Re: Perpetually Current

2007-12-28 Thread Amarendra Godbole
On Dec 28, 2007 4:07 AM, Ingo Schwarze [EMAIL PROTECTED] wrote:
[...]
 Keeping a system up to date involves manual work,
 either a little easy work for manual upgrades now and then,
 or lots of hard and scary work for building and maintaining
 an automatic system.  You choose according to your skill,
 and according to your time budget...
[...]

The closest I have come to automation to stay -current is a small
shell script run through cron, which pulls current.html and diffs it
with a previous version. Any change, and it sends me an email so that
I know I have to go and look at current.html.

That's about it. As Ingo rightly mentions, full automation to stay
-current is a very scary thought!

-Amarendra
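
A sketch of the kind of cron job described above, as an added example that is not Amarendra's script: it fetches current.html, diffs it against the stored copy and mails the diff, so a human still reads the change before touching the system. The URL, state directory, recipient and the use of OpenBSD ftp(1) and mail(1) are assumptions.

```shell
#!/bin/sh
# Added example (assumptions: URL, STATE_DIR, RCPT, ftp(1) and mail(1)).
# Notifies on changes to current.html; it never applies anything itself.

URL="${URL:-https://www.openbsd.org/faq/current.html}"   # assumed location
STATE_DIR="${STATE_DIR:-$HOME/.current-watch}"           # assumed path
RCPT="${RCPT:-root}"                                     # assumed recipient

# fetch_page URL OUTFILE: download the page; non-zero exit on failure.
fetch_page() {
    ftp -V -o "$2" "$1"
}

# compare_snapshot NEW STATE_DIR DIFF_OUT
# Return codes:
#   0  page changed, unified diff written to DIFF_OUT, baseline updated
#   1  page unchanged
#   2  first run, baseline stored, nothing to report
#   3  unusable input (empty or missing download) or diff error;
#      the baseline is left untouched so a failed fetch is not
#      mistaken for a change on the next run
compare_snapshot() {
    _new=$1
    _dir=$2
    _out=$3
    _prev="$_dir/current.html"

    [ -s "$_new" ] || return 3
    mkdir -p "$_dir" || return 3

    if [ ! -f "$_prev" ]; then
        cp "$_new" "$_prev"
        return 2
    fi

    _rc=0
    diff -u "$_prev" "$_new" > "$_out" || _rc=$?
    case $_rc in
        0) return 1 ;;                       # identical
        1) cp "$_new" "$_prev"; return 0 ;;  # differs: keep new baseline
        *) return 3 ;;                       # diff itself failed
    esac
}

# watch_current: one polling cycle, intended to be run from cron.
watch_current() {
    tmp=$(mktemp -d) || return 1
    if ! fetch_page "$URL" "$tmp/new.html"; then
        rm -rf "$tmp"
        return 1
    fi
    rc=0
    compare_snapshot "$tmp/new.html" "$STATE_DIR" "$tmp/changes.diff" || rc=$?
    if [ "$rc" -eq 0 ]; then
        # Mail the diff itself so the reader sees what changed.
        mail -s "current.html changed" "$RCPT" < "$tmp/changes.diff"
    fi
    rm -rf "$tmp"
    [ "$rc" -le 2 ]
}

# Example crontab entry (assumed path): 0 6 * * * /usr/local/bin/watch-current.sh run
if [ "${1:-}" = "run" ]; then
    watch_current
fi
```
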



mfi driver supporting asus SLI mainboards?

2007-12-28 Thread Matthias Tarasiewicz

hello list,
i just read that the asus SLI mainboards have a silicon image sata  
chipset. does that mean we can use this asus mainboards with the mfi  
driver in openbsd? any experiences?


regards,
matthias



Re: mfi driver supporting asus SLI mainboards?

2007-12-28 Thread Jonathan Gray
On Fri, Dec 28, 2007 at 11:20:58AM +0100, Matthias Tarasiewicz wrote:
 hello list,
 i just read that the asus SLI mainboards have a silicon image sata chipset. 
 does that mean we can use this asus mainboards with the mfi driver in 
 openbsd? any experiences?

 regards,
 matthias

This is likely sili(4) not mfi.



Re: backup firewall connectivity

2007-12-28 Thread Henning Brauer
* Aaron [EMAIL PROTECTED] [2007-12-28 03:24]:
 I am wondering,  in a dual firewall situation, preemption enabled, carp 
 working just fine (i think), is it normal that the backup firewall (when in 
 backup state) has no connectivity on any of the carped interfaces?

that depends whether your external carp interface has numbered or
unnumbered parents.
if the parents (carpdev) are unnumbered (no ip assigned), it is quite
normal. otherwise you have sth wrong.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: mfi driver supporting asus SLI mainboards?

2007-12-28 Thread Matthias Tarasiewicz
ah, sorry, my bad - the Areca/Tekram TR-822 is said to have the same  
chipset as the ASUS-A8n-SLI-Deluxe.

so the TR-822 seems to be sili not mfi...

On 28.12.2007, at 11:48, Jonathan Gray wrote:


On Fri, Dec 28, 2007 at 11:20:58AM +0100, Matthias Tarasiewicz wrote:

hello list,
i just read that the asus SLI mainboards have a silicon image sata  
chipset.

does that mean we can use this asus mainboards with the mfi driver in
openbsd? any experiences?

regards,
matthias


This is likely sili(4) not mfi.




Re: Linus about C++

2007-12-28 Thread Tom Van Looy
I advise you to read The Art of Unix Programming by Eric Steven Raymond
http://www.catb.org/~esr/writings/taoup/html/ch14s04.html#cc_language
In this book you can find more about the Unix philosophy, and arguments on why 
C++ is wrong.


- Original message -
From: Brian Hansen [mailto:[EMAIL PROTECTED]
Sent: Friday, December 28, 2007 07:33 AM
To: misc@openbsd.org
Subject: Linus about C++

Hi.

This is partly not OpenBSD related, and yet again someone pointed out that
perhaps a lot of bugs could be avoided using C++. I am writing my big paper
on C and C++ and would like some comments from people who are experts.

Off-list is okay, but maybe others are interested as well.

I found this statement of Linus Torvalds about C++ online:

snip
C++ is a horrible language. It's made more horrible by the fact that a lot
of substandard programmers use it, to the point where it's much much
easier to generate total and utter crap with it. Quite frankly, even if
the choice of C were to do *nothing* but keep the C++ programmers out,
that in itself would be a huge reason to use C.

C++ leads to really really bad design choices. You invariably start using
the nice library features of the language like STL and Boost and other
total and utter crap, that may help you program, but causes:

 - infinite amounts of pain when they don't work (and anybody who tells me
   that STL and especially Boost are stable and portable is just so full
   of BS that it's not even funny)

 - inefficient abstracted programming models where two years down the road
   you notice that some abstraction wasn't very efficient, but now all
   your code depends on all the nice object models around it, and you
   cannot fix it without rewriting your app.

In other words, the only way to do good, efficient, and system-level and
portable C++ ends up to limit yourself to all the things that are
basically available in C. And limiting your project to C means that people
don't screw that up, and also means that you get a lot of programmers that
do actually understand low-level issues and don't screw things up with any
idiotic object model crap.
/snip

Is he right?

Best regards, and forgive me if I am too much off topic.



glxpcib from apropos has wrong adress

2007-12-28 Thread Markus Bergkvist

apropos on 'glxpcib' gives
http://www.openbsd.org/cgi-bin/man.cgi?query=glxpcib&sektion=0&manpath=OpenBSD+Current&arch=i386&apropos=1&format=html
which contains a link to 'glxpcib (4/i386)' which is invalid
http://www.openbsd.org/cgi-bin/man.cgi?query=glxpcib&sektion=4%2fi386&apropos=0&manpath=OpenBSD+Current&arch=i386
should be
http://www.openbsd.org/cgi-bin/man.cgi?query=glxpcib&sektion=4&apropos=0&manpath=OpenBSD+Current&arch=i386

BR,
Markus



Re: Linus about C++

2007-12-28 Thread Erik Wikström
On 2007-12-28 07:33, Brian Hansen wrote:

[snip]

 Is he right?

Yes and no. First of all you should realise that Linus and most other
kernel hackers are biased. When it comes down to it C++ is not a
better or worse language to write a system in than C, it is just a
question about how you use it.

But as Linus wrote, there are a number of people out there who learned
to program in Java and then learned C++ and now think that they can do
some low-level programming. Truth is they can not since they have
learned to think about programming in a very high-level way. Someone
once said something like nothing is impossible with enough layers of
indirection, but none ever claimed that many layers of indirection was
efficient. If you are down in the kernel writing code that will be run
while holding a lock every micro-second counts since you are stalling
the progress of other threads/processes, so you want efficiency.

But if you are writing a complicated GUI for an application that will
run on a 3GHz machine with 2GB RAM a few layers of indirection can be
very nice, and none will notice the few milliseconds you lose.

It is about choosing the right tool for the job, but also about choosing
how to use the tool, just because a hammer is the right tool does not
mean that hammering away is the right way to do things.

-- 
Erik Wikström



Re: Linus about C++

2007-12-28 Thread Marco Peereboom
Wow one comprehensive list of the suckage that is C++.  Thanks Miod now
I don't need to type examples anymore.

On Fri, Dec 28, 2007 at 07:19:11AM +, Miod Vallat wrote:
  Is he right?
  
  If you just search the archive, even not too long ago, 'few days' you 
  will see pretty much the same feeling about C++ on the OpenBSD list as 
  well as pretty much any lists that cares about correct code and clarity 
  in programing.
  
  But don't take my words for it, just look and it will not take you long 
  to find it.
  
  That's really what you should do first. It even start to look like an 
  FAQ topic these days.
  
  If you look into the tree, you will not see much of C++, that alone 
  should be a big clue.
  
  Hopefully this thread will die soon as I feel everything was said on it 
  already
 
 Ah, but no C++ bashing thread can be complete until someone mentions the
 excellent FQA site: http://yosefk.com/c++fqa/
 
 Miod



Re: backup firewall connectivity

2007-12-28 Thread Aaron
 * Aaron [EMAIL PROTECTED] [2007-12-28 03:24]:
 I am wondering,  in a dual firewall situation, preemption enabled, carp
 working just fine (i think), is it normal that the backup firewall (when
 in
 backup state) has no connectivity on any of the carped interfaces?

 that depends wether you external carp interface has numbered or
 unnumbered parents.
 if the parents (carpdev) are unnumbered (no ipassigned),it is quite
 normal. otherwise you have sth wrong.

 --
 Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
 BS Web Services, http://bsws.de
 Full-Service ISP - Secure Hosting, Mail and DNS Services
 Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam


how depressing.. ok.. here is some information, please let me know if
there are other things I should include.

The firewall is a plain jane supermicro pd4sa with a p4 2ghz and 512Mb
memory.  I am not currently at the location with the box so i don't have a
dmesg to post.

There are 5 physical interfaces on the machine, fxp0-3 and rl0 which I use
for my pfsync interface.

in my best ascii art, this is the machine layout.

 |-|
- wanA/carp0   carp2-dmz-
 | |
- wanB/carp1   carp3--lan
 |-|


Here are my interface configs:

main firewall fxp0:
inet 10.125.221.2 255.255.255.0 NONE
main firewall fxp1:
inet 10.126.221.2 255.255.255.0 NONE

backup firewall fxp0:
inet 10.125.221.3 255.255.255.0 NONE
backup firewall fxp1:
inet 10.126.221.3 255.255.255.0 NONE

main firewall Carp0:
inet 192.168.3.65 255.255.255.224 192.168.3.95 vhid 1 carpdev fxp0 pass
tester1
inet alias 192.168.3.66 255.255.255.224
inet alias 192.168.3.67 255.255.255.224
inet alias 192.168.3.68 255.255.255.224
inet alias 192.168.3.69 255.255.255.224
inet alias 192.168.3.70 255.255.255.224
inet alias 192.168.3.71 255.255.255.224
inet alias 192.168.3.72 255.255.255.224
inet alias 192.168.3.73 255.255.255.224
inet alias 192.168.3.74 255.255.255.224
inet alias 192.168.3.75 255.255.255.224
inet alias 192.168.3.76 255.255.255.224
inet alias 192.168.3.77 255.255.255.224
inet alias 192.168.3.78 255.255.255.224
inet alias 192.168.3.79 255.255.255.224
inet alias 192.168.3.80 255.255.255.224
inet alias 192.168.3.81 255.255.255.224
inet alias 192.168.3.82 255.255.255.224
inet alias 192.168.3.83 255.255.255.224
inet alias 192.168.3.84 255.255.255.224
inet alias 192.168.3.85 255.255.255.224
inet alias 192.168.3.86 255.255.255.224
inet alias 192.168.3.87 255.255.255.224
inet alias 192.168.3.88 255.255.255.224
inet alias 192.168.3.89 255.255.255.224
inet alias 192.168.3.90 255.255.255.224
inet alias 192.168.3.91 255.255.255.224
inet alias 192.168.3.92 255.255.255.224
inet alias 192.168.3.93 255.255.255.224

main firewall Carp1:
inet 192.168.3.129 255.255.255.224 192.168.3.159 vhid 2 carpdev fxp1 pass
tester2
inet alias 192.168.3.130 255.255.255.224
inet alias 192.168.3.131 255.255.255.224
inet alias 192.168.3.132 255.255.255.224
inet alias 192.168.3.133 255.255.255.224
inet alias 192.168.3.134 255.255.255.224
inet alias 192.168.3.135 255.255.255.224
inet alias 192.168.3.136 255.255.255.224
inet alias 192.168.3.137 255.255.255.224
inet alias 192.168.3.138 255.255.255.224
inet alias 192.168.3.139 255.255.255.224
inet alias 192.168.3.140 255.255.255.224
inet alias 192.168.3.141 255.255.255.224
inet alias 192.168.3.142 255.255.255.224
inet alias 192.168.3.143 255.255.255.224
inet alias 192.168.3.144 255.255.255.224
inet alias 192.168.3.145 255.255.255.224
inet alias 192.168.3.146 255.255.255.224
inet alias 192.168.3.147 255.255.255.224
inet alias 192.168.3.148 255.255.255.224
inet alias 192.168.3.149 255.255.255.224
inet alias 192.168.3.150 255.255.255.224
inet alias 192.168.3.151 255.255.255.224
inet alias 192.168.3.152 255.255.255.224
inet alias 192.168.3.153 255.255.255.224
inet alias 192.168.3.154 255.255.255.224
inet alias 192.168.3.155 255.255.255.224
inet alias 192.168.3.156 255.255.255.224
inet alias 192.168.3.157 255.255.255.224

backup firewall Carp0:
inet 192.168.3.65 255.255.255.224 192.168.3.95 vhid 1 carpdev fxp0 pass
tester1 advskew 100
inet alias 192.168.3.66 255.255.255.224
inet alias 192.168.3.67 255.255.255.224
inet alias 192.168.3.68 255.255.255.224
inet alias 192.168.3.69 255.255.255.224
inet alias 192.168.3.70 255.255.255.224
inet alias 192.168.3.71 255.255.255.224
inet alias 192.168.3.72 255.255.255.224
inet alias 192.168.3.73 255.255.255.224
inet alias 192.168.3.74 255.255.255.224
inet alias 192.168.3.75 255.255.255.224
inet alias 192.168.3.76 255.255.255.224
inet alias 192.168.3.77 255.255.255.224
inet alias 192.168.3.78 255.255.255.224
inet alias 192.168.3.79 255.255.255.224
inet alias 192.168.3.80 255.255.255.224
inet alias 192.168.3.81 255.255.255.224
inet alias 192.168.3.82 255.255.255.224
inet alias 192.168.3.83 255.255.255.224
inet alias 192.168.3.84 255.255.255.224
inet alias 192.168.3.85 255.255.255.224
inet alias 

Re: sparc64 on Sun Netra T1 with external CD Drive

2007-12-28 Thread new_guy
Still no go. However, it doesn't appear to be a OpenBSD specific issue.
FreeBSD and Debian CD installers won't boot from the external CD drive
either. Currently, I can boot the machine with a Solaris install CD or from
Solaris that had been installed on the HDD prior to me receiving the
computer. Can I copy bsd.rd onto one of the drives and then boot from that
to install?

I also applied Sun's latest firmware to OBP, just to make sure things were
current.

Thanks again,
Brad




Re: glxpcib from apropos has wrong adress

2007-12-28 Thread Jason McIntyre
On Fri, Dec 28, 2007 at 12:57:18PM +0100, Markus Bergkvist wrote:
 apropos on 'glxpcib' gives
 http://www.openbsd.org/cgi-bin/man.cgi?query=glxpcib&sektion=0&manpath=OpenBSD+Current&arch=i386&apropos=1&format=html
 which contains a link to 'glxpcib (4/i386)' which is invalid

it's not invalid. man -S i386 glxpcib will get you the page.

 http://www.openbsd.org/cgi-bin/man.cgi?query=glxpcib&sektion=4%2fi386&apropos=0&manpath=OpenBSD+Current&arch=i386
 should be
 http://www.openbsd.org/cgi-bin/man.cgi?query=glxpcib&sektion=4&apropos=0&manpath=OpenBSD+Current&arch=i386
 

and this is because the script that turns man pages into web links does
not always work ;(

i recommend that people use the online man pages (i.e. the man(1)
command) if they are having issues with the, er, online man pages (i.e.
the web stuff).

jmc



Re: sparc64 on Sun Netra T1 with external CD Drive

2007-12-28 Thread new_guy
Sorry for all the posts. I figured it out. I dd'ed floppy42.fs to one of the
unused drives and booted that way. 



Re: Load balancing

2007-12-28 Thread Manpreet Nehra
I am still working on the same problem, I was able to get 2 ISPs load
balanced and even got the bandwidth aggregated. Now i am trying to
balance 3 ISPs and even with the multipath routing enabled and
configured i am not able to even browse anything. Here is my pf.conf

lan_net = 10.15.0.0/16
int_if  = fxp0
ext_if1 = em0
ext_if2 = em1
ext_if1 = em1
ext_gw1 = 192.168.5.1
ext_gw2 = 192.168.6.1
ext_gw3 = 10.7.0.253

nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)
nat on $ext_if3 from $lan_net to any -> ($ext_if3)

block in  from any to any
block out from any to any


pass out on $int_if from any to $lan_net

pass in quick on $int_if from $lan_net to $int_if

pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2)
, ($ext_if3 $ext_gw3) } round-robin proto tcp from $lan_net to any
flags S/SA modulate state
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2
$ext_gw2), ($ext_if3 $ext_gw3) } round-robin proto { udp, icmp } from
$lan_net to any keep state


pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state
pass out on $ext_if3 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if3 proto { udp, icmp } from any to any keep state

pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if1 route-to ($ext_if3 $ext_gw3) from $ext_if3 to any

pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
pass out on $ext_if2 route-to ($ext_if3 $ext_gw3) from $ext_if3 to any

pass out on $ext_if3 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
pass out on $ext_if3 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any

This setup is not working and the odd thing is i am not even able to
ping the local interfaces with this configuration.

Thanks for the help

Manpreet



Re: Linus about C++

2007-12-28 Thread Gary Baluha
On Dec 28, 2007 7:51 AM, Erik Wikström [EMAIL PROTECTED] wrote:

 On 2007-12-28 07:33, Brian Hansen wrote:

 [snip]

  Is he right?

 Yes and no. First of all you should realise that Linus and most other
 kernel hackers are biased. When it comes down to it C++ is not a
 better or worse language to write a system in than C, it is just a
 question about how you use it.

 But as Linus wrote, there are a number of people out there who learned
 to program in Java and then learned C++ and now think that they can do
 some low-level programming. Truth is they can not since they have
 learned to think about programming in a very high-level way. Someone
 once said something like nothing is impossible with enough layers of
 indirection, but none ever claimed that many layers of indirection was
 efficient. If you are down in the kernel writing code that will be run
 while holding a lock every micro-second counts since you are stalling
 the progress of other threads/processes, so you want efficiency.


 I think that's one of the main problems with programmers today.  All the
schools I know that teach programming, start by teaching Java to the
students.  It's definitely easier to learn Java with little-to-no prior
programming experience, than it is to learn C (I struggled for quite some
time to fully understand and realize how C uses pointers, in all its various
ways).  I think the problem comes when these same programmers see that Java
and C have a similar style of syntax, and think that simply learning the
superficial differences means they now understand the language.  Two
programming languages can look similar on the surface, but be very different
beneath the skin.

I'm also not sold on the concept of object oriented programming in general.
Along the lines of nothing is impossible with enough layers of
indirection, I think too much abstraction also removes the programmer from
what he/she is actually doing.  OOP is a nice concept on paper, until you
realize that most large programming projects are not written by a single
person, and most people will not be coding the entire tree of abstraction
they are using.  This leads to errors that may be very difficult (if not
impossible) to fully track down.



 But if you are writing a complicated GUI for an application that will
 run on a 3GHz machine with 2GB RAM a few layers of indirection can be
 very nice, and none will notice the few milliseconds you lose.

 It is about choosing the right tool for the job, but also about choosing
 how to use the tool, just because a hammer is the right tool does not
 mean that hammering away is the right way to do things.


Yes, that's true, but sometimes using that old trusty tool (C) can be just
as effective as the shiny new tool (Java, C++, etc).



Re: Linus about C++

2007-12-28 Thread Pieter Verberne
On Fri, Dec 28, 2007 at 10:16:08AM -0500, Gary Baluha wrote:
 I think that's one of the main problems with programmers today.  All the
 schools I know that teach programming, start by teaching Java to the
 students.
I'm learning Java at school. I told my teachers that I think it is a
great pity that I've to learn Java while all my favorite software is
written in C and have the code of it! I really would be more
motivated when we would learn C. But well, I do understand they want us
to learn a object oriented programming language. And that is -far- more
practical to use a single PL for all students.

 It's definitely easier to learn Java with little-to-no prior
 programming experience, than it is to learn C (I struggled for quite some
 time to fully understand and realize how C uses pointers, in all its various
 ways).
Oh, I was thinking that C just might be easier since I don't have all
that class/method/method-call shit. But C has its own difficulties
of course.

 I think the problem comes when these same programmers see that Java
 and C have a similar style of syntax, and think that simply learning the
 superficial differences means they now understand the language.  Two
 programming languages can look similar on the surface, but be very different
 beneath the skin.
Sounds like stupid programmers.
 
 I'm also not sold on the concept of object oriented programming in general.
 Along the lines of nothing is impossible with enough layers of
 indirection, I think too much abstraction also removes the programmer from
 what he/she is actually doing.  OOP is a nice concept on paper, until you
 realize that most large programming projects are not written by a single
 person, and most people will not be coding the entire tree of abstraction
 they are using.  This leads to errors that may be very difficult (if not
 impossible) to fully track down.
The (a) 'purpose' of OOP is that I don't need to study the Class-code of
someone else. This makes it possible to focus on your own thing only.
(I don't care about being exactly right here, I think you understand
what I mean)

Pieter Verberne



Re: Embedding OpenBSD

2007-12-28 Thread Unix Fan
This is a neat idea, but personally I think it'll be hard to make the device 0 
maintenance, problems can always occur...



If you're set on using OpenBSD in this project, remove everything from the base 
system that isn't needed... and try running the unit non-stop for 48/hours... 
just to be sure it's not going to die days after you leave the country.



If this all seems horribly complex, use one of Doug's suggestions.



(Consider a modem, or a net card... so remote maintenance is possible..)



Re: Linus about C++

2007-12-28 Thread Gary Baluha
On Dec 28, 2007 11:21 AM, Pieter Verberne [EMAIL PROTECTED] wrote:

 On Fri, Dec 28, 2007 at 10:16:08AM -0500, Gary Baluha wrote:
  I think that's one of the main problems with programmers today.  All the
  schools I know that teach programming, start by teaching Java to the
  students.
 I'm learning Java at school. I told my teachers that I think it is a
 great pity that I've to learn Java while all my favorite software is
 written in C and and have the code of it! I really would be more
 motivated when we would learn C. But well, I do understand they want us
 to learn a object oriented programming language. And that is -far- more
 practical to use a single PL for all students.


There's certainly no problem with using a single programming language to
teach to first or even second year students, and I have no problem with the
chosen language being Java, either.  The problem comes up when some students
think that similar-looking programming languages can be programmed using
nearly identical programming practices.  But in the end, it doesn't really
matter which programming language is taught, as there will always be
students who get the wrong idea, and that was the main thing I was trying to
convey.


  It's definitely easier to learn Java with little-to-no prior
  programming experience, than it is to learn C (I struggled for quite
 some
  time to fully understand and realize how C uses pointers, in all its
 various
  ways).
 Oh, I was thinking that C just might be easier since I don't have all
 that class/method/method-call shit. But C has it's own difficulties
 ofcourse.


Well, I originally learned in C, so learning Java was fairly easy since you
didn't have to do all the memory/pointer management that you have to do in
C, or even C++.  I was also learning C++ around the same time, so by the
time I got to Java, I already had the basic concepts of OOP.  I guess it's
all up to the individual which language is easiest to learn as one's first
programming language.  Still, my opinion is that any advanced programming
language that has automatic garbage collection and memory allocation is
easier to learn.


  I think the problem comes when these same programmers see that Java
  and C have a similar style of syntax, and think that simply learning the
  superficial differences means they now understand the language.  Two
  programming languages can look similar on the surface, but be very
 different
  beneath the skin.
 Sounds like stupid programmers.


Indeed.  I don't know about everyone else's experience, but I find it rare
to come across actual good programmers.  I've met and come across a lot of
programmers who manage to get through their tasks, but don't fully
appreciate what it is that their code is actually doing.


  I'm also not sold on the concept of object oriented programming in
 general.
  Along the lines of nothing is impossible with enough layers of
  indirection, I think too much abstraction also removes the programmer
 from
  what he/she is actually doing.  OOP is a nice concept on paper, until
 you
  realize that most large programming projects are not written by a single
  person, and most people will not be coding the entire tree of
 abstraction
  they are using.  This leads to errors that may be very difficult (if not
  impossible) to fully track down.
 The (a) 'purpose' of OOP is that I don't need to study the Class-code of
 someone else. This makes it possible to focus on your own thing only.
 (I don't care about being exactly right here, I think you understand
 what I mean)

I see where you're coming from, and I fully agree that the concept of OOP is
great.  However, I think blindly using someone else's class code without at
least having a basic understanding of what the underlying code is doing
misses the point.  And this is true whether we're talking about an
OO-language, or a procedural language.  The only difference is, OO-languages
provide the weak programmer more opportunities to abuse the concept than
procedural languages.

I don't claim to be a world-class programmer myself, but I do realize
there is a difference between code that does the job, and code that does the
job well.  And in my opinion, OO-languages simply provide more opportunity
to get the job done poorly by blindly trusting someone else's code, since the
idea is that you shouldn't need to know.  And this is often taught poorly in
school, giving the false impression that you shouldn't _want_ to have a
basic understanding of what the other person's code does.



Re: Linus about C++

2007-12-28 Thread Douglas A. Tutty
On Fri, Dec 28, 2007 at 10:16:08AM -0500, Gary Baluha wrote:
 
 I'm also not sold on the concept of object oriented programming in general.
 Along the lines of nothing is impossible with enough layers of
 indirection, I think too much abstraction also removes the programmer from
 what he/she is actually doing.  OOP is a nice concept on paper, until you
 realize that most large programming projects are not written by a single
 person, and most people will not be coding the entire tree of abstraction
 they are using.  This leads to errors that may be very difficult (if not
 impossible) to fully track down.
 

AIUI, that's where Ada's compile-time checks come in.  With Ada, (if you
choose to do OOP) you have the object definition and the implementation
separate.  If everyone can agree (and hence document) the object
definition, the implementation can change all it wants.  If the person
doing the implementation also changes the definition, then Ada screams
at you since the definition in all places that use the object must
agree.  Ada is designed specifically for the software-engineering world.
It is supposed to do low level stuff well, since most of the embedded
things it runs (e.g. missiles) don't actually have an OS, just the Ada
program accessing the hardware directly.

Doug.



Re: Embedding OpenBSD

2007-12-28 Thread Henning Brauer
* Unix Fan [EMAIL PROTECTED] [2007-12-28 17:44]:
 remove everything from the base system that isn't needed... 

yeah THAT is certainly going to help... deleting binaries saves the 
world!

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: backup firewall connectivity

2007-12-28 Thread Darren Spruell
On Dec 28, 2007 7:13 AM, Aaron [EMAIL PROTECTED] wrote:
 main firewall Carp0:
 inet 192.168.3.65 255.255.255.224 192.168.3.95 vhid 1 carpdev fxp0 pass
 tester1
 inet alias 192.168.3.66 255.255.255.224
 inet alias 192.168.3.67 255.255.255.224

Not to solution your problem, but the correct netmask for interface
aliases is 255.255.255.255.

Refer to archives and hostname.if(5).

DS



Re: Linus about C++

2007-12-28 Thread Marc Espie
On Fri, Dec 28, 2007 at 07:37:54AM -0600, Marco Peereboom wrote:
 Wow one comprehensive list of the suckage that is C++.  Thanks Miod now
 I don't need to type examples anymore.

I will probably regret this, but all of these issues are known, and only
show that C++ is not a simple language.

Real C++ programmers know how to work around these. C++ is all about
giving you choices.

As a list:
- No compile time encapsulation: deliberate language choice. You want to
provide clean C++ interfaces ? you use the `compiler firewall/pimpl' idiom.
As a good example, look at the KDE libraries.  It's all about NOT having to
pay the extra price if you want speed to the detriment of portability.
- complicated grammar: red herring. This does NOT account for any amount of
slowness of C++ compilers. It *does* account for somewhat bad error messages.
It is complicated to build a yacc parser for C++, and thus to add meaningful
error messages.  Every slow C++ compiler out there is slow for other reasons.
Mostly, that you need efficient data structures to take care of namespace
lookup (C doesn't have that issue: it doesn't have any support for namespaces).
And also, that people abuse inline functions.  As far as different compilers
interpreting rules differently, C++ was not standardized until 1998...
Did you try any new-fangled C99 constructs recently ? Like, variable
definitions work everywhere on every C compiler shipped with OpenBSD ? Yeah,
right...
- No easy way to locate definition: mix of stuff inherited from C (where you
can do anything with include files, and thus you're relying on people having
bad habits) and OO practice, where it is indeed often difficult to locate
definitions... That's why smalltalk has browsers...
- No run-time encapsulation. Yeah right... as if there are no smart pointers
out there. Not worse than C.
- No binary implementation rules... partly false. There are ELF ABIs for C++,
fortunately, and Unix implementations follow them these days. That's a bit
like looking at C from 20 years ago. Between COFF, a.out, and other shit,
you did not have a binary implementation either...

Rules for types and operators are fairly complex, granted, but there is
some actual logic. This is well documented in a few books. The main issue
with C++ there is that it is a big language. You want to understand those
rules ? You have to read Scott Meyers.

Exceptions can be managed. Again you have to read Herb Sutter.

And yeah, the standard library is somewhat small.  But there are useful
libraries out there developed on top of C++, and they work (qt is the
one nice example, as far as I'm concerned).

All of this shows the one thing we already know, which is that C++ is
a terribly complicated language that is hard to master. When it's used
properly, by people who know how to program in it, it can be really good
and really fast. I'm still happily using quite a few apps written in C++,
like most of kde, and I don't see them getting rewritten in anything else
yet.

You want OO ? you've got a choice of:
- C++, which *works*.
- java, which is really slow, and not portable at all (and written partly
in C++).
- smalltalk, which is beautiful, very nice, and that no-one uses because it
does not talk to the rest of the world, still locked in its ivory tower.
- eiffel or ada... yeah right, everyone uses them.
- python or perl, which work just fine... perl has about the same set of
defects as C++ (except for speed and reflection). python is probably about
the same, I don't use it enough to comment.

In the end, I still see C++ as a valid choice for *seasoned* programmers.
It is very, very hard to use, and thus I would never recommend it to a
beginner.



Re: Embedding OpenBSD

2007-12-28 Thread Marco Peereboom
What in the world???

Do you drive a car?  if the answer is yes you have an unconnected
embedded device.  Need more examples?

On Fri, Dec 28, 2007 at 08:34:24AM -0800, Unix Fan wrote:
 This is a neat idea, but personally I think it'll be hard to make the device 
 0 maintenance, problems can always occur...
 
 If you're set on using OpenBSD in this project, remove everything from the 
 base system that isn't needed... and try running the unit non-stop for 
 48/hours... just to be sure it's not going to die days after you leave the 
 country.
 
 If this all seems horribly complex, use one of Doug's suggestions.
 
 (Consider a modem, or a net card... so remote maintenance is possible..)



Re: Linus about C++

2007-12-28 Thread Marc Espie
On Fri, Dec 28, 2007 at 10:16:08AM -0500, Gary Baluha wrote:
 I'm also not sold on the concept of object oriented programming in general.
 Along the lines of nothing is impossible with enough layers of
 indirection, I think too much abstraction also removes the programmer from
 what he/she is actually doing.  OOP is a nice concept on paper, until you
 realize that most large programming projects are not written by a single
 person, and most people will not be coding the entire tree of abstraction
 they are using.  This leads to errors that may be very difficult (if not
 impossible) to fully track down.

If you are using OpenBSD, you're probably using pkg_add(1) and friends.

Those tools would be completely impossible to write without a fully OOP
approach.

Tracking bugs through them is reasonable, even though there ARE indeed layers
and layers of indirection in the PackageRepository code...

The level of code sharing is at least two orders of magnitude better than
I could ever achieve with traditional C. Considering the complexity of what
the code does, there are surprisingly few bugs that show up in it.

But, of course, there are good designs and bad designs, and this does not
really depend on the OO nature of the design at all. You can write obfuscated
code in a procedural design, or clean code in an OO design.



Re: Linus about C++

2007-12-28 Thread Marco Peereboom
I disagree with this sentiment.  The quality of programmers these days
is abysmal.  I think that is due in part to being taught wrong in the
first place and then being unable to unlearn bad habits.

By teaching kids in a forgiving language they will never get a feel for
what they are supposed to be thinking about.  I know the marketing says:
focus on the real problem instead of pesky details like memory
management.  I think this is fundamentally wrong.  The programmers I
have hired in the recent past are all EE or CE people.  I have not had a
good candidate in a long time coming from a recent CS program.  The
CE/EE people started on the other side of programming and have very good
skills.  The CS folks are all talk and make way too complex constructs
because they can and their languages let them.  I once had the
pleasure of working on a project that was written in C but compiled
with C++.  I can't even begin to describe how bad and stupid that idea
was.  I spent the better part of 3 years working around compiler bugs,
interoperability issues, etc etc.  But you know what, the design was
super complex and made the architects look smart... until we started
fixing bugs and reversing bad decisions and kludges.  It is safe to say
that it didn't go down well on their year-end-review.

All that said, C++ is a complete and total disaster.  I am to this day
shocked at the success of the C++ marketing campaign.  It is identical
to any presidential race, full of promises but none ever kept.  The
difference is that no one dares to defy the decision that C++ was the
wrong language for the problem.  Everybody has a mortgage to pay and
doesn't want to look like a fool for being part of a bad decision.  The
link Miod pasted is a great resource to get an idea how bad C++ really
is.  The only comment I'll make on java is that it has the capacity to
make a grown man cry.  I still have to see the so called benefit of both
these languages.  It all sounds awesome on paper but when used in the
real world the promises crumble faster than a politician's.


On Fri, Dec 28, 2007 at 11:58:15AM -0500, Gary Baluha wrote:
 On Dec 28, 2007 11:21 AM, Pieter Verberne [EMAIL PROTECTED] wrote:
 
  On Fri, Dec 28, 2007 at 10:16:08AM -0500, Gary Baluha wrote:
   I think that's one of the main problems with programmers today.  All the
   schools I know that teach programming, start by teaching Java to the
   students.
  I'm learning Java at school. I told my teachers that I think it is a
  great pity that I've to learn Java while all my favorite software is
  written in C and I have the code of it! I really would be more
  motivated when we would learn C. But well, I do understand they want us
  to learn an object oriented programming language. And that is -far- more
  practical to use a single PL for all students.
 
 
 There's certainly no problem with using a single programming language to
 teach to first or even second year students, and I have no problem with the
 chosen language being Java, either.  The problem comes up when some students
 think that similar-looking programming languages can be programmed using
 nearly identical programming practices.  But in the end, it doesn't really
 matter which programming language is taught, as there will always be
 students who get the wrong idea, and that was the main thing I was trying to
 convey.
 
 
   It's definitely easier to learn Java with little-to-no prior
   programming experience, than it is to learn C (I struggled for quite
  some
   time to fully understand and realize how C uses pointers, in all its
  various
   ways).
  Oh, I was thinking that C just might be easier since I don't have all
  that class/method/method-call shit. But C has its own difficulties
  of course.
 
 
 Well, I originally learned in C, so learning Java was fairly easy since you
 didn't have to do all the memory/pointer management that you have to do in
 C, or even C++.  I was also learning C++ around the same time, so by the
 time I got to Java, I already had the basic concepts of OOP.  I guess it's
 all up to the individual which language is easiest to learn as one's first
 programming language.  Still, my opinion is that any advanced programming
 language that has automatic garbage collection and memory allocation is
 easier to learn.
 
 
   I think the problem comes when these same programmers see that Java
   and C have a similar style of syntax, and think that simply learning the
   superficial differences means they now understand the language.  Two
   programming languages can look similar on the surface, but be very
  different
   beneath the skin.
  Sounds like stupid programmers.
 
 
 Indeed.  I don't know about everyone else's experience, but I find it rare
 to come across actual good programmers.  I've met and come across a lot of
 programmers who manage to get through their tasks, but don't fully
 appreciate what it is that their code is actually doing.
 
 
   I'm also not sold on the concept of object 

Re: Linus about C++

2007-12-28 Thread Joe S
On Dec 28, 2007 7:16 AM, Gary Baluha [EMAIL PROTECTED] wrote:
 On Dec 28, 2007 7:51 AM, Erik Wikström [EMAIL PROTECTED] wrote:

  On 2007-12-28 07:33, Brian Hansen wrote:
 
  [snip]
 
   Is he right?
 
  Yes and no. First of all you should realise that Linus and most other
  kernel hackers are biased. When it comes down to it C++ is not a
  better or worse language to write a system in than C, it is just a
  question about how you use it.
 
  But as Linus wrote, there are a number of people out there who learned
  to program in Java and then learned C++ and now think that they can do
  some low-level programming. Truth is they can not since they have
  learned to think about programming in a very high-level way. Someone
  once said something like nothing is impossible with enough layers of
  indirection, but none ever claimed that many layers of indirection was
  efficient. If you are down in the kernel writing code that will be run
  while holding a lock every micro-second counts since you are stalling
  the progress of other threads/processes, so you want efficiency.


  I think that's one of the main problems with programmers today.  All the
 schools I know that teach programming, start by teaching Java to the
 students.  It's definitely easier to learn Java with little-to-no prior
 programming experience, than it is to learn C (I struggled for quite some
 time to fully understand and realize how C uses pointers, in all its various
 ways).  I think the problem comes when these same programmers see that Java
 and C have a similar style of syntax, and think that simply learning the
 superficial differences means they now understand the language.  Two
 programming languages can look similar on the surface, but be very different
 beneath the skin.

There is a community college in the San Francisco Bay Area that
encourages learning C before learning any other language.
I've taken intro to C and intermediate C. I didn't do too well with
pointers either. It's tough working full time and attending class
twice a week and studying and living.

Heh.



 I'm also not sold on the concept of object oriented programming in general.
 Along the lines of nothing is impossible with enough layers of
 indirection, I think too much abstraction also removes the programmer from
 what he/she is actually doing.  OOP is a nice concept on paper, until you
 realize that most large programming projects are not written by a single
 person, and most people will not be coding the entire tree of abstraction
 they are using.  This leads to errors that may be very difficult (if not
 impossible) to fully track down.



  But if you are writing a complicated GUI for an application that will
  run on a 3GHz machine with 2GB RAM a few layers of indirection can be
  very nice, and none will notice the few milliseconds you lose.
 
  It is about choosing the right tool for the job, but also about choosing
  how to use the tool, just because a hammer is the right tool does not
  mean that hammering away is the right way to do things.


 Yes, that's true, but sometimes using that old trusty tool (C) can be just
 as effective as the shiny new tool (Java, C++, etc).



Re: Linus about C++

2007-12-28 Thread L

Brian Hansen wrote:

Hi.

This is partly not OpenBSD related, and yet again someone pointed out that
perhaps a lot of bugs could be avoided using C++. I am writing my big paper
on C and C++ and would like some comments from people who are experts.

Off-list is okay, but maybe others are interested as well.

I found this statement of Linus Torvalds about C++ online:

snip
C++ is a horrible language. 
  

snip

Is he right?

Best regards, and forgive me if I am too much off topic.


  


Better than the C++ language would be a safer version of C... no need 
for all C++ features. The problem is people abuse the flexibility of C++.
Or a C with a safer compiler. Which has been done and is being done.. Also 
look into TACK (another C compiler with BSD license).


Look into google and research Limbo, Plan 9, Cyclone, Minix.. and some 
safer 'C' languages that are coming about. There are some hilarious 
biased and funny articles on my wiki about limbo/cyclone too which 
explain why modern 'C' is becoming more safe these days and more 
Wirth/modula like.



L505



Re: Embedding OpenBSD

2007-12-28 Thread Douglas A. Tutty
On Fri, Dec 28, 2007 at 08:34:24AM -0800, Unix Fan wrote:
 
 (Consider a modem, or a net card... so remote maintenance is
 possible..)

The problem with a net card is that then the end-user would have to set
up a dhcp server or somehow have the card set up correctly.  With a
modem, it's pretty standard.  Either have the device's cron try to access
the modem to call home (and if a phone line is connected, it will
succeed) to set up a ppp link, or just set up the modem to allow you to
dial-in and get a login prompt.  Then the end-user just has to supply a
phone line to the unit and you with a phone number.

Doug.



Re: Embedding OpenBSD

2007-12-28 Thread Tobias Weingartner
In article [EMAIL PROTECTED], Nick Holland wrote:
 
  What have I forgotten?  Is there anything else I can do to avoid
  slapping my forehead and saying, D'oh! Forgot to ... before I
  ship it out fully detached?  The good news is I'm pretty sure
  there is at least one OpenBSD developer near-by, but that's just
  all the more reason to make sure I don't screw it up, I'll never
  live it down. :)

Unless you have a need to keep state, I'd not bother in any way to write
to the flash.  I'd have a bsd.rd on there that gets loaded on boot.  No
fsck necessary, completely in ram, etc.

-Toby.
-- 
 [100~Plax]sb16i0A2172656B63616820636420726568746F6E61207473754A[dZ1!=b]salax



Re: Linus about C++

2007-12-28 Thread Gary Baluha
On Dec 28, 2007 12:36 PM, Marc Espie [EMAIL PROTECTED] wrote:

 Rules for types and operators are fairly complex, granted, but there is
 some actual logic. This is well documented in a few books. The main issue
 with C++ there is that it is a big language. You want to understand those
 rules ? You have to read Scott Meyers.


Well, C++ compilers *do* actually compile the code, so I would assume there
is _some_ logic to them ;-)  However, just because there is some logic
behind the rules, doesn't mean it is easily understandable, and that--I
think--is where the real problem is.


 All of this shows the one thing we already know, which is that C++ is
 a terribly complicated language that is hard to master. When it's used
 properly, by people who know how to program in it, it can be really good
 and really fast. I'm still happily using quite a few apps written in C++,
 like most of kde, and I don't see them getting rewritten in anything else
 yet.


Assembly language programming (let's say x86 for the sake of argument) can
also be really good and really fast, but that too depends on someone knowing
what they're doing.  The problem with programming languages is, there are
often many, many ways of accomplishing the same task.  In some cases, there
may even be more than one correct way to do it, depending on what you're
trying to accomplish.  But there are usually many more _incorrect_ ways to
accomplish the task, than correct ways.  C++, because it can do things
procedurally as well as fully object oriented, gives the programmer even
more options; options that can be very powerful when used correctly, but
also very bad (for maintainability, debugging, etc) when used incorrectly.
As the saying goes, With C, you can shoot your foot off. But with C++, you
don't shoot your foot off, you shoot your whole leg off.


 In the end, I still see C++ as a valid choice for *seasoned* programmers.
 It is very, very hard to use, and thus I would never recommend it to a
 beginner.


Hey, despite the flaws of C++, I too support it.  But as you say, it is
extremely difficult to use properly and most effectively.  I just fear that
there are too many programmers out there that aren't willing to admit to
themselves that they simply aren't skilled enough to use the language
properly.  This can be said for any language, but it is worse for those
languages that provide the most options to the programmer.



Programming Course

2007-12-28 Thread Adrian Fisher
I have read some (time does not allow me to read it all) of the threads
about C vs. C++ and would like to know if anyone here has worked through the
courses from either of the following people and if so, what did you think?
I read in the thread with Linus's thoughts of C++ but am curious that if he
is correct the bugs have not been fixed as I am sure there are enough
talented people out there.

http://www.coronadoenterprises.com/
http://computer.howstuffworks.com/c.htm

Thanks in advance.

A.



Re: Embedding OpenBSD

2007-12-28 Thread Gary Baluha
On Dec 27, 2007 10:41 PM, Douglas A. Tutty [EMAIL PROTECTED] wrote:

 I'd wire in a hardware-type heartbeat detector that will power-cycle the
 computer if it stops working.  I'd have a door over the money slot
 powered by the computer so that it only accepts money when it's working.
 You could have a Please wait light to be lit during the reboot.

 Or, you could just rewire an MP3 player to play a tune when it is
 powered on, then just hook the money-detector to the power switch.
 Money turns it on, a timer just longer than the tune turns it off.  No
 computer needed (just a 556-dual-555 timer IC and some spare parts).


I second the idea of something as simple as an MP3 player connected to a
money detector, if that's all it will be doing.  Seems a little over-kill to
get a whole computer, even if it is something as simple as a Soekris (
http://www.soekris.com/, which by the way, is a very nice device).

However, if you do decide you still want an embedded OBSD device, it
certainly is doable.  I have a Soekris net4801 that I am using as my
firewall/router, and it is working like an appliance.  I'm using a 1GB CF
card; it's mounted RW, but for the most part it is really only writing data
to an mfs mount point.  In this case, it's obviously connected to a network,
and I have a monitoring tool running to report back on disk space usage, but
it could easily do without this.

I have a cron job that periodically checks to make sure the mfs mount points
don't fill up, and cleans them out as appropriate.  I have also highly
tuned the log rotation to further ensure mount points don't get filled out.

Should a problem arise, since the CF card is effectively read-only, a reboot
is as simple as unplugging the device and then plugging it back in.  Unless
there is a hardware fault, it will come back up on its own.  For further
protection, you should mount the CF read-only so no mount points there can
accidentally fill up.
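
A sketch of the kind of cron check described in the message above, as an added example that is not Gary's actual script. The function names, the byte budget and the sample `df -P` text are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example: keep a RAM-backed (mfs) log directory under a byte budget by
# deleting the oldest regular files first. All names here are hypothetical.

# Constructed sample of `df -P` output, used to exercise the parser offline.
SAMPLE_DF='Filesystem 512-blocks Used Available Capacity Mounted on
/dev/wd0a 1000000 400000 550000 42% /
mfs:8123 65536 61000 1260 98% /var/log'

# usage_pct MOUNTPOINT: read `df -P` text on stdin, print the Capacity value
# (without the % sign) for that mount point; exit 1 if it is not listed.
usage_pct() {
    awk -v mp="$1" '
        NR > 1 && $NF == mp { sub(/%/, "", $(NF-1)); print $(NF-1); found = 1 }
        END { if (!found) exit 1 }'
}

# dir_bytes DIR: total size of regular files directly in DIR (symlinks skipped).
dir_bytes() {
    b_total=0
    for b_file in "$1"/*; do
        if [ -f "$b_file" ] && [ ! -L "$b_file" ]; then
            b_total=$((b_total + $(wc -c < "$b_file")))
        fi
    done
    echo "$b_total"
}

# prune_oldest DIR BUDGET: remove oldest files until DIR holds at most BUDGET
# bytes; prints how many files were removed. Assumes log file names without
# newlines. Oldest-first deletion discards the earliest records, so anything
# needed as evidence has to be shipped elsewhere before this runs.
prune_oldest() {
    p_dir=$1; p_budget=$2; p_removed=0
    while IFS= read -r p_name; do
        if [ "$(dir_bytes "$p_dir")" -le "$p_budget" ]; then
            break
        fi
        if [ -f "$p_dir/$p_name" ] && [ ! -L "$p_dir/$p_name" ]; then
            rm -f -- "$p_dir/$p_name"
            p_removed=$((p_removed + 1))
        fi
    done <<EOF
$(ls -tr "$p_dir")
EOF
    echo "$p_removed"
    return 0
}

# watch_mount MOUNTPOINT LIMIT_PCT BUDGET: what the cron entry would call,
# e.g.  */10 * * * * /usr/local/sbin/mfswatch.sh   (path is hypothetical)
watch_mount() {
    w_pct=$(df -P "$1" | usage_pct "$1") || return 1
    if [ "$w_pct" -ge "$2" ]; then
        w_n=$(prune_oldest "$1" "$3")
        logger -t mfswatch "$1 at ${w_pct}%, removed $w_n old files"
    fi
    return 0
}
```

Because the budget is counted in bytes of file content rather than filesystem blocks, the pruning result does not depend on the block size of the mfs.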



Re: Linus about C++

2007-12-28 Thread Ted Unangst
On 12/27/07, Miod Vallat [EMAIL PROTECTED] wrote:
 Ah, but no C++ bashing thread can be complete until someone mentions the
 excellent FQA site: http://yosefk.com/c++fqa/

this one alone was priceless: http://yosefk.com/c++fqa/io.html#fqa-15.1
and i've even written more c++ code than c code.



Re: Embedding OpenBSD

2007-12-28 Thread Douglas A. Tutty
On Fri, Dec 28, 2007 at 11:13:18AM -0600, Marco Peereboom wrote:
 Do you drive a car?  if the answer is yes you have an unconnected
 embedded device.  Need more examples?

Well, actually, my car doesn't include a digital computer.  It has an
ignition module that is analog but no sensors.  Nice complicated
carburetor instead of a nice simple fuel injector(s).

Of course, the car is older than any of the mechanics that work on it.
However, I spend under $200 per year on maintenance for the engine.
I've seen the odometer go around twice since I bought it 5 years ago;
it's probably at the 500,000.  

So be careful with generalities...

:)

Doug.



Re: Embedding OpenBSD

2007-12-28 Thread James Records
Use something like flashboot (www.mindrot.org/projects/flashboot)   
perfect for this kind of application, take a look at the package  
management stuff


J
On Dec 28, 2007, at 10:18 AM, Tobias Weingartner wrote:

In article [EMAIL PROTECTED], Nick Holland  
wrote:


What have I forgotten?  Is there anything else I can do to avoid
slapping my forehead and saying, D'oh! Forgot to ... before I
ship it out fully detached?  The good news is I'm pretty sure
there is at least one OpenBSD developer near-by, but that's just
all the more reason to make sure I don't screw it up, I'll never
live it down. :)


Unless you have a need to keep state, I'd not bother in any way to  
write
to the flash.  I'd have a bsd.rd on there that gets loaded on  
boot.  No

fsck necessary, completely in ram, etc.

-Toby.
--
[100~Plax]sb16i0A2172656B63616820636420726568746F6E61207473754A[dZ1! 
=b]salax




Re: Embedding OpenBSD

2007-12-28 Thread Pete Vickers
step 1.  get any old ipod on ebay
step 2. put a single mp3 tune on it
step 3. place it in a big box, with the play button located right  
under a coin sized slot


openbsd is great, but it's not the hammer for all nails...

/Pete


On 28 Dec 2007, at 3:34 AM, Nick Holland wrote:

 I've got a little project I'm working on here.
 It involves stuffing a computer in a donation box with a
 money detector, so every time someone tosses money in the box,
 it plays an MP3 file.

 (no, you can't make a living at this.  At least, *I* can't)

 The first two of these I did were many years ago, and we used a
 486 running a simple DOS app.  Well, computers that run DOS well
 are gone, and trying to bring up a new program to play sound
 files on any of the modern sound chips would be (not) fun...and
 annoying the next time the hardware all changes again.

 So, for this generation, I'm using OpenBSD, mpg321, and a 1G
 CF flash device attached to a CF-IDE interface.

 However, this is the first time I've ever done an OpenBSD system
 that wasn't going to be attached to some kind of network for
 (hopefully) years at a time.  In fact, hopefully, it will NEVER
 be attached to a network.  And, while I got a 1G CF device, I
 could imagine doing something stupid and having it slowly fill
 the CF media and six months from now getting a call saying, It
 died.  Come fix it, and since it will be in another country and
 probably a ten hour drive away, I'd like to avoid that. :)
 Once this thing is deployed, I won't have access to it at all,
 so I'll have no ability to spot a potential problem or fix it.

 SO, to try to keep things quiet, I've disabled the daily, weekly,
 and monthly scripts, I've disabled sendmail in /etc/rc.conf.local.
 Before I ship it out, I'll move /var/log and /var/tmp to point to
 a mfs system, so hopefully, if something starts logging, a power
 cycle will dump everything.  Only 60M is mounted RW, so it fsck's
 very quickly, and my app writes only to the MFS.

 What have I forgotten?  Is there anything else I can do to avoid
 slapping my forehead and saying, D'oh! Forgot to ... before I
 ship it out fully detached?  The good news is I'm pretty sure
 there is at least one OpenBSD developer near-by, but that's just
 all the more reason to make sure I don't screw it up, I'll never
 live it down. :)

 Nick.



Re: When spammers get whitelisted...

2007-12-28 Thread Darrin Chandler
On Thu, Dec 27, 2007 at 09:13:33PM -0800, Allie D. wrote:
 I have had to wipe my spamdb twice in the last month because spammers
 get past my blacklists (I run the ones that come in spamd.conf) and my
 greylisting and just hammer a few of my customers. The spam comes from
 multiple IP's so it's a bitch to block by hand...anyone have any tips on
 blocking these bastards ???

To combat this I use SpamAssassin/bmf (in different scenarios), plus
some procmail rules and relaydb. Good news: it's all in ports/packages.
More good news: Daniel Hartmeier has written this up nicely at
http://www.benzedrine.cx/relaydb.html, which is where I got it from to
begin with.

For me this has reduced spam to the point where it's not worth the extra
effort to reduce it further.

-- 
Darrin Chandler|  Phoenix BSD User Group  |  MetaBUG
[EMAIL PROTECTED]   |  http://phxbug.org/  |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation



Re: Embedding OpenBSD

2007-12-28 Thread L. V. Lammert
On Fri, 28 Dec 2007, Marco Peereboom wrote:

 What in the world???

 Do you drive a car?  if the answer is yes you have an unconnected
 embedded device.  Need more examples?

Indeed! How many Soekris routers are there in 'production', operating with
a config just as suggested?

Lee



building xenocara: configure: error: You must have freetype installed

2007-12-28 Thread Juan Miscaro
Hi,

I am having trouble building xenocara after updating my sources via
cvsup.

I have built non-X world and their release sets but when I come to
building X world:


export XSRCDIR=/usr/xenocara
export XOBJDIR=/usr/xobj

if [ -d $XOBJDIR ]; then
  rm -rf $XOBJDIR
fi

mkdir $XOBJDIR

cd $XSRCDIR

make bootstrap
make obj
make build


After a few minutes it crashes:

checking for freetype-config... no
configure: error: You must have freetype installed; see
http://www.freetype.org/
*** Error code 1

What should I do here?

Thanks for any guidance,

--
juan





Trouble Installing OpenBSD 4.2 stable

2007-12-28 Thread Alan Hamlett
Currently running OpenBSD i386 3.8 with one 20GB IDE drive at wd0a and
one 250gb IDE drive all partitioned for bsd.

Trying to install OpenBSD i386 4.2 from install42.iso by trading the
250gb drive for a cd-rom drive.

I keep getting this error message and I believe it has to do with the
missing 250gb drive:

/dev/rwd0a: file system is clean; not checking
Can't open /dev/rwd1d: Device not configured
CAN'T CHECK FILE SYSTEM.
/dev/rwd1d: UNEXPECTED INCONSISTENCY; RUN fsck_ffs MANUALLY.
Automatic file system check failed; help!

My dmesg output:

OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Celeron (GenuineIntel 686-class, 128KB L2 cache) 498 MHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
real mem  = 199860224 (195176K)
avail mem = 175497216 (171384K)
using 2465 buffers containing 10096640 bytes (9860K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(0e) BIOS, date 01/14/99, BIOS32 rev. 0 @ 0xeca00
pcibios0 at bios0: rev 2.1 @ 0xeca00/0x3600
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfe740/96 (4 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801AA LPC rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x1800 0xe/0x1!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82810E rev 0x03: rng active, 8Kb/sec
vga1 at pci0 dev 1 function 0 Intel 82810E Graphics rev 0x03:
aperture at 0x4400, size 0x400
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb0 at pci0 dev 30 function 0 Intel 82801AA Hub-to-PCI rev 0x02
pci1 at ppb0 bus 1
fxp0 at pci1 dev 1 function 0 Intel 82557 rev 0x08, i82559: irq 11,
address 00:03:47:13:bf:2c
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
ichpcib0 at pci0 dev 31 function 0 Intel 82801AA LPC rev 0x02
pciide0 at pci0 dev 31 function 1 Intel 82801AA IDE rev 0x02: DMA,
channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: WDC WD200EB-00CSF0
wd0: 16-sector PIO, LBA, 19092MB, 39102336 sectors
atapiscsi0 at pciide0 channel 0 drive 1
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: LITE-ON, DVDRW SOHW-1633S, BS0C SCSI0
5/cdrom removable
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 4
cd0(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 4
pciide0: channel 1 disabled (no drives)
uhci0 at pci0 dev 31 function 2 Intel 82801AA USB rev 0x02: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
auich0 at pci0 dev 31 function 5 Intel 82801AA AC97 rev 0x02: irq 11, ICH AC97
ac97: codec id 0x41445348 (Analog Devices AD1881A)
ac97: codec features headphone, Analog Devices Phat Stereo
audio0 at auich0
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
biomask ff6d netmask ff6d ttymask ffef
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302

I tried upgrading to OpenBSD 3.9 and got the same error message.

Thanks for helping!

-- 
Alan Hamlett
http://83p.unitedti.org



Re: Trouble Installing OpenBSD 4.2 stable

2007-12-28 Thread Brian A. Seklecki
On Fri, 2007-12-28 at 17:16 -0600, Alan Hamlett wrote:
 Currently running OpenBSD i386 3.8 with one 20GB IDE drive at wd0a and
 one 250gb IDE drive all partitioned for bsd.
 
 Trying to install OpenBSD i386 4.2 from install42.iso by trading the
 250gb drive for a cd-rom drive.
 
 I keep getting this error message and I believe it has to do with the
 missing 250gb drive:
 
 /dev/rwd0a: file system is clean; not checking
 Can't open /dev/rwd1d: Device not configured
 CAN'T CHECK FILE SYSTEM.
 /dev/rwd1d: UNEXPECTED INCONSISTENCY; RUN fsck_ffs MANUALLY.

The upgrade script tries to read your old fstab(5) and fsck(8) your
existing file systems.

wd1* is attached when your drive is there.  when you replace it with a
ROM it goes away.

The same error would happen if you booted the system w/o the 250
attached in 3.8.

Just comment out wd1* entries in your fstab(8) before you boot into the
install CD.

We're assuming here that wd1* contains data-only and no system
partitions.

~BAS

 Automatic file system check failed; help!
 
 My dmesg output:
 
 OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT 2005
 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
 cpu0: Intel Celeron (GenuineIntel 686-class, 128KB L2 cache) 498 MHz
 cpu0: 
 FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
 real mem  = 199860224 (195176K)
 avail mem = 175497216 (171384K)
 using 2465 buffers containing 10096640 bytes (9860K) of memory
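
The fstab fix from the reply above, as an added example that is not part of the original message. The sample fstab and the function names are constructed for illustration; the code relies only on the standard six-field fstab(5) layout, where a non-zero sixth field (fs_passno) is what makes the boot-time fsck open the device.

```shell
#!/bin/sh
# Added example: find the fstab entries that boot-time fsck will try to check
# on a disk that is no longer attached, and comment out that disk's entries.

# Constructed sample fstab: wd1 is the data-only disk that was unplugged.
SAMPLE_FSTAB='/dev/wd0a / ffs rw 1 1
/dev/wd0d /usr ffs rw,nodev 1 2
/dev/wd1d /data ffs rw,nodev,nosuid 1 2
/dev/wd1e /scratch ffs rw,nodev,nosuid 0 0'

# fsck_entries_on DISK: read fstab text on stdin and print "device mountpoint"
# for each active entry on DISK with fs_passno > 0. These are the entries that
# produce "Can't open /dev/r<disk><part>" when the disk is missing.
fsck_entries_on() {
    awk -v d="$1" '
        BEGIN { re = "^/dev/" d "[a-p]$" }   # wd1 matches wd1a..wd1p, not wd10a
        $1 ~ re && $6 + 0 > 0 { print $1, $2 }'
}

# comment_out_disk DISK: read fstab text on stdin and print it with every
# active entry on DISK prefixed by "#"; all other lines pass through unchanged.
comment_out_disk() {
    awk -v d="$1" '
        BEGIN { re = "^/dev/" d "[a-p]$" }
        $1 ~ re { print "#" $0; next }
        { print }'
}

# disable_disk_in_fstab FILE DISK: apply the change to a file, keeping the
# original as FILE.bak so the entries can be restored when the disk returns.
disable_disk_in_fstab() {
    d_file=$1; d_disk=$2
    cp -p "$d_file" "$d_file.bak" || return 1
    comment_out_disk "$d_disk" < "$d_file.bak" > "$d_file.new" || return 1
    mv "$d_file.new" "$d_file"
}
```

Running `fsck_entries_on wd1 < /etc/fstab` first shows which entries are responsible; as the reply notes, this is only safe when the missing disk holds no system partitions.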



Re: sparc64 on Sun Netra T1 with external CD Drive

2007-12-28 Thread Darrin Chandler
On Fri, Dec 28, 2007 at 07:04:10AM -0800, new_guy wrote:
 Sorry for all the posts. I figured it out. I dd'ed floppy42.fs to one of the
 unused drives and booted that way. 

It's been a while, but iirc you can just do boot cd instead of all the
other happy horseshit.

-- 
Darrin Chandler|  Phoenix BSD User Group  |  MetaBUG
[EMAIL PROTECTED]   |  http://phxbug.org/  |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation



Re: Linus about C++

2007-12-28 Thread Gerardo Santana Gómez Garrido
On 12/28/07, Marc Espie [EMAIL PROTECTED] wrote:
 - python or perl, which work just fine... perl has about the same set of
 defects as C++ (except for speed and reflection). python is probably about
 the same, I don't use it enough to comment.

or Ruby (of Smalltalk heritage), which I suppose you haven't used
enough to comment. It is said to be more OO than Python and Perl.

-- 
Gerardo Santana



Re: Embedding OpenBSD

2007-12-28 Thread Unix Fan
Marco Peereboom wrote:

 What in the world???
 
 Do you drive a car?  if the answer is yes you have an unconnected
 embedded device.  Need more examples?

No, I walk.. batteries not included..

Seriously, I was simply giving my opinion... unfortunately I walked under a 
bridge and got attacked by a troll..

Bad troll.

-Nix Fan.



OpenBSD as DSL Router using hostname.pppoe0?

2007-12-28 Thread sebastian . rother
Hello guys,

I set up OpenBSD as DSL router using the kernel pppoe.
Because my DSL connection is faster than 10 MBit I'm using the kernel
pppoe to use the bandwidth.

I've noticed that pf fails to do the routing/nat in such scenarios:

1. OpenBSD Router boots
- It takes some seconds until pppoe0 gets an IP from the ISP!
- pf gets enabled during boot, pppoe0 has no IP yet, NAT won't work

2. OpenBSD is already booted
- I used pfctl -f /etc/pf.conf after pppoe0 got an IP and everything works
- then the bad ISP does a 24h disconnect (~23.59 and 58 secs)
- then NAT breaks again (because pppoe0 got a new ip and the old
   one is still used by pf?!)

Those problems don't appear if I use tun0 (but userland pppoe is far too
slow for this DSL link).

Is there any solution for this problem (for now a cronjob just reloads the
pf every 23:50 after enforcing ifconfig pppoe0 down  ifconfig pppoe0 up
  wait 5 secs to ensure it got an IP).

How did other people (you) solve this without using the userland
implementation? :-/

Kind regards,
Sebastian



Re: kernel/5690: system crash when running rtorrent

2007-12-28 Thread sebastian . rother
 I don't give care.

 Get lost, little boy.

I didn't make this bug report. I just told you weeks ago that people will
hit this bug. And you may please explain to me the sense of submitting
bug-reports if you've such an attitude?

Well as I told you: People will hit this bug.
But please forward at least the reports I sent you weeks ago to any
developer who might care. They might be helpful. Thanks Theo :)


Kind regards,
Sebastian

p.s.
Have a nice day, still :)



Re: Linus about C++

2007-12-28 Thread Tony Abernethy
Ted Unangst wrote:
 On 12/27/07, Miod Vallat [EMAIL PROTECTED] wrote:
  Ah, but no C++ bashing thread can be complete until someone 
 mentions the
  excellent FQA site: http://yosefk.com/c++fqa/
 
 this one alone was priceless: 
 http://yosefk.com/c++fqa/io.html#fqa-15.1
 and i've even written more c++ code than c code.

Oh, now I get it - type safety is supposed to help the 
compiler catch errors.  This is very important for people 
who never actually look at what they print.
--Priceless.



Re: kernel/5690: system crash when running rtorrent

2007-12-28 Thread Theo de Raadt
Years ago we told Sebastian Rother that we think he's a pest, and
we'll ignore everything he says.

Go away, Sebastian.  The minute you report a bug, everyone else
will suffer for it.

  I don't give care.
 
  Get lost, little boy.
 
 I didn't make this bug report. I just told you weeks ago that people will
 hit this bug. And you may please explain to me the sense of submitting
 bug-reports if you've such an attitude?
 
 Well as I told you: People will hit this bug.
 But please forward at least the reports I sent you weeks ago to any
 developer who might care. They might be helpful. Thanks Theo :)
 
 
 Kind regards,
 Sebastian
 
 p.s.
 Have a nice day, still :)



Re: OpenBSD as DSL Router using hostname.pppoe0?

2007-12-28 Thread Vijay Sankar

Quoting [EMAIL PROTECTED]:


Hello guys,

I set up OpenBSD as DSL router using the kernel pppoe.
Because my DSL connection is faster than 10 MBit I'm using the kernel
pppoe to use the bandwidth.

I've noticed that pf fails to do the routing/nat in such scenarios:

1. OpenBSD Router boots
- It takes some seconds until pppoe0 gets an IP from the ISP!
- pf gets enabled during boot, pppoe0 has no IP yet, NAT won't work

2. OpenBSD is already booted
- I used pfctl -f /etc/pf.conf after pppoe0 got an IP and everything works
- then the bad ISP does a 24h disconnect (~23.59 and 58 secs)
- then NAT breaks again (because pppoe0 got a new ip and the old
   one is still used by pf?!)

Those problems don't appear if I use tun0 (but userland pppoe is far too
slow for this DSL link).

Is there any solution for this problem (for now a cronjob just reloads the
pf every 23:50 after enforcing ifconfig pppoe0 down  ifconfig pppoe0 up
  wait 5 secs to ensure it got an IP).

How did other people (you) solve this without using the userland
implementation? :-/

Kind regards,
Sebastian




Hi,

My ADSL is only 8Mb download and 640K upload. I have three
interfaces on my OpenBSD 4.2 router and the DSL provider assigns a
static address, so not sure whether the comparisons here are valid.

I haven't had any problems so far with pf interfering with xDSL and
NAT. In case it is of any help this is what I have in my settings:

hostname.pppoe0

inet 0.0.0.0 255.255.255.255 NONE pppoedev dc0 authproto pap authname 'username' authkey 'passwd' up
dest 0.0.0.1
!/sbin/route add default 0.0.0.1

The server was upgraded from 4.1 to 4.2 using the CD and it has been
in service since OpenBSD 3.2 (userland pppoe till OpenBSD 3.8 and
kernel pppoe since OpenBSD 3.9) without any problems.

My pf.conf has the following entries related to pppoe

scrub out on $ext_if max-mss 1440


HTH,

Vijay






Re: OpenBSD as DSL Router using hostname.pppoe0?

2007-12-28 Thread sebastian . rother
Well with static IPs I've no problem either.
It's just after the forced disconnect of the ISP and after pppoe0 got a
new IP. Then NAT and routing fails. I solve this via a rule reload (after
pppoe0 got a new IP) but that looks like some stone-age method
(seriously.. ).

I just wonder if somebody else noticed this and if somebody may have solved
this in a different way.


Kind regards,
Sebastian



Re: Embedding OpenBSD

2007-12-28 Thread Marco Peereboom
Well thank you for your valuable input captain obvious. 

On Fri, Dec 28, 2007 at 05:13:41PM -0800, Unix Fan wrote:
 Marco Peereboom wrote:
  What in the world???
  
  Do you drive a car?  if the answer is yes you have an unconnected
  embedded device.  Need more examples?
 
 No, I walk.. batteries not included..
 
 Seriously, I was simply giving my opinion... unfortunately I walked under a 
 bridge and got attacked by a troll..
 
 Bad troll.
 
 -Nix Fan.



Re: OpenBSD as DSL Router using hostname.pppoe0?

2007-12-28 Thread NetOne - Doichin Dokov

[EMAIL PROTECTED] wrote:

Well with static IPs I've no problem either.
It's just after the forced disconnect of the ISP and after pppoe0 got a
new IP. Then NAT and routing fails. I solve this via a rule reload (after
pppoe0 got a new IP) but that looks like some stone-age method
(seriously.. ).

I just wonder if somebody else noticed this and if somebody may have solved
this in a different way.


Kind regards,
Sebastian

I guess you use ($ext_if) - with brackets - instead of the IP address 
manually entered (which you obviously don't know). This way PF monitors 
the interface for changes of its IP address and adjusts rules 
accordingly. You can verify if it does by doing a 'pfctl -s rules' after 
a reconnection, without first reloading the ruleset.


The problem, though, is probably the states which were already created - 
they keep matching the old IP. Clearing of the state table should be 
sufficient, and I think this could be done with a macro in your 
hostname.pppoe0, like this:

!pfctl -F state

I've personally never had to do such things, so consider everything I 
say just as suggestions.


Kind regards,
Doichin



Re: kernel/5690: system crash when running rtorrent

2007-12-28 Thread sebastian . rother
 Years ago we told Sebastian Rother that we think he's a pest, and
 we'll ignore everything he says.

Wonderful. It just wasn't me who reported this bug (please read the
original Bug report). So please stop ignoring it. :]
Sure I reported it weeks ago but that doesn't matter right now, right?

 Go away, Sebastian.  The minute you report a bug, everyone else
 will suffer for it.

Well funny. Maybe I should send you some other (~30) DoS conditions so in
case somebody else hits this his report gets ignored as well?
That's a great idea if I think about it. Can I count on you Theo? :-]

Well please explain to me how our personal differences affect the validity of
my bug reports which are there anyway no matter if you would love or hate
me?
Well it is of course your choice if you ignore my reports or not.
The Bug remains no matter if you ignore me or marry me. It's your
(project, not personal) code, not mine.
So if we now could leave the kindergarten and get at least back to the
fundamental school we could maybe come to the conclusion that the mpi-Bug
and the rtorrent-Bug are kinda affiliated.

Anyway it's your code, your spare time and your project.
And of course.. your bugs. :-)

But don't let other users suffer because we have problems.
I told you weeks ago this bug is there and it will get hit. So what now?
Ignoring everybody who hits the bug and reports it?
I hope you spend some attention to viq after he noticed the bug as well.

Have still a nice day Theo and hopefully a happy new year. :-]

Kind regards,
Sebastian



Hazy top of mind questions on spam control with OpenBSD

2007-12-28 Thread Girish Venkatachalam
Dear friends,

Please excuse the silly subject line. I am unfortunately not qualified
enough to come up with a better one.

First my assumptions, then my questions. Request inputs on both.

Assumptions
-----------

a) Most of the spam originates in USA. And high bandwidth links and busy
mail servers are common targets. 

b) Spam control strategies differ depending upon which leg of the spam
propagation cycle we are in. Let me explain.

*) Spammers have some kind of 'radar' that looks for vulnerable
hosts/networks and they abuse them for carrying their traffic. Sometimes
ISPs connive with spammers and let them use their networks. At this
point, the spam is in the egg form.

*) Once the spammer gets a foothold to munge his mail ID and
originating IP/network, then he looks for bandwidth guzzler techniques
involving smart programming involving a combo of IP and TCP techniques
to deliver millions of mails in a jiffy

*) The final leg is when the spam reaches the destination MTA/
user's mailbox

c) We have to necessarily use a combination of spam control strategies
for combating this disease.

Okay now for my questions. First please correct my assumptions. Thanks.

Questions
---------

1) Since my field of activity is neither USA nor do I have access to
high bandwidth what effect will greylisting have on me? Is there a point
in using greylisting since it is highly unlikely that someone is going
to use me/my networking/my MTA as scapegoat for sending spam

2) case b) also does not apply since very few routers here run BGP or
give spammer enough ammo for his job. Should I still go in for clever
tricks with pf and spamd like greytrapping, source tracking,
blacklisting etc.?

3) I hate spamassassin and I love dspam and its statistical filtering
math. But alas, the project is largely unmaintained and dying. What
alternative do I have in combating spam by textual analysis, context
sensitive Bayesian techniques and so on?

Finally I have the choice of using hackish solutions like tagging mails
with X-spam-* scores with procmail or other filters with collaborative
user feedback from shared databases. Kind of like the DCC stuff by
Vipul's razor or gmail.

I also believe that without user feedback and individual training spam
cannot be combated effectively. Each user has his own behavioral
patterns when it comes to mail.

How should I design my spam control 'fishing net'?

I don't want to make the holes in my net too small thereby catching
small fish (false positives), at the same time I should catch big
fishes.

Thanks for your inputs and pardon my ignorance and this lengthy mail.

Happy new year folks! ;)

- Girish



Re: sparc64 on Sun Netra T1 with external CD Drive

2007-12-28 Thread new_guy
Darrin Chandler wrote:
 
 It's been a while, but iirc you can just do boot cd instead of all the
 other happy horseshit.
 

There was no internal IDE CD drive. So boot cd would not work... failed to
find boot device So that extra horse shit (and I agree 100% that it is
horse shit) was, unfortunately required. I ended-up RTFM and dd'ing
floppy42.fs (which could not see the SCSI drives) but miniroot42.fs could. I
got OpenBSD installed and it was *so* sane compared to Solaris. God I love
this OS. Thanks for all the hard work guys! My apologies again for being so
verbose!




Re: OpenBSD as DSL Router using hostname.pppoe0?

2007-12-28 Thread sebastian . rother
I guess you use ($ext_if) - with brackets - instead of the IP address
manually entered (which you obviously don't know). This way PF monitors
the interface for changes of its IP address and adjusts rules
accordingly. You can verify if it does by doing a 'pfctl -s rules' after
a reconnection, without first reloading the ruleset.

The problem, though, is probably the states which were already created -
they keep matching the old IP. Clearing of the state table should be
sufficient, and I think this could be done with a macro in your
hostname.pppoe0, like this:
!pfctl -F state

I've personally never had to do such things, so consider everything I
say just as suggestions.

Kind regards,
Doichin

Well I added your macro right now but I'm unsure if hostname.pppoe0 is
read every time pppoe0 gets a disconnect (and later a new IP). I think
hostname.pppoe0 is read once on boot and the rest is all in kernelspace
then (Oh a disconnect! No worries lets try to reconnect...!).

I might be wrong and I might have understood the concept in a wrong way but
hostname.pppoe0 gets called once (and just once) at boot. So how could
this macro help after pppoe0 got a new IP?
Or is the hostname.pppoe0 really read once after pppoe0 got a disconnect?!

So far I never used such a macro because of my understanding it would have
no effect (not even at boot time because pppoe0 sometimes has 2-3 secs no
IP (the OS boots further, pf gets enabled) and then it has).

If I misunderstood something please correct me.

Kind regards,
Sebastian

p.s.
Thanks for the suggestion with the macro!
Combined with a little 'sleep' that may solve the issue for the initial
booting probably. Never thought (again) about a macro in the
hostname.pppoe0 'cause it may not solve the real problem I face



Re: OpenBSD as DSL Router using hostname.pppoe0?

2007-12-28 Thread NetOne - Doichin Dokov

[EMAIL PROTECTED] wrote:

I guess you use ($ext_if) - with brackets - instead of the IP address
manually entered (which you obviously don't know). This way PF monitors
the interface for changes of its IP address and adjusts rules
accordingly. You can verify if it does by doing a 'pfctl -s rules' after
a reconnection, without first reloading the ruleset.

The problem, though, is probably the states which were already created -
they keep matching the old IP. Clearing of the state table should be
sufficient, and I think this could be done with a macro in your
hostname.pppoe0, like this:
!pfctl -F state

I've personally never had to do such things, so consider everything I
say just as suggestions.

Kind regards,
Doichin



Well I added your macro right now but I'm unsure if hostname.pppoe0 is
read every time pppoe0 gets a disconnect (and later a new IP). I think
hostname.pppoe0 is read once on boot and the rest is all in kernelspace
then (Oh a disconnect! No worries lets try to reconnect...!).

I might be wrong and I might have understood the concept in a wrong way but
hostname.pppoe0 gets called once (and just once) at boot. So how could
this macro help after pppoe0 got a new IP?
Or is the hostname.pppoe0 really read once after pppoe0 got a disconnect?!
  
I'm unsure of this, too, and the man pages of hostname.if and pppoe seem 
unclear about this. But I guess you're right - commands will be executed 
only on system boot or network restart.

So far I never used such a macro because of my understanding it would have
no effect (not even at boot time because pppoe0 sometimes has 2-3 secs no
IP (the OS boots further, pf gets enabled) and then it has).
  
You set $ext_if to pppoe0. Then by using ($ext_if) PF knows it has to 
lookup the IP address of the interface, and reflect changes to it back 
in the ruleset. So I guess at least at boot time it should be of help.
The ! command in the hostname.pppoe0 file is irrelevant at boot - you 
don't have any states to flush.


Regards,
Doichin



Re: OpenBSD as DSL Router using hostname.pppoe0?

2007-12-28 Thread sebastian . rother
*cut*
 I'm unsure of this, too, and the man pages of hostname.if and pppoe seem
 unclear about this. But I guess you're right - commands will be executed
 only on system boot or network restart.

Yes that's kinda true. I just wonder that nobody asked about a solution
before. Does everybody use a hack familiar to pfctl -F all each 23hrs, 58
minutes and n seconds? :)

Either no developer uses aDSL at home (with an ISP forcing him to reconnect
every 24 hours) or nobody uses OpenBSD as router or nobody uses the
connection permanently. :-/

It's hard to imagine that there's no other solution.

 You set $ext_if to pppoe0. Then by using ($ext_if) PF knows it has to
 lookup the IP address of the interface, and reflect changes to it back
 in the ruleset. So I guess at least at boot time it should be of help.
 The ! command in the hostname.pppoe0 file is irrelevant at boot - you
 don't have any states to flush.

Well but why does it work with tun0?
In fact pf should do exactly the same but with pppoe0 it just doesn't work
(with tun0 it's all uberslow but works, no pfctl-execution needed).

Is that a behavior which is totally kernel related and do I really have no
other option than using pfctl via cron to reactivate nat/routing because
the IP of pppoe0 changed (that's really stone age bs...)? :-/

I'm no pppoe nor a kernel expert so I'm happy about every piece of
clarification. :-)

Kind regards,
Sebastian
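
[Added example, not part of any message in this thread.] One way to react to the address change itself rather than to a fixed cron time is to poll pppoe0 and act only when the negotiated address appears or differs from the last one seen. The interface name, the 0.0.0.0 placeholder and both pfctl commands come from the thread; the poll interval, the log tag and the sample ifconfig output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: watch pppoe0 and refresh pf when its address appears or changes.
# From the thread: pppoe0, the 0.0.0.0 placeholder set in hostname.pppoe0,
# "pfctl -f /etc/pf.conf" and "pfctl -F state".
# Assumptions: the 10 second interval and the "pppoe-watch" log tag.

IF=pppoe0
INTERVAL=10

# Constructed ifconfig output: before the ISP assigns an address, and after.
SAMPLE_WAITING='pppoe0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492
    inet 0.0.0.0 --> 0.0.0.1 netmask 0xffffffff'
SAMPLE_UP='pppoe0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492
    inet6 fe80::1%pppoe0 ->  prefixlen 64 scopeid 0x5
    inet 203.0.113.7 --> 203.0.113.1 netmask 0xffffffff'

# Read ifconfig output on stdin, print the first IPv4 address (nothing if none).
current_inet() {
    awk '$1 == "inet" { print $2; exit }'
}

# classify <last-seen-address> <current-address>
# Prints: wait    (no usable address yet, or link is renegotiating)
#         first   (first real address since this script started)
#         same    (address unchanged)
#         changed (ISP handed out a different address)
classify() {
    _last=$1
    _cur=$2
    case "$_cur" in
        ''|0.0.0.0) echo wait; return 0 ;;
    esac
    if [ -z "$_last" ]; then
        echo first
    elif [ "$_last" = "$_cur" ]; then
        echo same
    else
        echo changed
    fi
}

watch_loop() {
    last=""
    while :; do
        cur=$(ifconfig "$IF" 2>/dev/null | current_inet)
        case "$(classify "$last" "$cur")" in
            first)
                # pf was loaded at boot before pppoe0 had an address.
                logger -t pppoe-watch "$IF is up with $cur, loading ruleset"
                pfctl -f /etc/pf.conf && last=$cur
                ;;
            changed)
                # With ($ext_if) in the rules only the old states are stale;
                # a ruleset with a literal address needs a reload here as well.
                logger -t pppoe-watch "$IF address $last -> $cur, flushing states"
                pfctl -F state && last=$cur
                ;;
        esac
        sleep "$INTERVAL"
    done
}

# Run the loop only when asked to, so the functions can be sourced and tested.
if [ "${1:-}" = "watch" ]; then
    watch_loop
fi
```

Started as root with the argument `watch`, the loop does nothing while the interface still shows the placeholder address, so it covers both the boot race and the forced 24h reconnect.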



Re: Hazy top of mind questions on spam control with OpenBSD

2007-12-28 Thread Daniel Ouellet

Girish Venkatachalam wrote:

a) Most of the spam originates in USA. And high bandwidth links and busy
mail servers are common targets. 


You haven't looked at China and Korea in a long time looks like. USA is 
not a clean place, but not the major source of it either. Definitely not 
in my logs anyway.


As for the rest of your email. If you want to stop spam from getting to 
you and your mail server, there isn't anything related to BGP, high 
bandwidth, etc. They will send spam to any mail box that will accept it 
regardless where, who and how connected it is.


It is very easy, simple and fast to setup spam trap, specially these 
days with OpenBSD.


1. Put 4.2 on a box, setup spamd on it, that's real easy. For that, look 
at your pf configuration and follow the man page.


2. Then use Bob lists in spamd-setup, updated every hour, for add to 
your filter. You don't need to update it each hour if you want to be 
nice to Bob, but I guess you can. Just don't do it more often than once 
per hour however. There isn't any point.


* Make sure to increase the table limit entry if you use it as you 
run out of space for them. 


3. Then unless you have reason to receive emails from China and Korea, 
just block that too. And I also use the nixspam list also provided 
nicely. (;


my /etc/mail/spamd.conf looks like below for spamd.conf

4. I also use /var/db/whitelist.txt as well in my configuration for some 
special cases if needed, but there isn't much there and not really any 
changes happen too often either. I created it once to allow some mail 
server with the SPF records for them, which is not needed, but does help 
some sending one. You can find a list here:


http://cvs.puremagic.com/viewcvs/greylisting/schema/whitelist_ip.txt

And again, I put my list below, not that you need to use it, but for the 
details. If you don't need it, don't use it.


5. Then add the even better greyscanner also from Bob that you can find 
here:


http://www.ualberta.ca/~beck/greyscanner/

Obviously, put the 4.1 version on your 4.2 box and there were changes 
between  4.1 and 4.1 and up. I only needed the greyscanner.41.


You set that up and it's really easy to do. All the default work as is, 
nothing special needed, but you can add some unused domain for even more 
fun and efficiency. See later for this, but in short, you read the PERL 
script used and you need minimal addition for your setup if you go that 
route.


You will need to install a few packages, all ready to go anyway, so not 
a big deal to do. I run current, so you may need different version for 
yours, but the list is below.


# pkg_info
p5-Digest-HMAC-1.01p0 interface to HMAC Message-Digest Algorithms
p5-Digest-SHA1-2.11p0 module to calculate SHA1 digests
p5-Email-Valid-0.176p0 Check validity of Internet email addresses
p5-Mail-Tools-1.77  modules for handling mail with perl
p5-Net-DNS-0.61 module to interface the DNS resolver
p5-Net-IP-1.25p0 perl module for IPv4/IPv6 address parsing
p5-Time-TimeDate-1.16p0 library for parsing and formatting dates and times

I run my greyscanner in a special user for that as to keep it safer and 
more restricted as well, which you can go without but then why not.


So, in /etc/rc.local, I have this added to it:

# Grey Scanner
if [ -x /usr/local/sbin/greyscanner ]; then
    echo -n 'Start Bob Becks Grey Scanner'
    su _greyscanner -c /usr/local/sbin/greyscanner
fi

and obviously I have Bob's script installed in /usr/local/sbin/greyscanner

# ls -al /usr/local/sbin/greyscanner
-rwxr-xr-x  1 root  bin  11711 Sep  4 17:18 /usr/local/sbin/greyscanner

I also added a user _greyscanner without login and that I run also under 
the _spamd group. That's my choice, but you can do differently if you 
want, but as greyscanner interact with _spamd, then it was logical for 
me to use the same group here.


# cat /etc/master.passwd | grep _greyscanner
_greyscanner:*:1000:62:daemon:0:0:Grey Scanner Daemon:/var/empty:/bin/ksh

# cat /etc/group | grep _greyscanner
_spamd:*:62:_greyscanner

And by the way, in case it wasn't obvious, I also do a spamd-setup at 
startup as well, so my /etc/rc.local also include:


# spamd black list building
if [ -x /usr/libexec/spamd-setup ] ; then
    /usr/libexec/spamd-setup && echo -n ' building spamd blacklist'
fi

And then you can see the greyscanner running and doing its stuff, under 
a limited user as well:


# ps -auxw | grep _greyscanner
_greyscanner 17011  0.0  0.9  6480  4872 00- I  9Dec070:30.72 
/usr/bin/perl /usr/local/sbin/greyscanner


6. If you are willing to add unused domains that you may already have, 
then edit the greyscanner and put them here:


@BADRERCPT = (
[EMAIL PROTECTED],
);

The short of this is that it will look for them and trap senders to 
these unused domains and trap them for 24 hours. Worth the addition of 
new domains just for that.


7. Then obviously, your trap domain, add any email address to a web page 
for the various low life to grab 

Re: Hazy top of mind questions on spam control with OpenBSD

2007-12-28 Thread Daniel Ouellet

Also, in case it wasn't obvious either.

Make sure to add your spamd-setup to your cron job to update them.

And obviously any additional domains will need MX records in DNS 
obviously too.


Not sure if one day the greyscanner will be part of the default install 
anytime soon? May be they want it in C before putting it in the default 
install, not sure. It would be a very nice addition to the spamd setup 
already. But it's not that hard to install anyway until that day come. (;


Best,

Daniel



Re: Hazy top of mind questions on spam control with OpenBSD

2007-12-28 Thread Daniel Ouellet

Just for the records and for fun as well.

Here is how many spammers were trapped by greyscanner ONLY in the last ~9 
hours only. Also one thousand are trapped per hour.


# head -n1 maillog
Dec 28 15:00:02 smtp1 newsyslog[2273]: logfile turned over

# tail -n1 maillog
Dec 28 23:55:25 smtp1 .

# cat maillog | grep Trapped | wc -l
8552

and in the last few days only between the rotations of the logs:

# zcat maillog.?.gz | grep Trapped | wc -l
  105064

So, if you think spamd is good, just add to it greyscanner as well and 
you will reduce your spam.


No other mean needed here and spam is really a very rare case.

Best,

Daniel



Re: Hazy top of mind questions on spam control with OpenBSD

2007-12-28 Thread Daniel Ouellet

OK,

I am having too much fun I guess, but that will be my last one.

When I say spammers trapped, I really mean spammers trapped by greyscanner, not 
only the number of emails blocked.


As examples I see many like this in the logs:

Dec 27 16:15:26 smtp1 greytrapper[10139]: Trapped 84.165.240.170: Host sending from 52 domains ( 3)
Dec 27 17:41:56 smtp1 greytrapper[29993]: Trapped 83.55.229.206: Host sending from 30 domains ( 3)
Dec 27 18:03:28 smtp1 greytrapper[29260]: Trapped 78.98.223.237: Host sending from 46 domains ( 3)
Dec 27 20:55:05 smtp1 greytrapper[16486]: Trapped 85.176.179.15: Host sending from 20 domains ( 3)

etc...

So, a single one for example that counted as only one before in my 
previous email, would have passed 52 spam.

And it is not the worst by any means!

Now draw your own conclusions.

Best,

Daniel
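
[Added example, not part of Daniel's messages.] The `grep Trapped | wc -l` count above gives one per trapped host; this sketch reads the same log lines and also totals the sender domains each host used, which is the difference the last message points at. The log format is the one quoted above; the function name, the repeat entry and the unrelated spamd line in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise greytrapper "Trapped" lines from maillog.
# Format assumed from the four lines quoted in the message above:
#   <date> <host> greytrapper[pid]: Trapped <ip>: Host sending from <n> domains ( 3)

# First four lines are the ones quoted in the thread; the last two are constructed.
SAMPLE_LOG='Dec 27 16:15:26 smtp1 greytrapper[10139]: Trapped 84.165.240.170: Host sending from 52 domains ( 3)
Dec 27 17:41:56 smtp1 greytrapper[29993]: Trapped 83.55.229.206: Host sending from 30 domains ( 3)
Dec 27 18:03:28 smtp1 greytrapper[29260]: Trapped 78.98.223.237: Host sending from 46 domains ( 3)
Dec 27 20:55:05 smtp1 greytrapper[16486]: Trapped 85.176.179.15: Host sending from 20 domains ( 3)
Dec 27 21:10:00 smtp1 greytrapper[16490]: Trapped 83.55.229.206: Host sending from 12 domains ( 3)
Dec 27 21:10:05 smtp1 spamd[123]: 192.0.2.10: connected (1/0)'

# Reads syslog lines on stdin and prints one line:
#   hosts=<unique trapped hosts> domains=<sum of domain counts> worst=<ip>:<count>
# A host trapped more than once is counted once, with its largest domain count.
# Trap lines with any other reason text count as a host with 0 domains.
trap_summary() {
    awk '
    / greytrapper\[[0-9]+\]: Trapped / {
        # Find the "Trapped" token; the address is the next field.
        for (i = 1; i <= NF; i++) if ($i == "Trapped") break
        ip = $(i + 1)
        sub(/:$/, "", ip)
        n = 0
        if ($(i + 2) == "Host" && $(i + 3) == "sending" && $(i + 4) == "from")
            n = $(i + 5) + 0
        if (!(ip in seen) || n > seen[ip]) seen[ip] = n
    }
    END {
        hosts = 0; total = 0; worst = ""; max = -1
        for (ip in seen) {
            hosts++
            total += seen[ip]
            # Ties are broken by address so the result is deterministic.
            if (seen[ip] > max || (seen[ip] == max && ip < worst)) {
                max = seen[ip]
                worst = ip
            }
        }
        if (hosts == 0)
            print "hosts=0 domains=0 worst=-"
        else
            printf "hosts=%d domains=%d worst=%s:%d\n", hosts, total, worst, max
    }'
}

# Print the summary for the embedded sample when called with "demo".
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | trap_summary
fi
```

Against a live log the function is fed the same way as the counts above, for example `zcat maillog.?.gz | trap_summary`.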



file error: http://www.openbsd.org/art/blow_col_only.jpg

2007-12-28 Thread Bibby
Hi, all.

There is an error msg while I access the URL:
http://www.openbsd.org/art/blow_col_only.jpg

The url can be found in:
http://www.openbsd.org/art2.html

-- 
Best Regards.

Michael Bibby(Huangbin Zhang)

- RedHat Enterprise Linux 5 Client
- OpenBSD 4.2 -release



ASUS m2a-vm and 4.2

2007-12-28 Thread Pawel Veselov
Hi,

Just had some experience installing 4.2 on ASUS m2a-vm... Wasn't pleasant.

3Gbs drive shows max of 0.2MBs transfer rate (according to iostat). My
old drive shows appx 30MB on IDE bus. Tested using dd if=/dev/zero
of=file. Any disk access takes forever.

Selecting SATA interface as AHCI doesn't work (doesn't show up, or
reboots the system when discovery attempted).

Installing 64bit version reboots the installer at the time disks were accessed.

There seem to be some problems with built-in card, as in it won't send
any packets, at least with 10MB media (re driver).

Dunno if I'm doing something wrong, but I'm shutting it down and
trying an NVidia based one instead.

Thanks,
  Pawel.

OpenBSD 4.2 (GENERIC) #375: Tue Aug 28 10:38:44MDT 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD Athlon(tm) 64 X2 Dual Core Processor 4800+ (AuthenticAMD
686-class, 512KB L2 cache) 2.51 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16
real mem  = 2011656192 (1918MB)
avail mem = 1937293312 (1847MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 03/07/07,BIOS32 rev. 0 @
0xf1d90, SMBIOS rev. 2.4 @ 0xf (58 entries)
bios0: vendor Phoenix Technologies, LTD version ASUS M2A-VM ACPI BIOS
Revision 0302 date 03/07/2007
bios0: ASUSTeK Computer INC. M2A-VM
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 3.0 @ 0xf/0xdc54
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdb40/272 (15 entries)
pcibios0: bad IRQ table checksum
pcibios0: PCI BIOS has 15 Interrupt Routing table entries
pcibios0: PCI Exclusive IRQs: 3 5 10 11
pcibios0: no compatible PCI ICU found
pcibios0: Warning, unable to fix up PCI interrupt routing
pcibios0: PCI bus #3 is the last bus
bios0: ROM list: 0xc/0xd400
cpu0 at mainbus0
cpu0: PowerNow! K8 2501 MHz: speeds: 2500 2400 2200 2000 1800 1000 MHz
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 vendor ATI, unknown product 0x7910 rev 0x00
ppb0 at pci0 dev 1 function 0 vendor ATI, unknown product 0x7912 rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 5 function 0 vendor ATI, unknown product 0x791e rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb1 at pci0 dev 7 function 0 vendor ATI, unknown product 0x7917 rev 0x00
pci2 at ppb1 bus 2
re0 at pci2 dev 0 function 0 Realtek 8168 rev 0x01: RTL8168 2
(0x3800), irq 5, address 00:1b:fc:1a:20:21
rgephy0 at re0 phy 7: RTL8169S/8110S PHY, rev. 2
pciide0 at pci0 dev 18 function 0 ATI IXP600 SATA rev 0x00: DMA
(unsupported), channel 0 configured to native-PCI, channel 1
configured to native-PCI
pciide0: using irq 11 for native-PCI interrupt
wd0 at pciide0 channel 0 drive 0: Hitachi HDS721075KLA330
wd0: 16-sector PIO, LBA48, 715404MB, 1465149168 sectors
pciide0: channel 1 ignored (not responding; disabled or no drives?)
ohci0 at pci0 dev 19 function 0 ATI IXP600 USB rev 0x00: irq 11,
version 1.0, legacy support
ohci1 at pci0 dev 19 function 1 ATI IXP600 USB rev 0x00: irq 10,
version 1.0, legacy support
ohci2 at pci0 dev 19 function 2 ATI IXP600 USB rev 0x00: irq 3,
version 1.0, legacy support
ohci3 at pci0 dev 19 function 3 ATI IXP600 USB rev 0x00: irq 10,
version 1.0, legacy support
ohci4 at pci0 dev 19 function 4 ATI IXP600 USB rev 0x00: irq 3,
version 1.0, legacy support
ehci0 at pci0 dev 19 function 5 ATI IXP600 USB2  rev 0x00: irq 5
usb0 at ehci0: USB revision 2.0
uhub0 at usb0: ATI EHCI root hub, rev 2.00/1.00,addr 1
piixpm0 at pci0 dev 20 function 0 ATI IXP600 SMBus rev 0x13: SMI
iic0 at piixpm0
pciide1 at pci0 dev 20 function 1 ATI IXP600 IDE rev 0x00: DMA,
channel 0 configured to compatibility, channel 1 wired to
compatibility
azalia0 at pci0 dev 20 function 2 ATI IXP600 HD Audio rev 0x00: irq 11
azalia0: host: High Definition Audio rev. 1.0
azalia0: codec: Realtek ALC883 (rev. 0.2), HDA version 1.0
audio0 at azalia0
pcib0 at pci0 dev 20 function 3 ATI IXP600 LPC rev 0x00
ppb2 at pci0 dev 20 function 4 ATI IXP600 PCI rev 0x00
pci3 at ppb2 bus 3
rl0 at pci3 dev 5 function 0 Realtek 8139 rev 0x10: irq 10, address
00:0e:2e:5b:45:90
rlphy0 at rl0 phy 0: RTL internal PHY
pchb1 at pci0 dev 24 function 0 AMD AMD64 Hyper Transport rev 0x00
pchb2 at pci0 dev 24 function 1 AMD AMD64 Address Map rev 0x00
pchb3 at pci0 dev 24 function 2 AMD AMD64 DRAM Cfg rev 0x00
pchb4 at pci0 dev 24 function 3 AMD AMD64 Misc Cfg rev 0x00
usb1 at ohci0: USB revision 1.0
uhub1 at usb1: ATI OHCI root hub, rev 1.00/1.00, addr 1
usb2 at ohci1: USB revision 1.0
uhub2 at usb2: ATI OHCI root hub, rev 1.00/1.00, addr 1
usb3 at ohci2: USB revision 1.0
uhub3 at usb3: ATI OHCI root hub, rev 1.00/1.00, addr 1
usb4 at ohci3: USB revision 1.0
uhub4 at usb4: ATI OHCI root hub, rev 1.00/1.00,
usb5 at ohci4: USB revision 1.0
uhub5 at usb5: ATI OHCI root hub, rev 1.00/1.00, addr 1
isa0 at pcib0
isadma0 at isa0

Re: Embedding OpenBSD

2007-12-28 Thread user
Gary Baluha wrote:
 On Dec 27, 2007 10:41 PM, Douglas A. Tutty [EMAIL PROTECTED] wrote:
 
 I'd wire in a hardware-type heartbeat detector that will power-cycle the
 computer if it stops working.  I'd have a door over the money slot
 powered by the computer so that it only accepts money when its working.

uh, the point is to get their money.  The fact that it does something in
return is just a bonus.  It might prompt them to say, Hey, did that
just talk to me?? and they stick another coin in to find out.  At that
point, it says something different, and by now, the kids all want in on
it.  Soon enough, a dollar or two worth of coins has just gone down the
toad's mouth.  Failure mode should still to be accept the first coin,
not reject it.  Not desired, sure, but no worse than the cookie jar
collection box.  We've done a couple others of these things, the owners
tell us they do considerably better than just the traditional can with
slot cut in it donation box.

 You could have a Please wait light to be lit during the reboot.

This is precisely why I asked this question, to make sure this doesn't
happen.  While having a self-cleaning mess beats having a persistent
mess, I'd rather just avoid the mess. :)

 Or, you could just rewire an MP3 player to play a tune when it is
 powered on, then just hook the money-detector to the power switch.
 Money turns it on, a timer just longer than the tune turns it off.  No
 computer needed (just a 556-dual-555 timer IC and some spare parts).

 I second the idea of something as simple as an MP3 player connected to a
 money detector, if that's all it will be doing.   Seems a little over-kill to
 get a whole computer, 

Getting an off-the-shelf MP3 player to play one sound file is not too
difficult.  Ah, heck, a tape loop would work fine, too.

Getting it to play one of a pile of different sound files, not trivial.

That idea was considered, but the reverse engineering of the things would
be very difficult, both because they are mostly sealed blobs and anything
developed on Model X would have to be repeated next year, when Model X is
discontinued, and model Y is out.  Further, while at my peak, I could
solder a 16 pin IC with a 400W unregulated soldering gun in about five
seconds (and make it work!) (for those not into soldering, that's way too
big a soldering tool and way too fast), I'm a bit out of practice, and I'm
not even sure I could see what I was soldering on with a modern MP3 player.
They aren't designed for hacking.

One would have to come up with a way to sequence the buttons on the thing
to play one sound file, detect the end of the sound file, stop the play back,
then resume the playback on the next sound file...ick.  If it isn't obvious,
the files WILL be of wildly differing lengths, some a couple seconds, some
maybe close to a minute long.  I have no idea why so many people assumed it
would play back only ONE sound file..note the use of the plural files in
my original posting.

I actually considered doing something like the old DuKane filmstrip
projectors did, embed a tone in the file, detect the tone, filter it out
at the amp.  Detect money? Press play.  Hear tone? press Pause.  That makes
creating/editing/revising the sound files a lot more complex, so it
would no longer be owner-maintainable.

As it is, 1/3 of the storage device (I'm not gonna use the 'f' word here,
as people apparently keyed off it and have been answering questions I didn't
ask, so just pretend it is a little, slow disk) is a DOS FAT partition, so
someone (anyone!) could remove the storage device, plug it into their
Windows computer, and add, remove, replace, or re-order the message files.
(I've also set it up that if someone plugs a USB storage device in at boot,
it uses that for sound files rather than the on-board files.)

I can assure those who thought I jumped to an OpenBSD-based computer as
my first choice for the design that they are very wrong.  A lot of brainstorming
took place.  Considerations included cost, parts availability, long term
maintainability, development ease, field maintenance, etc.  I'm pretty
thorough and pretty creative in my designs, and quite aware of the When
all you have is a hammer, all the world looks like a nail.  Using a
computer for this app sucks, but not as badly as the alternatives that I
could think of.

About the only compromise I took that I really didn't like was not using
the parallel port for the input on the thing.  I wasn't having much luck
doing that when the idea of using a mouse as an input device was suggested
to me by the artist I'm working with.  My first thought was, that's crazy,
but then I realized I could simply hack wsmoused to execute a program
whenever the mouse is clicked, and ta-da, we got ourselves a solution.  I
don't think I spent more than a couple hours doing that before I had
a demonstrator program running.  When I got the opportunity to get the
iPaq desktops, I grabbed one, flipped it over, saw PS/2, parallel and
serial ports, 

sparc on Tatung COMPstation U10

2007-12-28 Thread Predrag Punosevac

Dear All,

A friend of mine is moving out of town and has a couple Tatung 
COMPstations U10 in mint condition
(they come with the original monitors, keyboards, and the mouses) that 
can be mine for $10 a piece.
He claims that he is running Debian sparc 64 (with X ) but I believe 
they are actually sparc architecture not sparc 64.


I looked at the hardware notes for sparc and I see some of Tatung made 
SUN clones listed but not this particular model (there is also a 
disclaimer that the list is not complete). Does anyone have any 
experience in running OpenBSD on them?


Best,
Predrag



Re: Linus about C++

2007-12-28 Thread L

Tony Abernethy wrote:
Ted Unangst wrote:
On 12/27/07, Miod Vallat [EMAIL PROTECTED] wrote:
Ah, but no C++ bashing thread can be complete until someone mentions the
excellent FQA site: http://yosefk.com/c++fqa/

this one alone was priceless:
http://yosefk.com/c++fqa/io.html#fqa-15.1

and i've even written more c++ code than c code.

Oh, now I get it - type safety is supposed to help the f
compiler catch errors.  This is very important for people
who never actually look at what they print.

--Priceless.

Oh, now I get it - procedures and functions are supposed to help the 
programmer structure code. This is very important for retarded people 
who don't know how to use GOTO statements and assembly code.


Oh,  now I get it - stop signs are supposed to help the driver not get 
into collisions. This is very important for people who are blind and 
don't know how to shoulder check and floor it.


Oh,  now I get it - dotted lines on the road are supposed to help the 
driver pass people easier. This is very important for people who can't 
get out and measure each moving car with a tape measure before passing.


Oh,  now I get it - the hours posted on the store window are supposed 
to help people find out when the store is open. This is very important 
for incapable people who can't bash their fist on the glass window yelling 
ARE YOU OPEN YOU IDIOTS LET ME IN RIGHT NOW OR I'LL BREAK THE DOOR.


Oh, now I get it - English dictionaries are supposed to help English 
people. These are very important for people who never actually took the 
time to learn English.


Everything irrational can be summed up and proven in a single quote.

Oh, now I get it - computers are for people who can't learn how to use 
a pencil and paper.


Regards,
L505



diff of the official FAQ

2007-12-28 Thread Chris
I haven't read the FAQ for a while and realize a lot has been changed.
Is there any way I could get a diff on the FAQ for the last 1 year and
read only the parts that have been changed?

Thanks for any help.



Re: Hazy top of mind questions on spam control with OpenBSD

2007-12-28 Thread Nick Holland
Girish Venkatachalam wrote:
 Dear friends,
 
 Please excuse the silly subject line. I am unfortunately not qualified
 enough to come up with a better one.
 
 First my assumptions, then my questions. Request inputs on both.
 
 Assumptions
 -
 
 a) Most of the spam originates in USA.

Either incorrect or close to incorrect.  IF it is correct, it is due
to the number of computers in the USA, and most would mean more than
others.  Avoiding US computers won't change your spam situation much
at all (i.e., lopping off 30% of a problem still means you have a
problem).

The internet is truly global.  Where you are really doesn't matter much.
It costs the spammer the same to send to their next door neighbor as it
does to send across the world (nothing!), so they don't discriminate by
geography.

 And high bandwidth links and busy
 mail servers are common targets. 

totally incorrect, both as targets to send spam to and to get spam from.
Sure, spammers love to plant their sending boxes in high-bandwidth places,
but they happily use nets of home computers, too, and they are much easier
to get.  They don't care at all what your connection is at the receiving
end.

 b) Spam control strategies differ depending upon which leg of the spam
 propagation cycle we are in. Let me explain.

 *) Spammers have some kind of 'radar' that looks for vulnerable
 hosts/networks and they abuse them for carrying their traffic. Sometimes
 ISPs connive with spammers and let them use their networks. At this
 point, the spam is in the egg form.

Irrelevant.  You can't stop it at the source unless you really screwed
up. :)  (the radar is really trivial, look for machines that try to
infect you with a virus, you know that machine is infected, you know how
it got infected, you can now compromise it the same way.  Yawn.  That's
just one way).

   *) Once the spammer gets a foothold to munge his mail ID and
 originating IP/network, then he looks for bandwidth guzzler techniques
 involving smart programming involving a combo of IP and TCP techniques
 to deliver millions of mails in a jiffy

no.
I am not sure what you are trying to say, but there is no magic.  Just
compromised and improperly managed computers, and simplistic delivery
software.  The delivery software almost never shows any real smart
programming.  A step up from the crap code of your typical virus, but
hardly robust or skilled code, or they just use sendmail/postfix/qmail/
whatever.  Any of these programs send mail as fast as most pipes will
allow, there is no magic that lets you send millions of messages on a
slow link in a couple seconds.

   *) The final leg is when the spam reaches the destination MTA/
 user's mailbox

yeah, but not sure what your point is, other than this is where you
get to try to deal with it, assuming you control the MTA or your
mailbox.

 c) We have to necessarily use a combination of spam control strategies
 for combating this disease.

eh.  Not really.  Depends.
I guess I use three systems, myself:
1) spamd greylisting.
2) Thunderbird's spam filtering system
3) the delete key.

So, I guess I do use more than one, but all are set and forget.

My e-mail address is all over the 'net, so it isn't hard to find me, yet
MOST of the spam I get is coming through OpenBSD mail servers.  Spamd
takes care of the vast majority of the rest. I'm amazed how effective
it is for basically being set up and forget.

A friend of mine uses the you can't find me method for spam control.
He gets a domain, gives an address to a very few people, and after a
few years when the address escapes, he abandons the domain and
uses a new one.  Not my style. :)

If you have low traffic and a small number of users, you can probably
get by very well with one high-end spam control app.  The problem
there is scaling to huge numbers of users and messages.

 Okay now for my questions. First please correct my assumptions. Thanks.
 
 Questions
 -
 
 1) Since my field of activity is neither USA nor do I have access to
 high bandwidth what effect will greylisting have on me? Is there a point
 in using greylisting since it is highly unlikely that someone is going
 to use me/my networking/my MTA as scapegoat for sending spam

they will be sending spam TO you.  That's what greylisting is going
to help you with.

 2) case b) also does not apply since very few routers here run BGP or
 give spammer enough ammo for his job. Should I still go in for clever
 tricks with pf and spamd like greytrapping, source tracking,
 blacklisting etc.?

doesn't hurt, will help.
I have no idea why you think what your routers run will influence the
spam sent to you.

You posted a message to a public e-mail list, spammers will figure out
you exist.  You have friends that stick your name along with hundreds of
other names on a stupid send to everyone you know human-propelled

Re: diff of the official FAQ

2007-12-28 Thread Antti Harri

On Fri, 28 Dec 2007, Chris wrote:


I haven't read the FAQ for a while and realize a lot has been changed.
Is there any way I could get a diff on the FAQ for the last 1 year and
read only the parts that have been changed?


Yep use the CVS.

--
Antti Harri



Re: diff of the official FAQ

2007-12-28 Thread Nick Holland
Chris wrote:
 I haven't read the FAQ for a while and realize a lot has been changed.
 Is there any way I could get a diff on the FAQ for the last 1 year and
 read only the parts that have been changed?
 
 Thanks for any help.

cvs web:
http://www.openbsd.org/cgi-bin/cvsweb/www/faq/
will let you look at the diff between any two versions of any page.

The main page of the FAQ has a recent changes section.

And...just start at chapter 1 and start reading. :)  Odds are, you
didn't catch it all the first time, even things that didn't change
will mean something to you now when it didn't the last time you
looked.

(and while reading, make notes of things you think need to be
improved! :)

I refer to it all the time, and I *wrote* much of what I'm going
back to, so if you never have reason to look, either you have a
much better memory than me (entirely possible) or you are missing
out on some good stuff, and not just things that changed.

(I have had people say to me, Hey, you are just looking at the
docs, I thought you knew this?  I WROTE the docs.  Doesn't mean
I remember anything more than 'where to look'.)

Nick.



Re: sparc on Tatung COMPstation U10

2007-12-28 Thread Miod Vallat
 A friend of mine is moving out of town and has a couple Tatung 
 COMPstations U10 in mint condition
 (they come with the original monitors, keyboards, and the mouses) that 
 can be mine for $10 a piece.
 He claims that he is running Debian sparc 64 (with X ) but I believe 
 they are actually sparc architecture not sparc 64.
 
 I looked at the hardware notes for sparc and I see some of Tatung made 
 SUN clones listed but not this particular model (there is also a 
 disclaimer that the list is not complete). Does anyone have any 
 experience in running OpenBSD on them?

Although Tatung is known to have produced clones of sparc (not sparc64)
designs in the past, this name sounds like an Ultra 10 (hence sparc64)
clone.

Miod



Re: OpenBSD as DSL Router using hostname.pppoe0?

2007-12-28 Thread Dieter Rauschenberger
On Sat, Dec 29, 2007 at 05:16:11AM +0100, [EMAIL PROTECTED] wrote:
 Either no developer uses aDSL at home (with a ISP forcing him to reconnect
 every 24 hours) or nobody uses OpenBSD as router or nobody uses the
 connection permanently. :-/

I use the following hostname.pppoe:

inet 0.0.0.0 255.255.255.255 NONE \
pppoedev xl0 authproto pap \
authname '[EMAIL PROTECTED]' authkey 'sEcReT' up
dest 0.0.0.1
!/sbin/route add default -ifp pppoe0 0.0.0.1

with xl0 as external interface (the one to which the adsl modem is
connected) and the following lines in pf.conf to do NAT:

ext_if=pppoe0
int_if=rl0
nat on $ext_if from !($ext_if) -> ($ext_if:0)

It's exactly the setup mentioned in the pppoe(4) EXAMPLES and the pf faq
http://www.openbsd.org/faq/pf/example1.html#allrules

Also my ISP disconnects after 24h, but I have no problem with NAT.
It works perfect!

OT: You did not ask this, but if someone wants to use dyndns in such
a setup ddclient has to run as daemon and do IP detection via pppoe0:

daemon=300  # check every 5 minutes
use=if  # use interface to check for changes (not web, not ip)
if=pppoe0   # use pppoe0 interface for this


Regards
  Dieter



PF, limit remote clients by total bandwidth used over time

2007-12-28 Thread Calomel
Good morning,

Can PF be written to filter client connections based on the total amount of
bandwidth a remote client uploads/downloads over a given time frame?  As
far as I know PF does _NOT_ have this ability.
 

Pf can flush the states of a client ip that has connected too many times in
a given time frame. What I am proposing is an extension to this behavior.

One would be able to write a rule looking at the total amount of
bandwidth the remote client has used and add them to a table if they exceed
this amount in a given time.

For example:   max-src-bandwidth-amount 2000/60

This could be the stateful tracking option to limit a client to 2000
Kilobytes per 60 seconds. The ip could then be dynamically added to a
table, its states flushed and put into a slower queue with limited
bandwidth or blocked completely.

Does anyone else find the ability to limit connections by total bandwidth
used over time to be useful? Perhaps this can be an option request in a
later version of PF.



( Background )

For those wondering how this can be used in the real world it would help...

...a wireless public network. Using the wireless network connection of a
local cafe we offer free Internet access to cafe patrons and people in the
park across the street. The access rules specify a limit of 500meg per
visit per day. Most people are well under this amount and others abuse the
service. 

...limiting a child's downloads on the local LAN at a public school. Some
ISPs will send out warning letters to their customers who use more than
their fair share of bandwidth (100Gig/month). By limiting a local LAN ip
to one gig per day we can make sure to stay under this limit for example.

...stopping people from abusing a ftp or web server on a metered
connection. If you know exactly how much data a normal user is expected to
download then you can set upper limits. If you need to pay for that
bandwidth then there is a financial incentive to stop abusers or broken
clients. For example, suppose we expect an automated bot to get 15 meg per hour
from the ftp server. If we then see clients connect and download 100 meg
per minute, there is a problem and the ips can be blocked or slowed.


Thanks for your time,

--
 Calomel @ http://calomel.org
 Open Source Research and Reference



Re: PF, limit remote clients by total bandwidth used over time

2007-12-28 Thread Peter N. M. Hansteen
Calomel [EMAIL PROTECTED] writes:

 Can PF be written to filter client connections based on the total amount of
 bandwidth a remote client uploads/downloads over a given time frame?  As
 far as I know PF does _NOT_ have this ability.

Well, you already have the possibility of using variables such as
$srcaddr to construct your labels, creating essentially per-client
statistics.  If you write a program that's able to read those
statistics and act upon them, you could for example have your program
move addresses from one table to another based on the accumulated
statistics such as total bytes or packets passed from a specific
address.  The next and final step would be to write your rules with
various-sized queues and logic to assign traffic to queues based on
table membership.

Supply that well-written program and easy to use program (for
PF/OpenBSD values of), and I would think you're a lot closer to a
solution that would fit the basic requirements, ie adding flexibility
without adding clutter to the system at the same time.

Just my EUR 0.02, and maybe better ideas will be had by morning.

All the best,
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.datadok.no/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
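
Added example (not part of the thread, and not code from any poster): a sketch of the label-reading program suggested in the reply above, using the 2000-kilobyte figure from the original question. The function names, the `client-<address>` label convention, the table name passed as an argument and the sample counter lines are all assumptions made for illustration; the column order follows the per-rule statistics described in pfctl(8).

```shell
#!/bin/sh
# Assumptions (hypothetical, not from the thread):
#  - every client has its own labelled rule, label "client-<address>"
#  - `pfctl -s labels` prints one line per labelled rule:
#      label evaluations packets bytes [per-direction counters ...]
#  - rule counters are cleared once per accounting window (`pfctl -z` from cron)

# over_quota LIMIT_BYTES
# Reads label statistics on stdin and prints every client address whose
# summed byte count exceeds LIMIT_BYTES, one per line, sorted.
over_quota() {
    awk -v limit="$1" '
        $1 ~ /^client-/ && NF >= 4 && $4 ~ /^[0-9]+$/ {
            addr = substr($1, 8)                 # strip the "client-" prefix
            # The address ends up on a pfctl command line, so accept only
            # strings made of IPv4/IPv6 address characters.
            if (addr ~ /^[0-9A-Fa-f:.]+$/)
                bytes[addr] += $4                # a client may match several rules
        }
        END { for (a in bytes) if (bytes[a] > limit + 0) print a }
    ' | sort
}

# throttle_over_quota LIMIT_BYTES TABLE
# Adds each over-quota address to TABLE and kills its existing states so
# that new connections are matched against the rules for that table.
throttle_over_quota() {
    ${PFCTL:-pfctl} -s labels | over_quota "$1" | while read -r addr; do
        ${PFCTL:-pfctl} -t "$2" -T add "$addr"
        ${PFCTL:-pfctl} -k "$addr"
    done
}

# Constructed sample input (documentation addresses, invented counters).
sample_labels() { cat <<'EOF'
client-192.0.2.10 1204 8841 2412345 4000 212345 4841 2200000
client-192.0.2.11 310 420 51200 200 20000 220 31200
client-192.0.2.10 88 120 90000 60 40000 60 50000
client-2001:db8::5 90 7000 9000000 3000 1000000 4000 8000000
client-bogus;x 1 1 99999999 1 1 0 0
ssh-in 5 40 4000 20 2000 20 2000
EOF
}

# 2000 kilobytes per window, as in the question; prints the two heavy clients.
sample_labels | over_quota 2048000
```

On a live system, `throttle_over_quota 2048000 throttled` run from cron would do the table update, with the pf.conf rules for the (hypothetical) `<throttled>` table deciding whether those clients are queued slowly or blocked.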