Re: carp and arpresolve: route without link local address
OK. There was a static route (from an old loopback interface test not related to the CARP setup) that pointed to the IP of the carp interface. Seems that this is not supported with CARP. Not documented, so let's do it here:

The message "arpresolve: XX.YY.16.3: route without link local address" can be provoked as follows:

1.) Configure a CARP interface with the IP XX.YY.16.3
2.) Configure a static route that points to the carp interface:
    route add XX.YY.99.99 XX.YY.16.3
3.) If the machine (router) receives packets for XX.YY.99.99, then the above arpresolve error will show up.

- Christian
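An added example, not from Christian's post: a small Python audit that parses the text output of ifconfig(8) and `netstat -rn` and reports any static route whose gateway is an address configured on a carp(4) interface, i.e. the configuration that provokes the arpresolve message above. The two sample outputs are constructed here in OpenBSD's output format, with 10.0.16.3 standing in for XX.YY.16.3 and 10.0.99.99 for XX.YY.99.99; on a real router feed it the live command output instead.

```python
"""Find static routes whose gateway is a carp(4) address.

Added example (not from the post). Parses the text output of ifconfig(8)
and `netstat -rn` in OpenBSD's format and reports every static route
(flag S) whose gateway is an address configured on a carp interface.
Both sample outputs below are constructed; 10.0.16.3 stands in for the
XX.YY.16.3 of the post and 10.0.99.99 for XX.YY.99.99.
"""
import re

# Constructed ifconfig(8) output: a physical em0 and the carp0 on top of it.
IFCONFIG_OUT = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 10.0.16.2 netmask 0xffffff00 broadcast 10.0.16.255
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
        inet 10.0.16.3 netmask 0xffffff00 broadcast 10.0.16.255
"""

# Constructed `netstat -rn` output; the third route is the problematic one
# (static route whose gateway is the carp address), as created with
# "route add 10.0.99.99 10.0.16.3".
NETSTAT_OUT = """\
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            10.0.16.1          UGS        0        0     -     8 em0
10.0.16/24         link#1             UC         1        0     -     4 em0
10.0.99.99         10.0.16.3          UGHS       0        0     -     8 carp0
127/8              127.0.0.1          UGRS       0        0 33200     8 lo0
"""

IFACE_HEADER = re.compile(r"^(\S+): flags=")
INET_LINE = re.compile(r"^\s+inet (\d+\.\d+\.\d+\.\d+)\s")


def carp_addresses(ifconfig_text):
    """Return {ipv4_address: interface} for every inet address on a carp interface."""
    addrs = {}
    current = None
    for line in ifconfig_text.splitlines():
        m = IFACE_HEADER.match(line)
        if m:
            current = m.group(1)
            continue
        m = INET_LINE.match(line)
        if m and current is not None and current.startswith("carp"):
            addrs[m.group(1)] = current
    return addrs


def static_routes(netstat_text):
    """Return (destination, gateway, flags, iface) for every route with flag S."""
    routes = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # A route line has at least Destination Gateway Flags ... Iface;
        # the "Routing tables" / "Internet:" lines are shorter, and the
        # column header starts with the word Destination.
        if len(fields) < 8 or fields[0] == "Destination":
            continue
        dest, gateway, flags, iface = fields[0], fields[1], fields[2], fields[-1]
        if "S" in flags:
            routes.append((dest, gateway, flags, iface))
    return routes


def routes_via_carp(ifconfig_text, netstat_text):
    """Static routes whose gateway is a carp address: (destination, gateway, carp_iface)."""
    carp = carp_addresses(ifconfig_text)
    return [(dest, gw, carp[gw])
            for dest, gw, _flags, _iface in static_routes(netstat_text)
            if gw in carp]


if __name__ == "__main__":
    for dest, gw, iface in routes_via_carp(IFCONFIG_OUT, NETSTAT_OUT):
        print("static route to %s via %s, which is the address of %s" % (dest, gw, iface))
```

On a live router, replace the two constants with the captured output of `ifconfig` and `netstat -rn` (for example via subprocess) and run the check from cron or before a failover test; any route it lists is one whose next hop will stop resolving as soon as the carp interface is not master.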
Re: Anyone from this list at BlackHat or DefCon? And a query...
On Thu, June 26, 2008 12:07 am, Amarendra Godbole wrote:

Hi, It would be a pleasure meeting folks on this mailing list, including OBSD developers, at BH or DefCon. Thanks. It is generally said that the BH or DefCon wireless network is hostile, and sane individuals must not use their laptop for the risk of being compromised. My question is: if I use OpenBSD -current, with not much additional configuration (apart from the Intel wifi firmware), will the connection be reasonably secure? (Not sure if this hostility is a publicity stunt). Thanks again.

Get a laptop with an Alpha chip and run OpenVMS :-)

Also, don't worry about BH. That is the one for types who need to burn company or federal money set aside for training. Mostly just a bunch of clueless douchebags with goatees and vendor schwag.

Randy
setting PKG_CACHE stopps pkg_add
(this is i386, 4.3 release)

PKG_PATH contains three locations:
0) PKG_CACHE dir
1) first http server (mirror.switch.ch)
2) second http server (mirror.startek.ch)

# echo $PKG_PATH
/pkg_cache/:http://mirror.switch.ch/ftp/pub/OpenBSD/4.3/packages/i386/:http://mirror.startek.ch/OpenBSD/pkg/i386/e17/

e17 packages are only available in 2). Now there is an interesting phenomenon:

# pkg_add -x e-20071211p3
Error from http://mirror.switch.ch/ftp/pub/OpenBSD/4.3/packages/i386/e-20071211p3.tgz: ftp: Error retrieving file: 404 Not Found
Error from http://mirror.switch.ch/ftp/pub/OpenBSD/4.3/packages/i386/e-20071211p3.tgz: ftp: Error retrieving file: 404 Not Found
Error from http://mirror.switch.ch/ftp/pub/OpenBSD/4.3/packages/i386/e-20071211p3.tgz: ftp: Error retrieving file: 404 Not Found
Error from http://mirror.switch.ch/ftp/pub/OpenBSD/4.3/packages/i386/e-20071211p3.tgz: ftp: Error retrieving file: 404 Not Found
Error from http://mirror.switch.ch/ftp/pub/OpenBSD/4.3/packages/i386/e-20071211p3.tgz: ftp: Error retrieving file: 404 Not Found
Error from http://mirror.switch.ch/ftp/pub/OpenBSD/4.3/packages/i386/e-20071211p3.tgz: ftp: Error retrieving file: 404 Not Found

which is ok, since e17 is neither in 0) nor present on 1). However, e17 is also NOT found on 2), though it is present there - and it stops (hangs). When I then press CTRL-C:

^CError from http://mirror.startek.ch/OpenBSD/pkg/i386/e17/e-20071211p3.tgz: http fetch aborted.
Adding e-20071211p3:sdl-1.2.13p0
. . . (continues normally)

Though the above looks as if the server is just slow (http fetch aborted), it actually isn't fetching anything. Even after hours, it just stays there.

Now the fun part comes: When I do NOT set PKG_CACHE then pkg_add works as expected:

# echo $PKG_PATH
http://mirror.switch.ch/ftp/pub/OpenBSD/4.3/packages/i386/:http://mirror.startek.ch/OpenBSD/pkg/i386/e17/
# pkg_add -x e-20071211p3
Error from http://mirror.switch.ch/ftp/pub/OpenBSD/4.3/packages/i386/e-20071211p3.tgz: ftp: Error retrieving file: 404 Not Found
Error from http://mirror.switch.ch/ftp/pub/OpenBSD/4.3/packages/i386/e-20071211p3.tgz: ftp: Error retrieving file: 404 Not Found
Error from http://mirror.switch.ch/ftp/pub/OpenBSD/4.3/packages/i386/e-20071211p3.tgz: ftp: Error retrieving file: 404 Not Found
Error from http://mirror.switch.ch/ftp/pub/OpenBSD/4.3/packages/i386/e-20071211p3.tgz: ftp: Error retrieving file: 404 Not Found
Error from http://mirror.switch.ch/ftp/pub/OpenBSD/4.3/packages/i386/e-20071211p3.tgz: ftp: Error retrieving file: 404 Not Found
Error from http://mirror.switch.ch/ftp/pub/OpenBSD/4.3/packages/i386/e-20071211p3.tgz: ftp: Error retrieving file: 404 Not Found
Adding e-20071211p3:sdl-1.2.13p0
. . . (no hang, normal installation)

In other words: As soon as I set PKG_CACHE, even when not including it in PKG_PATH, I see pkg_add stopping. Any insights are welcome. Maybe I just overlooked something in the archives or man pages?

Thanks, Stephan
-- 
--- StarTek - secure by design
Tel ++41 44 500 111-0 Postfach 19
Fax ++41 44 500 111-2 CH-8118 Pfaffhausen/ZH
Web http://startek.ch
RSA public key: http://startek.ch/people/star/publickey.asc
---
Re: OpenOSPF routing and CARP issues (?)
On Fri, Jun 20 2008 at 48:12, Chris Naselli wrote:

Hi all!

Hi,

[...]

OpenOSPFD has the following configuration:

area 0.0.0.0 {
	interface em0   # carped with carp0
	interface em1   # carped with carp1
	interface carp2
}

In this topology I found a problem: the OpenOSPF daemon is configured with interface carpX for every interface except em0/em1, to announce the connected interface only if master; however all the routes learned from the other Cisco router behind it are announced anyway, thus causing (unwanted) traffic also to the router in backup carp state. How can I make OpenBSD redistribute OSPF-learned routes only if the carp state is master, even if in ospfd.conf I have configured interface em0 (and not interface carp0)? Is my topology just broken?

If you wish to execute commands (for example ospfd) regarding carp states, I recommend you check ifstated(8) and ifstated.conf(5).

Sorry for the long email and thanks in advance.

Sorry I shortened it :)

Claer
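As an added example (not from the thread and not OpenBSD's own sample configuration), an /etc/ifstated.conf in the syntax of ifstated.conf(5) that tracks the carp0 master/backup state and runs ospfctl(8) on each transition, which is the mechanism Claer's reply points to. It assumes the carp interface is named carp0, and that the `ospfctl fib couple` / `ospfctl fib decouple` subcommands are what you want to run on each state change (they control whether ospfd installs learned routes into the kernel routing table). Whether that, or the `depend on` keyword of ospfd.conf(5), gives the announcement behaviour Chris asks about is something to verify against those man pages on the release in use.

```conf
# /etc/ifstated.conf (added example, not from the thread).
# In ifstated.conf(5), "carpN.link.up" is true while carpN is master.
# Assumptions: the carp interface is carp0, and the two ospfctl(8)
# subcommands below are the desired actions on each transition.

init-state auto

carp_master = "carp0.link.up"

# Pick the initial state from the current carp0 status at startup.
state auto {
	if $carp_master
		set-state master
	if ! $carp_master
		set-state backup
}

# Master: let ospfd install learned routes into the kernel table.
state master {
	init {
		run "/usr/sbin/ospfctl fib couple"
	}
	if ! $carp_master
		set-state backup
}

# Backup: stop installing learned routes until we become master again.
state backup {
	init {
		run "/usr/sbin/ospfctl fib decouple"
	}
	if $carp_master
		set-state master
}
```

Test the file with `ifstated -n` before enabling it, and watch the transitions with `ifstated -d` while forcing a carp failover (for example by raising advskew on the master), so that the actions run on the state change you expect and nothing flaps.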
Re: OT: Dissertation ideas for my degree
Hello!

On Tue, Jun 24, 2008 at 07:06:53PM +0400, Vadim Zhukov wrote:

20 June 2008 22:13:12 Julien Cabillot wrote:

On Wed, 18 Jun 2008 23:53:33 +0100, Edd Barrett [EMAIL PROTECTED] wrote:

Paul Irofti wrote: Or a cli music database collection, that scans your media with given regexp and scans for ID3 Tags and what not, with minimal user interaction.

mpd + ncmpc? In ports :)

ncmpc is cool, but writing the password in clear text in the arguments is not a good solution.

You can set up the password in an environment variable. In such cases I write wrapper scripts (say, ~/bin/ncmpc.my) and, possibly, add a shell alias like ncmpc=~/bin/ncmpc.my.

Writing clear text in the environment is no better than in arguments. See the -e option in ps(1) (look for -e in the manual page).

Kind regards, Hannah.
Re: OT: Dissertation ideas for my degree
27 June 2008 13:52:12 Hannah Schroeter wrote:

Hello!

On Tue, Jun 24, 2008 at 07:06:53PM +0400, Vadim Zhukov wrote:

20 June 2008 22:13:12 Julien Cabillot wrote:

On Wed, 18 Jun 2008 23:53:33 +0100, Edd Barrett [EMAIL PROTECTED] wrote:

Paul Irofti wrote: Or a cli music database collection, that scans your media with given regexp and scans for ID3 Tags and what not, with minimal user interaction.

mpd + ncmpc? In ports :)

ncmpc is cool, but writing the password in clear text in the arguments is not a good solution.

You can set up the password in an environment variable. In such cases I write wrapper scripts (say, ~/bin/ncmpc.my) and, possibly, add a shell alias like ncmpc=~/bin/ncmpc.my.

Writing clear text in the environment is no better than in arguments. See the -e option in ps(1) (look for -e in the manual page).

Kind regards, Hannah.

The more you live, the more you learn. :( Thanks.

-- 
Best wishes,
Vadim Zhukov
Re: Net-SNMP segfaults under OpenBSD 4.3
On Wed, 2008-06-25 at 11:17 -0400, (private) HKS wrote:

In my quest for real SNMP monitoring of OpenBSD, I installed net-snmp-5.4.1p0 on an OpenBSD 4.3 box via packages. The executable segfaults every time I try to run it. This happens with or without command-line options, with my custom config file or the default config file. I've tested with two different machines, two different mirrors, and seen no change. I've not yet tried building net-snmp from the ports system, but that's my next step. Has anybody else run into this?

I've seen this, too. But a package made out of the port will work.

Stephan
Re: Continuation of OpenBSD's Stop the Blob
On Fri, Jun 27, 2008 at 07:17:34AM +0200, Thilo Pfennig wrote:

Theo de Raadt wrote:

Hi Theo,

I hope that nothing I ever say holds back our developers or community from doing what is right. I did not realize that the GNU and Linux kernel hackers were such dutiful slaves.

Well yeah, the system is called capitalism and many hackers behave like slaves in this or another way.

No my friend it is the other way around. GNU makes developers slaves to their users. In my world I develop code for me; if you like it good for you; if you don't equally good for you. I don't owe you anything. Capitalism can only be enabled by the proper amount of freedom (actual freedom, not what GNU calls freedom). You are talking about people that think there is morality in big words without living up to their side of the bargain.

If you see a fucked up system, do you want to fight it? Or do you want to defend the people who don't fight it? I think you are an apologist for those who don't fight the system.

Many people see me rather as an open source dogmatist. Personally I am trying to get the big picture WITHOUT being a fanboy of ANY OS.

You are what I would call an OS intelligent design or creationist. This is exactly the excuse they use too.

And also, as you all know, open documentation has gone a long way till today.

No. Open documentation has NOT gone a long way at all.

I only know that no hardware I used had been supported and there was no documentation for it when I started running Linux - and that now many companies share their information, from companies who did not even know about FLOSS back then or would have declined to open source anything or share any information. So, sure there is still also a long way to go, but to say nothing has happened is also wrong and it would also mean that OpenBSD has not accomplished anything in that matter?

You all think this is all about 2 kinds of video cards. Video cards, video cards, video cards, video cards, video cards, video cards, video cards, video cards... cry cry cry. What about all the rest of the things in a machine?

I cited that because it was falsely stated that Linux hackers have never tried to change the situation and would do so now for the first time. They sure haven't done enough, or focused too much on only a few hardware bits like you pointed out. But that wasn't the point.

It is true; the best they have done is say, "hey man can you guys please help?", "oh where do I sign?". It is like most things GNU, lip service without action.

Where do you come up with this load of crap? The eeepc has an UNDOCUMENTED ethernet chip and an UNDOCUMENTED wireless chip.

Actually I have to admit that I just assumed that that would be the case. I should have checked that.

Exactly, assumptions, assumptions, assumptions! See you fit right in with the other GNU fanboys that believe their spiritual leader: blah blah blah without research.

What a load of crap. You don't know what you are talking about. Everything else you said is exactly the same blathering; you are trying to say happy Linux things but there are no facts to support that the Linux crew or FSF has done ANYTHING which has gotten documentation for hardware out there. They have failed to use their dominant position to anyone else, and they have done a damn poor job of even supporting themselves.

Just for the records: Does this mean that you either count documentation releases like AMD's as in fact NOTHING, or SOMETHING that has only happened because of OpenBSD?

That is as it should be! Why are you giving cookies to companies that do what they are supposed to do? And how long did it take for AMD to free up docs? And why? Answer those questions and suddenly you'll see it wasn't out of the goodness of their hearts.

Also I thought Coreboot was a good idea. It is not?

Sure if you have 1 of the 2 supported motherboards. What did they do?

Linux developers and the companies that employ them have spent the last ten years signing NDAs with vendors, and therefore only that very small group of people have the documentation. It's not even lots of Linux developers who have those docs; no, in each case it is typically 1-3 developers who have docs for a particular chipset, and then when a bug is found by an outsider he has to work without docs.

ACK

It wasn't my intention to anger anybody, but obviously I did. As it turns out this is seen by some as not only a matter of truth but also something very emotional. What I basically was trying to say is that from my recognition this is not the first time Linux hackers have spoken up. I can't offer any proof against the cases you have made because I have not investigated the matters in depth and it would take quite some time.

They pretend to speak up followed by no action. In fact GNU fanboys come to the rescue of closed source companies
Re: Net-SNMP segfaults under OpenBSD 4.3
On Fri, Jun 27 2008 at 13:12, Stephan A. Rickauer wrote:

On Wed, 2008-06-25 at 11:17 -0400, (private) HKS wrote:

In my quest for real SNMP monitoring of OpenBSD, I installed net-snmp-5.4.1p0 on an OpenBSD 4.3 box via packages. The executable segfaults every time I try to run it. This happens with or without command-line options, with my custom config file or the default config file. I've tested with two different machines, two different mirrors, and seen no change. I've not yet tried building net-snmp from the ports system, but that's my next step. Has anybody else run into this?

I've seen this, too. But a package made out of the port will work.

Repeatable also here. We built the net-snmp package from ports.

Claer
Re: Continuation of OpenBSD's Stop the Blob
Marco Peereboom wrote:

Many people see me rather as an open source dogmatist. Personally I am trying to get the big picture WITHOUT being a fanboy of ANY OS.

You are what I would call an OS intelligent design or creationist. This is exactly the excuse they use too.

You're funny, so there are only two options: either be a fanboy, or if you aren't, that's the proof you are? How can somebody not be a fanboy then? I don't really get the intelligent design relation. Your reasoning sounds to me like the ones from conspiracy theorists that say that the denial of the government that UFOs exist is the proof that they exist.

Just for the records: Does this mean that you either count documentation releases like AMD's as in fact NOTHING, or SOMETHING that has only happened because of OpenBSD?

That is as it should be! Why are you giving cookies to companies that do what they are supposed to do? And how long did it take for AMD to free up docs? And why? Answer those questions and suddenly you'll see it wasn't out of the goodness of their hearts.

I suppose it took so long because AMD is paranoid like many companies. The interesting question in this thread would be why they did open up more at all. Because OpenBSD pushed them to do it? Please share your wisdom and tell me why they did it?

It was projects like OpenBSD that showed what bold faced liars they were for them to change their ways. It was action of the unfriendly kind that got stuff done. Get your facts straight.

In which cases?

Regards,
Thilo
-- 
Thilo Pfennig - PfennigSolutions IT-Beratung - Wiki-Systeme
Sandkrug 28 - 24143 Kiel (Germany)
http://www.pfennigsolutions.de/
XING: https://www.xing.com/profile/Thilo_Pfennig - LinkedIn: http://www.linkedin.com/in/tpfennig
The Dangers of Aspartame
Hello to all of you.. Information to pass on.. it's very important. I am writing you this message to give you a major piece of information.. about aspartame and the danger of this product to our health... I am going to ask one thing of you: simply forward this message to those around you, your family, your friends... click on this link and you will have all the information on the dangers that aspartame represents. See ALL the Dangers of Aspartame. Aspartame is found above all in all the 0% products, coca cola, soda, yogurts etc.. you even buy it to put in your coffee, chemical sugar.. The risk is enormous: this chemical sugar is in fact a mini-cyanide.. and as time goes by, you poison yourself.. In the USA... there is already a lot of damage. For more info.. look at this slideshow that I put on the site, which saves some of you from having to buy software to read it. It comes straight from an association that defends the interests of all of us. This information must go around the world.. Thank you and see you very soon Corinne
isakmpd -- NCP IPsec client: peer proposed invalid phase 2 IDs
Hi folks,

I am trying to setup an IPsec connection between OpenBSD and WindowsXP (NCP IPsec client). ipsec.conf is just a single line:

ike passive esp from 192.168.5.1 to 192.168.1.249

(192.168.1.249 is the Windows PC.)

Phase I seems to work, but in Phase II isakmpd complains:

Jun 27 14:55:34 fw01 isakmpd[30626]: log_packet_init: starting IKE packet capture to file /var/run/isakmpd.dump
Jun 27 14:56:30 fw01 isakmpd[30626]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id c0a801f9: 192.168.1.249, responder id c0a80501/: 192.168.5.1/255.255.255.255
Jun 27 14:56:30 fw01 isakmpd[30626]: dropped message from 192.168.1.249 port 500 due to notification type NO_PROPOSAL_CHOSEN
Jun 27 14:56:35 fw01 isakmpd[30626]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id c0a801f9: 192.168.1.249, responder id c0a80501/: 192.168.5.1/255.255.255.255
Jun 27 14:56:35 fw01 isakmpd[30626]: dropped message from 192.168.1.249 port 500 due to notification type NO_PROPOSAL_CHOSEN
Jun 27 14:56:38 fw01 isakmpd[30626]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id c0a801f9: 192.168.1.249, responder id c0a80501/: 192.168.5.1/255.255.255.255
Jun 27 14:56:38 fw01 isakmpd[30626]: dropped message from 192.168.1.249 port 500 due to notification type NO_PROPOSAL_CHOSEN
Jun 27 14:56:41 fw01 isakmpd[30626]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id c0a801f9: 192.168.1.249, responder id c0a80501/: 192.168.5.1/255.255.255.255
Jun 27 14:56:41 fw01 isakmpd[30626]: dropped message from 192.168.1.249 port 500 due to notification type NO_PROPOSAL_CHOSEN

Looking into the negotiation packets I see at the beginning of Phase II:

14:56:30.370925 192.168.1.249.500 > 192.168.5.1.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
	cookie: 27b9931138233444-5f559cf7b1c1dda0 msgid: 45305a4f len: 220
	payload: HASH len: 24
	payload: SA len: 92 DOI: 1(IPSEC) situation: IDENTITY_ONLY
		payload: PROPOSAL len: 40 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x8b62522d
			payload: TRANSFORM len: 28
				transform: 1 ID: AES
					attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
					attribute ENCAPSULATION_MODE = TUNNEL
					attribute LIFE_TYPE = SECONDS
					attribute LIFE_DURATION = 28800
					attribute KEY_LENGTH = 256
		payload: PROPOSAL len: 40 proposal: 2 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xdc14778f
			payload: TRANSFORM len: 28
				transform: 1 ID: AES
					attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
					attribute ENCAPSULATION_MODE = TUNNEL
					attribute LIFE_TYPE = SECONDS
					attribute LIFE_DURATION = 28800
					attribute KEY_LENGTH = 128
	payload: NONCE len: 44
	payload: ID len: 12 type: IPV4_ADDR = 192.168.1.249
	payload: ID len: 16 type: IPV4_ADDR_SUBNET = 192.168.5.1/255.255.255.255 [ttl 0] (id 1, len 248)
14:56:30.371301 192.168.5.1.500 > 192.168.1.249.500: [udp sum ok] isakmp v1.0 exchange INFO
	cookie: 27b9931138233444-5f559cf7b1c1dda0 msgid: 93170a11 len: 64
	payload: HASH len: 24
	payload: NOTIFICATION len: 12 notification: NO PROPOSAL CHOSEN [ttl 0] (id 1, len 92)

Obviously isakmpd doesn't like something in the negotiation packet sent by the NCP IPsec client on Windows. Anybody got an idea?

Regards
Harri
Question about tags and ipsec.conf
Hi list,

I have a firewall using the - very elegant - ipsec.conf to build tunnels to various Ciscos, Watchguards and other OpenBSD machines. My /etc/ipsec.conf is autogenerated and contains lots of:

# bla-bla.router.company.example - router for location bla-bla
ike esp from 192.168.100.0/24 to 192.168.145.0/24 peer xxx.xxx.xxx.xxx \
	main auth hmac-sha1 enc 3des group modp1024 \
	quick auth hmac-sha1 enc 3des group modp1024 \
	psk IWouldLoveTheGoatThankYouVeryMuch tag bla-bla.router.company.example

To identify the packets belonging to a particular VPN we assign a tag to each connection corresponding to its location name.

Recently I had an IP address of a location change, so I modified the IP address in ipsec.conf, carefully checked with -n and reloaded. This did not cause a new SA to be created to the new IP address. After much head-scratching I eventually changed the tag to something else and the tunnel was created right away.

I thought tags were just tacked onto a packet by PF to facilitate further internal handling, but apparently there is more to it than that. Is this by design and am I missing some important point about either ipsec.conf or tagging? (or states?)

On a related note, it would be nice to have had a -K flow switch for ipsecctl to delete specific flows. But I imagine there is a good reason for its absence due to the change of requiring -k to show secret keying material.

IPSec on this firewall has been absolutely rock-solid by the way, about 60 flows using a mix of 3DES and AES. Much better than the fancy Watchguard box that it replaced.

-- 
Michiel van der Kraats
Re: Continuation of OpenBSD's Stop the Blob
Thilo Pfennig wrote:

The popularity of Linux has helped to create a market that has better and more open documentation - and machines that are made to work perfectly with Linux (like eeepc) are more easily made to work perfectly for OpenBSD and other free OSes.

Hehe, thanks for the good laugh! Thilo, you already look like a fool. Please do yourself a favor and get some education before spreading bullshit on this list. It's clear you don't know what you are talking about.

Regards,
Mark.
BA-Con 2008 CFP - Buenos Aires Sept. 30 / Oct. 1 (closes July 11 2008)
BA-Con 2008 CALL FOR PAPERS

BUENOS AIRES, Argentina -- The first annual BA-Con applied technical security conference - where the eminent figures in the international and South American security industry will get together and share best practices and technology - will be held in Buenos Aires on September 30 and October 1st, 2008. The most significant new discoveries about computer network hack attacks and defenses, commercial security solutions, and pragmatic real world security experience will be presented in a series of informative tutorials.

The BA-Con meeting provides local and international researchers a relaxed, comfortable environment to learn from informative tutorials on key developments in security technology, and collaborate and socialize with their peers in one of South America's largest metropolises. All material will be translated into both Spanish and English. Evening social activities will be planned to provide personal networking opportunities.

The BA-Con conference will also feature the availability of the Security Masters Dojo expert network security sensei instructors, and their advanced and intermediate hands-on training courses - featuring small class sizes and practical application exercises to maximize information transfer.

We would like to announce the opportunity to submit papers and lightning talk proposals for selection by the international BA-Con technical review committee. Please make your paper proposal submissions before July 11th, 2008. Some invited papers have been confirmed, but a limited number of speaking slots are still available. The conference is responsible for travel and accommodations for the speakers. If you have a proposal for a tutorial session then please email a synopsis of the material and your biography, papers and speaking background to secwest08 [at] ba-con.com.ar .

Only slides will be needed for the September paper deadline; full text does not have to be submitted, but will be accepted and translated on a best effort basis if available.

The BA-Con 2008 conference consists of tutorials on technical details about current issues, innovative techniques and best practices in the information security realm. The audiences are a multi-national mix of professionals involved on a daily basis with security work: security product vendors, programmers, security officers, and network administrators. We give preference to technical details and new education for a technical audience.

The conference itself is a single track series of presentations in a lecture theater environment. The presentations offer speakers the opportunity to showcase on-going research and collaborate with peers while educating and highlighting advancements in security products and techniques. The focus is on innovation, tutorials, and education instead of product pitches. Some commercial content is tolerated, but it needs to be backed up by a technical presenter - either giving a valuable tutorial and best practices instruction or detailing significant new technology in the products.

Paper proposals should consist of the following information:

1. Presenter, and geographical location (country of origin/passport) and contact info (e-mail, postal address, phone, fax).
2. Employer and/or affiliations.
3. Brief biography, list of publications and papers.
4. Any significant presentation and educational experience/background.
5. Topic synopsis, proposed paper title, and a one paragraph description.
6. Reason why this material is innovative or significant or an important tutorial.
7. Optionally, any samples of prepared material or outlines ready.
8. Will you have full text available or only slides?
9. Please list any other publications or conferences where this material has been or will be published/submitted.
10. Do you have any special demo or network requirements for your presentation?

Please include the plain text version of this information in your email as well as any file, pdf, sxw, ppt, or html attachments. Please forward the above information to secwest08 [at] ba-con.com.ar to be considered for placement on the speaker roster or to have your lightning talk scheduled.

We would like to extend a special thanks to our local partners at Core Security Technologies, and the gracious sponsorship of Microsoft and Symantec for making this event possible and letting us keep the registration fee lower in local currency while letting us cover the costs of international speakers.

cheers,
--dr
-- 
World Security Pros. Cutting Edge Training, Tools, and Techniques
Buenos Aires, Argentina   Sept. 30 / Oct. 1 - 2008
Re: Continuation of OpenBSD's Stop the Blob
On Fri, Jun 27, 2008 at 8:21 AM, Thilo Pfennig [EMAIL PROTECTED] wrote:

Marco Peereboom wrote:

It was projects like OpenBSD that showed what bold faced liars they were for them to change their ways. It was action of the unfriendly kind that got stuff done. Get your facts straight.

In which cases?

You will have to do some research, but it's in misc's archives.

-- 
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
This officer's men seem to follow him merely out of idle curiosity. -- Sandhurst officer cadet evaluation.
Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted. -- Gene Spafford
learn french: http://www.youtube.com/watch?v=j1G-3laJJP0feature=related
You still have time to win
Top Shop Football fever is nearing its end. Will you be a winner too? Top Shop Today is your last chance to collect more points, so hurry and answer the last question of the Euro 2008 prize quiz. For the correct answer to this question you get 10 more bonus points. We remind you: every point counts! So far, you have 10 points. And you still have time to win. Don't forget! Until 30.6.2008, when the prize game "My favourite - Euro 2008" ends, you have a chance to win the main prize: a Samsung LCD TV or one of the other valuable prizes. Click here to win extra points and to recommend the game to another one of your friends! If you no longer wish to receive our electronic messages, click here. Enter your exact e-mail address in the form on the web page and confirm the unsubscription. Studio Moderna d.o.o., Laze Nančića 50, 21000 Novi Sad, Tel: 021 489 26 60, Fax: 021 489 26 08, E-mail: [EMAIL PROTECTED] If you would no longer like to receive our emails please unsubscribe by clicking here.
Re: isakmpd -- NCP IPsec client: peer proposed invalid phase 2 IDs
I do not know whether the Windows XP native IPsec stack supports AES; I know it only supports up to 3des. With OpenBSD, the default is AES (128), that is why IKE is giving you NO_PROPOSAL_CHOSEN. Change your settings to include 3des and sha1 (or maybe md5) and you would get quick mode working.

Prabhu

- Harald Dunkel wrote:

Hi folks,

I am trying to setup an IPsec connection between OpenBSD and WindowsXP (NCP IPsec client). ipsec.conf is just a single line:

ike passive esp from 192.168.5.1 to 192.168.1.249

(192.168.1.249 is the Windows PC.)

Phase I seems to work, but in Phase II isakmpd complains:

Jun 27 14:55:34 fw01 isakmpd[30626]: log_packet_init: starting IKE packet capture to file /var/run/isakmpd.dump
Jun 27 14:56:30 fw01 isakmpd[30626]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id c0a801f9: 192.168.1.249, responder id c0a80501/: 192.168.5.1/255.255.255.255
Jun 27 14:56:30 fw01 isakmpd[30626]: dropped message from 192.168.1.249 port 500 due to notification type NO_PROPOSAL_CHOSEN
Jun 27 14:56:35 fw01 isakmpd[30626]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id c0a801f9: 192.168.1.249, responder id c0a80501/: 192.168.5.1/255.255.255.255
Jun 27 14:56:35 fw01 isakmpd[30626]: dropped message from 192.168.1.249 port 500 due to notification type NO_PROPOSAL_CHOSEN
Jun 27 14:56:38 fw01 isakmpd[30626]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id c0a801f9: 192.168.1.249, responder id c0a80501/: 192.168.5.1/255.255.255.255
Jun 27 14:56:38 fw01 isakmpd[30626]: dropped message from 192.168.1.249 port 500 due to notification type NO_PROPOSAL_CHOSEN
Jun 27 14:56:41 fw01 isakmpd[30626]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id c0a801f9: 192.168.1.249, responder id c0a80501/: 192.168.5.1/255.255.255.255
Jun 27 14:56:41 fw01 isakmpd[30626]: dropped message from 192.168.1.249 port 500 due to notification type NO_PROPOSAL_CHOSEN

Looking into the negotiation packets I see at the beginning of Phase II:

14:56:30.370925 192.168.1.249.500 > 192.168.5.1.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
	cookie: 27b9931138233444-5f559cf7b1c1dda0 msgid: 45305a4f len: 220
	payload: HASH len: 24
	payload: SA len: 92 DOI: 1(IPSEC) situation: IDENTITY_ONLY
		payload: PROPOSAL len: 40 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x8b62522d
			payload: TRANSFORM len: 28
				transform: 1 ID: AES
					attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
					attribute ENCAPSULATION_MODE = TUNNEL
					attribute LIFE_TYPE = SECONDS
					attribute LIFE_DURATION = 28800
					attribute KEY_LENGTH = 256
		payload: PROPOSAL len: 40 proposal: 2 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xdc14778f
			payload: TRANSFORM len: 28
				transform: 1 ID: AES
					attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
					attribute ENCAPSULATION_MODE = TUNNEL
					attribute LIFE_TYPE = SECONDS
					attribute LIFE_DURATION = 28800
					attribute KEY_LENGTH = 128
	payload: NONCE len: 44
	payload: ID len: 12 type: IPV4_ADDR = 192.168.1.249
	payload: ID len: 16 type: IPV4_ADDR_SUBNET = 192.168.5.1/255.255.255.255 [ttl 0] (id 1, len 248)
14:56:30.371301 192.168.5.1.500 > 192.168.1.249.500: [udp sum ok] isakmp v1.0 exchange INFO
	cookie: 27b9931138233444-5f559cf7b1c1dda0 msgid: 93170a11 len: 64
	payload: HASH len: 24
	payload: NOTIFICATION len: 12 notification: NO PROPOSAL CHOSEN [ttl 0] (id 1, len 92)

Obviously isakmpd doesn't like something in the negotiation packet sent by the NCP IPsec client on Windows. Anybody got an idea?

Regards
Harri
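An added example, not from Harri's or Prabhu's messages: a Python helper that decodes the hex identities isakmpd prints in its "peer proposed invalid phase 2 IDs" line and compares them with the endpoints of the one-line ipsec.conf flow, so both sides' phase 2 identities (address, netmask, and whether each matches the configured flow) can be checked side by side before anything is changed. The log lines and the flow are the ones quoted in the thread; the field names of the result dictionary are this example's own.

```python
"""Decode the identities in isakmpd's "peer proposed invalid phase 2 IDs" line.

Added example, not from the thread. isakmpd logs each phase 2 identity
twice, as hex in network byte order and as text; this decodes the hex
form, separates an optional netmask, and compares both identities with
the endpoints of an ipsec.conf "from A to B" flow. The log lines and the
flow below are the ones quoted in the thread; the keys of the result
dictionary are this example's own naming.
"""
import re
import socket
import struct

# Two lines from the thread: the ID complaint and the drop that follows it.
LOG_LINES = [
    "Jun 27 14:56:30 fw01 isakmpd[30626]: responder_recv_HASH_SA_NONCE: "
    "peer proposed invalid phase 2 IDs: initiator id c0a801f9: 192.168.1.249, "
    "responder id c0a80501/: 192.168.5.1/255.255.255.255",
    "Jun 27 14:56:30 fw01 isakmpd[30626]: dropped message from 192.168.1.249 "
    "port 500 due to notification type NO_PROPOSAL_CHOSEN",
]

# The single-line ipsec.conf from the thread: local side first, remote second.
IPSEC_CONF = "ike passive esp from 192.168.5.1 to 192.168.1.249"

# "<hex>[/<hexmask>]: <text>" for each side; the responder's hex carries an
# empty "/" mask field in the quoted line, hence the optional group.
ID_RE = re.compile(
    r"peer proposed invalid phase 2 IDs: "
    r"initiator id (?P<ihex>[0-9a-f]+)(?:/[0-9a-f]*)?: (?P<itxt>\S+), "
    r"responder id (?P<rhex>[0-9a-f]+)(?:/[0-9a-f]*)?: (?P<rtxt>\S+)"
)


def hex_to_ipv4(hexstr):
    """'c0a801f9' -> '192.168.1.249'; the hex is the address in network byte order."""
    return socket.inet_ntoa(struct.pack("!I", int(hexstr, 16)))


def split_id(text):
    """'192.168.5.1/255.255.255.255' -> ('192.168.5.1', '255.255.255.255');
    a bare address gives (address, None)."""
    addr, _, mask = text.partition("/")
    return addr, (mask or None)


def parse_flow(conf_line):
    """Return (local, remote) from an ipsec.conf 'from A to B' rule."""
    m = re.search(r"\bfrom (\S+) to (\S+)", conf_line)
    if not m:
        raise ValueError("no 'from A to B' in: %r" % conf_line)
    return m.group(1), m.group(2)


def diagnose(log_lines, conf_line):
    """One result per ID complaint: decoded identities and how they relate to the flow."""
    local, remote = parse_flow(conf_line)
    results = []
    for line in log_lines:
        m = ID_RE.search(line)
        if not m:
            continue  # not an ID complaint (e.g. the "dropped message" line)
        init_addr, init_mask = split_id(m.group("itxt"))
        resp_addr, resp_mask = split_id(m.group("rtxt"))
        results.append({
            "initiator": init_addr,
            "initiator_hex_ok": hex_to_ipv4(m.group("ihex")) == init_addr,
            "initiator_is_flow_remote": init_addr == remote,
            # The peer sent its own ID as a plain address but ours as an
            # address/netmask pair; the same distinction shows up in the
            # tcpdump output as IPV4_ADDR versus IPV4_ADDR_SUBNET.
            "initiator_id_type": "subnet" if init_mask else "address",
            "responder": resp_addr,
            "responder_hex_ok": hex_to_ipv4(m.group("rhex")) == resp_addr,
            "responder_is_flow_local": resp_addr == local,
            "responder_id_type": "subnet" if resp_mask else "address",
            "responder_mask": resp_mask,
        })
    return results


if __name__ == "__main__":
    for r in diagnose(LOG_LINES, IPSEC_CONF):
        for key in sorted(r):
            print("%-26s %s" % (key, r[key]))
```

Feed it the relevant lines from /var/log/daemon (or the output of `isakmpd -d -D A=90` on a test box) together with the flow line from ipsec.conf; a decoded address that does not match the flow points at the peer's configuration, while matching addresses with differing ID types narrows the remaining difference to the proposal itself.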
strange pf problem with 4.3 and vlans
I use OpenBSD 4.3 i386 with vlans over a bridge, and traffic is filtered. When I add vlan116 after vlan120 to the bridge, traffic on vlan120 will be filtered by pf on vlan116: in pf.conf I need "pass in on vlan116" for incoming traffic on vlan120. If I add the vlans in the correct order, first vlan116 and then vlan120, all is working fine, and in pf.conf traffic on vlan120 can be filtered by "pass in on vlan120". Is that a bug or a feature?

-Thomas
Xenocara patch
Yesterday, I upgraded from 4.2 to 4.3 release and icewm freezes when I hit Alt-tab. I found this reference to a patch: http://groups.google.com/group/comp.unix.bsd.openbsd.misc/browse_thread/thread/9de493f8bbab33a9 Avoiding keyboard shortcuts seems to be a workaround so far. I'm not a source/patch kind of guy; so I'm wondering if I upgrade to -snapshot now; will this patch be included? Might I then consider an upgrade to 4.4 release in the fall to be supported? Is there another way to get just this binary patch?
Re: Xenocara patch
On Fri, 27 Jun 2008, Frank Bax wrote: Yesterday, I upgraded from 4.2 to 4.3 release and icewm freezes when I hit Alt-tab. I found this reference to a patch: http://groups.google.com/group/comp.unix.bsd.openbsd.misc/browse_thread/thread/9de493f8bbab33a9 Avoiding keyboard shortcuts seems to be a workaround so far. I'm not a source/patch kind of guy; so I'm wondering if I upgrade to -snapshot now; will this patch be included? Might I then consider an upgrade to 4.4 Yes, I fixed this in -current a while ago. -- Antoine
Re: Net-SNMP segfaults under OpenBSD 4.3
Thanks, took this route and things are working just fine now. -HKS On Fri, Jun 27, 2008 at 8:19 AM, Claer [EMAIL PROTECTED] wrote: On Fri, Jun 27 2008 at 13:12, Stephan A. Rickauer wrote: On Wed, 2008-06-25 at 11:17 -0400, (private) HKS wrote: In my quest for real SNMP monitoring of OpenBSD, I installed net-snmp-5.4.1p0 on an OpenBSD 4.3 box via packages. The executable segfaults every time I try to run it. This happens with or without command-line options, with my custom config file or the default config file. I've tested with two different machines, two different mirrors, and seen no change. I've not yet tried building net-snmp from the ports system, but that's my next step. Has anybody else run into this? I've seen this, too. But a package made out of the port will work. Repeatable also here. We built net-snmp package from ports. Claer
getpwnam_r() missing on OpenBSD 4.3
Not sure if this is the right list for this question, so let me know if it needs to go somewhere else.

My OpenBSD box is missing the getpwnam_r() function described in the getpwent(3) man page. At least, it's described at this URL:

http://www.openbsd.org/cgi-bin/man.cgi?query=getpwnam&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

My man page doesn't have any reference to getpwnam_r() - only the non-threadsafe getpwnam(). Likewise with getpwuid_r(). I assume this isn't normal (correct me if I'm wrong), but this is happening on a generic installation. Is there something I need to do/undo to enable these functions?

Thanks for the help.
-HKS
Re: Continuation of OpenBSD's Stop the Blob
Hehe, thanks for the good laugh! Thilo, you already look like a fool. On the contrary, Mark, right now I personally have a higher regard for Thilo, who actually posted an opinion. All you've done is post a typical fanboi response to Theo's reply to Thilo. Who are you trying to impress? Please do yourself a favor and get some education before spreading bullshit on this list. It's clear you don't know what you are talking about. Perhaps you would do well to heed your own advice... -Andre
Re: getpwnam_r() missing on OpenBSD 4.3
On 2008-06-27, (private) HKS [EMAIL PROTECTED] wrote:

Not sure if this is the right list for this question, so let me know if it needs to go somewhere else.

My OpenBSD box is missing the getpwnam_r() function described in the getpwent(3) man page. At least, it's described at this URL:

http://www.openbsd.org/cgi-bin/man.cgi?query=getpwnam&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

My man page doesn't have any reference to getpwnam_r() - only the non-threadsafe getpwnam(). Likewise with getpwuid_r(). I assume this isn't normal (correct me if I'm wrong), but this is happening on a generic installation. Is there something I need to do/undo to enable these functions?

Thanks for the help.
-HKS

You're running 4.3, but the online manpages (unless you change to a different release) are for -current.

http://marc.info/?m=121431788521537
can't remove greytrapped entry from spamdb
(On 4.3 recent snapshot)

I began receiving mail for a certain email address and forgot to adjust my /etc/mail/spamd.alloweddomains file (where I have a list of all valid email addresses). So I found the following spamd logging reasonable:

spamd[5771]: 10.10.10.10: disconnected after 386 seconds. lists: spamd-greytrap

Along with its spamdb entry:

TRAPPED|10.10.10.10|1214679171

However, after including the offending email address and stopping and restarting spamd, and removing the greytrapped/blacklisted host from spamdb like so:

$ sudo spamdb -T -d 10.10.10.10

I continue to get the same logging message and the address is again found in spamdb:

$ sudo spamdb | grep 10.10.10.10
Password:
GREY|10.10.10.10|...

Granted that the last time it showed up as TRAPPED and now it shows GREY. But why does the log message say greytrap?

/juan
Re: Xenocara patch
Frank Bax wrote:

Yesterday, I upgraded from 4.2 to 4.3 release and icewm freezes when I hit Alt-tab. I found this reference to a patch: http://groups.google.com/group/comp.unix.bsd.openbsd.misc/browse_thread/thread/9de493f8bbab33a9 Avoiding keyboard shortcuts seems to be a workaround so far. I'm not a source/patch kind of guy; so I'm wondering if I upgrade to -snapshot now; will this patch be included? Might I then consider an upgrade to 4.4 release in the fall to be supported? Is there another way to get just this binary patch?

Snapshots follow -current, so if you know that this patch is already done, you can find it in a snapshot, if the snapshot was built after the patch release and if, obviously, it's an official patch.
Re: getpwnam_r() missing on OpenBSD 4.3
On Fri, Jun 27, 2008 at 05:23:54PM -0400, (private) HKS wrote:

Not sure if this is the right list for this question, so let me know if it needs to go somewhere else.

My OpenBSD box is missing the getpwnam_r() function described in the getpwent(3) man page. At least, it's described at this URL:

http://www.openbsd.org/cgi-bin/man.cgi?query=getpwnam&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html
                                                                              ^^^

Have a closer look at that URL. ;-)
Re: can't remove greytrapped entry from spamdb
2008/6/27 Juan Miscaro [EMAIL PROTECTED]:

(On 4.3 recent snapshot)

I began receiving mail for a certain email address and forgot to adjust my /etc/mail/spamd.alloweddomains file (where I have a list of all valid email addresses). So I found the following spamd logging reasonable:

spamd[5771]: 10.10.10.10: disconnected after 386 seconds. lists: spamd-greytrap

Along with its spamdb entry:

TRAPPED|10.10.10.10|1214679171

However, after including the offending email address and stopping and restarting spamd, and removing the greytrapped/blacklisted host from spamdb like so:

$ sudo spamdb -T -d 10.10.10.10

I continue to get the same logging message and the address is again found in spamdb:

$ sudo spamdb | grep 10.10.10.10
Password:
GREY|10.10.10.10|...

Granted that the last time it showed up as TRAPPED and now it shows GREY. But why does the log message say greytrap?

Disregard, it was greyscanner.pl that didn't like the private address and greytrapped it.

/juan
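Added example for the two spamdb messages above (not code from the posts or from OpenBSD): a Python parser for spamdb(8) dump output that decodes the record layouts spamdb(8) documents (WHITE|ip|||first|pass|expire|block|pass, GREY|ip|helo|from|to|first|pass|expire|block|pass, TRAPPED|ip|expire), lists every record type present for one address, and flags greytrapped or greylisted entries that come from RFC 1918 space. As the thread's resolution shows, a trap hit from a private address points at a local tool (here greyscanner.pl) rather than at a spammer. The sample dump is constructed; the field layout is taken from spamdb(8) and is assumed to match the release in use.

```python
"""Parse spamdb(8) dump output and flag greytrap hits from private addresses.

Added example, not code from the thread or from OpenBSD. Assumes the
record layouts documented in spamdb(8) (times are Unix epochs):
    WHITE|ip|||first|pass|expire|block|pass
    GREY|ip|helo|from|to|first|pass|expire|block|pass
    TRAPPED|ip|expire
"""
import ipaddress
from datetime import datetime, timezone

# Constructed sample dump: addresses, helo names and times are made up;
# the first line mirrors the TRAPPED entry quoted in the thread.
SAMPLE_DUMP = """\
TRAPPED|10.10.10.10|1214679171
GREY|10.10.10.10|scanner.example.invalid|<probe@example.invalid>|<nobody@example.com>|1214675000|1214675000|1214689400|1|0
WHITE|203.0.113.7|||1214000000|1214003600|1217000000|2|5
TRAPPED|198.51.100.23|1214700000
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_dump(text):
    """Turn spamdb output into a list of dicts; unknown layouts raise."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split("|")
        if f[0] == "TRAPPED" and len(f) == 3:
            rec = {"type": "TRAPPED", "ip": f[1], "expire": int(f[2])}
        elif f[0] == "WHITE" and len(f) == 9:
            rec = {"type": "WHITE", "ip": f[1], "first": int(f[4]), "pass": int(f[5]),
                   "expire": int(f[6]), "blocked": int(f[7]), "passed": int(f[8])}
        elif f[0] == "GREY" and len(f) == 10:
            rec = {"type": "GREY", "ip": f[1], "helo": f[2], "from": f[3], "to": f[4],
                   "first": int(f[5]), "pass": int(f[6]), "expire": int(f[7]),
                   "blocked": int(f[8]), "passed": int(f[9])}
        else:
            raise ValueError(f"unrecognised spamdb record: {line!r}")
        records.append(rec)
    return records


def expire_at(rec):
    """Expiry of a record as an aware UTC datetime."""
    return datetime.fromtimestamp(rec["expire"], tz=timezone.utc)


def entries_for(records, ip):
    """Record types present for one address, in dump order.

    After 'spamdb -T -d <ip>' you expect TRAPPED to be gone; seeing it
    (or a fresh GREY) again means something is re-adding the host.
    """
    return [r["type"] for r in records if r["ip"] == ip]


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def private_trap_hits(records):
    """Addresses greytrapped or greylisted from RFC 1918 space.

    Internet spammers do not connect from private addresses, so such a
    hit usually comes from a local scanner, relay or misconfigured NAT.
    """
    return sorted({r["ip"] for r in records
                   if r["type"] in ("TRAPPED", "GREY") and is_rfc1918(r["ip"])})


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    for ip in private_trap_hits(recs):
        print(ip, entries_for(recs, ip), expire_at(recs[0]).isoformat())
```

Run it as `spamdb | python3 spamdb_triage.py` (reading stdin instead of SAMPLE_DUMP) on the box; any address it lists is worth checking against your own hosts and cron jobs before assuming a spammer is behind it.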
vnconfig: using a block-device 10x slower then using a file?
Hello everybody,

I am right now facing a, for me, kind of interesting situation. After an interrupt storm which I thought was related to the hw setup, I noticed that using encrypted partitions created with vnconfig is simply damn slow.

I used

vnconfig -cK keysize -S saltfile /dev/svnd1c /dev/wd1c

So I used the block device directly. If I then copy files to svnd1c (which was formatted using newfs and then mounted using mount -o noatime,softdep /dev/svnd1c /mnt) I face transfer speeds of 1MB/s MAX in a local network!!!

I did the same test with the same file and everything else the same too with:

- A dedicated partition (wd1a), but nothing changed
- A file:

dd if=/dev/zero of=/mnt/test count=VALUE bs=1k
vnconfig -cK keysize -S saltfile /dev/svnd1c /mnt/test
newfs /dev/svnd1c
mount -o noatime,softdep /dev/svnd1c /mnt

If I use a dedicated file for svnd1 I get 10 times higher speeds (9.7MB/s) than using the block device. Is there any reason for this? Also, if I do use the file-based svnd I do not see any interrupt storms anymore.

According to the manpage vnds can handle block devices, and this was introduced before 4.3. My box is 4.3 STABLE so far and I was just kind of happy that I do not need to create files anymore. :]

So if you might have a hint, pls. tell me, thanks!

Kind regards,
Sebastian