Re: Missing security announcements

2008-11-13 Thread Martin Schröder
2008/11/13 Theo de Raadt [EMAIL PROTECTED]:
 I think that would work better.  I am not here saying this because
 I have answers.  I don't.  I think that people running old software
 quite frankly cannot rely on a mailing list run by people who don't
 run -stable.  So how can any of you hope we will solve your problems?

Why do you maintain stable by issuing security patches for it if you
don't care if anybody installs them (by not telling them about the
patches through one of the designated channels)?  Don't you want
people installing them?

Is it so hard to write a mail to the list once every few months? The
content is already there...

Frankly: We have this discussion about once a year. Please either
remove the list and spare us the discussions (and write a short notice
on the page why you don't have the list) or use it. Either way will
probably spare you more work than the status quo.

Finally: If you don't bother about changing the status quo, may I (or
someone else) use the list to send out mails about the errata?

Best
   Martin



cvs, cvsup and xenocara advice

2008-11-13 Thread Ansen Lloyd
Let me first say that I looked over all the man pages, the official faqs and
I searched over the archived mailing lists before sending out these
questions ... and I'm still a little confused. So:

1. What are the main differences between cvs and cvsup when updating sources
to stable?

2. I'm just the typical home user of obsd, so which should I use, cvs or
cvsup?

3. As of Nov 13th of 2008 why do only 4 of the 17 cvsup servers have the
xenocara repository?
( according to this list: http://www.openbsd.org/cvsup.html )


Any advice or words of wisdom pertaining to the above questions would be
greatly appreciated.

Thanks in advance,

Ansen



Re: Can't SSH into CARP'd system from the outside

2008-11-13 Thread Marco Pfatschbacher
On Wed, Nov 12, 2008 at 11:40:36AM -0800, Vivek Ayer wrote:
 I don't think I understand. Clarify. you mean carpdev is like your
 physical interface..eth0, re0, etc.?

say you have a carp configured like:

carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:04
        carp: MASTER carpdev em0 vhid 4 advbase 1 advskew 0
        groups: carp
        inet 1.2.3.4 netmask 0xff00 broadcast 1.255.255.255

As you can see, carp0 is using em0 as its carpdev.
A pf rule to pass ssh to the carp address would be:

 pass in on em0 inet proto tcp to (carp0) port 22

and NOT:

 pass in on carp0 inet proto tcp to (carp0) port 22
 
HTH,

   Marco



Re: cvs, cvsup and xenocara advice

2008-11-13 Thread Stuart Henderson
On 2008-11-13, Ansen Lloyd [EMAIL PROTECTED] wrote:
 Let me first say that I looked over all the man pages, the official faqs and
 I searched over the archived mailing lists before sending out these
 questions ... and I'm still a little confused. So:

 1. What are the main differences between cvs and cvsup when updating sources
 to stable?

using cvs you can view the commit log, diffs between random versions,
etc. all while working from a remote repository with just the source
tree on your machine.

you can also do these operations if you use CVSup, but you have to
mirror the whole repository, not just take a single working checkout.

 2. I'm just the typical home user of obsd, so which should I use, cvs or
 cvsup?

probably cvs, very easy setup, it's all in base and the instructions
(anoncvs.html) are straightforward.

if you need a local mirror of the full repository, cvsync is another
option, it's fairly straightforward. I prefer this over CVSup.

there are one or two mirrors which also make the repository available
by rsync but this is uncommon. (quite possibly due to the enormous
memory load of serving a large tree via rsync to pre-v3 clients).

 3. As of Nov 13th of 2008 why do only 4 of the 17 cvsup servers have the
 xenocara repository?
 ( according to this list: http://www.openbsd.org/cvsup.html )

the list is probably out-of-date, it's difficult to check CVSup
mirrors (partly because it's i386-only, partly because there's no
easy way to list the files on the server as there is with most
other protocols).

diffs to update it are very welcome :-)



Re: cvs, cvsup and xenocara advice

2008-11-13 Thread Girish Venkatachalam
On 01:28:57 Nov 13, Ansen Lloyd wrote:
 1. What are the main differences between cvs and cvsup when updating sources
 to stable?
 

cvs is the revision control technology. You can use cvs to check out the
main OpenBSD repository to your local machine by which you only get the
files pertaining to the revision you ask.

Whereas cvsup and cvsync are tools that fetch the entire cvs
repository to your local machine.

So you have to necessarily run a cvs checkout on your local repository to
obtain the sources.

 2. I'm just the typical home user of obsd, so which should I use, cvs or
 cvsup?
 

I use cvsync. cvsup is not written in C. ;)

You can use cvs if you have copious bandwidth. If you are like me you
have to either use cvsup or cvsync.


 3. As of Nov 13th of 2008 why do only 4 of the 17 cvsup servers have the
 xenocara repository?
 ( according to this list: http://www.openbsd.org/cvsup.html )
 

Some mirrors may be out of date.

-Girish



Re: Missing security announcements

2008-11-13 Thread David Schulz
I too have of course subscribed myself to the list, and I think since 
it's there, it should work and be updated regularly. If we don't need 
such a list, then let's delete it. But since it's there, and people are 
subscribing to it in hope to get a quick mail notifying them of new 
patches or other security issues, someone should take the task to send a 
mail via it once something arrives on the errata page.


Martin Schröder wrote:

2008/11/13 Theo de Raadt [EMAIL PROTECTED]:
  

I think that would work better.  I am not here saying this because
I have answers.  I don't.  I think that people running old software
quite frankly cannot rely on a mailing list run by people who don't
run -stable.  So how can any of you hope we will solve your problems?



Why do you maintain stable by issuing security patches for it if you
don't care if anybody installs them (by not telling them about the
patches through one of the designated channels)?  Don't you want
people installing them?

Is it so hard to write a mail to the list once every few months? The
content is already there...

Frankly: We have this discussion about once a year. Please either
remove the list and spare us the discussions (and write a short notice
on the page why you don't have the list) or use it. Either way will
probably spare you more work than the status quo.

Finally: If you don't bother about changing the status quo, may I (or
someone else) use the list to send out mails about the errata?

Best
   Martin






Re: IPSec to Checkpoint

2008-11-13 Thread Joe Warren-Meeks
On Wed, Nov 12, 2008 at 07:13:05PM +0100, Hans-Joerg Hoexer wrote:

 Support for specifying aes key sizes was added February 2008, thus 4.2
 does not provide this.

Ah, thought so. Well, I got it working by reverting back to using the
old isakmpd.conf method. 

Thanks for your time.

 -- joe.

Fishing doesn't count as a sport.



Re: Missing security announcements

2008-11-13 Thread David Schulz
Additionally, I care very much about those patches, and apply each and 
every one where needed every time.


Martin Schröder wrote:

2008/11/13 Theo de Raadt [EMAIL PROTECTED]:
  

I think that would work better.  I am not here saying this because
I have answers.  I don't.  I think that people running old software
quite frankly cannot rely on a mailing list run by people who don't
run -stable.  So how can any of you hope we will solve your problems?



Why do you maintain stable by issuing security patches for it if you
don't care if anybody installs them (by not telling them about the
patches through one of the designated channels)?  Don't you want
people installing them?

Is it so hard to write a mail to the list once every few months? The
content is already there...

Frankly: We have this discussion about once a year. Please either
remove the list and spare us the discussions (and write a short notice
on the page why you don't have the list) or use it. Either way will
probably spare you more work than the status quo.

Finally: If you don't bother about changing the status quo, may I (or
someone else) use the list to send out mails about the errata?

Best
   Martin






Re: HP DL180 hangs on boot

2008-11-13 Thread Alexander Hall

Status:

As a last resort I tried installing Windows XP pro, but it BSOD on me 
while probing the hw... Not sure if XP pro is a certified OS for the 
DL180 but it certainly seems bad.


Browsing some HP forums, it seems I'm certainly not the only person 
having issues with the HP DL180's. Seems like allover crappy and 
unreliable HW to me.


I'll start bugging the retailer now. Thanks for all suggestions, on-list 
and off-list.


/Alexander

Alexander Hall wrote:

Hi!

I have issues booting a HP ProLiant DL180 G5 (456830-421) [1] which I
hope someone can shed some light on.

[ While writing this email I've done some more testing and realized
that the behaviour is not really consistent, but what I describe
below is a typical case ]

1. The machine takes loong pauses (usually two; sometimes more) while
   loading the kernel.
   - The first long pause is after the "entry point at ..." line,
     and is about 90s. [noticed now that pressing any key on the
     keyboard makes it go on... interrupt issues?]
   - Second pause is after "pckbd0 at isa0..." and lasts
     approximately 3 to 5 minutes.

Dunno if it means anything, but somewhere in between the pauses
described first above, the machine beeps once. I get similar beeps
when adding or removing an usb stick, so it might be related to usb.

2. Sometimes the machine shuts down and restarts slightly after the
   kernel is loaded (might have time to show the (I)nstall...
   prompt). I don't have serial console for now so I cannot tell
   exactly. A few times I have seen the capital letter F being
   printed out (gray on blue) prior to the reboot.

disabling isa and pci seems to make it not hang but makes it rather
unusable... :-d

If the machine gets past loading and initializing the kernel without
rebooting, it seems fine but all I've done so far is installing 4.4.

The HP product id is 456830-421 with 1G RAM replaced by 4G (2+2)
and a 250GB SATA drive. The machine has no proper raid AFAICT (ie no
E200 or P400) but some (likely crappy) built-in semi-raid. Reinserting
the original memory stick did not improve anything, nor did removing
the harddrive.

The diagnostics test showed no errors, but I'm running it now over
the weekend. I'm going to try a firmware upgrade too.

Any clues are appreciated. dmesg from after the successful install (bsd.rd) 
follows.

Thanks,
Alexander

[1] 
http://h10010.www1.hp.com/wwpc/uk/en/sm/WF06b/15351-15351-3328412-3328421-3328421-3580698-3673202.html

==

OpenBSD 4.4-current (RAMDISK_CD) #203: Sun Nov  2 13:41:35 MST 2008
[EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
real mem = 3745857536 (3572MB)
avail mem = 3635634176 (3467MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.5 @ 0xfc4b0 (65 entries)
bios0: vendor HP version O19 date 08/20/2008
bios0: HP ProLiant DL180 G5
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP APIC MCFG SPMI SLIC OEMB HPET SSDT EINJ BERT ERST HEST
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (NPE2)
acpiprt2 at acpi0: bus 2 (NPE3)
acpiprt3 at acpi0: bus 3 (NPE4)
acpiprt4 at acpi0: bus 5 (NPE6)
acpiprt5 at acpi0: bus 10 (P0P1)
acpiprt6 at acpi0: bus 9 (P0PE)
acpiprt7 at acpi0: bus 8 (P0P3)
acpiprt8 at acpi0: bus 7 (BCM_)
cpu0 at mainbus0: (uniprocessor)
cpu0: Intel(R) Xeon(R) CPU E5420 @ 2.50GHz, 2494.12 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR,NXE,LONG
cpu0: 6MB 64b/line 16-way L2 cache
pci0 at mainbus0 bus 0: configuration mode 1
pchb0 at pci0 dev 0 function 0 Intel 5100 Host rev 0x80
ppb0 at pci0 dev 2 function 0 Intel 5100 PCIE rev 0x80
pci1 at ppb0 bus 1
ppb1 at pci0 dev 3 function 0 Intel 5100 PCIE rev 0x80
pci2 at ppb1 bus 2
ppb2 at pci0 dev 4 function 0 Intel 5100 PCIE rev 0x80
pci3 at ppb2 bus 3
ppb3 at pci0 dev 5 function 0 Intel 5100 PCIE rev 0x80
pci4 at ppb3 bus 4
ppb4 at pci0 dev 6 function 0 Intel 5100 PCIE rev 0x80
pci5 at ppb4 bus 5
ppb5 at pci0 dev 7 function 0 Intel 5100 PCIE rev 0x80
pci6 at ppb5 bus 6
pchb1 at pci0 dev 16 function 0 Intel 5100 FSB rev 0x80
pchb2 at pci0 dev 16 function 1 Intel 5100 FSB rev 0x80
pchb3 at pci0 dev 16 function 2 Intel 5100 FSB rev 0x80
pchb4 at pci0 dev 17 function 0 Intel 5100 Reserved rev 0x80
pchb5 at pci0 dev 19 function 0 Intel 5100 Reserved rev 0x80
pchb6 at pci0 dev 21 function 0 Intel 5100 DDR rev 0x80
pchb7 at pci0 dev 22 function 0 Intel 5100 DDR rev 0x80
uhci0 at pci0 dev 26 function 0 Intel 82801I USB rev 0x02: irq 11
uhci1 at pci0 dev 26 function 1 Intel 82801I USB rev 0x02: irq 14
uhci2 at pci0 dev 26 function 2 Intel 82801I USB rev 0x02: irq 5
ehci0 at pci0 dev 26 function 7 Intel 82801I USB rev 0x02: irq 15
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb6 at pci0 dev 28 function 0 Intel 82801I PCIE rev 0x02: irq 11
pci7 at ppb6 bus 9
ppb7 at pci0 dev 28 function 4 Intel 82801I PCIE rev 0x02: irq 11
pci8 

Re: How to research the cause of a warning message?

2008-11-13 Thread Toni Mueller
Hi,

On Sun, 02.11.2008 at 15:28:06 +0100, Johannes Krampf [EMAIL PROTECTED] wrote:
 My problem: Every couple of seconds, I get 5 messages "WARN:  not
 buffer" in the console, even when using an editor or viewing man
 pages.  0brad0 told me "That WARN .. not buffer message appears to
 be coming from the ACPI stack". How can I research this and help to
 find the reason of the messages?

in such cases where I have no idea about where a message comes from, I
tend to take a big 'grep' run through all the source, using variations
of the error message (ie, slices that I suspect to appear somewhere in
the code).


Kind regards,
--Toni++



Re: Virtual Consoles in OpenBSD/macppc

2008-11-13 Thread Peter Kay - Syllopsium

From: Pedro de Oliveira [EMAIL PROTECTED]
Hi,

Anyone here using OpenBSD/macppc knows if it's possible to enable more than
one virtual console? I can't seem to find any info about that in the FAQ.

http://www.openbsd.org/faq/faq7.html

It's not supported. Use 'screen' from packages instead.

PK 



usb hsdpa modem not working

2008-11-13 Thread bdz

hi list,

I have a T-Mobile USB web'n'walk stuff for testing. I attached it to a
4.4 GENERIC and realized that first it attaches umsm0 and then
immediately detaches it. Then umsm0 and umsm1 attached along with ucom0
and ucom1. I can open /dev/ttyU[01] but they don't respond to any AT
commands.

from umsm(4) man page:
The Option GlobeTrotter HSDPA modem has three serial ports,
but only the last port can be used to make PPP connections.

I guess I am missing the third serial port (maybe related to the first
attach/detach?) to be able to open the ppp connection.

any idea?

bdz

usbdevs -v:
addr 1: high speed, self powered, config 1, EHCI root hub(0x), 
Intel(0x8086), rev 1.00

port 1 powered
port 2 powered
port 3 powered
port 4 powered
port 5 powered
port 6 powered
Controller /dev/usb2:
addr 1: full speed, self powered, config 1, UHCI root hub(0x), 
Intel(0x8086), rev 1.00

port 1 powered
port 2 addr 2: full speed, power 100 mA, config 1, Fingerprint 
Sensor(0x2016), TouchStrip(0x147e), rev 0.01

Controller /dev/usb3:
addr 1: full speed, self powered, config 1, UHCI root hub(0x), 
Intel(0x8086), rev 1.00
port 1 addr 2: low speed, power 100 mA, config 1, Optical USB 
Mouse(0xc016), Logitech(0x046d), rev 3.40

port 2 powered
Controller /dev/usb4:
addr 1: full speed, self powered, config 1, UHCI root hub(0x), 
Intel(0x8086), rev 1.00
port 1 addr 2: low speed, power 100 mA, config 1, Type 6 
Keyboard(0x0005), Sun Microsystems(0x0430), rev 1.02
port 2 addr 3: full speed, power 500 mA, config 1, Globetrotter HSDPA 
Modem(0x6971), Option N.V.(0x0af0), rev 0.00, iSerialNumber Serial Number

Controller /dev/usb5:
addr 1: full speed, self powered, config 1, UHCI root hub(0x), 
Intel(0x8086), rev 1.00

port 1 powered
port 2 powered


dmesg:
real mem  = 2145669120 (2046MB)
avail mem = 2066345984 (1970MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 08/22/07, BIOS32 rev. 0 @ 0xfdc70, 
SMBIOS rev. 2.4 @ 0xe0010 (71 entries)

bios0: vendor LENOVO version 7KET71WW (1.21 ) date 08/22/2007
bios0: LENOVO 8918B8G
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP SSDT ECDT TCPA APIC MCFG HPET SLIC BOOT SSDT 
SSDT SSDT SSDT
acpi0: wakeup devices LID_(S3) SLPB(S3) LURT(S3) DURT(S3) IGBE(S4) 
EXP0(S4) EXP1(S4) EXP2(S4) EXP3(S4) EXP4(S4) PCI1(S4) USB0(S3) USB1(S3) 
USB2(S3) USB3(S3) USB4(S3) EHC0(S3) EHC1(S3) HDEF(S4)

acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (AGP_)
acpiprt2 at acpi0: bus 2 (EXP0)
acpiprt3 at acpi0: bus 3 (EXP1)
acpiprt4 at acpi0: bus 4 (EXP2)
acpiprt5 at acpi0: bus 5 (EXP3)
acpiprt6 at acpi0: bus 13 (EXP4)
acpiprt7 at acpi0: bus 21 (PCI1)
acpiec0 at acpi0
acpicpu0 at acpi0: C3, C2
acpitz0 at acpi0: critical temperature 127 degC
acpitz1 at acpi0: critical temperature 100 degC
acpibtn0 at acpi0: LID_
acpibtn1 at acpi0: SLPB
acpibat0 at acpi0: BAT0 model 42T4513 serial  5561 type LION oem SANYO
acpibat1 at acpi0: BAT1 not present
acpiac0 at acpi0: AC unit online
acpithinkpad0 at acpi0
acpidock at acpi0 not configured
acpivideo at acpi0 not configured
acpivideo at acpi0 not configured
bios0: ROM list: 0xc/0xf000 0xcf000/0x1000 0xd/0x1000 
0xe/0x1!

cpu0 at mainbus0
cpu0: unknown Enhanced SpeedStep CPU, msr 0x06170b2d06000b2d
cpu0: using only highest and lowest power states
cpu0: Enhanced SpeedStep 2200 MHz (1420 mV): speeds: 2200, 1200 MHz
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel GM965 Host rev 0x0c
ppb0 at pci0 dev 1 function 0 Intel GM965 PCIE rev 0x0c: irq 10
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 vendor NVIDIA, unknown product 0x0429 
rev 0xa1

wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
agp0 at vga1: no integrated graphics
drm at vga1 unsupported
em0 at pci0 dev 25 function 0 Intel ICH8 IGP M rev 0x03: irq 11, 
address 00:15:58:cb:d4:f4

uhci0 at pci0 dev 26 function 0 Intel 82801H USB rev 0x03: irq 11
uhci1 at pci0 dev 26 function 1 Intel 82801H USB rev 0x03: irq 11
ehci0 at pci0 dev 26 function 7 Intel 82801H USB rev 0x03: irq 11
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
azalia0 at pci0 dev 27 function 0 Intel 82801H HD Audio rev 0x03: irq 11
azalia0: RIRB time out
azalia0: RIRB time out
azalia0: codec[s]: Analog Devices AD1984, Conexant/0x2bfa, using Analog 
Devices AD1984

audio0 at azalia0
ppb1 at pci0 dev 28 function 0 Intel 82801H PCIE rev 0x03: irq 11
pci2 at ppb1 bus 2
ppb2 at pci0 dev 28 function 1 Intel 82801H PCIE rev 0x03: irq 11
pci3 at ppb2 bus 3
iwn0 at pci3 dev 0 function 0 Intel Wireless WiFi Link 4965AGN rev 
0x61: irq 11, MoW2, address 00:13:e8:ed:2c:cd

ppb3 at pci0 dev 28 function 2 Intel 82801H PCIE rev 0x03: irq 11
pci4 at ppb3 bus 4
ppb4 at pci0 dev 28 function 3 Intel 82801H PCIE rev 0x03: irq 11
pci5 at ppb4 bus 5
ppb5 at pci0 dev 28 function 4 Intel 82801H PCIE rev 0x03: 

Re: cvs, cvsup and xenocara advice

2008-11-13 Thread Christian Weisgerber
Girish Venkatachalam [EMAIL PROTECTED] wrote:

 cvs is the revision control technology. You can use cvs to check out the
 main OpenBSD repository to your local machine by which you only get the
 files pertaining to the revision you ask.
 
 Whereas cvsup and cvsync are tools that fetch the entire cvs
 repository to your local machine.

Actually, cvsup can either fetch the repository or check out a
particular branch/date.

 I use cvsync. cvsup is not written in C. ;)

The csup client for CVSup _is_ written in C and only supports
checkout mode (so far).

That said, I expect CVSup to slowly wither away.
-- 
Christian naddy Weisgerber  [EMAIL PROTECTED]



Re: cvs, cvsup and xenocara advice

2008-11-13 Thread Alexander Polakov
cvsup is not written in C. ;)

net/csup is a cvsup client written in C.

2008/11/13, Girish Venkatachalam [EMAIL PROTECTED]:
 On 01:28:57 Nov 13, Ansen Lloyd wrote:
 1. What are the main differences between cvs and cvsup when updating
 sources
 to stable?


 cvs is the revision control technology. You can use cvs to check out the
 main OpenBSD repository to your local machine by which you only get the
 files pertaining to the revision you ask.

 Whereas cvsup and cvsync are tools that fetch the entire cvs
 repository to your local machine.

 So you have to necessarily run a cvs checkout on your local repository to
 obtain the sources.

 2. I'm just the typical home user of obsd, so which should I use, cvs or
 cvsup?


 I use cvsync. cvsup is not written in C. ;)

 You can use cvs if you have copious bandwidth. If you are like me you
 have to either use cvsup or cvsync.


 3. As of Nov 13th of 2008 why do only 4 of the 17 cvsup servers have the
 xenocara repository?
 ( according to this list: http://www.openbsd.org/cvsup.html )


 Some mirrors may be out of date.

 -Girish



Re: Virtual Consoles in OpenBSD/macppc

2008-11-13 Thread Andreas Kahari
'tmux' (misc/tmux) is a nice alternative to 'screen'.  Well worth trying out.

Andreas

2008/11/13 Peter Kay - Syllopsium [EMAIL PROTECTED]:
 From: Pedro de Oliveira [EMAIL PROTECTED]
 Hi,

 Anyone here using OpenBSD/macppc knows if it's possible to enable more than
 one virtual console? I can't seem to find any info about that in the FAQ.

 http://www.openbsd.org/faq/faq7.html

 It's not supported. Use 'screen' from packages instead.

 PK




-- 
Andreas Kahari
Somewhere in the general Cambridge area, UK



Re: Virtual Consoles in OpenBSD/macppc

2008-11-13 Thread Marco Peereboom
macppc console sucks, it is slower than dog poo.  Besides this has been
asked, oh maybe 329849384293473284784728347328 times by now?

On Thu, Nov 13, 2008 at 12:57:58PM -, Pedro de Oliveira wrote:
 Is it possible to implement it, is it something that may be available in the
 future? Or is it really impossible to have multiple consoles? 
 From what I understand, the console in macppc just works in Framebuffer, is
 FB limited to just one console, it just doesn't support multiple yet?
 
 
 -----Original Message-----
 From: Peter Kay - Syllopsium [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, 13 November 2008 12:44
 To: Pedro de Oliveira; misc@openbsd.org
 Subject: Re: Virtual Consoles in OpenBSD/macppc
 
 From: Pedro de Oliveira [EMAIL PROTECTED]  Hi,
 
  Anyone here using OpenBSD/macppc knows if it's possible to enable more 
  than one virtual console? I can't seem to find any info about that in the
 FAQ.
 http://www.openbsd.org/faq/faq7.html
 
 It's not supported. Use 'screen' from packages instead.
 
 PK 



Re: Missing security announcements

2008-11-13 Thread Ted Unangst
On Thu, Nov 13, 2008 at 5:59 AM, David Schulz [EMAIL PROTECTED] wrote:
 I too have of course subscribed myself to the list, and i think since its
 there, it should work and be updated regularly. If we don't need such a
 list, then lets delete it. But since its there, and people are subscribing
 to it in hope to get a quick mail notifying them of new patches or other
 security issues, someone should take the task to send a mail via it once
 something arrives on the errata page.

So get on the developer's case when they don't send out notifications.
 All this chatter now isn't going to change anything when the next
errata comes out.  You want security announcement? Do something to
make it happen!



Virtual Consoles in OpenBSD/macppc

2008-11-13 Thread Pedro de Oliveira
Hi,

Anyone here using OpenBSD/macppc knows if it's possible to enable more than
one virtual console? I can't seem to find any info about that in the FAQ.

Thanks in advance,
Pedro de Oliveira



I need a trusted partner

2008-11-13 Thread Albert Harr
I have a new email address! You can now email me at: [EMAIL PROTECTED]

I am Albert of Shell Oil plc. I made $40m already from crude oil. Interested 
partner contact me.

- Albert Harr



Re: cvs, cvsup and xenocara advice

2008-11-13 Thread Martin Reindl
On Thu, Nov 13, 2008 at 01:28:57AM -0800, Ansen Lloyd wrote:
 Let me first say that I looked over all the man pages, the official faqs and
 I searched over the archived mailing lists before sending out these
 questions ... and I'm still a little confused. So:
 
 1. What are the main differences between cvs and cvsup when updating sources
 to stable?

opencvs and gnu cvs are in base

 2. I'm just the typical home user of obsd, so which should I use, cvs or
 cvsup?

opencvs

 3. As of Nov 13th of 2008 why do only 4 of the 17 cvsup servers have the
 xenocara repository?
 ( according to this list: http://www.openbsd.org/cvsup.html )

for 4.4-stable:

cvs -qd [EMAIL PROTECTED]:/cvs get -rOPENBSD_4_4 xenocara

m



Re: Virtual Consoles in OpenBSD/macppc

2008-11-13 Thread Pedro de Oliveira
Is it possible to implement it, is it something that may be available in the
future? Or is it really impossible to have multiple consoles? 
From what I understand, the console in macppc just works in Framebuffer, is
FB limited to just one console, it just doesn't support multiple yet?


-----Original Message-----
From: Peter Kay - Syllopsium [mailto:[EMAIL PROTECTED] 
Sent: Thursday, 13 November 2008 12:44
To: Pedro de Oliveira; misc@openbsd.org
Subject: Re: Virtual Consoles in OpenBSD/macppc

From: Pedro de Oliveira [EMAIL PROTECTED]  Hi,

 Anyone here using OpenBSD/macppc knows if it's possible to enable more 
 than one virtual console? I can't seem to find any info about that in the
FAQ.
http://www.openbsd.org/faq/faq7.html

It's not supported. Use 'screen' from packages instead.

PK 



Re: Missing security announcements

2008-11-13 Thread Tobias Weisserth
Ted,

everybody knows that's not going to happen. Why not scrap the security
announcement list if it's not being used or just whenever someone feels like
it? The mere existence of this list implies to users that new errata are
being announced to that list which is not the case. Get rid of the list and
the problem is solved.

The website is updated with new errata. Everybody should be able to follow
the CVS. The list is flawed and obsolete.

Just my 2 cents, as I remember having asked the same question YEARS AGO and
nothing has changed since then.

cheers,

Tobias

On Thu, Nov 13, 2008 at 2:55 PM, Ted Unangst [EMAIL PROTECTED] wrote:

 So get on the developer's case when they don't send out notifications.
  All this chatter now isn't going to change anything when the next
 errata comes out.  You want security announcement? Do something to
 make it happen!



Re: Experiences running named and rndc on 4.4 vs 4.3

2008-11-13 Thread 23号
--
Best Regards

My Chaos: https://n23.appspot.com
vi /etc/rc:
...
if [ X"${named_flags}" != X"NO" ]; then
    # regenerate the control-channel secret only when the two copies differ
    if ! cmp -s /etc/rndc.key /var/named/etc/rndc.key ; then
        echo -n "rndc-confgen: generating new shared secret... "
        if /usr/sbin/rndc-confgen -a -t /var/named >/dev/null 2>&1; then
            chmod 0640 /var/named/etc/rndc.key >/dev/null 2>&1
            echo done.
        else
            echo failed.
        fi
    fi

    echo 'starting named';      named $named_flags
fi
...


On Thu, Nov 13, 2008 at 14:08, 23号 [EMAIL PROTECTED] wrote:
 vi /etc/rc:
 ..
 if [ X"${named_flags}" != X"NO" ]; then
     if ! cmp -s /etc/rndc.key /var/named/etc/rndc.key ; then
         echo -n "rndc-confgen: generating new shared secret... "
         if /usr/sbin/rndc-confgen -a -t /var/named >/dev/null 2>&1; then
             chmod 0640 /var/named/etc/rndc.key >/dev/null 2>&1
             echo done.
         else
             echo failed.
         fi
     fi

     echo 'starting named';      named $named_flags
 fi
 ...

 --
 Best Regards
 
 My Chaos: https://n23.appspot.com



 On Wed, Nov 12, 2008 at 14:17, Woodchuck [EMAIL PROTECTED] wrote:
 On Tue, 11 Nov 2008, Don Jackson wrote:

 Today I began testing named on a freshly installed OpenBSD 4.4 amd64
 machine, using my old named.conf file from 4.3 (which was still running
 named version 9.4.2)

 When the machine first boots after the install, /etc/rc determines there is
 no rndc.key, and generates one:

 rndc-confgen: generating new shared secret... done.
 starting named


 Here are the owner, group, and file modes of the two different copies of
 rndc.key that are generated:

 # ls -lAF /etc/rndc.key /var/named/etc/rndc.key
 -rw-------  1 root  wheel  77 Nov 11 12:24 /etc/rndc.key
 -rw-r-----  1 root  wheel  77 Nov 11 12:24 /var/named/etc/rndc.key


 named only cares about the rndc.key in /var/named/etc

 Right.  But later, rndc will use the /etc version.  So you need
 both, and the permissions you show are sane ones.

 Looking at the logs: /var/log/daemon, one can see:

 Nov 11 12:24:10 svn01 named[142]: none:0: open: /etc/rndc.key: permission denied
 Nov 11 12:24:10 svn01 named[142]: couldn't add command channel 127.0.0.1#953: permission denied

 Here is my workaround:

 # chown root:named /var/named/etc/rndc.key
 # ls -lAF /var/named/etc/rndc.key
 -rw-r-----  1 root  named  77 Nov 11 12:24 /var/named/etc/rndc.key


 Should /etc/rc set the group ownership of /var/named/etc/rndc.key?

 Comments?

 I think rndc.key should pick up the named group from the ownerships
 and permissions on /var/named/etc.

 /var/named/etc should be owned by root.named and have permissions 750.

 I bet your /var/named/etc is owned by root.wheel.

 Dave
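As an added example (not from the thread and not OpenBSD's /etc/rc), a sh(1) audit of the layout Dave and Don converge on above: /etc/rndc.key readable by root only for rndc, /var/named/etc owned root:named with mode 750, and the chrooted rndc.key readable by group named but by nobody else. The function names are mine, and it assumes named runs chrooted in /var/named as group named.

```shell
#!/bin/sh
# Added example, not part of the thread or of OpenBSD's /etc/rc.
# Assumptions: named runs chrooted in /var/named as user/group "named";
# rndc, run by root, reads /etc/rndc.key; the chrooted named reads
# /var/named/etc/rndc.key (logged as /etc/rndc.key, as in the thread).
# Only POSIX find(1) is used, so the checks behave the same everywhere.

# has_bits PATH MODE: true if every permission bit in symbolic MODE is set.
has_bits() {
    find "$1" -prune -perm -"$2" 2>/dev/null | grep -q .
}

# The copy inside the chroot: owned by GROUP, readable by that group
# (otherwise named logs "permission denied" as above), not readable or
# writable by others, because the file holds the rndc HMAC secret.
# Prints each problem found; returns 0 only when the file is fine.
check_chroot_key() {
    file=$1 group=$2 rc=0
    [ -f "$file" ] || { echo "$file: missing"; return 1; }
    if ! find "$file" -prune -group "$group" 2>/dev/null | grep -q .; then
        echo "$file: group is not '$group' (chown root:$group, or fix the directory)"
        rc=1
    fi
    if ! has_bits "$file" g=r; then
        echo "$file: group cannot read it; rndc gets 'permission denied'"
        rc=1
    fi
    if has_bits "$file" o=r; then
        echo "$file: world-readable; the control secret is exposed to every local user"
        rc=1
    fi
    if has_bits "$file" g=w || has_bits "$file" o=w; then
        echo "$file: writable by group or others"
        rc=1
    fi
    return $rc
}

# The root copy used by rndc itself: readable by root only (0600).
check_root_key() {
    file=$1
    [ -f "$file" ] || { echo "$file: missing"; return 1; }
    if has_bits "$file" g=r || has_bits "$file" o=r; then
        echo "$file: should be readable by root only (chmod 0600)"
        return 1
    fi
    return 0
}

# The chroot's etc directory: root:GROUP, mode 750, so that a key written
# there by rndc-confgen inherits GROUP (BSD semantics) instead of wheel.
check_chroot_etc() {
    dir=$1 group=$2 rc=0
    [ -d "$dir" ] || { echo "$dir: missing"; return 1; }
    if ! find "$dir" -prune -group "$group" 2>/dev/null | grep -q .; then
        echo "$dir: group is not '$group'; new files will not inherit it"
        rc=1
    fi
    if has_bits "$dir" o=r || has_bits "$dir" o=x; then
        echo "$dir: accessible to others (expected mode 750)"
        rc=1
    fi
    return $rc
}

# audit_rndc [PREFIX] [GROUP]: run all three checks; PREFIX lets the same
# code inspect a staged tree, and the defaults match the thread's paths.
audit_rndc() {
    root=${1:-}
    group=${2:-named}
    rc=0
    check_root_key "$root/etc/rndc.key" || rc=1
    check_chroot_etc "$root/var/named/etc" "$group" || rc=1
    check_chroot_key "$root/var/named/etc/rndc.key" "$group" || rc=1
    return $rc
}
```

Calling audit_rndc with no arguments inspects the live system; pass a directory prefix to check a staged tree before deployment.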



Are you a victim of misconceptions?

2008-11-13 Thread Top Shop
koja bi se za to pobrinula. Da li ste veD na tom stepenu samostalnosti?
Nikad nije na odmet ovo znanje malo i obnoviti, uz nekoliko jednostavnih
saveta...[viE!e...]

Obradujte sebe i one koje volite

Celluless

Kleen Kut

Snap 'n' Slice

Celluless
Cena: 3.990 RSD

Kleen Kut
Cena: 2.190 RSD

Snap 'n' Slice
Cena: 3.490 RSD

Aparat za anticelulit masaEu. Oblikujte svoju figuru baE! kako Eelite
bez skupih tretmana.

Mokro suvi brijaD
 sa baterijom na punjenje. Idealan za putovanja i za
one koji su D
esto u pokretu!

Za brzo pripremanje i dekoraciju hrane kao u najboljim restoranima! Neka
priprema postane zabava!

[ViE!e l PoruD
i odmah]

[ViE!e l PoruD
i odmah]

[ViE!e 

Re: Missing security announcements

2008-11-13 Thread Ted Unangst
On Thu, Nov 13, 2008 at 9:12 AM, Tobias Weisserth
[EMAIL PROTECTED] wrote:
 everybody knows that's not going to happen. Why no scrap the security
 announcement list if it's not being used or just whenever someone feels like
 it? The mere existence of this list implies to users that new errata are
 being announced to that list which is not the case. Get rid of the list and
 the problem is solved.

Because new errata should be announced on the list.



Re: Missing security announcements

2008-11-13 Thread Janne Johansson

 All this chatter now isn't going to change anything when the next
errata comes out.  You want security announcement? Do something to
make it happen!


 Ted,

 everybody knows that's not going to happen.
 I remember having asked the same question YEARS AGO and
 nothing has changed since then.

Reading those two next to each other says everything.



Re: Missing security announcements

2008-11-13 Thread Aram HAVARNEANU
 there is also the errata rss feed from undeadly

If anyone cares enough, someone could write a perl/ksh/whatever script
that can mail updates to that list. Apparently nobody cares and the
list is useless ATM, so IMHO it should be deleted.

-- 
Aram Havarneanu



Re: Missing security announcements

2008-11-13 Thread Tobias Weisserth
Janne,

On Thu, Nov 13, 2008 at 4:14 PM, Janne Johansson [EMAIL PROTECTED] wrote:

  everybody knows that's not going to happen.
  I remember having asked the same question YEARS AGO and
  nothing has changed since then.

 Reading those two next to each other says everything.


Why ain't you a bit more explicit? Should /I/ have managed that list? Why
didn't you if you care to post messages in this thread? This kind of answer
is so redundant and hypocritical at the same time.



Re: Missing security announcements

2008-11-13 Thread Simon Connah

On 13 Nov 2008, at 15:56, Tobias Weisserth wrote:


Janne,

On Thu, Nov 13, 2008 at 4:14 PM, Janne Johansson [EMAIL PROTECTED] wrote:


everybody knows that's not going to happen.
I remember having asked the same question YEARS AGO and
nothing has changed since then.


Reading those two next to each other says everything.



Why ain't you a bit more explicit? Should /I/ have managed that
list? Why didn't you if you care to post messages in this thread? This
kind of answer is so redundant and hypocritical at the same time.



Seems perfectly simple. If you want them announced and nobody is doing
it, then do it yourself. If you don't care then stop posting about it.

Simon.



Re: Missing security announcements

2008-11-13 Thread Morris, Roy
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
Janne Johansson
Sent: Thursday, November 13, 2008 10:14 AM
To: Misc OpenBSD
Subject: Re: Missing security announcements


why not just get it yourself if you're worried about it? just fire a crontab
entry and move on.

lynx -dump openbsd.org/errata44.html | mail -s "Daily Security" [EMAIL PROTECTED]



Re: Missing security announcements

2008-11-13 Thread Theo de Raadt
 someone should take the task to send a 
 mail via it once something arrives on the errata page.

It is really easy to use that word should when it isn't you.



Re: Missing security announcements

2008-11-13 Thread Thomas Pfaff
On Thu, 13 Nov 2008 11:22:09 -0500
Morris, Roy [EMAIL PROTECTED] wrote:

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
 Janne Johansson
 Sent: Thursday, November 13, 2008 10:14 AM
 To: Misc OpenBSD
 Subject: Re: Missing security announcements
 
 why not just get it yourself if you're worried about it? just fire a crontab
 entry and
 move on.
 
 lynx -dump openbsd.org/errata44.html | mail -s "Daily Security" [EMAIL PROTECTED]
 

I agree.  Keeping yourself informed about security updates is easy,
at least once you realise security-announce is dead.

From http://www.openbsd.org/mail.html

security-announce
Security announcements. This low volume list receives OpenBSD
security advisories and pointers to security patches as they
become available.

Apparently not, so just remove the damn thing and avoid confusion.

Here:

Index: mail.html
===
RCS file: /cvs/www/mail.html,v
retrieving revision 1.110
diff -u -p -r1.110 mail.html
--- mail.html   4 Sep 2008 09:55:21 -   1.110
+++ mail.html   13 Nov 2008 16:45:27 -
@@ -19,12 +19,10 @@
 hr
 
 Mailing lists are an important means of communication among users and
-developers of OpenBSD. With the exceptions of bannounce/b and
-bsecurity-announce/b, the lists are not moderated.  We deliberately
-restrict the number of different mailing lists.
-This helps reduce the amount of cross-posting and makes sure that the
+developers of OpenBSD. With the exception of bannounce/b, the lists
+are not moderated.  We deliberately restrict the number of different mailing
+lists. This helps reduce the amount of cross-posting and makes sure that the
 information gets distributed to a wide audience.
-
 p
 a name=Netiquette/a
 h2font color=#e0Netiquette/font/h2
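Review bot: the lone `-` line at the end of this hunk deletes the blank line before `p`, a whitespace change unrelated to the security-announce wording; keep that blank line as context so the hunk carries only the text change. The reflowed sentence "With the exception of announce, the lists are not moderated" also drops the statement that security-announce is moderated; if the list is only being undocumented rather than retired, that claim about it is still true and the sentence should be worded so it does not imply otherwise.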
@@ -149,11 +147,6 @@ Problem/a before posting.
 dtbannounce/b
 ddImportant announcements.  This low volume list is excellent for
 people who just want occasional news about the project.
-
-dtbsecurity-announce/b
-ddSecurity announcements.  This low volume list receives OpenBSD
-security advisories and pointers to security patches as they become
-available.
 
 dtbports/b
 ddDiscussions about using and contributing to the 'ports' source tree.
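Review bot: deleting the dt/dd entry documents security-announce out of existence while the list itself stays in place, so existing subscribers and the subscription interface still see it; either pair this with retiring the list, or keep the entry and state that it is currently unused, otherwise the mismatch described above just moves from the description to the list. The same removal is also needed wherever else security-announce is referenced, such as the FAQ mentioned at the end of this mail.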

If people continually complain about the lack of a security-announce
list, there's always the option of updating the FAQ.

Thomas



active partition not booting

2008-11-13 Thread Steven
I installed NetBSD 4.01 (amd64) and then installed OpenBSD 4.4 (amd64) 
onto the same hard disk.

I used the OpenBSD fdisk on the install CD to set it up OpenBSD like this:

Offset: 0   Signature : 0xAA55
             C   H   S        C   H   S
 0:  A9      0   1   1     8885 254  63
*1:  A6   8896   0   1    15000 254  63


where *1 is the active OpenBSD partition.

Yet, when I reboot I am greeted with the NetBSD boot loader,
not the OpenBSD boot loader as I hoped.

I am very new to BSD and UNIX.

Any suggestions?

Thank you!



smtpd - developer blog on undeadly

2008-11-13 Thread Rémi Bougard
Hello,

For those of you who were asking for information about (open ?)smtpd :
Gilles Chehade writes a long and clear text about it on undeadly.org :
http://undeadly.org/cgi?action=articlesid=20081112084647

Thank you Gilles for this work. This is a very exciting project.

-- 
Rémi Bougard



Re: Missing security announcements

2008-11-13 Thread Brian Drain
As someone new to OpenBSD and UNIX in general (reading a lot and trying
to learn) I signed up for the security list due to the description of
the list thinking I would be covered if something serious were to come
up.  I only check errata about every week or so and as of right now I'm
not even sure how to apply the reliability patches, but I am trying to
learn without causing too much noise, only generally skimming to find
some golden nuggets that will help me with learning (admittedly, most is
over my head and I don't attempt much of what I read, but it does help
me).

By having the list seemingly available, it's possible new people such as
myself are missing announcements and after checking the errata for 4.4
(which I purchased as soon as it was avail along with 3 or 4 prior
versions which I only installed to test but gladly support this effort
albeit in a small way) lets me know that I am indeed missing things.

So I am curious, what IS the best way to stay up to date?  Is manually
checking the errata page every day really correct (seems like there
would be an automated solution such as the lynx dump aforementioned)?
It seems to me that even if there is a security flaw in OpenBSD most of
them (from reading prior patches) would be exceedingly hard to exploit
anyway so maybe it's not as big of a deal as, say, Windows B.S. (which
is exactly the reason I am learning something else).

If people really DO want the list, I would have no problem checking it
once a day and posting any relevant updates as they appear on errata.

Cheers,
Brian


From http://www.openbsd.org/mail.html

security-announce
Security announcements. This low volume list receives OpenBSD
security advisories and pointers to security patches as they
become available.



Re: Missing security announcements

2008-11-13 Thread Aaron W. Hsu
To everyone who wants security-announce to work:

On Thu, 13 Nov 2008 09:29:09 -0700
Theo de Raadt [EMAIL PROTECTED] wrote:

  someone should take the task to send a mail via it once something
  arrives on the errata page.
 
 It is really easy to use that word should when it isn't you. 

I'll do it.  I care about having security announcements sent out in a
way that makes it easy for us to track without having to write our own
scripts.  I happen to think a mailing list is a very good way of doing
this.  I'm willing to put in the time to do this, since I *do* use
-stable. 

Is security-announce an open list?  If not, give me access and I'll
keep it reasonably up to date, give or take a day or so of release of
the Security Errata on the website, unless there is an even faster way
of checking it out, such as CVS. 

-- 
Aaron W. Hsu [EMAIL PROTECTED] | http://www.sacrideo.us
Government is the great fiction, through which everybody endeavors to
live at the expense of everybody else. -- Frederic Bastiat
+++ ((lambda (x) (x x)) (lambda (x) (x x))) ++



Re: Missing security announcements

2008-11-13 Thread Tom Van Looy

 just fire a crontab entry and move on

actually, that's a great idea, I just scheduled the following script.
This mails the diff of errata.html, but only if something changed.

#!/bin/sh
rel=44 # OpenBSD version

# Fetch the errata page; ftp(1) on OpenBSD understands http URLs.
ftp http://www.openbsd.org/errata$rel.html > /dev/null 2>&1
if [ $? != 0 ]; then
   echo "Unable to fetch errata page!"
   exit 1
fi

# First run: start from an empty baseline so the whole page is mailed once.
if [ ! -f .errata$rel.old ]; then
   touch .errata$rel.old
fi

mv errata$rel.html .errata$rel.new
# diff exits 1 when the files differ, 0 when identical, >1 on error.
diff -u .errata$rel.old .errata$rel.new > .errata$rel.diff
if [ $? = 1 ]; then
   cat .errata$rel.diff | mail -s "OpenBSD$rel errata changed" root
   rm .errata$rel.old > /dev/null 2>&1
   mv .errata$rel.new .errata$rel.old
fi

exit 0



Re: Missing security announcements

2008-11-13 Thread Ted Unangst
On Thu, Nov 13, 2008 at 12:35 PM, Aaron W. Hsu [EMAIL PROTECTED] wrote:
 Is security-announce an open list?  If not, give me access and I'll
 keep it reasonably up to date, give or take a day or so of release of
 the Security Errata on the website, unless there is an even faster way
 of checking it out, such as CVS.

It is moderated, and really, outsiders should not be posting to it
because then it appears that they have some position of authority.
The only person who should be posting to the list is the person who
made the fix, because they are the security contact.  When people
reply, it is important they are talking to the right person.

What you can do is monitor the list.  If an erratum comes out and
nothing happens for a day, email the person responsible and remind
them.  The person responsible is not necessarily the person who
happened to commit to stable, though, it's the person who made the
original fix.  There's no announcements on the list because probably
half the developers don't know they are supposed to make such
announcements.



Re: active partition not booting

2008-11-13 Thread Nick Holland

Steven wrote:
I installed NetBSD 4.01 (amd64) and then installed OpenBSD 4.4 (amd64) 
onto the same hard disk.

I used the OpenBSD fdisk on the install CD to set it up OpenBSD like this:

Offset: 0   Signature : 0xAA55
   C  H   S C  H  S
 0:   A9   0   1   1  8885   254   63  *1:   
A6   8896 0   1  15000 254   63


that didn't come through as desired. :)


where *1 is the active OpenBSD partition.

Yet, when I reboot I am greeted with the NetBSD boot loader,
not the OpenBSD boot loader as I hoped.

I am very new to BSD and UNIX.


ah, so dive in and hurt yourself as much as you can with a
complicated setup. :)

See the first paragraph in FAQ4 about multibooting.
You really should understand a lot about how your systems
work before attempting multibooting.


Any suggestions?

Thank you!


Just ran into that problem myself on an Acer Aspire One, apparently
the MBR they shipped on the thing doesn't actually respect the
partition flagged as active.  Flagging the partition is supposed
to work, of course, but that assumes the MBR code actually
decides to play by the rules.  Sounds like your MBR (like mine)
doesn't.

You can probably fix the problem by installing the OpenBSD MBR
code on the system (fdisk's -u command line option or update in
the interactive editor). This should get OpenBSD booting.
Not sure what it will do to your NetBSD setup, however (it may be
just fine, it may not, never tried to multi-boot NetBSD and
OpenBSD, you may find some quirks).

It looks like your disk is pretty big, and you split in half.
Might want to make sure NetBSD's boot loader can load an OS over
8G.  I have no idea if they can.  OpenBSD can..assuming the MBR
hands control over to the PBR and /boot properly.  For that
matter, you might want to make sure your BIOS supports large
disks properly, otherwise you may have boot issues (just realized
I may not be the only one sticking big disks on old computers!)

Nick.



Re: Missing security announcements

2008-11-13 Thread Randal L. Schwartz
 Ted == Ted Unangst [EMAIL PROTECTED] writes:

Ted What you can do is monitor the list.  If an erratum comes out and
Ted nothing happens for a day, email the person responsible and remind
Ted them.  The person responsible is not necessarily the person who
Ted happened to commit to stable, though, it's the person who made the
Ted original fix.  There's no announcements on the list because probably
Ted half the developers don't know they are supposed to make such
Ted announcements.

Who handles the errata page, assigning the sequential numbers and deciding
whether it's a security fix or not?  Surely, it would be easier to teach that
small set of people (one?) to cc the mailing list on a security announcement,
rather than expect that everyone with a core commit bit be reminded to watch
errata to notice when their particular contribution has been accepted as a
security patch.  What am I missing here?

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
[EMAIL PROTECTED] URL:http://www.stonehenge.com/merlyn/
Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
See http://methodsandmessages.vox.com/ for Smalltalk and Seaside discussion



Re: Missing security announcements

2008-11-13 Thread Thomas Pfaff
On Thu, 13 Nov 2008 12:55:36 -0500
Ted Unangst [EMAIL PROTECTED] wrote:

 [...] There's no announcements on the list because probably
 half the developers don't know they are supposed to make such
 announcements.

Excuse my ignorance, but who keeps http://openbsd.org/errata44.html
updated, then?  Apparently the errata page is kept up-to-date, so
why not automate the process of sending mail to security-announce?

Thomas



3.8 stable to 4.4 snapshot and the system is about 95% in interrupts with tcpdump on em(82541GI)

2008-11-13 Thread Denis Doroshenko
Hi,

upgraded a box from 3.8 stable to 4.4 snapshot and am wondering now,
why it is hogged with interrupts when i run tcpdump on em0. According
to vmstat interrupt rate is more or less the following:

$ vmstat -i
interrupt   total rate
irq10/em0  399560  330
irq11/em1   50
irq14/pciide012691
irq15/pciide0 1360
irq5/vr0 16591
irq0/clock 120799   99
irq8/rtc   154617  127
Total  678045  561
$

The traffic going to em0 is (taken from the cisco here):

  30 second output rate 569104000 bits/sec, 125107 packets/sec

that must be a lot, but 3.8 stable has been handling 960 Mbps on the
same link. Yes 3.8 stable was losing frames but interrupt load was
under 30% and the system was pretty responsive. Now the box nearly
freezes, other processes get delayed seriously, load goes up to 20. It
does not matter whether tcpdump writes to disk or just to /dev/null,
so it more seems to be related to em driver. What could be the cause?
It would be real pity to go back to 3.8, since there are nice features
and fixes that came in during the three years...

I don't know if ifconfig output gives anything useful and dmesg is
traditionally at the end. Thanks in advance.

$ ifconfig
lo0: flags=8049UP,LOOPBACK,RUNNING,MULTICAST mtu 33204
groups: lo
inet 127.0.0.1 netmask 0xff00
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
em0: flags=8943UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST mtu 1500
lladdr 00:0e:0c:05:0c:3f
media: Ethernet autoselect (1000baseT full-duplex,rxpause)
status: active
inet6 fe80::20e:cff:fe05:c3f%em0 prefixlen 64 scopeid 0x1
em1: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500
lladdr 00:0e:0c:05:0c:9c
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6 fe80::20e:cff:fe05:c9c%em1 prefixlen 64 scopeid 0x2
vr0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500
lladdr 00:0a:e6:22:2e:a5
groups: egress
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 10.110.16.245 netmask 0xff00 broadcast 10.110.16.255
inet6 fe80::20a:e6ff:fe22:2ea5%vr0 prefixlen 64 scopeid 0x3
enc0: flags=0 mtu 1536
pflog0: flags=141UP,RUNNING,PROMISC mtu 33204
groups: pflog
$

OpenBSD 4.4-current (GENERIC) #1480: Tue Nov 11 19:56:54 MST 2008
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Celeron(R) CPU 1.70GHz (GenuineIntel 686-class) 1.71 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM
real mem  = 251162624 (239MB)
avail mem = 234262528 (223MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 06/27/02, BIOS32 rev. 0 @
0xfdad0, SMBIOS rev. 2.3 @ 0xf0630 (19 entries)
bios0: vendor American Megatrends Inc. version 07.00T date 04/02/01
bios0: ECS P4VMM2
apm at bios0 function 0x15 not configured
acpi0 at bios0: rev 0
acpi0: tables DSDT FACP
acpi0: wakeup devices UAR1(S4) USB_(S4) USB1(S4) USB2(S4) AC9_(S4)
MC9_(S4) ILAN(S4) PCI0(S4) SLPB(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0
acpibtn0 at acpi0: PWRB
acpibtn1 at acpi0: SLPB
bios0: ROM list: 0xc/0xc000 0xcc000/0x4000!
cpu0 at mainbus0: (uniprocessor)
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 VIA VT8751 PCI rev 0x00
viaagp0 at pchb0v2,
agp0 at viaagp0: aperture at 0xe800, size 0xe40
ppb0 at pci0 dev 1 function 0 VIA VT8633 AGP rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 S3 ProSavage DDR rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
em0 at pci0 dev 9 function 0 Intel PRO/1000MT (82541GI) rev 0x00:
irq 10, address 00:0e:0c:05:0c:3f
em1 at pci0 dev 11 function 0 Intel PRO/1000MT (82541GI) rev 0x00:
irq 11, address 00:0e:0c:05:0c:9c
viapm0 at pci0 dev 17 function 0 VIA VT8233 ISA rev 0x00
iic0 at viapm0
spdmem0 at iic0 addr 0x50: 256MB SDRAM non-parity PC133CL2
pciide0 at pci0 dev 17 function 1 VIA VT82C571 IDE rev 0x06: ATA100,
channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: MAXTOR 6L040J2
wd0: 16-sector PIO, LBA, 38172MB, 78177792 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
wd1 at pciide0 channel 1 drive 0: Maxtor 7L300R0
wd1: 16-sector PIO, LBA48, 286188MB, 586114704 sectors
wd1(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 5
vr0 at pci0 dev 18 function 0 VIA RhineII-2 rev 0x70: irq 5, address
00:0a:e6:22:2e:a5
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 5: OUI
0x004063, model 0x0032
isa0 at mainbus0
isadma0 at isa0
com0 at isa0 

Re: Missing security announcements

2008-11-13 Thread Ted Unangst
On Thu, Nov 13, 2008 at 1:38 PM, Randal L. Schwartz
[EMAIL PROTECTED] wrote:
 Who handles the errata page, assigning the sequential numbers and deciding
 whether it's a security fix or not?  Surely, it would be easier to teach that
 small set of people (one?) to cc the mailing list on a security announcement,
 rather than expect that everyone with a core commit bit be reminded to watch
 errata to notice when their particular contribution has been accepted as a
 security patch.  What am I missing here?

There's no real good reason why it can't be the same person, but
maintaining stable already sucks enough without having more work.  I
won't ask that.  And I strongly believe that the person making a
security fix needs to take responsibility for seeing it through to the
end.  If they can't handle that, I don't think they should be making
security fixes.

Of course, everything I've said so far is more my opinion than project
rules.  By now, it should be pretty clear that the rules are not
clear.



Re: Missing security announcements

2008-11-13 Thread Emilio Perea
On Thu, Nov 13, 2008 at 11:19:45AM -0600, Brian Drain wrote:
 So I am curious, what IS the best way to stay up to date?  Is manually
 checking the errata page every day really correct (seems like there
 would be an automated solution such as the lynx dump aforementioned)?
 It seems to me that even if there is a security flaw in OpenBSD most of
 them (from reading prior patches) would be exceedingly hard to exploit
 anyway so maybe it's not as big of a deal as, say, Windows B.S. (which
 is exactly the reason I am learning something else).

I'm not sure this is the best way, but what I do to keep up with -stable
is to have a cronjob do a cvs (or csup) update every day.  Most days
there is nothing updated, so it's quite noticeable when there's a
change.  These are the two changes since 4.4 release:

- Forwarded message from Cron Daemon [EMAIL PROTECTED] -

Date: 2 Nov 2008 11:00:02 -
From: Cron Daemon [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Cron [EMAIL PROTECTED] /home/eperea/Bin/updsrc

Starting /home/eperea/Bin/updsrc: Sun Nov 2 05:00:02 CST 2008
P sys/conf/newvers.sh
P sys/dev/pci/if_vr.c
P sys/netinet6/in6.c
P sys/netinet6/in6_var.h
P sys/netinet6/nd6_nbr.c
Finished updating source: Sun Nov 2 05:15:24 CST 2008

*==*

Date: 6 Nov 2008 11:00:02 -
From: Cron Daemon [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Cron [EMAIL PROTECTED] /home/eperea/Bin/updsrc

Starting /home/eperea/Bin/updsrc: Thu Nov 6 05:00:02 CST 2008
P sys/netinet/tcp_input.c
P usr.sbin/httpd/src/ap/ap_hook.c
P usr.sbin/httpd/src/modules/proxy/proxy_http.c
Finished updating source: Thu Nov 6 05:14:56 CST 2008

- End forwarded message -

When I see these, I check to see if it's something that requires
patching immediately (but haven't seen any of those yet).  Otherwise, I
build a release and install it after hours on the remote sites.
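Emilio's updsrc itself is not shown above; the following is an added example (my code, not his) of such a cron script: it runs the cvs update, stays silent on the common no-change day, and mails a summary only when cvs reports touched files. It assumes a tree already checked out under /usr/src with the -stable tag sticky, a cvs root recorded in CVS/Root, and the hypothetical SRCDIR and MAILTO variables; the "sys/" attention flag is a constructed heuristic, not something the thread prescribes.

```shell
#!/bin/sh
# Added example: daily -stable source update that mails only on change.
# Assumptions (not from the thread): SRCDIR is a checked-out tree with a
# sticky branch tag; MAILTO receives the summary.
SRCDIR=${SRCDIR:-/usr/src}
MAILTO=${MAILTO:-root}

# Keep only the status lines cvs update prints for files it touched:
#   U = new file, P = patched, M = locally modified, C = conflict.
# Reads cvs output on stdin, prints "status path" lines.
changed_paths() {
    awk '$1 ~ /^[UPMC]$/ && NF == 2 { print $1, $2 }'
}

# Number of touched files in cvs output read from stdin.
count_changed() {
    changed_paths | wc -l | tr -d ' '
}

# Constructed heuristic: succeed (exit 0) when any touched file lives
# under sys/, i.e. the kernel changed and the box needs a rebuild+reboot
# rather than just a userland rebuild.
needs_attention() {
    changed_paths | awk '$2 ~ /^sys\// { n++ } END { exit (n > 0) ? 0 : 1 }'
}

main() {
    start=$(date)
    out=$(cd "$SRCDIR" && cvs -q update -Pd 2>&1) || {
        printf 'cvs update failed:\n%s\n' "$out" \
            | mail -s "updsrc: cvs update failed" "$MAILTO"
        exit 1
    }
    n=$(printf '%s\n' "$out" | count_changed)
    [ "$n" -eq 0 ] && exit 0          # nothing new: no mail at all
    subj="updsrc: $n file(s) changed in $SRCDIR"
    printf '%s\n' "$out" | needs_attention && subj="$subj [kernel]"
    {
        echo "Started: $start"
        printf '%s\n' "$out" | changed_paths
        echo "Finished: $(date)"
    } | mail -s "$subj" "$MAILTO"
}

# Only run the update when invoked as "updsrc run" (e.g. from crontab);
# sourcing the file just defines the functions.
if [ $# -ge 1 ] && [ "$1" = run ]; then
    main
fi
```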



Re: Missing security announcements

2008-11-13 Thread Ted Unangst
On Thu, Nov 13, 2008 at 1:55 PM, Thomas Pfaff [EMAIL PROTECTED] wrote:
 On Thu, 13 Nov 2008 12:55:36 -0500
 Ted Unangst [EMAIL PROTECTED] wrote:

 [...] There's no announcements on the list because probably
 half the developers don't know they are supposed to make such
 announcements.

 Excuse my ignorance, but who keeps http://openbsd.org/errata44.html
 updated, then?  Apparently the errata page is kept up-to-date, so
 why not automate the process of sending mail to security-announce?

Because it hasn't happened in 10 years of whining about it.

There are two ways to fix the problem.

One is the developers change their process.  As should be damn clear
by now, you're not making much progress in that regard.

The other option is to step up and remind the developers when they are
not doing what they should.  That doesn't mean throwing a pity party
on misc every 6 months, it means actively watching what's happening as
errata come out.  This is the one thing that *ANYONE* who cares can
do, yet nobody does it.  All we get is more chatter about changing
things that obviously aren't changing.

Of course, this is how things always work on misc.  There's the
developers do it option and the community does it option.  The
community is full of ideas about the first option, and full of shit
when it comes to the second.

It doesn't matter which way is better, it only matters which way
something will get done.



Re: Missing security announcements

2008-11-13 Thread Theo de Raadt
 Of course, this is how things always work on misc.  There's the
 developers do it option and the community does it option.  The
 community is full of ideas about the first option, and full of shit
 when it comes to the second.

That is exactly what happens.

Now what happens next?

You guys out there on misc have more ideas that we can ignore?

Because that is exactly what I will do.  I'm just so sick and tired of
the whining, and over the last year or so I have adjusted my attitude
and started getting pleasure out of watching the futility.



Re: Missing security announcements

2008-11-13 Thread Thomas Pfaff
On Thu, 13 Nov 2008 14:12:21 -0500
Ted Unangst [EMAIL PROTECTED] wrote:

 On Thu, Nov 13, 2008 at 1:55 PM, Thomas Pfaff [EMAIL PROTECTED] wrote:
  On Thu, 13 Nov 2008 12:55:36 -0500
  Ted Unangst [EMAIL PROTECTED] wrote:
 
  [...] There's no announcements on the list because probably
  half the developers don't know they are supposed to make such
  announcements.
 
[...]
 It doesn't matter which way is better, it only matters which way
 something will get done.

Applying my diff will get something done.

Thanks for your time.

Thomas



Re: 3.8 stable to 4.4 snapshot and the system is about 95% in interrupts with tcpdump on em(82541GI)

2008-11-13 Thread Jason Beaudoin
On Thu, Nov 13, 2008 at 1:54 PM, Denis Doroshenko
[EMAIL PROTECTED] wrote:
 Hi,

 upgraded a box from 3.8 stable to 4.4 snapshot and am wondering now,
 why it is hogged with interrupts when i run tcpdump on em0. According
 to vmstat interrupt rate is more or less the following:

snip

re upgraded from 3.8 to 4.4 snapshot: how (explicitly) did you do
this? is this a fresh install? or an actual upgrade? if it was an
upgrade, did you go from 3.8 -> 3.9 -> ... -> 4.4, or did you fudge from 3.8
-> 4.4 with a snapshot?

cheers,
~Jason



Re: Can't SSH into CARP'd system from the outside

2008-11-13 Thread Vivek Ayer
Oh ok. That kind of makes sense.

Thanks

On Thu, Nov 13, 2008 at 2:11 AM, Marco Pfatschbacher [EMAIL PROTECTED] wrote:
 On Wed, Nov 12, 2008 at 11:40:36AM -0800, Vivek Ayer wrote:
 i don't think I understand. Clarify. you mean carpdev is like your
 physical interface..eth0, re0, etc.?

 say you have a carp configured like:

 carp0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500
lladdr 00:00:5e:00:01:04
carp: MASTER carpdev em0 vhid 4 advbase 1 advskew 0
groups: carp
inet 1.2.3.4 netmask 0xff00 broadcast 1.255.255.255

 As you can see, carp0 is using em0 as its carpdev.
 A pf rule to pass ssh to the carp address would be:

  pass in on em0 inet proto tcp to (carp0) port 22

 and NOT:

  pass in on carp0 inet proto tcp to (carp0) port 22

 HTH,

   Marco



Re: 3.8 stable to 4.4 snapshot and the system is about 95% in interrupts with tcpdump on em(82541GI)

2008-11-13 Thread Denis Doroshenko
On Thu, Nov 13, 2008 at 10:12 PM, Jason Beaudoin
[EMAIL PROTECTED] wrote:
 On Thu, Nov 13, 2008 at 1:54 PM, Denis Doroshenko
 [EMAIL PROTECTED] wrote:
 Hi,

 upgraded a box from 3.8 stable to 4.4 snapshot and am wondering now,
 why it is hogged with interrupts when i run tcpdump on em0. According
 to vmstat interrupt rate is more or less the following:

 snip

 re upgraded from 3.8 to 4.4 snapshot: how (explicitly) did you do
 this? is this a fresh install? or an actual upgrade? if it was an
 upgrade, did you go from 3.8 -> 3.9 -> ... -> 4.4, or did you fudge from 3.8
 -> 4.4 with a snapshot?

ugh, sorry, the upgrade was actually a clean install of the Nov 11 snapshot



Re: Missing security announcements

2008-11-13 Thread Aaron W. Hsu
On Thu, 13 Nov 2008 12:55:36 -0500
Ted Unangst [EMAIL PROTECTED] wrote:

 On Thu, Nov 13, 2008 at 12:35 PM, Aaron W. Hsu [EMAIL PROTECTED] wrote:
  Is security-announce an open list?  If not, give me access and I'll
  keep it reasonably up to date, give or take a day or so of release of
  the Security Errata on the website, unless there is an even faster way
  of checking it out, such as CVS.
 
 It is moderated, and really, outsiders should not be posting to it
 because then it appears that they have some position of authority.
 The only person who should be posting to the list is the person who
 made the fix, because they are the security contact.  When people
 reply, it is important they are talking to the right person.

Okay, I can see why everyone would prefer to see the developers
sending their own fixes -- this is convenient to the users, though not
to the developers.  However, it is obvious that the developers do not
wish to do this, have no time to bother with it, and aren't concerned
at all.  I don't blame them, that's perfectly legitimate.  So we
should get someone else to do it, because some people do care about
having semi-timely security announcements on a mailing list. I also
see no reason why someone announcing a security announcement that is
detailed elsewhere should be required to be a developer heavily
involved in the development process.  The very nature of this suggests
that people who meet this requirement will not have the motivation or
time to do this.  There is nothing wrong with having someone else
assigned to the task. 

 What you can do is monitor the list.  If an erratum comes out and
 nothing happens for a day, email the person responsible and remind
 them.  The person responsible is not necessarily the person who
 happened to commit to stable, though, it's the person who made the
 original fix.  There's no announcements on the list because probably
 half the developers don't know they are supposed to make such
 announcements.

You're implying ignorance of the developers, which I doubt.  They
don't care about it, and we shouldn't be nagging them about it.
Instead, we should do something, rather than just being on the outside
bugging them like annoying gnats. 

I'm offering to do the work.  OpenBSD as a whole may not want me to do
anything, but that's not my fault.  At least I'm trying to *do*
something; I don't consider nagging people who don't have time or
motivation or reason to bother with such things to be a useful thing
to do. 

-- 
Aaron W. Hsu [EMAIL PROTECTED] | http://www.sacrideo.us
Government is the great fiction, through which everybody endeavors to
live at the expense of everybody else. -- Frederic Bastiat
+++ ((lambda (x) (x x)) (lambda (x) (x x))) ++



Layer 7 relaying still needs pf?

2008-11-13 Thread Edd Barrett
Hi,

Why does layer 7 relaying require pf still?

Thanks

-- 

Best Regards

Edd

http://students.dec.bournemouth.ac.uk/ebarrett



Re: Missing security announcements

2008-11-13 Thread Aaron W. Hsu
On Thu, 13 Nov 2008 10:38:06 -0800
[EMAIL PROTECTED] (Randal L. Schwartz) wrote:

 Surely, it would be easier to teach that small set of people (one?)
 to cc the mailing list on a security announcement, rather than
 expect that everyone with a core commit bit be reminded to watch
 errata to notice when their particular contribution has been
 accepted as a security patch.  What am I missing here?

Why should developers listen to people who are just consuming
resources that they are giving out for free?  We don't need to teach
them, we can just do the work they don't want to do to free them up
for doing the work they should be doing.  Why bug them?  They have
work to do. 

-- 
Aaron W. Hsu [EMAIL PROTECTED] | http://www.sacrideo.us
Government is the great fiction, through which everybody endeavors to
live at the expense of everybody else. -- Frederic Bastiat
+++ ((lambda (x) (x x)) (lambda (x) (x x))) ++



Re: Missing security announcements

2008-11-13 Thread Martin Schröder
2008/11/13 Theo de Raadt [EMAIL PROTECTED]:
 You guys out there on misc have more ideas that we can ignore?

<quote src="http://www.openbsd.org/goals.html">
Do not let serious problems sit unsolved.
</quote>

Best
   Martin



Re: Missing security announcements

2008-11-13 Thread andrew fresh
On Thu, Nov 13, 2008 at 12:55:36PM -0500, Ted Unangst wrote:
 On Thu, Nov 13, 2008 at 12:35 PM, Aaron W. Hsu [EMAIL PROTECTED] wrote:
  Is security-announce an open list?  If not, give me access and I'll
  keep it reasonably up to date, give or take a day or so of release of
  the Security Errata on the website, unless there is an even faster way
  of checking it out, such as CVS.
 
 It is moderated, and really, outsiders should not be posting to it
 because then it appears that they have some position of authority.
 The only person who should be posting to the list is the person who
 made the fix, because they are the security contact.  When people
 reply, it is important they are talking to the right person.


I just wrote something quick in perl that scrapes the errata pages of
the two most recent releases and sends a nicely formatted email for any
that have changed since the last check.

It does require a couple of packages be installed (p5-libwww and
p5-HTML-Tree) but if there were enough interest from someone who could
do something with it, I could probably make it work with just what is
available in the base system.

There are lots of ways to break something that scrapes html, but it is
at least automated.

l8rZ,
-- 
andrew - ICQ# 253198 - Jabber: [EMAIL PROTECTED]


#!/usr/bin/perl -T
use strict;
use warnings;

%ENV = ();    # taint mode: start from an empty environment

# Additional modules needed
use LWP::Simple;          # pkg_add p5-libwww
use HTML::TreeBuilder;    # pkg_add p5-HTML-Tree

# Core modules
use Text::Wrap;
use Fcntl ':flock';       # import LOCK_* constants

# should end with a /
my $base_url   = 'http://www.OpenBSD.org/';
my $start_page = 'errata.html';

my $sender    = '[EMAIL PROTECTED]';
my $recipient = '[EMAIL PROTECTED]';

# should end with a /
my $base_dir = '/home/andrew/.openbsd_errata_notifier/';

my $max_versions_to_process = 2;

#*#*# Nothing to change beyond this point #*#*#

my $tree = HTML::TreeBuilder->new();

my $content = get( $base_url . $start_page )
    or die "Couldn't get [$start_page]: $!";
$tree->parse($content)->eof;

# Collect the per-release errata pages (errata44.html, errata43.html, ...)
my @errata_urls;
foreach my $link ( @{ $tree->extract_links('a') } ) {
    my ( $url, $element, $attr, $tag ) = @{$link};
    if ( $url =~ /^errata\d+\.html\Z/xms ) {
        push @errata_urls, $base_url . $url;
    }
}

$tree->delete;

# Walk the newest releases first, stopping after $max_versions_to_process
my $processed = 0;
URL: foreach my $url ( reverse @errata_urls ) {
    $processed++;
    last URL if $processed > $max_versions_to_process;

    my $tree = HTML::TreeBuilder->new();

    my $content = get($url) or die "Couldn't get [$url]: $!";
    $tree->parse($content)->eof;

    # The page title carries the release number, e.g. "OpenBSD 4.4 errata".
    # The regex capture also untaints $version for use in file names below.
    my $title = $tree->find('title')->as_trimmed_text;
    my ($version) = $title =~ /\b ( \d+ \. \d ) \b/xms;

    foreach my $entry ( reverse $tree->find('ul')->find('li') ) {
        my $errata = process_errata_entry($entry);
        $errata->{version} = $version;
        $errata->{url}     = $url;

        my $message = format_errata_message($errata);
        my $file    = make_errata_dir($errata);

        if ( should_send( $message, $file ) ) {
            mail($message);
        }
    }

    $tree->delete;
}

# Turn one <li> of an errata page into a hash of its parts
sub process_errata_entry {
    my ($errata) = @_;

    my $id = $errata->find('a')->attr('name');

    # e.g. "005: SECURITY FIX: November 13, 2008"
    my ( $num, $type, $date ) = split /:\s*/xms,
        $errata->find('strong')->as_trimmed_text;

    my $arch = $errata->find('i')->as_trimmed_text;

    my %errata = (
        id     => $id,
        number => $num,
        type   => $type,
        date   => $date,
        arch   => $arch,
    );

    # Pull the patch link and any CVE links out of the entry so that only
    # the description text is left behind
    foreach my $content ( $errata->content_list ) {
        if ( ref $content eq 'HTML::Element' ) {
            if ( my $href = $content->attr('href') ) {
                if ( $href =~ m{ftp\.openbsd\.org.*patch\Z}ixms ) {
                    $errata{patch} = {
                        href => $href,
                        text => $content->as_trimmed_text,
                    };
                    $content->delete;
                }
                elsif ( $href =~ m{CVE-} ) {
                    push @{ $errata{cve} },
                        {
                        href => $href,
                        text => $content->as_trimmed_text,
                        };
                    $content->delete;
                }
            }
        }
    }

    foreach my $br ( $errata->find('br') ) {
        $br->replace_with("\n");
    }

    my @descr = split /\n/, $errata->as_text;
    shift @descr;    # the "NNN: TYPE: date" heading line
    pop @descr;      # trailing line left behind by the removed links

    foreach my $m (@descr) {
        $m =~ s/^\s+//xms;
        $m =~ s/\.\W+\Z/\./xms;
    }

    $errata{description} = \@descr;

    return \%errata;
}

sub mail {
    my ($message) = @_;

    open( my $sendmail, "|/usr/sbin/sendmail -oi -t -odq" )
        or die "Can't fork for sendmail: $!\n";
    print $sendmail $message;
    close $sendmail or warn "sendmail didn't close nicely";
}

sub format_errata_message {
    my ($errata) = @_;

    my $message = <<EOL;
From: $sender
To: $recipient
EOL

    $message
        .= 'Subject: OpenBSD '
        . $errata->{version}
        . ' Errata '
        # The archived post is cut off at this point. The rest of this
        # subroutine, make_errata_dir() and should_send() below are an
        # editor's reconstruction of what the post describes (mail each
        # new or changed entry once, keeping state under $base_dir); they
        # are not the author's original code.
        . $errata->{number} . ': '
        . $errata->{type} . "\n\n";

    $message .= "OpenBSD $errata->{version} errata $errata->{number}, "
        . "$errata->{type}, $errata->{date} ($errata->{arch})\n";
    $message .= "$errata->{url}#$errata->{id}\n\n";
    $message .= wrap( '', '', @{ $errata->{description} } ) . "\n";

    if ( $errata->{patch} ) {
        $message .= "\nPatch: $errata->{patch}{href}\n";
    }
    foreach my $cve ( @{ $errata->{cve} || [] } ) {
        $message .= "$cve->{text}: $cve->{href}\n";
    }

    return $message;
}

# One state file per errata entry, grouped by release, named after the
# entry's anchor (editor's reconstruction, see above)
sub make_errata_dir {
    my ($errata) = @_;

    # $id was scraped from the web page and is therefore tainted; under -T
    # it may only be used in a path after a regex capture that accepts
    # nothing but the characters an anchor name should contain
    my ($id) = $errata->{id} =~ /\A ( [\w.-]+ ) \z/xms
        or die "Unexpected errata id [$errata->{id}]";

    my $dir = $base_dir . $errata->{version} . '/';
    foreach my $d ( $base_dir, $dir ) {
        next if -d $d;
        mkdir $d, 0700 or die "Couldn't mkdir [$d]: $!";
    }

    return $dir . $id;
}

# True when the entry is new or its text differs from the stored copy;
# the stored copy is refreshed either way (editor's reconstruction, see above)
sub should_send {
    my ( $message, $file ) = @_;

    if ( -e $file ) {
        open( my $old_fh, '<', $file ) or die "Couldn't read [$file]: $!";
        flock( $old_fh, LOCK_SH ) or die "Couldn't lock [$file]: $!";
        my $old = do { local $/; <$old_fh> };
        close $old_fh;
        return 0 if $old eq $message;    # unchanged since the last check
    }

    open( my $new_fh, '>', $file ) or die "Couldn't write [$file]: $!";
    flock( $new_fh, LOCK_EX ) or die "Couldn't lock [$file]: $!";
    print $new_fh $message;
    close $new_fh or die "Couldn't close [$file]: $!";

    return 1;
}

OpenBSD 4.4 panics when using AICCU

2008-11-13 Thread Felipe Alfaro Solana
Hi misc,

Are any of you using AICCU on OpenBSD 4.4 patched to 005? Have you
experienced panics? Since I upgraded to OpenBSD 4.4, whenever I take
AICCU down, then up, after a while the system panics. I can reproduce
this reliably, although the timing is not always the same: sometimes
the system panics in a few seconds, sometimes it takes longer.

Have you experienced this?

Thanks in advance.

PS: I have crash dumps for each panic.

-- 
http://www.felipe-alfaro.org/blog/disclaimer/



Re: OpenBSD 4.4 panics when using AICCU

2008-11-13 Thread Felipe Alfaro Solana
On Fri, Nov 14, 2008 at 12:00 AM, Felipe Alfaro Solana
[EMAIL PROTECTED] wrote:
 Hi misc,

 Are any of you using AICCU on OpenBSD 4.4 patched to 005? Have you
 experienced panics? Since I upgraded to OpenBSD 4.4, whenever I take
 AICCU down, then up, after a while the system panics. I can reproduce
 this reliably, although the timing is not always the same: sometimes
 the system panics in a few seconds, sometimes it takes longer.

 Have you experienced this?

I've been trying to chase down what is causing the panic. Apparently,
it's related to IPSec/IPv6: when I reboot the system with no
IPSec/IPv6 tunnels enabled (no sasync, no isakmpd) the system doesn't
panic when I take aiccu down and then up.

The system panics here:

uvm_fault(0xd623f758, 0x0, 0, 1) -> e
kernel: page fault trap, code=0
Stopped at  in6_selecthlim+0x29:movzbl  0x1c(%eax),%eax


 Thanks in advance.

 PS: I have crash dumps for each panic.

 --
 http://www.felipe-alfaro.org/blog/disclaimer/




-- 
http://www.felipe-alfaro.org/blog/disclaimer/



opencvs weird problem 4.3

2008-11-13 Thread Jesus Sanchez

Hi list, using stable 4.3.

I have a weird behaviour with opencvs and wish to know if it's a known
thing. My usual steps to have an up to date OpenBSD source tree are to
download the src.tar.gz and sys.tar.gz files from a well known ftp
server, and then launch an opencvs checkout. I found that opencvs seems
to get stuck when the source tree it's checking is already up to date.

To reproduce this behaviour from a clean /usr/obj/ and /usr/src/ dirs I
do:

- download the src.tar.gz and sys.tar.gz from an ftp.
- untar them on /usr/src (tar zxvf file.tar.gz in /usr/src)
- cd /usr
- opencvs checkout -P -r OPENBSD_4_3 src

Then opencvs updates a few files for me in about 10-12 minutes.

Well, from this point let's say I have a nice source tree; then I use
the exact same opencvs again and the process takes several minutes
(about 2 hours) without any response, it seems it loops or something
similar.

Has anyone experienced something similar? Google didn't help me, and
neither did the cvs manual.

-Jesus



Re: OpenBSD 4.4 panics when using AICCU

2008-11-13 Thread Felipe Alfaro Solana
On Fri, Nov 14, 2008 at 12:58 AM, Felipe Alfaro Solana
[EMAIL PROTECTED] wrote:
 On Fri, Nov 14, 2008 at 12:00 AM, Felipe Alfaro Solana
 [EMAIL PROTECTED] wrote:
 Hi misc,

 Are any of you using AICCU on OpenBSD 4.4 patched to 005? Have you
 experienced panics? Since I upgraded to OpenBSD 4.4, whenever I take
 AICCU down, then up, after a while the system panics. I can reproduce
 this reliably, although the timing is not always the same: sometimes
 the system panics in a few seconds, sometimes it takes longer.

 Have you experienced this?

 I've been trying to chase down what is causing the panic. Apparently,
 it's related to IPSec/IPv6: when I reboot the system with no
 IPSec/IPv6 tunnels enabled (no sasync, no isakmpd) the system doesn't
 panic when I take aiccu down and then up.

 The system panics here:

 uvm_fault(0xd623f758, 0x0, 0, 1) -> e
 kernel: page fault trap, code=0
 Stopped at  in6_selecthlim+0x29:movzbl  0x1c(%eax),%eax

Looks to me like the IPSec/IPv6 code is holding a reference to an
in6pcb structure (that represents or is associated with the aiccu tun0
interface) that gets destroyed when I take aiccu down. When I start
aiccu again, in6_selecthlim ends up being called with an old
reference to the tun0 interface that does not exist anymore (was freed)
and that causes the trap.


 Thanks in advance.

 PS: I have crash dumps for each panic.

 --
 http://www.felipe-alfaro.org/blog/disclaimer/




 --
 http://www.felipe-alfaro.org/blog/disclaimer/




-- 
http://www.felipe-alfaro.org/blog/disclaimer/



Re: 4.3 Freeze

2008-11-13 Thread Jean-Gérard Pailloncy
Hello,

I had the time to test a snapshot.
I downloaded the bsd.mp i386 of 11 Nov 2008 23h25.

I installed only the bsd.mp because I want to keep the box on 4.4 stable if
something goes wrong. If that is not enough I will have next week a
better environment to test it (with serial console, apc, etc).

I have a heavy apache with mod_perl that was crashing the box due to (I
suppose) heavy memory fragmentation under 4.3. I upgraded to 4.4, and that
was only a little better.
With the 44.2008-2325 snapshot, it is really better.




What looks strange to me is that I limit the heavy perl to 10
MaxRequestsPerChild in httpd.conf as a test. And when the child exits,
sometimes the swap used grows even if the memory is not exhausted.

When there are many heavy httpd process running, if I do apachectl stop
the machine often starts to swap to death.
But if I do pkill -9 httpd, no problem.


The second thing, I use watchdogd but it never reboots the server.




I see some messages in /var/log/messages:
Nov 14 01:00:07 root /bsd: uvm_mapent_alloc: out of static map entries
Nov 14 01:01:58 root /bsd: uvm_mapent_alloc: out of static map entries
Nov 14 01:03:44 root last message repeated 9 times
Nov 14 01:08:25 root last message repeated 4 times

When I test the box with
http_load -parallel 200 -seconds 60 url.txt
the server sometimes freezes.

Here the last output of some tools at freeze times:

   6 usersLoad 112.80 53.61 29.18  Fri Nov 14 01:22:02
2008

memory totals (in KB)PAGING   SWAPPING
Interrupts
   real   virtual free   in  out   in  out  453
total
Active  1553940   2068016   133424   ops110  116100 clock
All 3212464   3726540   133424   pages *326 mpi0
 27
bge1
Proc:r  d  s  wCsw   Trp   Sys   Int   Sof  Flt   forks ehci0
   119  3 20   188  1013   421   353   141 1004   fkppw
com0
  fksvm
   0.4%Int  96.9%Sys   2.8%Usr   0.0%Nic   0.0%Idle   pwait
|||||||||||   116 relck
=116 rlkok
  noram
Namei Sys-cacheProc-cacheNo-cache 398 ndcpy
Calls hits%hits %miss   % fltcp
  112  112  100 5 zfod
  254 cow
Disks   sd0   cd0   27882 fmin
seeks   37176 ftarg
xfers   327194244 itarg
Kbyte  1314 1 wired
  sec   0.8   116 pdfre


load averages: 115.35, 56.10, 30.35                                   01:22:07
225 processes: 115 running, 109 idle, 1 on processor
CPU states:  3.6% user,  0.0% nice, 96.4% system,  0.0% interrupt,  0.0% idle
Memory: Real: 1519M/3137M act/tot  Free: 131M  Swap: 502M/502M used/tot

  PID  UID PRI NICE  SIZE   RES STATE WAIT      TIME    CPU COMMAND
   12    0 -18    0    0K  465M sleep pgdaemo   1:52 91.21% pagedaemon
28486  997  28    0  212M   46M run   -         0:02  0.05% httpd
16277   67  28    0   47M   28M run   -         0:00  0.05% httpd
26147   67  28    0   47M   35M run   -         0:00  0.05% httpd
20969  997  28    0  227M   14M run   -         0:00  0.05% httpd
19676   67  28    0   68M 3404K run   -         0:07  0.00% httpd
31033   67  28    0   79M 3292K run   -         0:06  0.00% httpd
15570   67  28    0   67M 3188K run   -         0:03  0.00% httpd
30920   67  28    0   73M 6588K run   -         0:02  0.00% httpd
 4906   67  28    0   72M 6184K run   -         0:02  0.00% httpd
 6291  997  28    0  189M   57M run   -         0:02  0.00% httpd
19720   67  28    0   67M 7148K run   -         0:02  0.00% httpd
 6337  997  28    0  232M   17M run   -         0:02  0.00% httpd
 1030  997  28    0  193M   55M run   -         0:02  0.00% httpd
29512  997  28    0  204M   61M run   -         0:02  0.00% httpd
17457  997  28    0  189M   30M run   -         0:02  0.00% httpd
19779  997  28    0  189M   31M run   -         0:02  0.00% httpd
17380  997  28    0  189M   17M run   -         0:01  0.00% httpd


netstat -m
2157 mbufs in use:
501 mbufs allocated to data
1648 mbufs allocated to packet headers
8 mbufs allocated to socket names and addresses
431/898/6144 mbuf clusters in use (current/peak/max)
2356 Kbytes allocated to network (59% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines



OpenBSD 4.4-current (GENERIC) #1480: Tue Nov 11 

In a bit of a pickle with ral0

2008-11-13 Thread Juan Miscaro
I'm providing wireless internet access for a small building with
OpenBSD 4.3 (some snapshot) as access point.  I'm using the ral
driver.  I regularly need to bring down and then back up the interface
with ifconfig.  Is this normal?  Is there anything I can do short of
replacing the card?  As an aside, I'm pondering going wired but
plugging into a wireless bridge.  Any recommendations on models?

ral0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:18:f8:28:b9:f4
groups: wlan
media: IEEE802.11 DS11 mode 11b hostap (autoselect mode 11b hostap)
status: active
ieee80211: nwid MYNETWORK chan 11 bssid 00:18:f8:28:b9:f4 100dBm
inet6 fe80::218:f8ff:fe28:b9f4%ral0 prefixlen 64 scopeid 0x1
inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255

Thanks for listening,

/juan



Re: Virtual Consoles in OpenBSD/macppc

2008-11-13 Thread disintx
It's not possible (at this time?) and probably won't be for quite a long
time.

I use OpenBSD on macppc; I too recommend using screen or tmux, although I
have no experience with the latter. It's enough to get by.

On Thu, Nov 13, 2008 at 5:29 AM, Marco Peereboom [EMAIL PROTECTED] wrote:

 macppc console sucks, it is slower than dog poo.  Besides this has been
 asked, oh maybe 329849384293473284784728347328 times by now?

 On Thu, Nov 13, 2008 at 12:57:58PM -, Pedro de Oliveira wrote:
  Is it possible to implement it, is it something that may be available in
  the future? Or is it really impossible to have multiple consoles?
  From what I understand, the console in macppc just works in framebuffer;
  is FB limited to just one console, does it just not support multiple yet?
 
 
  -Original Message-
  From: Peter Kay - Syllopsium [mailto:[EMAIL PROTECTED]
  Sent: Thursday, 13 November 2008 12:44
  To: Pedro de Oliveira; misc@openbsd.org
  Subject: Re: Virtual Consoles in OpenBSD/macppc
 
  From: Pedro de Oliveira [EMAIL PROTECTED]
   Hi,
  
   Anyone here using OpenBSD/macppc knows if it's possible to enable more
   than one virtual console? I can't seem to find any info about that in
   the FAQ.
   http://www.openbsd.org/faq/faq7.html
 
  It's not supported. Use 'screen' from packages instead.
 
  PK



Re: Can't SSH into CARP'd system from the outside

2008-11-13 Thread Vivek Ayer
Yay! I got ssh and http to work on the CARP interface. Thanks.

However, the httpd redirect is not working just yet on the CARP
interface for one of the computers. Does IP balancing mess up
redirect?

When I only have one router up doing the redirect, the CARP interface
works, but when I have both routers on, the CARP interface defaults to
the one that doesn't apparently do redirection. I'm going to
troubleshoot and turn off the one that works and turn on the computer
that doesn't redirect.

Any other suggestions for troubleshooting this weird setup I have? Has
anyone ever done this before having CARP'd web servers behind CARP'd
routers?

Here's my current pf.conf:

#   $OpenBSD: pf.conf,v 1.35 2008/02/29 17:04:55 reyk Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

# macros
ext_if = re0 # External Interface (169.229.158.0/24)
int_if = xl0 # Internal Interface (192.168.1.0/24)
localnet = $int_if:network
webserver = 192.168.1.50 # Redundant Sun Servers
nameserver = 192.168.1.101 # Dell L400 Celeron
webports = { http , https }
domainport = { domain }
tcp_services = { ssh }
icmp_types = echoreq
carpdevs = { carp0 , carp1 }
syncdev = { re1 }
carp_mcast = 224.0.0.18

# extra tweaks
set skip on lo
set block-policy return
set loginterface $ext_if
scrub in all

# nat
nat on $ext_if from $localnet to any -> ($ext_if)
no nat on $int_if proto tcp from $int_if to $localnet
nat on $int_if proto tcp from $localnet to $webserver port $webports -> $int_if

# rdr for http
rdr on $ext_if proto tcp from any to any port $webports -> $webserver
rdr on $int_if proto tcp from $localnet to $ext_if port $webports -> $webserver
rdr on $int_if proto tcp from $localnet to $int_if port $webports -> $webserver

# rdr for domain (tcp)
rdr on $ext_if proto tcp from any to any port $domainport -> $nameserver
rdr on $int_if proto tcp from $localnet to $ext_if port $domainport -> $nameserver
rdr on $int_if proto tcp from $localnet to $int_if port $domainport -> $nameserver

# rdr for domain (udp)
rdr on $ext_if proto udp from any to any port $domainport -> $nameserver
rdr on $int_if proto udp from $localnet to $ext_if port $domainport -> $nameserver
rdr on $int_if proto udp from $localnet to $int_if port $domainport -> $nameserver

# pass rules
block in # Default Deny
pass out keep state
antispoof quick for { lo }
pass in inet proto icmp all icmp-type $icmp_types keep state # Let Ping In
pass in quick on $int_if
pass in on $ext_if inet proto tcp from any to ($ext_if) \
   port $tcp_services flags S/SA keep state # Allow SSH Access from Outside
pass in on $ext_if inet proto tcp from any to $webserver port $webports \
   flags S/SA synproxy state
pass in on $ext_if inet proto udp from any to $nameserver port $domainport
pass in on $ext_if inet proto tcp from any to $nameserver port $domainport \
   flags S/SA synproxy state

# Basic CARP/pfsync pass rules
pass on $carpdevs proto carp keep state
pass quick on $ext_if proto carp \
   from $ext_if:network to $carp_mcast keep state
pass on $syncdev proto pfsync

# Internet-Facing CARP rules
pass in on $ext_if inet proto tcp from any to (carp0) \
   port $tcp_services flags S/SA keep state # Allow SSH Access from Outside
pass in on $ext_if inet proto tcp from any to (carp0) \
   port $webports flags S/SA synproxy state
pass in on $ext_if inet proto udp from any to (carp0) \
   port $domainport
pass in on $ext_if inet proto tcp from any to (carp0) \
   port $domainport flags S/SA synproxy state

# LAN-Facing CARP rules
pass in on $int_if inet proto tcp from $localnet to (carp1) \
   port $tcp_services flags S/SA keep state # Allow SSH Access from Inside
pass in on $int_if inet proto tcp from $localnet to (carp1) \
   port $webports flags S/SA synproxy state
pass in on $int_if inet proto udp from $localnet to (carp1) \
   port $domainport
pass in on $int_if inet proto tcp from $localnet to (carp1) \
   port $domainport flags S/SA synproxy state

Thanks

On Thu, Nov 13, 2008 at 12:27 PM, Vivek Ayer [EMAIL PROTECTED] wrote:
 Oh ok. That kind of makes sense.

 Thanks

 On Thu, Nov 13, 2008 at 2:11 AM, Marco Pfatschbacher [EMAIL PROTECTED] 
 wrote:
 On Wed, Nov 12, 2008 at 11:40:36AM -0800, Vivek Ayer wrote:
 i don't think I understand. Clarify. you mean carpdev is like your
 physical interface..eth0, re0, etc.?

 say you have a carp configured like:

 carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:5e:00:01:04
carp: MASTER carpdev em0 vhid 4 advbase 1 advskew 0
groups: carp
inet 1.2.3.4 netmask 0xff00 broadcast 1.255.255.255

 As you can see, carp0 is using em0 as its carpdev.
 A pf rule to pass ssh to the carp address would be:

  pass in on em0 inet proto tcp to (carp0) port 22

 and NOT:

  pass in on carp0 inet proto tcp to (carp0) port 22

 HTH,

   Marco



Re: OpenBSD 4.4 panics when using AICCU

2008-11-13 Thread Felipe Alfaro Solana
On Fri, Nov 14, 2008 at 12:58 AM, Felipe Alfaro Solana
[EMAIL PROTECTED] wrote:
 On Fri, Nov 14, 2008 at 12:00 AM, Felipe Alfaro Solana
 [EMAIL PROTECTED] wrote:
 Hi misc,

 Are any of you using AICCU on OpenBSD 4.4 patched to 005? Have you
 experienced panics? Since I upgraded to OpenBSD 4.4, whenever I take
 AICCU down, then up, after a while the system panics. I can reproduce
 this reliably, although the timing is not always the same: sometimes
 the system panics in a few seconds, sometimes it takes longer.

 Have you experienced this?

 I've been trying to chase down what is causing the panic. Apparently,
 it's related to IPSec/IPv6: when I reboot the system with no
 IPSec/IPv6 tunnels enabled (no sasync, no isakmpd) the system doesn't
 panic when I take aiccu down and then up.

 The system panics here:

 uvm_fault(0xd623f758, 0x0, 0, 1) -> e
 kernel: page fault trap, code=0
 Stopped at  in6_selecthlim+0x29:movzbl  0x1c(%eax),%eax

Another datapoint:

When bringing aiccu down, the kernel logs the following message:

in6_purgeaddr: failed to remove a route to the p2p destination:
2001::::2 on tun0, errno=3.

This looks very suspicious to me, and wrong, by the way, since the tun0
interface is using 2001::::2 as the local IPv6 address, while
2001::::1 is the remote end point. Hence, there is no route in
the routing table that is bound to tun0 and has 2001::::2 as
the destination (there is one, but it is bound to lo0). It leads me to
think that some data structures are not properly freed/reference
counted, which eventually leads to the panic.

Any ideas?



 Thanks in advance.

 PS: I have crash dumps for each panic.

 --
 http://www.felipe-alfaro.org/blog/disclaimer/




 --
 http://www.felipe-alfaro.org/blog/disclaimer/




-- 
http://www.felipe-alfaro.org/blog/disclaimer/



Re: Can't SSH into CARP'd system from the outside

2008-11-13 Thread Vivek Ayer
Confirmed. If I have both routers on, the http redirection on the CARP
interface doesn't work. But when I only have one on, then the
redirection works just fine. Is CARP getting confused with the
packets?

On Thu, Nov 13, 2008 at 5:51 PM, Vivek Ayer [EMAIL PROTECTED] wrote:
 Yay! I got ssh and http to work on the CARP interface. Thanks.

 However, the httpd redirect is not working just yet on the CARP
 interface for one of the computers. Does IP balancing mess up
 redirect?

 When I only have one router up doing the redirect, the CARP interface
 works, but when I have both routers on, the CARP interface defaults to
 the one that doesn't apparently do redirection. I'm going to
 troubleshoot and turn off the one that works and turn on the computer
 that doesn't redirect.

 Any other suggestions for troubleshooting this weird setup I have? Has
 anyone ever done this before having CARP'd web servers behind CARP'd
 routers?

 Here's my current pf.conf:

 #   $OpenBSD: pf.conf,v 1.35 2008/02/29 17:04:55 reyk Exp $
 #
 # See pf.conf(5) and /usr/share/pf for syntax and examples.
 # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
 # in /etc/sysctl.conf if packets are to be forwarded between interfaces.

 # macros
 ext_if = re0 # External Interface (169.229.158.0/24)
 int_if = xl0 # Internal Interface (192.168.1.0/24)
 localnet = $int_if:network
 webserver = 192.168.1.50 # Redundant Sun Servers
 nameserver = 192.168.1.101 # Dell L400 Celeron
 webports = { http , https }
 domainport = { domain }
 tcp_services = { ssh }
 icmp_types = echoreq
 carpdevs = { carp0 , carp1 }
 syncdev = { re1 }
 carp_mcast = 224.0.0.18

 # extra tweaks
 set skip on lo
 set block-policy return
 set loginterface $ext_if
 scrub in all

 # nat
 nat on $ext_if from $localnet to any -> ($ext_if)
 no nat on $int_if proto tcp from $int_if to $localnet
 nat on $int_if proto tcp from $localnet to $webserver port $webports -> $int_if

 # rdr for http
 rdr on $ext_if proto tcp from any to any port $webports -> $webserver
 rdr on $int_if proto tcp from $localnet to $ext_if port $webports -> $webserver
 rdr on $int_if proto tcp from $localnet to $int_if port $webports -> $webserver

 # rdr for domain (tcp)
 rdr on $ext_if proto tcp from any to any port $domainport -> $nameserver
 rdr on $int_if proto tcp from $localnet to $ext_if port $domainport -> $nameserver
 rdr on $int_if proto tcp from $localnet to $int_if port $domainport -> $nameserver

 # rdr for domain (udp)
 rdr on $ext_if proto udp from any to any port $domainport -> $nameserver
 rdr on $int_if proto udp from $localnet to $ext_if port $domainport -> $nameserver
 rdr on $int_if proto udp from $localnet to $int_if port $domainport -> $nameserver

 # pass rules
 block in # Default Deny
 pass out keep state
 antispoof quick for { lo }
 pass in inet proto icmp all icmp-type $icmp_types keep state # Let Ping In
 pass in quick on $int_if
 pass in on $ext_if inet proto tcp from any to ($ext_if) \
   port $tcp_services flags S/SA keep state # Allow SSH Access from Outside
 pass in on $ext_if inet proto tcp from any to $webserver port $webports \
   flags S/SA synproxy state
 pass in on $ext_if inet proto udp from any to $nameserver port $domainport
 pass in on $ext_if inet proto tcp from any to $nameserver port $domainport \
   flags S/SA synproxy state

 # Basic CARP/pfsync pass rules
 pass on $carpdevs proto carp keep state
 pass quick on $ext_if proto carp \
   from $ext_if:network to $carp_mcast keep state
 pass on $syncdev proto pfsync

 # Internet-Facing CARP rules
 pass in on $ext_if inet proto tcp from any to (carp0) \
   port $tcp_services flags S/SA keep state # Allow SSH Access from Outside
 pass in on $ext_if inet proto tcp from any to (carp0) \
   port $webports flags S/SA synproxy state
 pass in on $ext_if inet proto udp from any to (carp0) \
   port $domainport
 pass in on $ext_if inet proto tcp from any to (carp0) \
   port $domainport flags S/SA synproxy state

 # LAN-Facing CARP rules
 pass in on $int_if inet proto tcp from $localnet to (carp1) \
   port $tcp_services flags S/SA keep state # Allow SSH Access from Inside
 pass in on $int_if inet proto tcp from $localnet to (carp1) \
   port $webports flags S/SA synproxy state
 pass in on $int_if inet proto udp from $localnet to (carp1) \
   port $domainport
 pass in on $int_if inet proto tcp from $localnet to (carp1) \
   port $domainport flags S/SA synproxy state

 Thanks

 On Thu, Nov 13, 2008 at 12:27 PM, Vivek Ayer [EMAIL PROTECTED] wrote:
 Oh ok. That kind of makes sense.

 Thanks

 On Thu, Nov 13, 2008 at 2:11 AM, Marco Pfatschbacher [EMAIL PROTECTED] 
 wrote:
 On Wed, Nov 12, 2008 at 11:40:36AM -0800, Vivek Ayer wrote:
 i don't think I understand. Clarify. you mean carpdev is like your
 physical interface..eth0, re0, etc.?

 say you have a carp configured like:

 carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:5e:00:01:04
carp: MASTER carpdev em0 vhid 

Re: opencvs weird problem 4.3

2008-11-13 Thread Robert
On Fri, 14 Nov 2008 01:15:19 +0100
Jesus Sanchez [EMAIL PROTECTED] wrote:

 Hi list, using stable 4.3.
 
 I have a weird behaviour with opencvs and wish to know if it's a
 known thing. My usual steps to have an up to date OpenBSD source tree
 are to download the src.tar.gz and sys.tar.gz files from a well known
 ftp server, and then launch an opencvs checkout. I found that opencvs
 seems to get stuck when the source tree it's checking is already up
 to date.
 
 To reproduce this behaviour from a clean /usr/obj/ and /usr/src/ dirs
 I do:
 
 - download the src.tar.gz and sys.tar.gz from an ftp.
 - untar them on /usr/src (tar zxvf file.tar.gz in /usr/src)
 - cd /usr
 - opencvs checkout -P -r OPENBSD_4_3 src
 
 Then opencvs updates a few files for me in about 10-12 minutes.
 
 Well, from this point let's say I have a nice source tree; then I use
 the exact same opencvs again and the process takes several minutes
 (about 2 hours) without any response, it seems it loops or something
 similar.
 
 Has anyone experienced something similar? Google didn't help me, and
 neither did the cvs manual.
 
 -Jesus


You are doing it wrong.
Check out the up command for cvs.

- Robert



Re: Layer 7 relaying still needs pf?

2008-11-13 Thread Girish Venkatachalam
On 21:45:56 Nov 13, Edd Barrett wrote:
 Hi,
 
 Why does layer 7 relaying require pf still?
 

There are cases where relaying works in tandem with redirection. pf
never looks into the packet payloads.

-Girish



Re: OpenBSD 4.4 panics when using AICCU

2008-11-13 Thread Daniel Melameth
On Thu, Nov 13, 2008 at 7:18 PM, Felipe Alfaro Solana
[EMAIL PROTECTED] wrote:
 On Fri, Nov 14, 2008 at 12:58 AM, Felipe Alfaro Solana
 [EMAIL PROTECTED] wrote:
 On Fri, Nov 14, 2008 at 12:00 AM, Felipe Alfaro Solana
 [EMAIL PROTECTED] wrote:
 Are any of you using AICCU on OpenBSD 4.4 patched to 005? Have you
 experienced panics? Since I upgraded to OpenBSD 4.4, whenever I take
 AICCU down, then up, after a while the system panics. I can reproduce
 this reliably, although the timing is not always the same: sometimes
 the system panics in a few seconds, sometimes it takes longer.

 Have you experienced this?

 I've been trying to chase down what is causing the panic. Apparently,
 it's related to IPSec/IPv6: when I reboot the system with no
 IPSec/IPv6 tunnels enabled (no sasync, no isakmpd) the system doesn't
 panic when I take aiccu down and then up.

 The system panics here:

 uvm_fault(0xd623f758, 0x0, 0, 1) - e
 kernel: page fault trap, code=0
 Stopped at  in6_selecthlim+0x29:movzbl  0x1c(%eax),%eax

 Another datapoint:

 When bringing aiccu down, the kernel logs the following message:

 in6_purgeaddr: failed to remove a route to the p2p destination:
 2001::::2 on tun0, errno=3.

 This looks very suspicious to me, and wrong, by the way, since tun0
 interface is using 2001::::2 as the local IPv6 address, while
 2001::::1 is the remote end point. Hence, there is no route in
 the routing table that is bound to tun0 and has 2001::::2 as
 the destination (there is one, but it is bound to lo0). It leads me to
 think that some data structures are not properly freed/reference
 counted, which eventually leads to the panic.

 Any ideas?

Haven't looked at it in detail, but brad@ just updated 4.4 stable's
if.c to address an apparently similar IPv6-related panic that might
help.



trouble installing ports (No packages available in the PKG_PATH)

2008-11-13 Thread Juan Miscaro
I'm scripting a reinstall routine for my ports on 4.3.  When I come to
'make reinstall' the thing is trying to download from the $PKG_PATH
that I have set earlier in my script and, of course, does not find the
files it needs.  If I remove that variable I get "No packages
available in the PKG_PATH".

Relevant snippet:

export SUBDIR=$(pkg_info -Pq postfix)
cd /usr/ports
make reinstall

Any ideas?

~juan



Re: In a bit of a pickle with ral0

2008-11-13 Thread STeve Andre'
On Thursday 13 November 2008 19:54:55 Juan Miscaro wrote:
 I'm providing wireless internet access for a small building with
 OpenBSD 4.3 (some snapshot) as access point.  I'm using the ral
 driver.  I regularly need to bring down and then back up the interface
 with ifconfig.  Is this normal?  Is there anything I can do short of
 replacing the card?  As an aside, I'm pondering going wired but
 plugging into a wireless bridge.  Any recommendations on models?

 ral0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 lladdr 00:18:f8:28:b9:f4
 groups: wlan
 media: IEEE802.11 DS11 mode 11b hostap (autoselect mode 11b hostap)
 status: active
 ieee80211: nwid MYNETWORK chan 11 bssid 00:18:f8:28:b9:f4 100dBm
 inet6 fe80::218:f8ff:fe28:b9f4%ral0 prefixlen 64 scopeid 0x1
 inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255

 Thanks for listening,

 /juan

I had a random ral USB device on a T60p ThinkPad, which was rock stable,
so if you're having to reset things, I'd try another card.  I'd also try 
another newer snapshot.

--STeve Andre'