that doesn't detract from the basic truth - the lower the risk/number of vulnerabilities of the OS, the better off you are. As a corollary, you might also say that there is no way to improve the security of a server without improving the security of the OS. No matter how you twist the logic, however, a VM provides a good level of application domain security, from the standpoint that each set of domain users and applications can only see the services provided within that domain guest OS. The phrase application domain security is a cover-up statement that means I have already decided to run the multiple things on one box because I am cheap, and I need to invent reasons why I can continue doing so. Huh?? Do you know what an application domain is? Guess not - here's a definition: Application + Users + Access Method = Application Domain Examples: File/Print, httpd, DB, . . . The more discrete the security model (i.e. File/Print users are not valid on the httpd server) the better. Lee [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
Re: About Xen: maybe a reiterative question but ..
On Wed, Oct 24, 2007 at 05:44:37PM -0500, L. V. Lammert wrote:

At 05:27 PM 10/24/2007 -0500, Tony Abernethy wrote:

L. V. Lammert wrote: gibberish

Wow, such intelligence

Now we get crap instead of ostrich logic. Sheesh.

Actually, that's a fair assessment at this point. Looking at what you've written, you seem to consider OpenBSD to be pretty secure. By extension, let's assume the developers, and Theo in particular, have some darned good knowledge about security and some priorities in that regard. Then, when Theo and developers (and others in this community) weigh in and tell you that virtualization is not more secure, but less, you continue and continue.

As someone who doesn't know a great deal about virtualization, I can tell you that you're not convincing me of anything with your arguments. I feel confident in saying that you're not convincing any of the devs, either. And I doubt you've done much for this cause with the list members at large. So what the hell are you doing? Just flaming now? Gave up trying to show something and just trying to get a few jabs in?

As someone who reads this list and would like to know more about virtualization, pros and cons, I ask you to put more actual meat into your posts if you're going to continue. As it stands, gibberish fits all too well.

--
Darrin Chandler | Phoenix BSD User Group | MetaBUG
[EMAIL PROTECTED] | http://phxbug.org/ | http://metabug.org/
http://www.stilyagin.com/ | Daemons in the Desert | Global BUG Federation
Re: Problem with disk size
Jon Sjvstedt wrote:

Hello all! I have an OpenBSD-box with two 250G drives inside (and some SCSI). Trying to use one of the drives as a whole gave this from disklabel

$ sudo disklabel -p g wd0
[snip]

don't snip.

16 partitions:
#     size  offset  fstype [fsize bsize cpg]
  c: 233.8G    0.0G  unused      0     0      # Cyl 0-486343
  d: 233.8G    0.0G  4.2BSD   2048 16384   16 # Cyl 0*-486343*

but df -h says:

/dev/wd0d   7.8G   7.4G   4.2M   100%

and I can't create any new files on the drive. What could be the problem here? Any hints appreciated. dmesg attached.

thanks for the dmesg. You tried darned hard to obscure this (I really don't care how many G your disk is, I care about which sectors you are using), but it does appear that you opted to not properly partition your disk. The fact that you didn't show the output of fdisk causes me to believe you knew it, though you may not have recognized the significance. ;)

Your OpenBSD subpartition appears to start at sector zero. Bad idea. This means, whether by design or by accident, you don't have an fdisk partition table (aka, MBR) on the disk. Also a bad idea. On some platforms, i386 is one of them, you must use fdisk partitions, and your disklabel partitions must start at a one track offset (in your case, probably 63 sectors). When you don't follow the rules, ugly things happen.

It isn't the size of the disk, it's the way it's laid out that is giving you problems. See faq14.html...

Nick.
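As an added check for the layout rule Nick describes (this is not code from the thread or from OpenBSD), the function below reads disklabel output in sector units and flags any filesystem partition that begins inside the first track or runs past the end of the disk. The sample labels are constructed to match the poster's 233.8G drive (490234752 sectors); sector units are used deliberately, because the `-p g` output in the post rounds a 63-sector offset down to `0.0G` and hides exactly the problem being diagnosed.

```python
import re

# Matches a disklabel partition line in sector units: "  d: <size> <offset> <fstype> ..."
LABEL_RE = re.compile(r"^\s*([a-p]):\s+(\d+)\s+(\d+)\s+(\S+)")

# Constructed samples (not the poster's real output); 490234752 sectors = 233.8G.
BAD_LABEL = """\
16 partitions:
#             size        offset  fstype [fsize bsize  cpg]
  c:      490234752             0  unused      0     0      # Cyl     0 - 486343
  d:      490234752             0  4.2BSD   2048 16384   16 # Cyl     0 - 486343
"""
GOOD_LABEL = """\
16 partitions:
#             size        offset  fstype [fsize bsize  cpg]
  a:      490234689            63  4.2BSD   2048 16384   16 # Cyl     0*- 486343
  c:      490234752             0  unused      0     0      # Cyl     0 - 486343
"""


def parse_disklabel(text):
    """Return (letter, size, offset, fstype) for every partition line found."""
    return [(m.group(1), int(m.group(2)), int(m.group(3)), m.group(4))
            for m in map(LABEL_RE.match, text.splitlines()) if m]


def check_layout(text, track_sectors=63):
    """Flag filesystem partitions that overlap the first track or run past the disk."""
    parts = parse_disklabel(text)
    disk_size = next((size for letter, size, _, _ in parts if letter == "c"), None)
    problems = []
    for letter, size, offset, fstype in parts:
        if letter == "c" or fstype == "unused":
            continue  # 'c' describes the whole disk; an unused slot holds no data
        if offset < track_sectors:
            problems.append(f"{letter}: offset {offset} lies inside the first track "
                            f"(sectors 0-{track_sectors - 1} are reserved for the MBR)")
        if disk_size is not None and offset + size > disk_size:
            problems.append(f"{letter}: ends at sector {offset + size}, "
                            f"past the disk end at {disk_size}")
    return problems


if __name__ == "__main__":
    for name, label in (("bad", BAD_LABEL), ("good", GOOD_LABEL)):
        print(name, check_layout(label) or "ok")
```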
Re: new dell install completed, but...
[EMAIL PROTECTED] wrote:

all, I'm happy to read whatever I need to, in order to get this system running. I come before this list humbly. Please don't flame my ass with RTFMs :)

I have a new Dell Optiplex 745 with an Intel Core 2 Duo. this system completed the install. Now on boot it hangs after:

wskbd1: connecting to wsdisplay0

the only issue I had during install was that the on-board nic would not grab a dhcp address - but the pci nic did. how can I troubleshoot this further? I followed the FAQ for the install - and I've looked at the common issues after install. years ago I had an issue with a piece of hardware that I had to exclude. but I don't recall how I got into that particular sub system to deactivate it. Is there something I can do at the boot prompt?

Humbly yours, Metajunkie

First, make sure you are trying a snapshot, not 4.1 or older. If you are using 4.2, still try a snapshot, a lot has happened since 4.2 already. If that fixes your problem, you are done. (the onboard NIC problem is hinting to me that you are using an older version).

If that doesn't, the good news is since it installed with the bsd.rd kernel but won't run GENERIC, it is probably just a matter of turning the right device driver off. GENERIC has more in it than bsd.rd does.

http://www.openbsd.org/faq/faq5.html#BootConfig

(see the next two sections as well, which are also appropriate for you)

I don't recall if I ever installed OpenBSD on a 745. Certainly did a fair amount with a 620 (which worked fine).

Nick.
Re: About Xen: maybe a reiterative question but ..
L. V. Lammert [EMAIL PROTECTED] wrote:

If not, then security issues compound due to multiple guest OSs and each set of inherent vulnerabilities.

security issues and protections do not add up like numbers.

Sure they do. If I'm running Windoze as a guest OS, there are hundreds or thousands of possible vulnerabilities. If I'm running OBSD as a guest OS, guess what (I hope you don't have to??) - few to none. There is no way to 'compound threat [interaction]', but that doesn't detract from the basic truth - the lower the risk/number of vulnerabilities of the OS, the better off you are. As a corollary, you might also say that there is no way to improve the security of a server without improving the security of the OS.

This has *nothing* to do with VM security. The issue with VM security is that:

1. if any guest is compromised, all guests and the host are in danger.
2. if any user or administrator of a guest is malicious, all guests and the host are in danger.

This threat is NOT because of any possible interaction (network/services etc.) between the guests and/or the host. It is because of a completely different attack vector, the VM system. The 'virtual hardware' that *all* host and guest OS systems implicitly trust to behave well can be subverted. You should NEVER trust a virtual machine to properly isolate the guests. It is a good approximation to having separate boxes, but it is NOT a security barrier.

No matter how you twist the logic, however, a VM provides a good level of application domain security, from the standpoint that each set of domain users and applications can only see the services provided within that domain guest OS.

The phrase application domain security is a cover-up statement that means I have already decided to run the multiple things on one box because I am cheap, and I need to invent reasons why I can continue doing so.

Huh?? Do you know what an application domain is? Guess not - here's a definition:

Application + Users + Access Method = Application Domain

Examples: File/Print, httpd, DB, . . .

The more discrete the security model (i.e. File/Print users are not valid on the httpd server) the better.

What you try to describe in a somewhat clumsy and roundabout way corresponds to moving different applications to their respective/isolated machines. This is actually a good thing to do for security. However, depending on the applications and the interactions between them, you may sometimes end up with a more complex/less secure architecture. But this is not the point.

What you fail to realize is that, when you try to implement this using a VM system, you actually break the isolation. The fact that well behaved applications and OS's work peacefully side by side under a VM setup DOES NOT mean that a malicious program and/or user is not able to break that isolation.

Consider a web application login form with an SQL injection vulnerability. It validates the users and works perfectly fine 100% of the time, passes all tests. Denies incorrect passwords etc. UNTIL one malicious user decides to enter ' or 1=1;-- as his password.

In a VM system the security of the *entire* system depends on the weakest link in only one of the OS's. To continue your example, you can install as many OpenBSD guests as you like. It takes one windows/linux whatever guest to break them all. That is why the protections do not 'add up'.

Can
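The login form in the post is the textbook "passes every test until one hostile input arrives" case. As an added illustration (not code from the thread), the two ways of building that query side by side against a constructed in-memory SQLite table: the concatenated version accepts the `' or 1=1;--` password from the post, while the bound-parameter version keeps the same string as data and rejects it. The account name and password below are made up for the example.

```python
import sqlite3


def make_db():
    """Constructed users table with one made-up account (not from the post)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return db


def login_vulnerable(db, user, password):
    """Query assembled by string concatenation: the input becomes part of the SQL,
    so a quote in the password rewrites the WHERE clause."""
    query = ("SELECT name FROM users WHERE name = '" + user +
             "' AND password = '" + password + "'")
    return db.execute(query).fetchone() is not None


def login_fixed(db, user, password):
    """Bound parameters: the driver passes the input to the engine as a value,
    so it can never change the structure of the statement."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return db.execute(query, (user, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    for user, pw in (("alice", "correct horse"), ("anyone", "' or 1=1;--")):
        print(repr(pw), "vulnerable:", login_vulnerable(db, user, pw),
              "fixed:", login_fixed(db, user, pw))
```

Both functions agree on every ordinary credential, which is exactly why a test suite of valid and invalid passwords never notices the difference.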