Re: Generate CA Certificates key

2009-02-03 Thread Harald Dunkel
If you are looking for some GUI to manage keys and
certificates, then you should consider TinyCA. It's
in the packages.

To setup OpenVPN (including all that certificate stuff)
this page might help:

http://www.kernel-panic.it/openbsd/vpn/index.html


Good luck

Harri



Re: pkg_add adds an extra / to pkg_path

2009-02-03 Thread Simen Stavdal
Hello,

Checking on my own box (running 4.1), $PKG_PATH echoes ;
ftp://ftp.stacken.kth.se/pub/OpenBSD/4.1/packages/i386/
# uname -a
OpenBSD ## 4.1 GENERIC.MP#1225 i386

I have
export PKG_PATH=ftp://ftp.stacken.kth.se/pub/OpenBSD/4.1/packages/i386/
Set in my .profile, and it works for me.

From the error message you are getting, it seems it cannot find the host
ftp.openbsd.org...
Can you connect to it from a command line (i.e ftp ftp.openbsd.org)?
Also, make sure that your uname -r corresponds with the version directory
for the ftp path...

Simon.

On Tue Feb 3 8:51 , Siju George sent:

  Hi,

  I have this in my PKG_PATH variable

  $ echo $PKG_PATH
  ftp://ftp.openbsd.org/pub/OpenBSD/4.4/packages/i386/
  $

  When I try to update a package it shows an error

  $ sudo pkg_add -ui firefox3
  Error from ftp://ftp.openbsd.org//pub/OpenBSD/4.4/packages/i386/:
  ftp: connect: Connection refused
  ftp: Can't connect or login to host `ftp.openbsd.org'
  No packages available in the PKG_PATH
  Looking for updates: complete
  Cannot find updates for esound-0.2.38v0 glitz-0.5.6p0
  firefox3-3.0.1p3
  nspr-4.7.1p0 desktop-file-utils-0.15 libaudiofile-0.2.6p0 nss-3.12
  hicolor-icon-theme-0.10p1 png-1.2.28 sqlite3-3.5.9p0 jpeg-6bp3
  glib2-2.16.4p1 tiff-3.8.2p0 atk-1.22.0 libiconv-1.12 pango-1.20.0p0
  cairo-1.6.4 gettext-0.17 pcre-7.7p0 gtk+2-2.12.11
  Proceed? [y/N] y
  $

  I noticed in the line

  Error from ftp://ftp.openbsd.org//pub/OpenBSD/4.4/packages/i386/:

  there are two forward slashes after the ftp.openbsd.org part.

  Is that what is causing the trouble?
  How do I solve this?

  Thanks

  --Siju




Re: Generate CA Certificates key

2009-02-03 Thread Alexandre Verriere

Hi,

Edit openssl.conf to fit your requirements, then follow these steps:

Create a CA:

# openssl genrsa -des3 -out ca.key 1024
# openssl req -new -x509 -days 365 -key ca.key -out ca.crt


Then you can create certs like this:

# openssl genrsa -out user.key 1024
# openssl req -new -key user.key -out user.csr
# openssl x509 -req -days 182 -in user.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -out user.crt

You can export to pkcs12 using:
# openssl pkcs12 -export -inkey user.key -certfile ca.crt -in user.crt \
    -out user.p12

Check man openssl to learn the meaning of each option.

Good Luck.

Alexandre Verriere.


Harald Dunkel wrote:
 If you are looking for some GUI to manage keys and
 certificates, then you should consider TinyCA . Its
 in the packages.
 
 To setup OpenVPN (including all that certificate stuff)
 this page might help:
 
 http://www.kernel-panic.it/openbsd/vpn/index.html
 
 
 Good luck
 
 Harri
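
The CA and user-certificate steps from the message above, as an added shell example that is not part of the original post: it runs them without prompts, then checks that the certificate chains to its own CA, is rejected under a different CA, and matches its private key. The subjects, passphrase, temporary directory and helper names are constructed for illustration, and it uses 2048-bit keys where the post used 1024.

```sh
#!/bin/sh
# Added example: CA + user certificate without prompts, then verification.
# Subjects, file names and the passphrase are constructed for illustration.

CA_PASS='constructed-passphrase'   # placeholder; prompt for it in real use
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the run does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
x509_extensions    = v3_ca
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca DIR NAME: passphrase-protected CA key plus self-signed CA cert.
make_ca() {
    mkdir -p "$1" &&
    openssl genrsa -aes256 -passout "pass:$CA_PASS" \
        -out "$1/ca.key" 2048 2>/dev/null &&
    openssl req -new -x509 -days 365 -config "$WORK/ca.cnf" -subj "/CN=$2" \
        -key "$1/ca.key" -passin "pass:$CA_PASS" -out "$1/ca.crt"
}

# issue_cert CADIR NAME: key, CSR and a certificate signed by the CA in CADIR.
issue_cert() {
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null &&
    openssl req -new -config "$WORK/ca.cnf" -subj "/CN=$2" \
        -key "$1/$2.key" -out "$1/$2.csr" &&
    openssl x509 -req -days 182 -in "$1/$2.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -passin "pass:$CA_PASS" \
        -CAcreateserial -out "$1/$2.crt" 2>/dev/null
}

# chain_ok CACERT CERT: true only if CERT verifies against CACERT.
chain_ok() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# key_matches KEY CERT: true only if the certificate carries KEY's public half.
key_matches() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Two independent CAs, each issuing a certificate for a user named "user".
make_ca "$WORK/a" "Example CA A" && issue_cert "$WORK/a" user
make_ca "$WORK/b" "Example CA B" && issue_cert "$WORK/b" user

chain_ok "$WORK/a/ca.crt" "$WORK/a/user.crt" && echo "user.crt chains to CA A"
chain_ok "$WORK/b/ca.crt" "$WORK/a/user.crt" || echo "user.crt rejected under CA B"
key_matches "$WORK/a/user.key" "$WORK/a/user.crt" && echo "user.key matches user.crt"
```

The same two checks are worth running on any user.crt before it is exported to PKCS#12 and handed out.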



Re: pkg_add adds an extra / to pkg_path

2009-02-03 Thread Siju George
On Tue, Feb 3, 2009 at 1:41 PM, Simen Stavdal sstav...@start.no wrote:
 From the error message you are getting, it seems it cannot find the host
 ftp.openbsd.org...
 Can you connect to it from a command line (i.e ftp ftp.openbsd.org)?


No I was not able to. When I fixed that the update is working.

Thank you so much Simon :-)



Re: Problem with file command

2009-02-03 Thread Stuart Henderson
On 2009-02-03, Daniel Bolgheroni m...@dbolgheroni.eng.br wrote:
 Hi,

 I have seen some problem with file command. Whatever file I use for 
 input, I get this:

looks like you upgraded from an earlier version, but missed some steps.

http://www.openbsd.org/faq/upgrade44.html#sysmerge



Re: pkg_add adds an extra / to pkg_path

2009-02-03 Thread Stuart Henderson
In gmane.os.openbsd.misc, Siju George wrote:
 I have this in my PKG_PATH variable

 $ echo $PKG_PATH
 ftp://ftp.openbsd.org/pub/OpenBSD/4.4/packages/i386/
 $

 When I try to update a package it shows an error

 $ sudo pkg_add -ui firefox3
 Error from ftp://ftp.openbsd.org//pub/OpenBSD/4.4/packages/i386/:
 ftp: connect: Connection refused
 ftp: Can't connect or login to host `ftp.openbsd.org'
...

 I noticed in the line

 Error from ftp://ftp.openbsd.org//pub/OpenBSD/4.4/packages/i386/:

 there are two forward slashes after the ftp.openbsd.org part.

 Is that what is causing the trouble?
 How do I solve this?

This diff removes the extra / and hasn't broken anything yet
in my testing (add/update with ftp and http):

Index: PackageRepository.pm
===
RCS file: 
/data/cvsroot/open/anoncvs/cvs/src/usr.sbin/pkg_add/OpenBSD/PackageRepository.pm,v
retrieving revision 1.62
diff -u -p -r1.62 PackageRepository.pm
--- PackageRepository.pm2 Feb 2009 20:41:47 -   1.62
+++ PackageRepository.pm3 Feb 2009 10:54:24 -
@@ -394,7 +394,7 @@ sub baseurl
 {
my $self = shift;
 
-   return //$self-{host}/$self-{path};
+   return //$self-{host}$self-{path};
 }
 
 sub parse_url
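
Review bot: on the + line in baseurl, host and path are now joined with no separator, so the result is only a well-formed URL if path always carries its own leading slash, and nothing in this hunk shows that. Worth confirming in parse_url, just below, that path is stored with its leading / for every scheme, and stating that in a comment above the return.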






Re: Bug OpenBGPD, IPv6 peer gets cleared, never gets up again

2009-02-03 Thread Henning Brauer
* Stuart Henderson s...@spacehopper.org [2009-01-30 17:59]:
 On 2009-01-29, Arnoud Vermeer arnoud.verm...@ams-ix.net wrote:
  While looking in to the problem, we found out that OpenBGPD sends a
  empty UPDATE, on which quagga responds by terminating the process.
 
 ...
 
  While doing a tcpdump we found the following packets leading to a
  NOTIFICATION. As you can see, frame 19 is an empty UPDATE packet.
 
 Isn't that an end-of-RIB marker?

yep.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: Unicode names on msdosfs

2009-02-03 Thread Eugene Ryazanov
Sorry, the attachment was removed from the previous message. If the inline
patch is also damaged (probably by automatic line breaks), contact me and I
will send you a copy personally.

--- /usr/src/sys/msdosfs/direntry.h Thu Mar 14 09:27:09 2002
+++ direntry.h  Mon Feb  2 17:29:04 2009
@@ -126,9 +126,12 @@
 void dos2unixtime(u_int dd, u_int dt, u_int dh, struct timespec *tsp);
 int dos2unixfn(u_char dn[11], u_char *un, int lower);
 int unix2dosfn(u_char *un, u_char dn[12], int unlen, u_int gen);
-int unix2winfn(u_char *un, int unlen, struct winentry *wep, int cnt,
int chksum);
-int winChkName(u_char *un, int unlen, struct winentry *wep, int chksum);
-int win2unixfn(struct winentry *wep, struct dirent *dp, int chksum);
+int unix2winfn(u_int16_t *un, int unlen, struct winentry *wep, int
cnt, int chksum);
+int winChkName(u_int16_t *un, int unlen, struct winentry *wep, int chksum);
+int win2unixfn(struct winentry *wep, u_int16_t *utf16, int *utf16len,
int chksum);
 u_int8_t winChksum(u_int8_t *name);
 int winSlotCnt(u_char *un, int unlen);
+int utf16len(u_char *, int);
+int utf8to16(u_char *, int, u_int16_t *);
+int utf16to8(u_int16_t *, int, u_char *, int);
 #endif /* _KERNEL */
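
Review bot: in the new win2unixfn prototype the third parameter is named utf16len, the same name as the utf16len() function declared a few lines below it, so inside win2unixfn the parameter hides the function and the header reads ambiguously. Rename the parameter (for example utf16lenp), and give the three new utf* prototypes parameter names or a one-line comment saying whether each length counts bytes or 16-bit units.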
--- /usr/src/sys/msdosfs/msdosfs_conv.c Fri May 14 13:05:05 2004
+++ msdosfs_conv.c  Tue Feb  3 12:58:29 2009
@@ -564,19 +564,21 @@
  */
 int
 unix2winfn(un, unlen, wep, cnt, chksum)
-   u_char *un;
+   u_int16_t *un;
int unlen;
struct winentry *wep;
int cnt;
int chksum;
 {
u_int8_t *cp;
+   u_int16_t *up;
+   u_int16_t ch;
int i;

/*
 * Drop trailing blanks and dots
 */
-   for (cp = un + unlen; *--cp == ' ' || *cp == '.'; unlen--);
+   for (up = un + unlen; *--up == ' ' || *up == '.'; unlen--);

un += (cnt - 1) * WIN_CHARS;
unlen -= (cnt - 1) * WIN_CHARS;
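
Review bot: the rewritten trailing-blank loop, for (up = un + unlen; *--up == ' ' || *up == '.'; unlen--), still has no lower bound, so a name consisting only of blanks and dots reads before the start of un and drives unlen negative. Add an unlen > 0 condition to the loop now that the line is being touched anyway.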
@@ -597,20 +599,23 @@
for (cp = wep-wePart1, i = sizeof(wep-wePart1)/2; --i = 0;) {
if (--unlen  0)
goto done;
-   *cp++ = *un++;
-   *cp++ = 0;
+   ch = *un++;
+   *cp++ = ch  0xff;
+   *cp++ = ch  8;
}
for (cp = wep-wePart2, i = sizeof(wep-wePart2)/2; --i = 0;) {
if (--unlen  0)
goto done;
-   *cp++ = *un++;
-   *cp++ = 0;
+   ch = *un++;
+   *cp++ = ch  0xff;
+   *cp++ = ch  8;
}
for (cp = wep-wePart3, i = sizeof(wep-wePart3)/2; --i = 0;) {
if (--unlen  0)
goto done;
-   *cp++ = *un++;
-   *cp++ = 0;
+   ch = *un++;
+   *cp++ = ch  0xff;
+   *cp++ = ch  8;
}
if (!unlen)
wep-weCnt |= WIN_LAST;
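
Review bot: the same three-line store (ch = *un++ followed by two byte writes through cp) is now repeated verbatim for wePart1, wePart2 and wePart3. A small helper or macro that writes one 16-bit unit would keep the three loops identical by construction and give a single place to document the on-disk byte order.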
@@ -629,12 +634,13 @@
  */
 int
 winChkName(un, unlen, wep, chksum)
-   u_char *un;
+   u_int16_t *un;
int unlen;
struct winentry *wep;
int chksum;
 {
u_int8_t *cp;
+   u_int16_t ch;
int i;

/*
@@ -662,30 +668,39 @@
 * Compare the name parts
 */
for (cp = wep-wePart1, i = sizeof(wep-wePart1)/2; --i = 0;) {
+   ch = *cp++;
+   ch |= *cp++  8;
if (--unlen  0) {
-   if (!*cp++  !*cp)
+   if (!ch)
return chksum;
return -1;
}
-   if (u2l[*cp++] != u2l[*un++] || *cp++)
+   /*
+* TODO ignore case on comparasion
+*/
+   if (ch != *un++)
return -1;
}
for (cp = wep-wePart2, i = sizeof(wep-wePart2)/2; --i = 0;) {
+   ch = *cp++;
+   ch |= *cp++  8;
if (--unlen  0) {
-   if (!*cp++  !*cp)
+   if (!ch)
return chksum;
return -1;
}
-   if (u2l[*cp++] != u2l[*un++] || *cp++)
+   if (ch != *un++)
return -1;
}
for (cp = wep-wePart3, i = sizeof(wep-wePart3)/2; --i = 0;) {
+   ch = *cp++;
+   ch |= *cp++  8;
if (--unlen  0) {
-   if (!*cp++  !*cp)
+   if (!ch)
return chksum;
return -1;
}
-   if (u2l[*cp++] != u2l[*un++] || *cp++)
+   if (ch != *un++)
return -1;
}
return chksum;
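
Review bot: the u2l[] lookups on the removed lines made this comparison case-insensitive, and the replacement, if (ch != *un++), is an exact match with only a TODO in the wePart1 loop to mark it, so a lookup that differs from the stored long name only in case will stop matching. Either restore case folding for at least the ASCII range before this goes in, or state the limitation in the function comment; the TODO belongs once at function level rather than in the first loop only, and "comparasion" should read "comparison".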
@@ -696,13 +711,15 @@
  * Returns the checksum or -1 if impossible
  */
 int
-win2unixfn(wep, dp, chksum)
+win2unixfn(wep, utf16, utf16len, chksum)
struct winentry *wep;
-   struct dirent *dp;
+   u_int16_t *utf16;
+   int *utf16len;
int chksum;
 {
u_int8_t *cp;
-   

Re: pkg_add adds an extra / to pkg_path

2009-02-03 Thread Stuart Henderson
On 2009-02-03, Stuart Henderson s...@spacehopper.org wrote:
 In gmane.os.openbsd.misc, Siju George wrote:
 I have this in my PKG_PATH variable

 $ echo $PKG_PATH
 ftp://ftp.openbsd.org/pub/OpenBSD/4.4/packages/i386/
 $

 When I try to update a package it shows an error

 $ sudo pkg_add -ui firefox3
 Error from ftp://ftp.openbsd.org//pub/OpenBSD/4.4/packages/i386/:
 ftp: connect: Connection refused
 ftp: Can't connect or login to host `ftp.openbsd.org'
 ...

 I noticed in the line

 Error from ftp://ftp.openbsd.org//pub/OpenBSD/4.4/packages/i386/:

 there are two forward slashes after the ftp.openbsd.org part.

 Is that what is causing the trouble?
 How do I solve this?

 This diff removes the extra / and hasn't broken anything yet
 in my testing (add/update with ftp and http):

ftp, http, and scp.

d Index: PackageRepository.pm
===
 RCS file: 
 /data/cvsroot/open/anoncvs/cvs/src/usr.sbin/pkg_add/OpenBSD/PackageRepository.pm,v
 retrieving revision 1.62
 diff -u -p -r1.62 PackageRepository.pm
 --- PackageRepository.pm  2 Feb 2009 20:41:47 -   1.62
 +++ PackageRepository.pm  3 Feb 2009 10:54:24 -
 @@ -394,7 +394,7 @@ sub baseurl
  {
   my $self = shift;
  
 - return //$self-{host}/$self-{path};
 + return //$self-{host}$self-{path};
  }
  
  sub parse_url



Re: Network card, usb or pcmcia

2009-02-03 Thread Nick Holland
foulis wrote:
 Hi
 
 I'm looking to set up a home firewall and proxy server using an old laptop,
 I have no experience doing this, but I want to learn network security and
 about using BSD. Obviously I will need a second ethernet connection, but
 would OpenBSD 4.4 be more likely to support a USB ethernet adapter, or a
 PCMCIA ethernet card?
 
 I can't get hold of either to test so I need to buy a new one, which is why
 I want to check which will be most likely to work.

you need a supported device, and you need to plug it into a supported
interface.

As you are saying, old laptop, I'm guessing USB1, which will be slower
than a cardbus interface, but the likelihood of the USB port working is
probably higher than the Cardbus interface (both are highly likely to work,
but there are some PCMCIA and cardbus implementations which will give you
headaches sometimes).

On the other hand, for wired NICs, there is a lot more development taking
place on USB network devices than there are for PCMCIA devices...so the
possibility that you randomly pick up a USB device that the OpenBSD devs
have never seen is much higher than it is for PCMCIA devices.

If you get an incompatible device, it doesn't matter what your odds
were...it doesn't work.  If you can't test before you buy, your odds
are far from perfect...


If you are just starting out, I'd highly suggest you get an old desktop;
you don't need to be fighting with hardware AND software at the same time.
Once you know what you are doing, then migrate to your laptop, if you
still wish to (be forewarned: the power savings of a laptop are usually
assumed, not measured, and often smaller than people think.)

Nick.



Re: Net benchmarking (was: Is it possible to increase wscale multiplier?)

2009-02-03 Thread Henning Brauer
* Brian Keefer ch...@smtps.net [2009-01-31 19:47]:
 On Jan 31, 2009, at 4:57 AM, Stuart Henderson wrote:

 On 2009-01-31, Brian Keefer ch...@smtps.net wrote:

 Great, thanks for the pointers!  I'm trying to fiddle with iperf
 performance testing going to a Linux box.  tcpbench works great on
 OpenBSD, but it seems iperf is the only thing readily available for
 Linux that is also on OpenBSD.  I'm just trying to figure out how  
 each
 variable influences the throughput.

 iperf performance on OpenBSD isn't all that great, it's not a good way
 to judge actual real-life performance.


 I've had problems with it on the Linux side as well.  Are there any  
 alternatives that would work on both OpenBSD and Linux (and for bonus  
 points, OS X)?

I bet tcpbench is easily ported to linux. just rip the pcb snooping
out.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: pkg_add adds an extra / to pkg_path

2009-02-03 Thread Siju George
On 2/3/09, Stuart Henderson s...@spacehopper.org wrote:

 This diff removes the extra / and hasn't broken anything yet
  in my testing (add/update with ftp and http):


Hi,

This Diff failed to apply.



Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--
|Index: PackageRepository.pm
|===
|RCS file: 
/data/cvsroot/open/anoncvs/cvs/src/usr.sbin/pkg_add/OpenBSD/PackageRepository.pm,v
|retrieving revision 1.62
|diff -u -p -r1.62 PackageRepository.pm
|--- PackageRepository.pm2 Feb 2009 20:41:47 -   1.62
|+++ PackageRepository.pm3 Feb 2009 10:54:24 -
--
Patching file PackageRepository.pm using Plan A...
Hunk #1 failed at 394.
1 out of 1 hunks failed--saving rejects to PackageRepository.pm.rej
done



# cat PackageRepository.pm.rej
@@ -394,7 +394,7 @@
 {
   my $self = shift;

-   return //$self-{host}/$self-{path};
+   return //$self-{host}$self-{path};
 }

 sub parse_url
#

What did I do Wrong?

The command I Issued was

# pwd
/usr/src/usr.sbin/pkg_add/OpenBSD
# patch PackageRepository.pm /var/software/patches/PackageRepository.pm


Thanks

Siju



  Index: PackageRepository.pm
  ===
  RCS file: 
 /data/cvsroot/open/anoncvs/cvs/src/usr.sbin/pkg_add/OpenBSD/PackageRepository.pm,v
  retrieving revision 1.62
  diff -u -p -r1.62 PackageRepository.pm
  --- PackageRepository.pm2 Feb 2009 20:41:47 -   1.62
  +++ PackageRepository.pm3 Feb 2009 10:54:24 -
  @@ -394,7 +394,7 @@ sub baseurl
   {
 my $self = shift;

  -   return //$self-{host}/$self-{path};
  +   return //$self-{host}$self-{path};
   }

   sub parse_url



SSMTP ?

2009-02-03 Thread Matteo Marescotti
Hi,
is it possible to install SSMTP? In case SSMTP is not available, what is
the simplest setup to send emails via PHP mail() to an external relay
SMTP server? Thanks in advance.

Matteo Marescotti

-- 

SDF Public Access UNIX System
http://freeshell.org



activate edge scrolling for touchpad under gnome

2009-02-03 Thread Moritz Herrmann
hi folks,
after several useless attempts to get this running, i decided to ask for help.
I am running 4.4 on my Lenovo T61 Laptop with X11 installed and gnome
as desktop environment.
Both are running fine, the only thing is I am missing the horizontal
scrolling function of my touchpad, that scrolls your documents by just
moving your finger along the right edge of your touchpad.

I found some advisories for Linux saying:
add the following lines to your Xorg.conf

Section "InputDevice"
    Identifier  "Touchpad"

    Option  "VertTwoFingerScroll"   "1"
    Option  "HorizTwoFingerScroll"  "1"
EndSection

As X11 runs in my case without an Xorg.conf file, I created one myself
and added the lines shown above.
Now X11 crashed and I am unsure whether this is the right way of getting
nearer to my goal.
Has somebody successfully used edge scrolling or is this impossible
because of gnome?

Thank you in advance

Moritz



Re: fetch package dependencies

2009-02-03 Thread Hannah Schroeter
Hi!

On Mon, Feb 02, 2009 at 08:00:21PM +0100, Marc Espie wrote:
On Mon, Feb 02, 2009 at 02:02:59PM +0100, Hannah Schroeter wrote:
 On Sun, Feb 01, 2009 at 02:01:03PM +0100, Dorian Büttner wrote:
 is there an easy way to fetch a package along with its recursive 
 dependencies? Scenario is:
 eee904ha does not have network access at all right now. In order to 
 proceed installing useful things, let's say firefox, I'd like to suck 
 packages onto a usb stick and install from there.
 I thought I could go to the soekris box, which unfortunately isn't that 
 -current, and do something like pkg_add -n mozilla -firefox,  but the 
 output is totally garbled with libc mismatches and things like that.

 Any idea?

 I'd think using a net connected box, setting PKG_CACHE and PKG_PATH and
 then pkg_add -n package_you_want. The required packages should end up
 in the PKG_CACHE directory. From there you should be able to transfer
 them over to the eeepc. If the soekris isn't current, you could try this
 in a chroot environment or a virtual machine (e.g. qemu) setup.

Yep, that's the intent.
PKG_CACHE + pkg_add -n will do it.

There's perhaps one thing we've missed: If some dependency package is
already installed (and current enough) on the source host, pkg_add -n
will probably not refetch it, so it will end up missing in the PKG_CACHE,
i.e. on the destination host. The playing with the signature trick
will avoid that, probably. Or perhaps one would need another option to
pkg_add (or a different, pkg_fetch or similar, frontend to the pkg_*
toolchain) to fetch *all* dependency packages.

Kind regards,

Hannah.



Re: pkg_add adds an extra / to pkg_path

2009-02-03 Thread Robert
On Tue, 3 Feb 2009 19:28:36 +0530
Siju George sgeorge...@gmail.com wrote:

 What did I do Wrong?
 
 The command I Issued was
 
 # pwd
 /usr/src/usr.sbin/pkg_add/OpenBSD
 # patch
 PackageRepository.pm /var/software/patches/PackageRepository.pm
 

# man diff
# man patch
# cd /usr/src/usr.sbin/pkg_add/OpenBSD
# patch -p0 < /var/software/patches/PackageRepository.pm
              ^ if that is the file where you saved the diff
        ^ -p0 won't work for every diff you might encounter



Remove X Window after 4.4/i386 Installation?

2009-02-03 Thread Jack Ort
Recently installed 4.4 on an old Pentium box, with all(?) of the X
file sets.  Thinking now of trying to use it as a firewall, and I've
read that I should not have X on a firewall.

Is there an easy way to uninstall X, or should I just install from
scratch again?  I wouldn't lose that much, but I hate to take the
brute force approach if there's a smarter way.

Thanks in advance for helping a newbie!
-Jack



Re: activate edge scrolling for touchpad under gnome

2009-02-03 Thread Owain Ainsworth
On Tue, Feb 03, 2009 at 05:38:14PM +0100, Moritz Herrmann wrote:
 hi folks,
 after several useless attempts to get this running, i decided to ask for help.
 I am running 4.4 on my Lenovo T61 Laptop with X11 installed and gnome
 as desktop environment.
 Both are running fine, the only thing is I am missing the horizontal
 scrolling function of my touchpad, that scrolls your documents by just
 moving your finger along the right edge of your touchpad.
 
 I found some advisories for Linux saying:
 add the following lines to your Xorg.conf

If I recall correctly you'll need the synaptics touchpad driver, which
OpenBSD currently doesn't support.

It would not be too hard to get it working, but lack of interest
prevails.

-0-
-- 
What is wanted is not the will to believe, but the will to find out,
which is the exact opposite.
-- Bertrand Russell, Skeptical_Essays, 1928



Network card, usb or pcmcia

2009-02-03 Thread foulis
Hi

I'm looking to set up a home firewall and proxy server using an old laptop,
I have no experience doing this, but I want to learn network security and
about using BSD. Obviously I will need a second ethernet connection, but
would OpenBSD 4.4 be more likely to support a USB ethernet adapter, or a
PCMCIA ethernet card?

I can't get hold of either to test so I need to buy a new one, which is why
I want to check which will be most likely to work.

Thanks

Stuart



Re: Unicode names on msdosfs

2009-02-03 Thread Eugene Ryazanov
 There's no way to use UTF-8 as system locale in OpenBSD
I don't need to work with national characters in console.
I use UTF-8 locale in KDE. There are some problems with national
characters in Konsole, but it does not matter. Other applications
work fine without any tricks. I just want to read all files from
removable devices. Filenames often contain national characters but
OpenBSD msdosfs implementation can't see these files at all. This is
the reason.



Re: Remove X Window after 4.4/i386 Installation?

2009-02-03 Thread Ingo Schwarze
Hi Jack,

Jack Ort wrote on Tue, Feb 03, 2009 at 11:39:03AM -0600:

 Recently installed 4.4 on an old Pentium box, with all(?) of the X
 file sets.  Thinking now of trying to use it as a firewall, and I've
 read that I should not have X on a firewall.

Well, probably you should not *run* X on a firewall,
but having the binaries and libraries around does no harm.

 Is there an easy way to uninstall X, or should I just install from
 scratch again?  I wouldn't lose that much, but I hate to take the
 brute force approach if there's a smarter way.

The smartest way is to just leave X in place,
set machdep.allowaperture=0 in /etc/sysctl.conf
(or re-add the comment marker # in front of that line
in case you removed it), remove the line 'xdm_flags='
from /etc/rc.conf.local (or whatever you did to enable X)
and reboot.

Sometimes, the X libraries are needed by non-X programs
from the ports tree, too, and at that point, you will be
re-installing them.  Perhaps you don't need many third-
party software packages on a firewall, but who knows?

Besides, if you are a newbie, chances are you break the system
when trying to remove X.  But even if you were experienced,
there would be no point in removing X.

 Thanks in advance for helping a newbie!

You are welcome,
  Ingo



Re: Remove X Window after 4.4/i386 Installation?

2009-02-03 Thread Cezary Morga
Ted Unangst wrote:
 There's no way to uninstall, though deleting /usr/X11R6 will get you
 90% there.

How about following?
cd /
tar -ztf /path/to/xbase44.tgz | xargs rm

-- 
Cezary Morga
If everything seems under control, you're not going fast enough (Mario 
Andretti)



Re: Net benchmarking

2009-02-03 Thread Sebastian Schmitzdorff
you could give netio a try. It compiles fine on openbsd and linux, maybe 
even on osx.

http://www.ars.de/ars/ars.nsf/docs/netio

Brian Keefer schrieb:

On Jan 31, 2009, at 4:57 AM, Stuart Henderson wrote:


On 2009-01-31, Brian Keefer ch...@smtps.net wrote:


Great, thanks for the pointers!  I'm trying to fiddle with iperf
performance testing going to a Linux box.  tcpbench works great on
OpenBSD, but it seems iperf is the only thing readily available for
Linux that is also on OpenBSD.  I'm just trying to figure out how each
variable influences the throughput.


iperf performance on OpenBSD isn't all that great, it's not a good way
to judge actual real-life performance.



I've had problems with it on the Linux side as well.  Are there any 
alternatives that would work on both OpenBSD and Linux (and for bonus 
points, OS X)?


--
bk




Re: Remove X Window after 4.4/i386 Installation?

2009-02-03 Thread Ingo Schwarze
Cezary Morga wrote on Tue, Feb 03, 2009 at 07:31:59PM +0100:

 How about following?
 cd /
 tar -ztf /path/to/xbase44.tgz | xargs rm

Look up
  http://marc.info/?l=openbsd-misc&m=121190668200375&w=2 (May 27, 2008)
and read the whole thread, in particular the very useful postings
by Stuart Henderson.

People will come up with even worse suggestions than yours:
For example, Travers Buda suggested adding -rf at the end.  Ooops.
Anyway, let's not restart that thread.

 If everything seems under control, you're not going fast enough
 (Mario Andretti)

Yeah, that hits the mark.  :)



Re: Remove X Window after 4.4/i386 Installation?

2009-02-03 Thread Ted Unangst
On Tue, Feb 3, 2009 at 1:31 PM, Cezary Morga c...@therek.net wrote:
 Ted Unangst wrote:
 There's no way to uninstall, though deleting /usr/X11R6 will get you
 90% there.

 How about following?
 cd /
 tar -ztf /path/to/xbase44.tgz | xargs rm

1.  that doesn't delete nearly 90% of X, unless you also do it for the
font and serv and whatnot files.
2.  it requires you have the base sets available, which is frequently a hassle.
3.  by the time you correct for points 1 and 2, you're getting
dangerously close to having a self destruct tool.
4.  as a general personal rule, i don't feed people pipelines that
delete files.  see point 3.



AVAYA Wireless USB Client (Gold)

2009-02-03 Thread Dorian Büttner
Feb  3 19:02:55 eee /bsd: ugen0 at uhub2 port 1 vendor 0x0d98 Avaya 
Wireless USB Adapter rev 1.10/0.00 addr 2


According to http://www.wifihowto.org/?mo=HowTo;Item=14 it should work 
with the wi driver, but wi doesn't attach, I only get the ugen0.
PC24E-H-FC is printed on the sticker at the bottom, and it's most likely 
rebranded lucent or proxim.

Is there a quick hack to attach a wi instance to it?

Thanks again,
Dorian



Re: Remove X Window after 4.4/i386 Installation?

2009-02-03 Thread Cezary Morga
Ted Unangst wrote:
 On Tue, Feb 3, 2009 at 1:31 PM, Cezary Morga c...@therek.net wrote:
  Ted Unangst wrote:
  There's no way to uninstall, though deleting /usr/X11R6 will get
  you 90% there.
 
  How about following?
  cd /
  tar -ztf /path/to/xbase44.tgz | xargs rm

 1.  that doesn't delete nearly 90% of X, unless you also do it for
 the font and serv and whatnot files.

Of course this had to be done for each x* set.

 2.  it requires you have the base sets available, which is frequently
 a hassle.

You're right. I guess I just got used to broadband that I didn't think 
about it.

 3.  by the time you correct for points 1 and 2, you're 
 getting dangerously close to having a self destruct tool.

As Ingo suggested, I won't continue this subject.

 4.  as a general personal rule, i don't feed people pipelines that
 delete files.  see point 3.

I wasn't feeding anything, just asking the list.

-- 
Cezary Morga
Middle age is when you've met so many people that every new person you 
meet reminds you of someone else. (Ogden Nash)



Re: fetch package dependencies

2009-02-03 Thread Marc Espie
On Tue, Feb 03, 2009 at 05:57:39PM +0100, Hannah Schroeter wrote:
 Hi!
 
 On Mon, Feb 02, 2009 at 08:00:21PM +0100, Marc Espie wrote:
 On Mon, Feb 02, 2009 at 02:02:59PM +0100, Hannah Schroeter wrote:
  On Sun, Feb 01, 2009 at 02:01:03PM +0100, Dorian Büttner wrote:
  is there an easy way to fetch a package along with its recursive 
  dependencies? Scenario is:
  eee904ha does not have network access at all right now. In order to 
  proceed installing useful things, let's say firefox, I'd like to suck 
  packages onto a usb stick and install from there.
  I thought I could go to the soekris box, which unfortunately isn't that 
  -current, and do something like pkg_add -n mozilla -firefox,  but the 
  output is totally garbled with libc mismatches and things like that.
 
  Any idea?
 
  I'd think using a net connected box, setting PKG_CACHE and PKG_PATH and
  then pkg_add -n package_you_want. The required packages should end up
  in the PKG_CACHE directory. From there you should be able to transfer
  them over to the eeepc. If the soekris isn't current, you could try this
  in a chroot environment or a virtual machine (e.g. qemu) setup.
 
 Yep, that's the intent.
 PKG_CACHE + pkg_add -n will do it.
 
 There's perhaps one thing we've missed: If some dependency package is
 already installed (and current enough) on the source host, pkg_add -n
 will probably not refetch it, so it will end up missing in the PKG_CACHE,
 i.e. on the destination host. The playing with the signature trick
 will avoid that, probably. Or perhaps one would need another option to
 pkg_add (or a different, pkg_fetch or similar, frontend to the pkg_*
 toolchain) to fetch *all* dependency packages.
Nope, you can easily tell pkg_add to look elsewhere for installed packages,
first starting with a pseudo-virgin install: use PKG_DBDIR.

The simple use case is the one where you install one box on the net,
then want to duplicate: you simply set PKG_CACHE before the install,
and then... it works.

With -current, you can also use pkg_create after the installation to recreate
all the binary packages from the installed files (older pkg_add did not keep
DEINSTALL scripts, this is no longer an issue at all).

Something like
for i in /var/db/pkg/*/+CONTENTS
do
	pkg_create -f "$i"
done
should recreate all your installed packages.



Can't ping top-level public IP subnets

2009-02-03 Thread Vivek Ayer
Hi guys,

This is certainly a weird problem. But I'm sure I won't need to attach
a pf.conf file to solve this. First of all, is it possible to ping
google.com, but not other nets even with the right DNS servers? For
example, suppose the public IP you've been given to set up your
openbsd firewall is 184.159.29.23 (whatever) and you can ping google.
You have NAT setup on the firewall for your localnet (192.168.1.0/24).
So from inside the network, you can virtually use the internet without
a hitch except for accessing machines under the subnet
184.159.xxx.xxx. Is pf doing something to block these IPs even if
they're not in your NATed local net 192.168.1.0/24, which would all
have public IP 184.159.29.23. How come I can't ping and let alone use
services located at 184.159.xxx.xxx and vice versa? If I'm at a
computer located somewhere else with the for example, public IP
184.159.35.35, I can't access 184.159.29.23, my subnet. I have to use
an online web proxy to get to my subnet and vice versa. I'm not really
sure how pf works this out. If pf is the culprit, I'll attach a
pf.conf next time when I can actually my subnet (I'm at one of the
other computers).

I pulled all these public IPs out of thin air, just so that you know.

Help appreciated,
Vivek



Re: Can't ping top-level public IP subnets

2009-02-03 Thread Jussi Peltola
Sounds like a netmask is wrong on some machine in the subnet, probably
your openbsd box or the router.

-- 
Jussi Peltola



Re: Can't ping top-level public IP subnets

2009-02-03 Thread Vivek Ayer
what should it be? 255.255.255.0? or something else? Or should that
depend on the top-level subnet?

Thanks for the quick reply,
Vivek

On Tue, Feb 3, 2009 at 3:33 PM, Jussi Peltola pe...@pelzi.net wrote:
 Sounds like a netmask is wrong on some machine in the subnet, probably
 your openbsd box or the router.

 --
 Jussi Peltola



Re: Can't ping top-level public IP subnets

2009-02-03 Thread Jussi Peltola
It depends on the size of the subnet; /24 = 255.255.255.0 is common but
not necessarily correct for your network.

On Tue, Feb 03, 2009 at 03:43:02PM -0800, Vivek Ayer wrote:
 what should it be? 255.255.255.0? or something else? Or should that
 depend on the top-level subnet?
 
 Thanks for the quick reply,
 Vivek
 
 On Tue, Feb 3, 2009 at 3:33 PM, Jussi Peltola pe...@pelzi.net wrote:
  Sounds like a netmask is wrong on some machine in the subnet, probably
  your openbsd box or the router.
 
  --
  Jussi Peltola



Disabling device node mtime updates

2009-02-03 Thread Jussi Peltola
Is there any way to disable mtime updates for devices? Is there a reason
not to? I'd rather not play with /dev on mfs, it's one more thing to
screw up during upgrades. The rest of OpenBSD doesn't write to a CF
enough to worry me; /dev/log seems to get hit quite a lot even when
syslogging to a remote machine.

-- 
Jussi Peltola



Re: Can't ping top-level public IP subnets

2009-02-03 Thread Vivek Ayer
I believe I just figured it out. I read this article:
http://en.wikipedia.org/wiki/IPv4_subnetting_reference

Since I'm in control of a public IP, I'm supposed to set the netmask
for the ext_if on my openbsd router to 255.255.0.0 not 255.255.255.0.
Would that solve the mysterious ping problem?

I really didn't know what netmasks were until now.

Thanks,
Vivek

On Tue, Feb 3, 2009 at 3:43 PM, Vivek Ayer vivek.a...@gmail.com wrote:
 what should it be? 255.255.255.0? or something else? Or should that
 depend on the top-level subnet?

 Thanks for the quick reply,
 Vivek

 On Tue, Feb 3, 2009 at 3:33 PM, Jussi Peltola pe...@pelzi.net wrote:
 Sounds like a netmask is wrong on some machine in the subnet, probably
 your openbsd box or the router.

 --
 Jussi Peltola



PHP5 GD2

2009-02-03 Thread L. V. Lammert
Can someone point me in the right direction to determine what packages are 
required for 'GD2' support, php5, OBSD 4.3? The SilverStripe CMS is asking 
for 'GD2', but they don't provide enough information to isolate the 
required packages.


TIA,

Lee



flock(1) utility proposal.

2009-02-03 Thread Christiano Farina Haesbaert
I've noticed that openbsd currently does not have an flock(1) utility.
It's basically a wrapper around flock(2) used to get file locks in
shell: it calls flock(2) on a file, forks and executes a command
passed to it on the command line, and wait(2)s for it.

I'm willing to implement one, what do you guys think? Could it be
useful?

-- 
Christiano Farina Haesbaert



snmpd GET and GETNEXT against scalar OIDs

2009-02-03 Thread (private) HKS
I made the following bug report on 2009-01-08, but didn't get a PR
number back. Did I botch this report, or does the bugs@ address
require hands-on that this report simply hasn't gotten yet?

Thanks for the clarification.

-HKS

On Thu, Jan 8, 2009 at 3:52 PM, (private) HKS hks.priv...@gmail.com wrote:
 snmpd on OpenBSD 4.4 Stable, i386 architecture.

 This bug was found by the OpenNMS team [1]. They've invited you to
 contact them for more
 details if I'm unable to provide enough info. The snmpget and
 snmpgetnext commands used
 in examples below are from the Net SNMP 5.4.2.1 package on FreeBSD 7.

 Essentially, snmpd seems to regard OIDs without an instance identifier
 as equivalent to
 OIDs with an instance identifier of 0.

 SNMP GET requests against a scalar OID with no instance identifier
 result in the agent
 apparently interpolating the .0 instance identifier:

 # snmpget -On -v1 -c public openbsd-host .1.3.6.1.2.1.1.2
 .1.3.6.1.2.1.1.2.0 = OID: .1.3.6.1.4.1.30155.23.1


 The expected behavior (RFC 1157, 4.1.2, rule 1) is a noSuchName error
 since .1.3.6.1.2.1.1.2
 has no exact match.

 In a similar vein, GETNEXT requests against a single-instance scalar
 OID without an instance
 identifier return the next OID as if the .0 identifier were originally
 requested. An example of
 OpenBSD's behavior:

 # snmpgetnext -On -v1 -c public openbsd-host .1.3.6.1.2.1.1.1
 .1.3.6.1.2.1.1.2.0 = OID: .1.3.6.1.4.1.30155.23.1
 # snmpgetnext -On -v1 -c public openbsd-host .1.3.6.1.2.1.1.1.0
 .1.3.6.1.2.1.1.2.0 = OID: .1.3.6.1.4.1.30155.23.1


 Lexically, however, .1.3.6.1.2.1.1.1 is followed by .1.3.6.1.2.1.1.1.0
 - not .1.3.6.1.2.1.1.2.0. So the
 first request should have returned .1.3.6.1.2.1.1.1.0. The second was correct.

 An example of Net SNMP's lexically correct response:

 # snmpgetnext -On -v1 -c public netsnmp-host .1.3.6.1.2.1.1.1
 .1.3.6.1.2.1.1.1.0 = STRING: FreeBSD netsnmp-host 7.0-RELEASE FreeBSD
 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008
 r...@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
 # snmpgetnext -On -v1 -c public netsnmp-host .1.3.6.1.2.1.1.1.0
 .1.3.6.1.2.1.1.2.0 = OID: .1.3.6.1.4.1.8072.3.2.8


 I hope that's clear. Please let me know if I can provide any further
 information.

 -HKS


 [1] - http://bugzilla.opennms.org/show_bug.cgi?id=2962

 dmesg follows:
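The GET and GETNEXT rules the report relies on, as an added example (not part of the original message, and not snmpd's or Net-SNMP's code): a constructed two-scalar agent view is answered once with exact-match GET and lexicographic GETNEXT, and once with a model of the reported `.0` interpolation. All function names and the MIB values are assumptions made for the illustration.

```python
from bisect import bisect_right

NO_SUCH_NAME = "noSuchName"  # SNMPv1 error-status: no exact match / nothing follows


def parse_oid(text):
    """'.1.3.6.1' -> (1, 3, 6, 1). Tuples compare lexicographically, as OIDs do."""
    return tuple(int(part) for part in text.strip(".").split("."))


def format_oid(oid):
    return "." + ".".join(str(n) for n in oid)


# Constructed agent view: two scalars of the system group, each with its single
# .0 instance. The values are placeholders, not taken from a real host.
MIB = {
    parse_oid(".1.3.6.1.2.1.1.1.0"): "constructed sysDescr",
    parse_oid(".1.3.6.1.2.1.1.2.0"): "constructed sysObjectID",
}
SORTED_OIDS = sorted(MIB)


def get(oid_text):
    """GET: only an exact match names a variable."""
    oid = parse_oid(oid_text)
    return format_oid(oid) if oid in MIB else NO_SUCH_NAME


def getnext(oid_text):
    """GETNEXT: the first instance strictly after the requested OID."""
    idx = bisect_right(SORTED_OIDS, parse_oid(oid_text))
    return format_oid(SORTED_OIDS[idx]) if idx < len(SORTED_OIDS) else NO_SUCH_NAME


def _interpolate(oid_text):
    """Model of the reported behaviour: a bare scalar OID is read as its .0 instance."""
    oid = parse_oid(oid_text)
    if oid not in MIB and oid + (0,) in MIB:
        return format_oid(oid + (0,))
    return oid_text


def get_reported(oid_text):
    return get(_interpolate(oid_text))


def getnext_reported(oid_text):
    return getnext(_interpolate(oid_text))


def conformance_failures(get_fn, getnext_fn):
    """Run the report's three requests against an agent given as two callables."""
    probes = [
        ("GET", get_fn, ".1.3.6.1.2.1.1.2", NO_SUCH_NAME),
        ("GETNEXT", getnext_fn, ".1.3.6.1.2.1.1.1", ".1.3.6.1.2.1.1.1.0"),
        ("GETNEXT", getnext_fn, ".1.3.6.1.2.1.1.1.0", ".1.3.6.1.2.1.1.2.0"),
    ]
    return [(op, oid, fn(oid), want)
            for op, fn, oid, want in probes if fn(oid) != want]


if __name__ == "__main__":
    print("exact-match agent:", conformance_failures(get, getnext))
    print("reported behaviour:", conformance_failures(get_reported, getnext_reported))
```

A monitoring system that walks a table with GETNEXT from a bare column OID depends on the first probe of each pair, so the same three requests make a quick regression check against a real agent.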

Re: Backup strategies

2009-02-03 Thread Jonathan Thornburg
Etienne Robillard robillard.etienne () gmail ! com wrote
 i kinda like cpio for fast backup of filesystems... for large media
 files (think anime movies) -- I think it's generally best to just
 burn them on an iso..

I have found rsync to an external usb hard disk to work very nicely;
these are now cheap and readily available up to over a terabyte.
Here are a few notes from my experience using this strategy for the
past several years:
* With rsync, the initial backup does a full copy, but then future
  backups automatically only copy changed files.
* I found that performance went from painfully slow to ok when I
  switched my external disks from ext2fs to ffs mounted softdep,noatime.
* I have had no problems with single files as big as 5 GB.
* For extra disaster-insurance I actually use a pair of external disks,
  one at home and one at my office.  I swap them every week or so.
* Backups can be a security risk, since anyone who steals the backup
  medium has instant access to all the files stored there.  This is a
  great use for encrypting filesystems, eg svnd, raidctl, or cfs (ports).
* Backups need to be hassle-free and as tired-system-administrator--proof
  as possible, so it's good to script the process.  I use scripts like
  the following:
 #!/bin/sh
 set -x
 rsync -aHESvv --delete \
   --exclude '/home/jonathan/crypt/*' \
   --exclude '/mnt/oxygen/home/jonathan/crypt/*' \
   /home/jonathan/ /mnt/oxygen/home/jonathan/
  This works fine except that the --exclude options are not honored
  (files under those directories are still copied).  I don't know what's
  wrong there...

-- 
-- Jonathan Thornburg [remove -animal to reply] 
jth...@astro.indiana-zebra.edu
   Dept of Astronomy, Indiana University, Bloomington, Indiana, USA
   Washing one's hands of the conflict between the powerful and the
powerless means to side with the powerful, not to be neutral.
  -- quote by Freire / poster by Oxfam



Re: getting random icmp host unreachable messages from firewall

2009-02-03 Thread Salvatore Sciacco
Hi folks,

is somebody else experiencing this same problem?

On Sat, Jan 31, 2009 at 5:21 PM, sas2000 scia...@gmail.com wrote:
 Hi,

 I confirm this bug. I've experienced the same icmp errors with three
 different firewalls  using 4.4 and nat.

 If I add the static-port option to the nat rule then no icmp errors are
 experienced, so it's something to do with the nat port relocation.

 Bye

 S.


 Imre Oolberg-3 wrote:

 Hallo again!

 When i access internet from behind nat'ting OpenBSD 4.4-current i386
 platform firewall (20090121 snapshot, under Xen HVM guest if this test
 then qualifies) i get randomly icmp host unreachable messages. At the
 same time network traffic is low and this test firewall is not under any
 mentionable load. For example about five to ten icmp error messages
 appear from firewall to wget client when issuing 300 wgets in a row, like
 this

 $ for i in `seq 1 300`; do wget http://172.16.0.12/README?count=$i; -O
 - 1dhs.$i.log; done

 # tcpdump -nttti ne3 icmp
 tcpdump: listening on ne3, link-type EN10MB
 Jan 25 15:21:04.986368 192.168.10.210 > 192.168.10.10: icmp: host
 x.x.x.x unreachable
 Jan 25 15:21:06.444112 192.168.10.210 > 192.168.10.10: icmp: host
 x.x.x.x unreachable
 ...

 And inserting one second delay between wgets reduces icmp errors a lot.

 I believe it has something to do with a firewall's natting because with
 plain routing it seems to work all right.

 I would be very grateful if somebody could comment on this.





Apache Port Config

2009-02-03 Thread L. V. Lammert
Is there a way to have a virtual host listen on a port to which the main 
server does not, .. e.g.


<Main Server>
Port 81
Port 443
</Main Server>

<VirtualHost IP>
Port 80
</VirtualHost>

Even with the port directive in the VirtualHost stanza, it still listens on 
Port 81 and not Port 80.


TIA,



Re: Can't ping top-level public IP subnets

2009-02-03 Thread Jon Simola
On Tue, Feb 3, 2009 at 3:56 PM, Vivek Ayer vivek.a...@gmail.com wrote:

 Since I'm in control of a public IP, I'm supposed to set the netmask
 for the ext_if on my openbsd router to 255.255.0.0 not 255.255.255.0.
 Would that solve the mysterious ping problem?

Actually a not-mysterious routing problem.

The entity that assigned you the IP address would have also provided
you with an IP, a netmask and a gateway IP, possibly DNS servers as
well. You would have to check with them (commonly one of network
admin, DHCP server, or ISP).

-- 
Jon
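
How the interface netmask decides whether a destination is reached directly or through the gateway, as an added example that is not part of the thread. It uses the thread's made-up addresses; the gateway 184.159.29.1, the neighbour 184.159.29.77 and the outside host 192.0.2.10 are constructed, and the function names are assumptions.

```python
import ipaddress

# Addresses from the thread (made up there) plus constructed ones for the example.
ADDR = "184.159.29.23"        # ext_if address from the thread
GATEWAY = "184.159.29.1"      # constructed gateway on the same segment
DESTS = [
    "184.159.29.77",          # constructed neighbour on the same /24
    "184.159.35.35",          # the "other computer" from the thread
    "192.0.2.10",             # constructed host elsewhere on the Internet
]


def next_hop(addr, netmask, gateway, dest):
    """Classify how a host with this address and mask would send to dest.

    'on-link'     : dest falls inside the connected network, so the host
                    resolves it on the wire itself and never asks the gateway.
    'via-gateway' : dest is outside it and the gateway is reachable on-link.
    'no-route'    : the gateway is itself outside the connected network.
    """
    iface = ipaddress.ip_interface(f"{addr}/{netmask}")
    if ipaddress.ip_address(dest) in iface.network:
        return "on-link"
    if ipaddress.ip_address(gateway) in iface.network:
        return "via-gateway"
    return "no-route"


def mask_mismatches(addr, configured_mask, assigned_mask, gateway, dests):
    """Destinations handled differently from what the assigned mask implies.

    Returns {dest: (decision_with_configured_mask, decision_with_assigned_mask)}.
    """
    out = {}
    for dest in dests:
        have = next_hop(addr, configured_mask, gateway, dest)
        want = next_hop(addr, assigned_mask, gateway, dest)
        if have != want:
            out[dest] = (have, want)
    return out


if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.0.0"):
        for dest in DESTS:
            print(f"{ADDR}/{mask} -> {dest}: {next_hop(ADDR, mask, GATEWAY, dest)}")
    # Mask configured wider than assigned: only same-/16 hosts are affected.
    print(mask_mismatches(ADDR, "255.255.0.0", "255.255.255.0", GATEWAY, DESTS))
```

Only destinations that fall between the two masks change behaviour, which is why the rest of the Internet can work while hosts in the same wider range do not; which mask is right is whatever the address provider assigned.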



Re: Backup strategies

2009-02-03 Thread Amarendra Godbole
On Wed, Feb 4, 2009 at 2:59 AM, Jonathan Thornburg
jth...@astro.indiana.edu wrote:
 Etienne Robillard robillard.etienne () gmail ! com wrote
 i kinda like cpio for fast backup of filesystems... for large media
 files (think anime movies) -- I think it's generally best to just
 burn them on an iso..

 I have found rsync to an external usb hard disk to work very nicely;
 these are now cheap and readily available up to over a terabyte.
 Here are a few notes from my experience using this strategy for the
 past several years:
 * With rsync, the initial backup does a full copy, but then future
  backups automatically only copy changed files.
 * I found that performance went from painfully slow to ok when I
  switched my external disks from ext2fs to ffs mounted softdep,noatime.
 * I have had no problems with single files as big as 5 GB.
 * For extra disaster-insurance I actually use a pair of external disks,
  one at home and one at my office.  I swap them every week or so.

thanks. this gives me some pointers to implement a better backup
strategy. i also use a similar setup, except that i don't have
multiple disks (no backup for the backup).

 * Backups can be a security risk, since anyone who steals the backup
  medium has instant access to all the files stored there.  This is a
  great use for encrypting filesystems, eg svnd, raidctl, or cfs (ports).
 * Backups need to be hassle-free and as tired-system-administrator--proof
  as possible, so it's good to script the process.  I use scripts like
  the following:
 #!/bin/sh
 set -x
 rsync -aHESvv --delete \
   --exclude '/home/jonathan/crypt/*' \
   --exclude '/mnt/oxygen/home/jonathan/crypt/*' \
   /home/jonathan/ /mnt/oxygen/home/jonathan/
  This works fine except that the --exclude options are not honored
  (files under those directories are still copied).  I don't know what's
  wrong there...
[...]

how about using double-quotes instead? for eg., --exclude
/home/jonathan/crypt/*. your shell might be preventing rsync from
looking what's inside the quotes...

-amarendra



Re: PHP5 GD2

2009-02-03 Thread Les Richardson
L. V. Lammert wrote:
 Can someone point me in the right direction to determine what packages
 are required for 'GD2' support, php5, OBSD 4.3? The SilverStripe CMS is
 asking for 'GD2', but they don't provide enough information to isolate
 the required packages.
 
 TIA,
 
 Lee
 
From what I remember, the gd package has some prereq libs that live in
xbase, so you will want to make sure it is part of your install. After
that, pkg_add gd should take care of it, assuming you have set a package
path.



Re: Is it possible to increase wscale multiplier?

2009-02-03 Thread Dieter
How high is too high?  I have a utility that sets recv buf size
to 100,000,000 and it works fine on FreeBSD and NetBSD.  (Not
tested yet on OpenBSD.)  Necessary when the other end has buggy
network code and insufficient send buf.
   
   Could you clarify what you mean by that?
  
  Black box sends data to BSD box using TCP.  Data is generated in
  real time, the rate cannot be changed.  Black box has a very small
  (way too small) send buffer.  If the BSD box takes too long to
  ack, the black box's send buffer fills up and data is lost,
  and/or black box's buggy firmware screws up and data is lost.
  So I have to do everything I can to ensure that incoming packets
  do not get dropped, and that the acks get sent out as fast as
  possible.  Making the TCP recv buffer very large allows the
  incoming packets to get stored and acked, even if the userland
  process reading the data doesn't get to run often enough.  Even
  so, there is still the problem that other device drivers can and
  do lock out the Ethernet driver for too long.  Still working on
  that problem.  What we really need is true real time facilities.
  
  It is a latency problem, not a throughput problem.  If the black
  box were FLOSS instead of evil closed source it should be possible
  to fix the buggy network code.
  
 
 A) huge recv buffer does not solve your ACK problem.
 B) recv buffer is only affected by either the global
 net.inet.tcp.recvspace or the setsockopt SO_RCVBUF.
 C) the socketbuffers are limited to 256kB
 D) Instead of playing with knobs that don't really do what you think they
 will do you should make your userland app read faster.

It is a workaround.  The way to *solve* the problem is with a true
real time system.

Grepping through a few log files, the userland program read 44,751,896 bytes
with a single syscall.  The default recv buf size of 65536 doesn't get the
job done for this application.

It doesn't matter how fast the userland program is if it doesn't get
run often enough.  I have no way to guarantee how often a userland program
is run.  I have to estimate, add a safety factor, and size the buffers
accordingly.  As far as I can tell the only remaining problem is
when other device drivers lock out the Ethernet driver for too long.
Nothing I do to the userland program will change that.  I have to
figure out what driver(s) it is, and then figure out how to fix it.
At this point, problems are very rare.



Re: http version of spamd, anyone?

2009-02-03 Thread Jeffrey 'jf' Lim
anybody? I'm excluding the projects some of you might think of
(Labrea, and haproxy) for the reasons that none of them fit the
requirements that I have listed below...

-jf

On Tue, Feb 3, 2009 at 1:47 PM, Jeffrey 'jf' Lim jfs.wo...@gmail.com wrote:
 Is the project (or anybody) planning to work on something like spamd
 for http? Or does anybody know of any projects which do this already?

 I am looking for something to be (as per spamd) put in front of an
 actual server. A bunch of possible features i would be looking at:
 - blacklisting (should ideally allow for dynamic reloads without
 killing any existing valid connections)
 - tarpitting for open connections (no http request sent) beyond a
 certain timeout
 - tarpitting for invalid http requests
 - greytrapping (let's say u have only specific url patterns which
 are valid. Anything else, tarpit)


 thanks,
 -jf

 --
 In the meantime, here is your PSA:
 It's so hard to write a graphics driver that open-sourcing it would not 
 help.
-- Andrew Fear, Software Product Manager, NVIDIA Corporation
 http://kerneltrap.org/node/7228



ssh VisualHostKey

2009-02-03 Thread Chris
I've recently enabled VisualHostKey yes in my .ssh/config file. I
would like to hear from people who are using it and how they are
finding it useful.

Thanks.



Re: ssh VisualHostKey

2009-02-03 Thread Peter N. M. Hansteen
Chris atst...@gmail.com writes:

 I've recently enabled VisualHostKey yes in my .ssh/config file. I
 would like to hear from people who are using it and how they are
 finding it useful.

Not much to say, really.  The assumption that the ASCII-art picture
gives you a fairly unique shape per host that stands out more than a
change in a string of hex digits seems to be correct at least in my case.

One practical example - if you're used to seeing 

Host key fingerprint is 67:88:39:bd:7f:3c:df:a5:47:87:de:bd:9b:5e:7b:55

and one morning when you've had way too little coffee you may not
notice anything different if the machine greets you with

Host key fingerprint is 4b:b3:3e:54:54:ae:f0:0f:8d:28:10:d2:db:53:77:3f

but you likely would notice the difference between


+--[ RSA 1024]+
| |
| |
| |
|   + .  E|
|  + S o..|
|   . +. +|
|.  . . o*|
| .  + .oX|
|  .. o+B=|
+-+

and

+--[ RSA 1024]+
|  ...  ..|
|   ...  . o..|
|.o ..o ...   |
|..o  +.+  E  |
|  ..S.= .  . |
|   o.+ o |
|   .o   .|
|   ..|
|..   |
+-+

(both actual samples from machines in my care)

so yes, I think it's a helpful feature.

- Peter
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
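
How a fingerprint turns into the picture, as an added example that is not part of the original message: a sketch of the "drunken bishop" walk that OpenSSH's randomart is generally described as using, written here independently and not copied from OpenSSH, with assumed function names. It is run on the two fingerprints quoted above, without claiming they belong to the two pictures shown.

```python
FIELD_X, FIELD_Y = 17, 9
# Visit count -> character. The last two are reserved: S = start, E = end.
SYMBOLS = " .o+=*BOX@%&#/^SE"


def parse_fingerprint(text):
    """'67:88:39:...' -> raw digest bytes."""
    return bytes(int(part, 16) for part in text.strip().split(":"))


def randomart(fingerprint, label=" RSA 1024"):
    """Render a colon-separated hex fingerprint as a 17x9 ASCII picture."""
    digest = parse_fingerprint(fingerprint)
    field = [[0] * FIELD_X for _ in range(FIELD_Y)]
    x, y = FIELD_X // 2, FIELD_Y // 2          # the walk starts in the centre
    cap = len(SYMBOLS) - 3                     # '^' is the highest ordinary symbol

    for byte in digest:
        for _ in range(4):                     # four 2-bit moves per byte, low bits first
            x += 1 if byte & 0x1 else -1       # bit 0: right or left
            y += 1 if byte & 0x2 else -1       # bit 1: down or up
            x = min(max(x, 0), FIELD_X - 1)    # walls stop the walk, it does not wrap
            y = min(max(y, 0), FIELD_Y - 1)
            if field[y][x] < cap:
                field[y][x] += 1
            byte >>= 2

    field[FIELD_Y // 2][FIELD_X // 2] = len(SYMBOLS) - 2   # mark start 'S'
    field[y][x] = len(SYMBOLS) - 1                         # mark end 'E'

    top = ("+--[" + label + "]").ljust(FIELD_X + 1, "-") + "+"
    rows = ["|" + "".join(SYMBOLS[v] for v in row) + "|" for row in field]
    return "\n".join([top] + rows + ["+" + "-" * FIELD_X + "+"])


# The two fingerprints quoted in the message above.
FP_USUAL = "67:88:39:bd:7f:3c:df:a5:47:87:de:bd:9b:5e:7b:55"
FP_OTHER = "4b:b3:3e:54:54:ae:f0:0f:8d:28:10:d2:db:53:77:3f"

if __name__ == "__main__":
    print(randomart(FP_USUAL))
    print(randomart(FP_OTHER))
```

Because every byte of the digest steers the walk, a changed host key moves the marks across the whole field instead of changing a few hex digits in one place.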



Re: ssh VisualHostKey

2009-02-03 Thread Damien Miller
On Wed, 4 Feb 2009, Chris wrote:

 I've recently enabled VisualHostKey yes in my .ssh/config file. I
 would like to hear from people who are using it and how they are
 finding it useful.

the undead orc hits, you die.