I am an accountant at the BCB bank, I am going to transfer $12.million to your account

2009-06-22 Thread Kito Waziri
Invitation: "I am an accountant at the BCB bank, I am going to transfer $12.million 
to your account".


From your host Kito Waziri:


 Date:  Tuesday 23 June 2009

 Time: 4:00 - 5:00 (GMT+00:00)
 Location:  Dear Friend, Hello, I am MR, Kito Waziri, accountant at the 
BANQUE COMERCIALE DU BURKINA (BCB), I am going to transfer $6.million (usd) to your 
account. If this interests you, I will send you all the details on how we will 
proceed, and also note that you will have 30% of the amount indicated, 
if you agree to help me carry out this transaction. Reply to me 
quickly, and please, this is a confidential proposal, thank you

Invitees:





Re: OpenBSD 4.4: dnsbl just for port 25 (not msa 587)

2009-06-22 Thread Dan Harnett
On Mon, Jun 22, 2009 at 07:19:09PM -0600, Alvaro Mantilla Gimenez wrote:
>
>According to the /usr/share/sendmail/README file, it is necessary to
> add the "a" modifier to the line that define the MSA: "Additionally, by
> using the M=a modifier you can require authentication before messages
> are accepted by the MSA"

Actually, 'a' will only advertise that SMTP AUTH is available, it does
not require it.  You want to use 'l' to enforce it.

  DAEMON_OPTIONS(`Family=inet, Address=0.0.0.0, Port=587, Name=MSA, M=El')dnl

This won't even allow mail to local recipients without authentication
first.

>   Why the original line (without the "a" modifier) port 587 requires
> authentication as well?. Is it implicit in other place? I already
> checked several times the send process with/without the "a" modifier and
>  I needed the authentication in both cases all the times to be able to
> send an email through the 587 port.

How did you test this?  Do you have any Srv_Features listed in your
access map?  Authentication is not required in the default config.  In
fact, it's not even available.  Some clients (like Thunderbird, IIRC)
will always try to authenticate if the mail server announces SMTP AUTH
as a feature during the EHLO/HELO state.  Are you sure you're not
confusing an annoying client feature with enforcing authentication?

>  Spamhaus said that the only thing I need to avoid that "error" is to
> have SMTP AUTH enable on the server on port 587 (which I already have as
> my previous question about the lines on openbsd-proto.mc).

Authenticated users will skip the DNSBL checks if you use
FEATURE(`delay_checks') in your .mc file.

> 587? Sadly I can test it myself because my IP does not appear on PBL
> lists and my users will connect during my sleep time (I am 8 hours behind).

You can always setup your own test DNSBL that lists just your IP
address.
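
Added example (not part of the posts in this thread, and not sendmail's own code): a Python check of the distinction discussed above, whether the submission port only advertises SMTP AUTH or actually refuses unauthenticated mail, judged from the server's replies rather than from the .mc file. The transcripts are constructed samples; `probe()` and its default addresses are assumptions for illustration, and 530 is the "authentication required" reply code from RFC 4954.

```python
import re
import smtplib

REPLY = re.compile(r"^(\d{3})([ -])(.*)$")

# Constructed sample sessions ("C:" client, "S:" server); not captured from a real host.
ADVERTISED_ONLY = """\
S: 220 mail.example.org ESMTP
C: EHLO client.example.net
S: 250-mail.example.org Hello client.example.net
S: 250-ENHANCEDSTATUSCODES
S: 250-AUTH PLAIN LOGIN
S: 250 HELP
C: MAIL FROM:<probe@example.org>
S: 250 2.1.0 Sender ok
C: RCPT TO:<user@example.org>
S: 250 2.1.5 Recipient ok
C: RSET
S: 250 2.0.0 Reset state
"""
ENFORCED = ADVERTISED_ONLY.split("C: MAIL")[0] + """\
C: MAIL FROM:<probe@example.org>
S: 530 5.7.0 Authentication required
"""


def parse_session(transcript):
    """Split a logged SMTP session into (command, code, [reply lines]) tuples.

    A reply continues while the character after the code is "-" and ends
    on the line where it is a space.
    """
    exchanges, command, lines = [], "(banner)", []
    for raw in transcript.splitlines():
        raw = raw.strip()
        if raw.startswith("C: "):
            command = raw[3:].split()[0].upper()
        elif raw.startswith("S: "):
            m = REPLY.match(raw[3:])
            if not m:
                continue
            code, sep, text = m.groups()
            lines.append(text)
            if sep == " ":  # last line of this reply
                exchanges.append((command, int(code), lines))
                lines = []
    return exchanges


def classify(exchanges):
    """Return 'enforced', 'advertised-only', 'not-offered' or 'inconclusive'."""
    auth_offered, codes = False, {}
    for command, code, lines in exchanges:
        if command == "EHLO" and code == 250:
            # Keywords follow the greeting line; a later EHLO (after
            # STARTTLS) replaces what an earlier one announced.
            words = [l.split()[0].upper() for l in lines[1:] if l.split()]
            auth_offered = any(w == "AUTH" or w.startswith("AUTH=") for w in words)
        elif command == "AUTH":
            return "inconclusive"  # the session logged in, so it proves nothing
        elif command in ("MAIL", "RCPT"):
            codes[command] = code
    if 530 in codes.values():
        return "enforced"
    if codes.get("MAIL") == 250 and codes.get("RCPT") == 250:
        return "advertised-only" if auth_offered else "not-offered"
    return "inconclusive"  # e.g. relaying denied for a non-local recipient


def probe(host, port=587, sender="probe@example.org", rcpt="postmaster@example.org"):
    """Live version of the same check against your own server (hypothetical helper).

    Pass a recipient that is local to the server. No DATA is sent, so
    nothing is delivered; the transaction is reset before quitting.
    """
    exchanges = []
    with smtplib.SMTP(host, port, timeout=10) as s:
        code, msg = s.ehlo()
        if s.has_extn("starttls"):  # many servers list AUTH only after STARTTLS
            s.starttls()
            code, msg = s.ehlo()
        exchanges.append(("EHLO", code, msg.decode(errors="replace").splitlines()))
        for verb, arg in (("MAIL", "FROM:<%s>" % sender), ("RCPT", "TO:<%s>" % rcpt)):
            code, msg = s.docmd(verb, arg)
            exchanges.append((verb, code, [msg.decode(errors="replace")]))
            if code != 250:
                break
        s.docmd("RSET")
    return classify(exchanges)


if __name__ == "__main__":
    for name, text in (("AUTH offered, MAIL accepted", ADVERTISED_ONLY),
                       ("AUTH offered, MAIL refused", ENFORCED)):
        print(name, "->", classify(parse_session(text)))
```

A mail client that always logs in when AUTH is announced will look the same in both cases, which is why the check sends MAIL and RCPT without authenticating.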



Re: balsa not in ports?

2009-06-22 Thread Mike Erdely
A very recent submission (not yet clearly linked) to the OpenBSD website
is the ports handbook.  You should check it out:
http://www.openbsd.org/faq/ports/

I await your submission for the port you'd like.

-ME

On Tue, Jun 23, 2009 at 12:15:21AM -0400, Eric d'Alibut wrote:
> On Mon, Jun 22, 2009 at 10:29 PM, Daniel Dickman said,
> 
> > Eric, attached is a starting point if you -- or someone else -- want
> > to finish the work to get balsa ported over. The patches are quick
> > hacks to get it to compile (so you'll need to investigate why it
> > doesn't compile and fix properly) and dependencies need to be set
> 
> It does compile here, on a stock
> 
> $ uname -a
> OpenBSD trollboy.legomenon.org 4.5 GENERIC#1749 i386
> 
> system. I should hasten to add that is also _runs_, although my test
> drive has been hardly down the driveway yet.  All this even after I
> added to the Makefile:
> 
>  --with-gpgme=yes \
>   --with-ssl \
> 
> Libesmtp is another matter. Just as an fyi, I can report that the
> off-the-shelf tarball of libesmtp-1.0.4 fails to build with:
> 
>  gcc -DHAVE_CONFIG_H -I. -I. -I. -I. -pthread -std=c99 -pedantic -g
> -O2 -pthread -std=c99 -pedantic -g -O2 -MT headers.lo -MD -MP -MF
> .deps/headers.Tpo -c headers.c  -fPIC -DPIC -o .libs/headers.o
> headers.c: In function `print_message_id':
> headers.c:161: error: storage size of `tv' isn't known
> headers.c:170: warning: implicit declaration of function `gettimeofday'
> gmake[2]: *** [headers.lo] Error 1
> gmake[2]: Leaving directory `/usr/local/src/libesmtp-1.0.4'
> gmake[1]: *** [all-recursive] Error 1
> gmake[1]: Leaving directory `/usr/local/src/libesmtp-1.0.4'
> gmake: *** [all] Error 2
> 
> OpenBSD ships with sendmail so the loss of smtp ought not be a
> deal-breaker, yes?
> 
> 
> --
> No no no, my fish's name is Eric, Eric the fish. He's an halibut. I am
> not a looney! Why should I be tarred with the epithet looney merely
> because I have a pet halibut?



Re: balsa not in ports?

2009-06-22 Thread Eric d'Alibut
On Mon, Jun 22, 2009 at 10:29 PM, Daniel Dickman said,

> Eric, attached is a starting point if you -- or someone else -- want
> to finish the work to get balsa ported over. The patches are quick
> hacks to get it to compile (so you'll need to investigate why it
> doesn't compile and fix properly) and dependencies need to be set

It does compile here, on a stock

$ uname -a
OpenBSD trollboy.legomenon.org 4.5 GENERIC#1749 i386

system. I should hasten to add that is also _runs_, although my test
drive has been hardly down the driveway yet.  All this even after I
added to the Makefile:

 --with-gpgme=yes \
  --with-ssl \

Libesmtp is another matter. Just as an fyi, I can report that the
off-the-shelf tarball of libesmtp-1.0.4 fails to build with:

 gcc -DHAVE_CONFIG_H -I. -I. -I. -I. -pthread -std=c99 -pedantic -g
-O2 -pthread -std=c99 -pedantic -g -O2 -MT headers.lo -MD -MP -MF
.deps/headers.Tpo -c headers.c  -fPIC -DPIC -o .libs/headers.o
headers.c: In function `print_message_id':
headers.c:161: error: storage size of `tv' isn't known
headers.c:170: warning: implicit declaration of function `gettimeofday'
gmake[2]: *** [headers.lo] Error 1
gmake[2]: Leaving directory `/usr/local/src/libesmtp-1.0.4'
gmake[1]: *** [all-recursive] Error 1
gmake[1]: Leaving directory `/usr/local/src/libesmtp-1.0.4'
gmake: *** [all] Error 2

OpenBSD ships with sendmail so the loss of smtp ought not be a
deal-breaker, yes?


--
No no no, my fish's name is Eric, Eric the fish. He's an halibut. I am
not a looney! Why should I be tarred with the epithet looney merely
because I have a pet halibut?



Re: About the OpenBSD repository

2009-06-22 Thread Abel Camarillo
On Mon, Jun 22, 2009 at 07:13:51PM -0700, Mike Swanson wrote:
> Paul M wrote:
>> On 23/06/2009, at 6:44 AM, Fernando Quintero wrote:
>>
>>> Hello list,
>>>
>>> I have a question:
>>>
>>> I was reading about version control systems and i found a lot of the
>>> distributed software "with best performance", but really i don't know 
>>> much
>>> about it.
>>> There are some technicals or philosophicals reasons why the OpenBSD
>>> repository does not change to something other than CVS?
>>
>>
>> You seem to make the assumption that _everything_ else is better than  
>> CVS.
>> This may be your opinion, but that's all it is.
>>
>>
>> paulm
>>
> Well, I suppose it is better than RCS or SCCS, and in some small ways,
> CVS even did things right that SVN gets wrong (namely, tags).  But to
> imply that CVS is better than (or equal to) Mercurial or Git is a bit
> ridiculous :)
>

Well the OpenBSD devs have only read completely the source of CVS, and
developed OpenCVS, so (i think) that they don't want to use another thing
that they don't fully understand, and isn't BSD/ISC licensed (like
mercurial or git).

well that's my guess.

also: read the archives, this has been discussed sometimes.

-- 
DISCLAIMER: http://goldmark.org/jeff/stupid-disclaimers/ 
This message will self-destruct in 3 seconds.



Re: About the OpenBSD repository

2009-06-22 Thread Eugene Prodeguene

On Mon, 22 Jun 2009, Mike Swanson wrote:

> Paul M wrote:
>> On 23/06/2009, at 6:44 AM, Fernando Quintero wrote:
>>
>>> Hello list,
>>>
>>> I have a question:
>>>
>>> I was reading about version control systems and i found a lot of the
>>> distributed software "with best performance", but really i don't know much
>>> about it.
>>> There are some technicals or philosophicals reasons why the OpenBSD
>>> repository does not change to something other than CVS?
>>
>> You seem to make the assumption that _everything_ else is better than CVS.
>> This may be your opinion, but that's all it is.
>>
>> paulm
>
> Well, I suppose it is better than RCS or SCCS, and in some small ways,
> CVS even did things right that SVN gets wrong (namely, tags).  But to
> imply that CVS is better than (or equal to) Mercurial or Git is a bit
> ridiculous :)



http://www.openbsd.org/why-cvs.html

Because none of the above mentioned will allow for 70+ developers to
update ~1.2GB/~140,000 files of source code, allow anonymous checkouts,
has an available web based interface and interfaces with ssh. Instead 
though non atomic commits, expensive branches and almost 20 years of 
work arounds are utilized.


Eugenio.



Re: About the OpenBSD repository

2009-06-22 Thread Mike Swanson

Paul M wrote:
> On 23/06/2009, at 6:44 AM, Fernando Quintero wrote:
>
>> Hello list,
>>
>> I have a question:
>>
>> I was reading about version control systems and i found a lot of the
>> distributed software "with best performance", but really i don't know much
>> about it.
>> There are some technicals or philosophicals reasons why the OpenBSD
>> repository does not change to something other than CVS?
>
> You seem to make the assumption that _everything_ else is better than CVS.
> This may be your opinion, but that's all it is.
>
> paulm

Well, I suppose it is better than RCS or SCCS, and in some small ways,
CVS even did things right that SVN gets wrong (namely, tags).  But to
imply that CVS is better than (or equal to) Mercurial or Git is a bit
ridiculous :)



Re: OpenBSD 4.4: dnsbl just for port 25 (not msa 587)

2009-06-22 Thread Alvaro Mantilla Gimenez
Hi,

  The openbsd-proto.mc file has these lines:

  FEATURE(`no_default_msa')dnl
  DAEMON_OPTIONS(`Family=inet, Address=0.0.0.0, Name=MTA')dnl
  DAEMON_OPTIONS(`Family=inet6, Address=::, Name=MTA6, M=O')dnl
  DAEMON_OPTIONS(`Family=inet, Address=0.0.0.0, Port=587, Name=MSA, M=E')dnl
  DAEMON_OPTIONS(`Family=inet6, Address=::, Port=587, Name=MSA6, M=O, M=E')dnl

   According to the /usr/share/sendmail/README file, it is necessary to
add the "a" modifier to the line that define the MSA: "Additionally, by
using the M=a modifier you can require authentication before messages
are accepted by the MSA"

   If I understood well the line:

DAEMON_OPTIONS(`Family=inet, Address=0.0.0.0, Port=587, Name=MSA, M=E')dnl

   would be:

DAEMON_OPTIONS(`Family=inet, Address=0.0.0.0, Port=587, Name=MSA, M=Ea')dnl

   and then the smtp auth must work on port 587.

  Why the original line (without the "a" modifier) port 587 requires
authentication as well?. Is it implicit in other place? I already
checked several times the send process with/without the "a" modifier and
 I needed the authentication in both cases all the times to be able to
send an email through the 587 port.

  My question is because, as I said in my previous email, I want to
separate the dnsbl verification just for port 25 and let the clients to
authenticate and send the email on port 587 without pass through the
dnsbl lists verifications (as is defined by the line FEATURE(`dnsbl',
`zen.spamhaus.org' that I added to openbsd-proto.mc).

  I just add the "a" modifier and I noticed a little delay when the
client software (thunderbird on this case) do the authentication process
for send the email. My problem is that I have users that connect to the
server with dynamic IP addresses and they are rejected after the
authentication process because the IP is on the PBL list with this message:

 " This IP range has been identified by Spamhaus as not meeting our
policy for IPs which should deliver 'direct-to-mx' mail to PBL users. "

 Spamhaus said that the only thing I need to avoid that "error" is to
have SMTP AUTH enable on the server on port 587 (which I already have as
my previous question about the lines on openbsd-proto.mc).

  Can I assume that the MSA configuration (with the "a" modifier) will
authenticate the user and let him send the email without pass through the
PBL verification, just doing the authentication process? In case my
assumption  is not correct...is there any way to separate that without
to run another sendmail process (with a separate configuration) on port
587? Sadly I can test it myself because my IP does not appear on PBL
lists and my users will connect during my sleep time (I am 8 hours behind).

  Some light here will be appreciate.

  Regards

  Alvaro

Alvaro Mantilla Gimenez wrote:
> Hello,
> 
>Is there any way to apply dnsbl feature just on port 25 on the
> default openbsd sendmail configuration and do not apply that on port 587
> (just auth smtp)?
> 
>I googled it looking for answers but it seems people disabled dnsbl
> feature on sendmail and used it with spamassasin (which is not an option
> for me).
> 
>Any advice?
> 
> 
>Thanks,
> 
> 
>   Alvaro



Re: balsa not in ports?

2009-06-22 Thread Ted Unangst
On Mon, Jun 22, 2009 at 8:26 PM, Eric d'Alibut wrote:
> What is the rationale for excluding balsa from ports? Some glaring vuln?

Probably a glaring lack of submissions.  You could also mail the ports
list, which is the list where the people who know about ports tend to
congregate.



balsa not in ports?

2009-06-22 Thread Eric d'Alibut
What is the rationale for excluding balsa from ports? Some glaring vuln?


Best,

-- 
No no no, my fish's name is Eric, Eric the fish. He's an halibut. I am
not a looney! Why should I be tarred with the epithet looney merely
because I have a pet halibut?



Re: About the OpenBSD repository

2009-06-22 Thread Paul M

On 23/06/2009, at 6:44 AM, Fernando Quintero wrote:

> Hello list,
>
> I have a question:
>
> I was reading about version control systems and i found a lot of the
> distributed software "with best performance", but really i don't know much
> about it.
> There are some technicals or philosophicals reasons why the OpenBSD
> repository does not change to something other than CVS?

You seem to make the assumption that _everything_ else is better than CVS.
This may be your opinion, but that's all it is.


paulm



Re: powerdns port

2009-06-22 Thread Stuart Henderson
On 2009-06-22, Bambero  wrote:
> Hi,
>
> It seems there is no ldap backend for powerdns. Does anyone know why ?
>
> Bambero
>
>

Because when I last looked at adding it, I found more important
problems with the port to fix first.



Re: pf logging session init and close with match action

2009-06-22 Thread Stuart Henderson
The FIN/RST packets match the existing state created by the "pass" rule,
so these packets don't touch the ruleset at all.

Sounds like you either want "no state" (though this has many drawbacks),
extra code to do something between "log" and "log (all)", or some other
way to record these sessions (pflow?).


On 2009-06-22, Csaba Szip  wrote:
> Hi!
>
> I would like to log a SYN packet in the beginning of sessions and the
> FIN and/or RST packet at the end with the new match action.
>
> cat pf.conf
>
> set skip on lo
> block in log
> pass out
>
> match in log flags S/S
> match in log flags F/F
> match in log flags R/R
> pass in proto tcp from any to (vic0) port 22
>
>
> If i initiate a new ssh connection to the firewall the match condition seems 
> ok.
>
> Jun 22 13:04:17.797771 rule 2/(match) match in on vic0:
> 192.168.229.1.3711 > 192.168.229.128.22: S 326636544:326636544(0) win
> 65535  (DF)
>
> But if i terminate the ssh session i dont see any further logs.
>
> So my question is: Is it possible to use the match action for this
> scenario (or something else) or i totally misunderstood anything?
>
> Thx
> Godot
>
> PS: Sorry if my english is terrible
>
>

Your English is ok and clearly understandable. I've seen much worse
from native speakers. :)



OT: Anyone based in Canterbury?

2009-06-22 Thread Edd Barrett
Hi,

Are there any students or researchers from Kent Uni or Canterbury on this list?

-- 
Best Regards

Edd Barrett
(Freelance software developer / technical writer / open-source developer)

http://students.dec.bournemouth.ac.uk/ebarrett



Re: exec/unexec

2009-06-22 Thread Stuart Henderson
On 2009-06-22, Alexander Hall  wrote:
> Joachim Schipper wrote:
>> On Mon, Jun 22, 2009 at 12:00:31AM +0300, Cem Kayali wrote:
>>> Hi,
>>>
>>> Thanks for your reply.
>>>
>>> -I   If scripts exist for a given package, do not execute them.
>>>
>>>
>>> This does not work... I will re-check, but "pkg_add -vvvI" shows that  
>>> scripts are executed.

please re-check, if it's definitely executing the scripts when -I is used,
open a bug with sendbug showing how you've tested. If you work out how to
fix it, include the diff. (PackingElement.pm might be a good place to start).

>>> Well, one of my client would like to run any 3rd party script only as  
>>> regular user.
>> 
>> Not to be annoying, but this is pretty pointless. (S)he has already
>> installed OpenBSD and is installing the port in question; in other
>> words, (s)he has already decided to trust the OpenBSD and port authors,
>> and to some extent the port maintainer as well. Letting the port run
>> scripts doesn't require trusting anyone that isn't already trusted.
>
> I agree, but still there is a difference in that the @{un,}exec stuff
> would always be run as root.

The majority (if not all) of things that run in @exec/@unexec *need*
to run as root in order to function correctly. Somebody who wants to
exercise this amount of control might be better served by building their
own packages from their own, maybe modified, ports tree.



Re: About the OpenBSD repository

2009-06-22 Thread Anil Madhavapeddy
Pretty much every single new revision control system can import/export  
from CVS, so use whatever you want...


-anil

On 22 Jun 2009, at 19:44, Fernando Quintero wrote:

> Hello list,
>
> I have a question:
>
> I was reading about version control systems and i found a lot of the
> distributed software "with best performance", but really i don't know much
> about it.
> There are some technicals or philosophicals reasons why the OpenBSD
> repository does not change to something other than CVS?
>
> Thanks in advanced.
>
>
> --
> --
>
> Fernando Quintero
> http://nonroot.blogspot.com/
> *Just a nonroot User*



Re: About the OpenBSD repository

2009-06-22 Thread Marco Peereboom
If it ain't broken don't fix it.

What is wrong with CVS?  And no I am not talking about the hypotheticals
and some bugs that exist in the current code (that can also be easily
worked around).

I have used just about all versioning systems, including ones that have
the price tag of islands in the pacific, and ultimately they all suck in
their special ways.  CVS works "well-enough".

On Mon, Jun 22, 2009 at 01:44:45PM -0500, Fernando Quintero wrote:
> Hello list,
> 
> I have a question:
> 
> I was reading about version control systems and i found a lot of the
> distributed software "with best performance", but really i don't know much
> about it.
> There are some technicals or philosophicals reasons why the OpenBSD
> repository does not change to something other than CVS?
> 
> Thanks in advanced.
> 
> 
> -- 
> --
> 
> Fernando Quintero
> http://nonroot.blogspot.com/
> *Just a nonroot User*



About the OpenBSD repository

2009-06-22 Thread Fernando Quintero
Hello list,

I have a question:

I was reading about version control systems and i found a lot of the
distributed software "with best performance", but really i don't know much
about it.
There are some technicals or philosophicals reasons why the OpenBSD
repository does not change to something other than CVS?

Thanks in advanced.


-- 
--

Fernando Quintero
http://nonroot.blogspot.com/
*Just a nonroot User*



Re: sftp/ftp best practices

2009-06-22 Thread Joachim Schipper
On Mon, Jun 22, 2009 at 08:52:23AM -0500, Dominguez, Roland wrote:
> I received permission to set up our sftp/ftp server under Openbsd.
> Is there a best practices doc for doing so?
> I'm reading:
> http://www.openbsd.org/faq/faq10.html#ftpchroot
> and
> http://www.openbsd.org/cgi-bin/man.cgi?query=ftpd&sektion=8

You seem to have found the relevant documentation yourself. The only
"best practice" I would suggest is dropping ftpd and just going with
sftp-server(8) (the part of sshd(8) used by the sftp(1) command).

Try something like this in /etc/ssh/sshd_config:

Match group sftp_users
AllowTcpForwarding no
ChrootDirectory "%h"
ForceCommand internal-sftp
X11Forwarding no

You can then create users in group sftp_users with appropriate home
directories. You may impose some limits on the resources they may
consume (see sshd_config(5), login.conf(5)), if required. Do read the
section on syslog sockets (short version: set
syslogd_flags="-a /some/ftp_user's/home -a /some/other/ftp_user's/home"
in /etc/rc.conf.local).

Joachim
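
Added example, not part of the post above and not OpenSSH code: a Python check that a Match block like the one quoted yields the intended restrictions for the group, plus the ownership rule sshd applies to ChrootDirectory (every path component root-owned and not writable by group or others), which matters with "%h" because each user's home becomes the chroot. The parser is a simplified model (literal `Match Group` names only); WEAK_CONFIG, SAMPLE_FS and all function names are constructed for illustration.

```python
import os
import stat as st_flags
from types import SimpleNamespace

# The Match block from the post, and a constructed weak variant for contrast.
PAGE_CONFIG = """\
Match group sftp_users
AllowTcpForwarding no
ChrootDirectory "%h"
ForceCommand internal-sftp
X11Forwarding no
"""
WEAK_CONFIG = """\
X11Forwarding yes
Match Group sftp_users
ChrootDirectory none
"""


def effective_settings(config_text, group):
    """Directives sshd would apply to a user whose groups include `group`.

    Simplified model: only "Match Group a,b" with literal names is
    understood; for each keyword the first value seen wins, and values
    from matching Match blocks override the global section.
    """
    global_opts, match_opts = {}, {}
    target = global_opts  # dict the current line belongs to, None = skip
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if keyword == "match":
            crit = value.split()
            is_group = len(crit) == 2 and crit[0].lower() == "group"
            names = crit[1].split(",") if is_group else []
            target = match_opts if group in names else None
            continue
        if target is not None:
            target.setdefault(keyword, value)
    return {**global_opts, **match_opts}


def audit_sftp_group(config_text, group):
    """List the ways the group's sessions are less confined than in the post."""
    opts = effective_settings(config_text, group)
    findings = []
    if opts.get("forcecommand", "").split()[:1] != ["internal-sftp"]:
        findings.append("ForceCommand is not internal-sftp")
    if opts.get("chrootdirectory", "none").lower() == "none":
        findings.append("ChrootDirectory is not set")
    if opts.get("allowtcpforwarding", "yes").lower() != "no":  # default is yes
        findings.append("AllowTcpForwarding is not disabled")
    if opts.get("x11forwarding", "no").lower() != "no":        # default is no
        findings.append("X11Forwarding is enabled")
    return findings


# Constructed (uid, mode) table standing in for os.stat() results.
SAMPLE_FS = {
    "/": (0, 0o755), "/home": (0, 0o755), "/home/alice": (1000, 0o755),
    "/srv": (0, 0o755), "/srv/sftp": (0, 0o755), "/srv/sftp/bob": (0, 0o755),
    "/data": (0, 0o775), "/data/carol": (0, 0o755),
}


def sample_stat(path):
    uid, mode = SAMPLE_FS[path]
    return SimpleNamespace(st_uid=uid, st_mode=mode)


def chroot_path_problems(path, stat=os.stat):
    """Check every component from / down to `path` the way sshd does
    before it will chroot: owned by root, no group/other write bit."""
    problems, current = [], os.sep
    parts = [p for p in os.path.abspath(path).split(os.sep) if p]
    for part in [""] + parts:
        current = os.path.join(current, part)
        info = stat(current)
        if info.st_uid != 0:
            problems.append("%s: not owned by root" % current)
        if info.st_mode & (st_flags.S_IWGRP | st_flags.S_IWOTH):
            problems.append("%s: writable by group or others" % current)
    return problems


if __name__ == "__main__":
    print(audit_sftp_group(PAGE_CONFIG, "sftp_users"))
    print(audit_sftp_group(WEAK_CONFIG, "sftp_users"))
    print(chroot_path_problems("/home/alice", stat=sample_stat))
```

A home directory owned by the user fails the chroot check, so uploads need a user-owned subdirectory inside a root-owned home.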



OpenBSD 4.4: dnsbl just for port 25 (not msa 587)

2009-06-22 Thread Alvaro Mantilla Gimenez
Hello,

   Is there any way to apply dnsbl feature just on port 25 on the
default openbsd sendmail configuration and do not apply that on port 587
(just auth smtp)?

   I googled it looking for answers but it seems people disabled dnsbl
feature on sendmail and used it with spamassasin (which is not an option
for me).

   Any advice?


   Thanks,


  Alvaro



CARP problem : slave rioting

2009-06-22 Thread BARDOU Pierre
Hello,

I have a setup with 2 openBSD boxes used as firewall, redundancy is made using
CARP.
Each has 4 NIC : 1 for internet, 1 for pfsync, and the two last are used as a
trunk, collecting all other VLANs.
Master's advskew is 10, slave's is 50.
All worked like a charm since nearly 2 years, but since 3 weeks I have odd
problems :
* on the net interface, the backup becomes master, but the master remains
master -> Nearly half of the packets are lost
I did a tcpdump on the slave's interface, carp packets from the master arrive.
But it remains master !
Jun 22 16:42:50.572205 00:00:5e:00:01:0a 01:00:5e:00:00:12 0800 70:
CARPv2-advertise 36: vhid=10 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
Jun 22 16:42:50.748122 00:00:5e:00:01:0a 01:00:5e:00:00:12 0800 70:
CARPv2-advertise 36: vhid=10 advbase=1 advskew=50 demote=0 (DF) [tos 0x10]

* on my DMZ interface (vlan 4), the carp is in INIT state. By the way, as it
is part of a trunk, physical connections are good : they work for all other
VLANs. When I shut down the corresponding carp interface on the slave
(ifconfig carp4 down), master becomes master again.

Could you give me any clue to keep my master in master state ?

Thank you

--
Regards,
 
Pierre BARDOU
CSIM - Bureau 012
 
Midi Picardie Informatique Hospitalihre
12 rue Michel Labrousse
BP93668
F-31036 Toulouse CEDEX 1
 
Til : 05 67 31 90 84
Fax : 05 34 61 51 00
Mail : bardo...@mipih.fr



Re: routing/network question

2009-06-22 Thread patrick keshishian
On Sun, Jun 21, 2009 at 6:20 PM, Philip Guenther wrote:
> On Sun, Jun 21, 2009 at 5:57 PM, patrick keshishian wrote:
>> On Sun, Jun 21, 2009 at 3:42 PM, Philip Guenther wrote:
>>> On Sun, Jun 21, 2009 at 10:36 AM, patrick keshishian wrote:
>>>> *aham* ... was this a really stupid question?
>>>
>>> Well, you elided useful data by only including part of the netstat
>>> output, you obfuscated it to make it harder to read, you failed to
>>> even mention what version of OpenBSD you're running, *and* you
>>> actually have a solution to your problem.  Why should anyone bother to
>>> answer?
>>
>> ouch... but thanks for taking the time to reply.
>>
>> well, you have some good points there, but if you read carefully, my
>> post wasn't of the "Hey everyone please help me!" flavour. It was of
>> the form "I notice this on openbsd and this on this other platform, I
>> wonder which is the expected behavior?"
>
> Sure, but how should someone decide that the behavior is expected when
> you leave out chunks of the information that describes your setup?  Do
> I need to have a multipath + ppp setup to be able to help?
>
>
>> This was noticed on periodically-updated openbsd macppc-snapshots
>> since pre 4.4 release until one from 2 months ago, which I'm currently
>> running.
>
> So you're now running some undisclosed version of 4.5-current?

Not sure where you get the "undisclosed version" from. I pointed out
that I've been using various snapshots over the stated time-line. I
didn't keep meticulous notes on what exact snapshot I used starting at
what date and for how long. Frankly I don't think there are many
people that keep such accounting records.

> Wait, does that "until one from 2 months ago" mean that the behavior
> changed when you most recently updated the snapshot you're running?!?

No. That is why I specifically said "which I'm currently running" to
indicate that I am still, currently running the snapshot from two
months ago.


>> e.g., I can start a ping going for the particular host on the remote
>> network, next establish the route and the pings continue out on the
>> physical interface. If I start a new ping, those packets, now, go
>> through the ppp0 interface. As verified with tcpdump.
>>
>> So, it seems, based on my observations, routes are "sticky" with
>> respect to sockets; even non-TCP sockets, which seems bit odd. Do you
>> not agree?
>
> Still asking for people to state expectations on zero data.  My
> crystal ball says that that netstat info would have been interesting,
> but since you apparently only are interested in responses from people
> that happen to have multipath setups and use ppp, I guess I can't help
> you.

Thanks for your input,
--patrick



Re: routing/network question

2009-06-22 Thread patrick keshishian
On Mon, Jun 22, 2009 at 1:49 AM, Claudio Jeker wrote:
> On Sun, Jun 21, 2009 at 05:57:09PM -0700, patrick keshishian wrote:
>> On Sun, Jun 21, 2009 at 3:42 PM, Philip Guenther wrote:
>> > On Sun, Jun 21, 2009 at 10:36 AM, patrick keshishian wrote:
>>
>> >> Maybe I just wrote too many words. In simple terms, once a new route
>> >> has been added to the routing table, all traffic should consider the
>> >> new route right? So, is the ppp interface treated differently when it
>> >> comes to routing in OpenBSD?
>> >
>> > Does this quote from the netstat(8) manpage explain the behavior?
>> >     Connection oriented protocols normally hold on to a single route
>> >     for the duration of a connection while connectionless protocols obtain a
>> >     route while sending to the same destination.
>> ah, yes. this is good, as it confirms part of my observation; note
>> that i was not specific on the type of socket used, because it did not
>> make a difference. I simply said "same socket descriptor", indicating
>> one created prior to the establishment of the new route.
>>
>> e.g., I can start a ping going for the particular host on the remote
>> network, next establish the route and the pings continue out on the
>> physical interface. If I start a new ping, those packets, now, go
>> through the ppp0 interface. As verified with tcpdump.
>>
>> So, it seems, based on my observations, routes are "sticky" with
>> respect to sockets; even non-TCP sockets, which seems bit odd. Do you
>> not agree?
>>
>
> Yes, sockets cache routes and that's good and it will most probably
> not change anytime soon. If the route becomes unavailable a new lookup
> will be done.

Thanks for your reply. Last night I started to dig through sources for
this answer and I found this out looking at ip_output() (assuming I'm
on the right trail).

Cheers,
--patrick



Re: AMD64 with 4GB RAM

2009-06-22 Thread Chris Kuethe
On Mon, Jun 22, 2009 at 8:59 AM, Gaby Vanhegan wrote:
> I'd gathered that from reading one of those threads to the end.  I really
> wanted to avoid having to build a custom kernel, especially if the results
> might not even work.  I suppose I was just inquiring about the status of
> bigmem in 4.5 and if it is considered "safe" to use yet?

it is not "safe" to use yet. if it was, it'd be enabled by default.

that being said, it works for some people on some machines. it works
on my amd workstation but not my intel laptop.

CK

--
GDB has a 'break' feature; why doesn't it have 'fix' too?



Re: AMD64 with 4GB RAM

2009-06-22 Thread Philip Guenther
On Mon, Jun 22, 2009 at 7:59 AM, Gaby Vanhegan wrote:
> I'd gathered that from reading one of those threads to the end.  I really
> wanted to avoid having to build a custom kernel, especially if the results
> might not even work.  I suppose I was just inquiring about the status of
> bigmem in 4.5 and if it is considered "safe" to use yet?

Unfortunately, whether it works depends on what hardware devices you
have, as some devices don't support DMA to/from high memory addresses
and the kernel doesn't know how to make sure that it never points such
devices at such memory.  There's been some discussion in this area but
I don't think anything has been finalized yet.


Philip Guenther



Re: AMD64 with 4GB RAM

2009-06-22 Thread Claudio Jeker
On Mon, Jun 22, 2009 at 03:59:35PM +0100, Gaby Vanhegan wrote:
> On 22 Jun 2009, at 14:58, Thomas Pfaff wrote:
>
>> On Mon, 22 Jun 2009 12:37:08 +0100
>> Gaby Vanhegan  wrote:
>>>
>>> I have a machine with 4GB RAM and a quad core Xeon processor.  Will  
>>> it
>>> be able to see the full 4GB of RAM or will I have to tweak bigmem,
>>> either by building a custom kernel (really don't want to do that) or
>>> by using config()?
>>>
>> You can't use config to toggle bigmem.  You need to set the bigmem
>> variable to 1 in /usr/src/sys/arch/amd64/amd64/machdep.c, then you
>> compile and install a new kernel.
>>
>> http://www.openbsd.org/faq/faq5.html#BldKernel explains how.
>
>
> I'd gathered that from reading one of those threads to the end.  I  
> really wanted to avoid having to build a custom kernel, especially if  
> the results might not even work.  I suppose I was just inquiring about  
> the status of bigmem in 4.5 and if it is considered "safe" to use yet?
>

Consider it unsafe. Without iommu (e.g. on Intel Boxes) many devices will
be unable to talk to memory > 4GB bad if that is where your data is. With
the amd64 gart acting as iommu it is possible to use the memory but as
nobody is using it for real now expect some bugs to be hit.

-- 
:wq Claudio



Re: AMD64 with 4GB RAM

2009-06-22 Thread Gaby Vanhegan

On 22 Jun 2009, at 14:58, Thomas Pfaff wrote:

> On Mon, 22 Jun 2009 12:37:08 +0100
> Gaby Vanhegan  wrote:
>>
>> I have a machine with 4GB RAM and a quad core Xeon processor.  Will it
>> be able to see the full 4GB of RAM or will I have to tweak bigmem,
>> either by building a custom kernel (really don't want to do that) or
>> by using config()?
>>
> You can't use config to toggle bigmem.  You need to set the bigmem
> variable to 1 in /usr/src/sys/arch/amd64/amd64/machdep.c, then you
> compile and install a new kernel.
>
> http://www.openbsd.org/faq/faq5.html#BldKernel explains how.

I'd gathered that from reading one of those threads to the end.  I
really wanted to avoid having to build a custom kernel, especially if
the results might not even work.  I suppose I was just inquiring about
the status of bigmem in 4.5 and if it is considered "safe" to use yet?


G.

--
Sent from my email program on my computer sitting on my desk in my  
house.

http://playr.co.uk/



Re: apache DOS tool

2009-06-22 Thread John Wright
On Mon, Jun 22, 2009 at 04:36:58PM +0200, Jonas Thambert wrote:
> Aiko Barz wrote:
> > On Mon, Jun 22, 2009 at 09:32:56PM +1200, Richard Toohey wrote:
> >> The solution, like the problem, lies in the network layer.  See iptables
> >> and similar network stack filters to provide protection against this  
> >> vector.
> >>
> > >> Seems like they (and you) are saying Apache is not the place for the
> > >> fix?
> > 
> > The apache would be the right place to fix the issue IMHO since other
> > webservers are not affected that much. Maybe something like not counting
> > an unfinished request as an active workerthread. But this is up to the
> > people who know the program internals, which I don't.
> > 
> > So long,
> > Aiko
> 
> This is more interesting:
> 
> http://www.phrack.com/issues.html?issue=66&id=9#article
> 
> //Jonas
> 

That looks like much lower level TCP timer stuff whereas the slowloris DOS
can be replicated with telnet or netcat.



sftp/ftp best practices

2009-06-22 Thread Dominguez, Roland
I received permission to set up our sftp/ftp server under Openbsd.
Is there a best practices doc for doing so?
I'm reading:
http://www.openbsd.org/faq/faq10.html#ftpchroot
and
http://www.openbsd.org/cgi-bin/man.cgi?query=ftpd&sektion=8

thanks in advance
roland dominguez



Re: apache DOS tool

2009-06-22 Thread Jonas Thambert
Aiko Barz wrote:
> On Mon, Jun 22, 2009 at 09:32:56PM +1200, Richard Toohey wrote:
>> The solution, like the problem, lies in the network layer.  See iptables
>> and similar network stack filters to provide protection against this  
>> vector.
>>
>> Seems like they (and you) are saying Apache is not the place for the
>> fix?
> 
> The apache would be the right place to fix the issue IMHO since other
> webservers are not affected that much. Maybe something like not counting
> an unfinished request as an active workerthread. But this is up to the
> people who know the program internals, which I don't.
> 
> So long,
> Aiko

This is more interesting:

http://www.phrack.com/issues.html?issue=66&id=9#article

//Jonas



Re: AMD64 with 4GB RAM

2009-06-22 Thread Thomas Pfaff
On Mon, 22 Jun 2009 12:37:08 +0100
Gaby Vanhegan  wrote:
>
> I have a machine with 4GB RAM and a quad core Xeon processor.  Will it  
> be able to see the full 4GB of RAM or will I have to tweak bigmem,  
> either by building a custom kernel (really don't want to do that) or  
> by using config()?
>
You can't use config to toggle bigmem.  You need to set the bigmem
variable to 1 in /usr/src/sys/arch/amd64/amd64/machdep.c, then you
compile and install a new kernel.

http://www.openbsd.org/faq/faq5.html#BldKernel explains how.



openbsd.org nixspam mirror broken

2009-06-22 Thread Andrew Von Cid

Hi all,

I just noticed that the link to the OpenBSD Nixspam mirror is broken on 
http://www.openbsd.org/spamd/.  Any ideas what happened?


I'm not sure if this is the right place to report this, please let me 
know if not and who should I ping to get this fixed.



Cheers,

Andrew.



AMD64 with 4GB RAM

2009-06-22 Thread Gaby Vanhegan
Does anybody know the status of large memory support in 4.5/amd64?  I  
found this about 4.4 not finding the full 4GB:

http://kerneltrap.org/mailarchive/openbsd-misc/2008/12/15/4420904

And this about bigmem causing boot failure:


http://kerneltrap.org/index.php?q=mailarchive/openbsd-misc/2008/10/8/3555614/thread

And I've looked at the changelog between 4.4 and 4.5 for any memory  
related changes.

I have a machine with 4GB RAM and a quad core Xeon processor.  Will it  
be able to see the full 4GB of RAM or will I have to tweak bigmem,  
either by building a custom kernel (really don't want to do that) or  
by using config()?

Gaby.

-- 
Uganda Maximum - Enemy of the English Thrust
http://www.playr.co.uk/



powerdns port

2009-06-22 Thread Bambero
Hi,

It seems there is no ldap backend for powerdns. Does anyone know why ?

Bambero



pf logging session init and close with match action

2009-06-22 Thread Csaba Szép
Hi!

I would like to log a SYN packet in the beginning of sessions and the
FIN and/or RST packet at the end with the new match action.

cat pf.conf

set skip on lo
block in log
pass out

match in log flags S/S
match in log flags F/F
match in log flags R/R
pass in proto tcp from any to (vic0) port 22


If I initiate a new ssh connection to the firewall the match condition seems ok.

Jun 22 13:04:17.797771 rule 2/(match) match in on vic0:
192.168.229.1.3711 > 192.168.229.128.22: S 326636544:326636544(0) win
65535  (DF)

But if I terminate the ssh session I don't see any further logs.

So my question is: Is it possible to use the match action for this
scenario (or something else) or did I totally misunderstand something?

Thx
Godot

PS: Sorry if my english is terrible
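
Why the FIN and RST rules in the post stay silent, as an added example that is not part of the original message: pf evaluates the ruleset only for the packet that creates a state entry, so later packets of the ssh session never reach the match rules. The interface and port are taken from the post; `log (all)` on the stateful pass rule is the change.

```pf
# Added example, not from the original post.
set skip on lo
block in log
pass out

# The SYN creates the state entry. Every later packet of the connection,
# FIN and RST included, is matched against that state and passed without
# the ruleset being evaluated, so "match in log flags F/F" and
# "match in log flags R/R" cannot fire for an established session.
#
# log (all) on the stateful rule logs every packet that uses the state,
# not only the packet that created it.
pass in log (all) proto tcp from any to (vic0) port 22
```

This logs the data packets of the session as well; when reading pflog0, a tcpdump filter such as `tcp[13] & 7 != 0` keeps only packets with FIN, SYN or RST set.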



Re: apache DOS tool

2009-06-22 Thread Aiko Barz
On Mon, Jun 22, 2009 at 09:32:56PM +1200, Richard Toohey wrote:
> The solution, like the problem, lies in the network layer.  See iptables
> and similar network stack filters to provide protection against this  
> vector.
>
> Seems like they (and you) are saying Apache is not the place for the
> fix?

The apache would be the right place to fix the issue IMHO since other
webservers are not affected that much. Maybe something like not counting
an unfinished request as an active workerthread. But this is up to the
people who know the program internals, which I don't.

So long,
Aiko
-- 
:wq b  



Re: apache DOS tool

2009-06-22 Thread Richard Toohey

On 22/06/2009, at 9:25 PM, Aiko Barz wrote:

> On Mon, Jun 22, 2009 at 08:31:01PM +1200, Richard Toohey wrote:
>> On 20/06/2009, at 8:24 AM, Peter van Oord van der Vlies wrote:
>>
>>> Hi,
>>>
>>> Today some pages are publishing news about an apache DOS tool, for
>>> example (http://isc.sans.org/diary.html?storyid=6601) and
>>> http://ha.ckers.org/blog/20090617/slowloris-http-dos/
>>>
>>> Does this apply to the openbsd apache too?
>>>
>>> Peter
>>
>> Looks like it is old ...
>>
>> http://marc.info/?l=apache-httpd-bugs&m=124533720717343&w=2
>>
>> And advice here ...
>>
>> http://httpd.apache.org/docs/trunk/misc/security_tips.html#dos
>>
>> (Yes, I appreciate that it doesn't directly answer your question,
>> but might help someone ...)
>
> Nope, this does not help at all. Reducing the Timeout helps for a
> second. But reducing the timeout in slowloris.pl too, makes the apache
> unreachable within seconds again.
>
> Haven't tested OpenBSD's Apache-1.3 so far. But the only thing, that
> helps currently IMHO, is to limit the number of established connections
> per IP. So, one client is not able to block all the available apache
> processes (threads) anymore.
>
> So long,
> Aiko
> --
> :wq b

By "help" I also meant "explain" - not "here's a fix" ... the top
link I posted said this:

Every network application is affected by such attacks, this is a protocol
level issue.  It occurs at the network layer, not the application layer,
as demonstrated by the fact that AcceptFilter in httpd has no impact on
the attack.

The solution, like the problem, lies in the network layer.  See iptables
and similar network stack filters to provide protection against this
vector.

Seems like they (and you) are saying Apache is not the place for
the fix?

Enough from me ...



Re: apache DOS tool

2009-06-22 Thread Aiko Barz
On Mon, Jun 22, 2009 at 08:31:01PM +1200, Richard Toohey wrote:
> On 20/06/2009, at 8:24 AM, Peter van Oord van der Vlies wrote:
>
>> Hi,
>>
>> Today some pages are publishing news about an apache DOS tool, for
>> example (http://isc.sans.org/diary.html?storyid=6601) and
>> http://ha.ckers.org/blog/20090617/slowloris-http-dos/
>>
>> Does this apply to the openbsd apache too?
>>
>> Peter
>
>
> Looks like it is old ...
>
> http://marc.info/?l=apache-httpd-bugs&m=124533720717343&w=2
>
> And advice here ...
>
> http://httpd.apache.org/docs/trunk/misc/security_tips.html#dos
>
> (Yes, I appreciate that it doesn't directly answer your question,
> but might help someone ...)

Nope, this does not help at all. Reducing the Timeout helps for a
second. But reducing the timeout in slowloris.pl too, makes the apache
unreachable within seconds again.

Haven't tested OpenBSD's Apache-1.3 so far. But the only thing, that
helps currently IMHO, is to limit the number of established connections
per IP. So, one client is not able to block all the available apache
processes (threads) anymore.

So long,
Aiko
-- 
:wq b  
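
The per-IP limit on established connections suggested in the message above maps onto pf's source-tracking state options. This is an added example, not from the thread; the interface macro, the table name and every numeric limit are assumptions to tune per site.

```pf
# Added example, not from the thread. ext_if, the table name and all
# numeric limits below are assumed values.
ext_if = "em0"

table <http_abusers> persist

# Sources that exceeded the limits are dropped before they reach httpd.
block in quick on $ext_if from <http_abusers>

# max-src-conn caps simultaneous connections that completed the TCP
# handshake per source address, so one client cannot hold every Apache
# process. max-src-conn-rate caps new connections per interval
# (here 20 in 5 seconds). overload adds the offending address to the
# table; flush global removes all states that address already holds.
pass in on $ext_if proto tcp to port www flags S/SA keep state \
    (max-src-conn 30, max-src-conn-rate 20/5, \
     overload <http_abusers> flush global)
```

Clients that share one address behind NAT or a proxy count as a single source, so the cap has to allow for them. Table entries can be aged out with `pfctl -t http_abusers -T expire 3600`.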



Re: Open Vs Free BSD

2009-06-22 Thread Holger Kipp
Daniel Bolgheroni wrote:
> On Fri, 19 Jun 2009, Holger Kipp wrote:
>   
>> On Fri, Jun 19, 2009 at 09:47:35AM +0100, Michal wrote:
>>
>> For the masses:
>>
>> - NetBSD: Run on any hardware (including toasters)
>> - OpenBSD: Be as secure as possible
>> - FreeBSD: provide best system for x86-platforms
>> 
>
> It's a mistake to make this association.
>   
I don't think so:

*NetBSD say on their website:*
NetBSD is a free, fast, secure, and _highly_portable_ Unix-like Open 
Source operating system. It is available for a 
_wide_range_of_platforms_, from large-scale servers and powerful desktop 
systems to handheld and embedded devices. Its clean design and advanced 
features make it excellent for use in both production and research 
environments, and the source code is freely available under a 
business-friendly license.

*OpenBSD say on their website:*
The OpenBSD project produces a *FREE*, multi-platform 4.4BSD-based 
UNIX-like operating system. Our efforts emphasize portability, 
standardization, correctness, proactive security and integrated 
cryptography.

*FreeBSD say on their website:*
FreeBSD is an advanced operating system for _x86_compatible_ (including 
Pentium® and Athlon™), _amd64_compatible_ (including Opteron™, 
Athlon™64, and EM64T), ARM, IA-64, PowerPC, PC-98 and UltraSPARC® 
architectures.
[..]
With over 20,000 ported libraries and applications, FreeBSD supports 
applications for desktop, server, appliance, and embedded environments.


Actually I like it this way, because every BSD variant has a different 
focus and is trying different ways to solve problems or fulfill user 
requirements. Whatever turns out to be best will be incorporated into 
the other *BSDs whenever the need arises. Each of the mentioned BSDs has 
its advantages and disadvantages, so what? Choose the system you seem 
best suited for your needs. Afaik some developers are also working on 
several BSD-flavours.
> OpenBSD people chose "security" as an argument to describe what the OS 
> is. It's true and I believe it can attract more users, but on the other 
> side, people seem to think OpenBSD is ONLY used when you need security, 
> like a firewall, router, etc.
>   
OpenBSD was a fork of NetBSD but is having more of a focus on security. 
This is a good thing. We might not have OpenSSH, PF etc. without it. 
Afaik OpenBSD however is using a simple Giant Lock for MP which FreeBSD 
got rid of some time ago (wasn't an easy task) which now results in very 
good scalability of FreeBSD on MP systems. I have not checked how NetBSD 
is handling MP and have also not conducted any performance tests in this 
area, though.
> OpenBSD is a GENERIC OS which can be used to do _almost_ every task a 
> computer system is able to.
>   
This is true for all unix-like (and many other) operating systems. I 
don't see the point here.

The OP did not intend to start a flame war, and I don't either. I like 
OpenBSD (because of the security features and supported platforms). I 
like NetBSD (because of the supported platforms - especially RiscPCs - 
and the clean implementation). I like FreeBSD because of the many 
available ports (which in the past was a reason to choose FreeBSD over 
NetBSD or OpenBSD on x86-hardware) and for other reasons. There is no 
general "a is better than b" here. It all depends on the requirements 
and what you're familiar with.

I prefer FreeBSD because I have ipf, ipfw and pf to choose from, it has 
good MP support, ZFS and never let me down since 2.2.8.
I also use OpenBSD and NetBSD occasionally and support their projects by 
buying their CDs and T-Shirts every now and then.

Best regards,
Holger



Re: routing/network question

2009-06-22 Thread Claudio Jeker
On Sun, Jun 21, 2009 at 05:57:09PM -0700, patrick keshishian wrote:
> On Sun, Jun 21, 2009 at 3:42 PM, Philip Guenther wrote:
> > On Sun, Jun 21, 2009 at 10:36 AM, patrick keshishian
> wrote:
> 
> >> Maybe I just wrote too many words. In simple terms, once a new route
> >> has been added to the routing table, all traffic should consider the
> >> new route right? So, is the ppp interface treated differently when it
> >> comes to routing in OpenBSD?
> >
> > Does this quote from the netstat(8) manpage explain the behavior?
> >     Connection oriented protocols normally hold on to a single route
> >     for the duration of a connection while connectionless protocols obtain a
> >     route while sending to the same destination.
> 
> ah, yes. this is good, as it confirms part of my observation; note
> that i was not specific on the type of socket used, because it did not
> make a difference. I simply said "same socket descriptor", indicating
> one created prior to the establishment of the new route.
> 
> e.g., I can start a ping going for the particular host on the remote
> network, next establish the route and the pings continue out on the
> physical interface. If I start a new ping, those packets, now, go
> through the ppp0 interface. As verified with tcpdump.
> 
> So, it seems, based on my observations, routes are "sticky" with
> respect to sockets; even non-TCP sockets, which seems bit odd. Do you
> not agree?
> 

Yes, sockets cache routes and that's good and it will most probably
not change anytime soon. If the route becomes unavailable a new lookup
will be done.

-- 
:wq Claudio



Re: Open Vs Free BSD

2009-06-22 Thread Peter Kay - Syllopsium

From: "Anton Parol"
> OBSD is the best choice of OS for people who like violent little fish
> mascots.
>
> And it has blue-boot-console-thingy (tm) . Ace.


I wasn't going to contribute to this thread, but I have to ask. *What* 
blue-boot-console-thingy?


I'm not sure it's sensible to do direct comparisons of 
NetBSD/OpenBSD/FreeBSD. At first glance the maxim of 'OpenBSD is more 
secure, NetBSD is more portable, FreeBSD has better support' applies, 
however OpenBSD has some platform support that NetBSD does not and NetBSD, 
for a Unix that on first glance looks a bit hardcore, has quite a large 
amount of functionality and seems quite willing to experiment with new 
features. FreeBSD is sometimes promoted as being mostly i386 based, but 
supports a number of platforms.


There's the cultural and administrative differences, too. Custom kernels are 
pretty much anathema to OpenBSD, encouraged on NetBSD and generally handled 
by modules on FreeBSD..


PK 



Re: Open Vs Free BSD

2009-06-22 Thread Michal
-Original Message-
From: owner-freebsd-sta...@freebsd.org
[mailto:owner-freebsd-sta...@freebsd.org] On Behalf Of Charlie Kester
Sent: 19 June 2009 20:24
To: freebsd-sta...@freebsd.org
Subject: Re: Open Vs Free BSD

On Fri 19 Jun 2009 at 11:23:26 PDT Michael R. Wayne wrote:
>
>OK, I'm going to take a guess here that English may not be Michal's primary
>language and re-ask his question:
>
>   Given the several versions of *BSD, I have been led to understand
>   that each excels in different ways.  How do I select which one
>   is right for my application, what are the underlying reasons
>   that would lead me to that choice and what are the the disadvantages
>   I am risking?
>
>This is, actually, not an inappropriate question coming from a potential
>new user who is not familiar with the history surrounding the various
>versions and would make an outstanding FAQ.  As an example, we run FreeBSD
>on our firewalling machines because it works well enough and we prefer the
>reduced support costs of using a single O/S across our network.  I am unsure
>of what the advantage of moving to OpenBSD might be and would find it very
>difficult to quantify the advantages (if any) versus the increased support
>resources required.
>
>This is a very real issue.  Linux has a similar problem; I've personally
>been in meetings where clients examined the myriad Linux distributions
>and say "It's very likely that we will make the incorrect choice.  So we'll
>go with Windows."  I suspect similar events have occurred with *BSD.  So,
>rather than jumping on people about them bringing up religious wars (because,
>face it, you CAN edit a file perfectly well in either vi or emacs :-), we'd
>all be better served by giving them enough information to make the
>right choice in their situation while realizing the tradeoffs they are
>making.


I agree, this shouldn't necessarily be treated as flamebait or trolling.

But shouldn't the question be redirected to the advocacy mailing
list/team?
--

Sorry, I would just like to add that English is my first and only language.
As I said at a Terremark Europe meeting, (everyone else spoke [mostly] Dutch
and English, I speak English and bad English. I think my dyslexia and
general ignorance may have caused the confusion in my question. I was never
asking WHO WINS WHO WINS, as I have multiple OS's running, more looking
forward 2-5 years, upgrades and so forth, what should I take in to account.
From the answers I have got, I've learned that I should ask my questions
better, most importantly I think there, and OBSD may not have lots of
packages but it has brilliant security. A desktop might be served better
with Linux or FreeBSD, but at the end of the day, it's your horse, your
course. You choose as you wish.

I thank you all



Re: apache DOS tool

2009-06-22 Thread Richard Toohey

On 20/06/2009, at 8:24 AM, Peter van Oord van der Vlies wrote:

> Hi,
>
> Today some pages are publishing news about an apache DOS tool, for
> example (http://isc.sans.org/diary.html?storyid=6601) and
> http://ha.ckers.org/blog/20090617/slowloris-http-dos/
>
> Does this apply to the openbsd apache too?
>
> Peter

Looks like it is old ...

http://marc.info/?l=apache-httpd-bugs&m=124533720717343&w=2

And advice here ...

http://httpd.apache.org/docs/trunk/misc/security_tips.html#dos

(Yes, I appreciate that it doesn't directly answer your question,
but might help someone ...)



Re: Open Vs Free BSD

2009-06-22 Thread Anton Parol
OBSD is the best choice of OS for people who like violent little fish 
mascots.

And it has blue-boot-console-thingy (tm) . Ace.



Re: exec/unexec

2009-06-22 Thread Alexander Hall
Joachim Schipper wrote:
> On Mon, Jun 22, 2009 at 12:00:31AM +0300, Cem Kayali wrote:
>> Hi,
>>
>> Thanks for your reply.
>>
>> -I   If scripts exist for a given package, do not execute them.
>>
>>
>> This does not work... I will re-check, but "pkg_add -vvvI" shows that  
>> scripts are executed.
>>
>>
>> Well, one of my client would like to run any 3rd party script only as  
>> regular user.
> 
> Not to be annoying, but this is pretty pointless. (S)he has already
> installed OpenBSD and is installing the port in question; in other
> words, (s)he has already decided to trust the OpenBSD and port authors,
> and to some extent the port maintainer as well. Letting the port run
> scripts doesn't require trusting anyone that isn't already trusted.

I agree, but still there is a difference in that the @{un,}exec stuff
would always be run as root.



Re: exec/unexec

2009-06-22 Thread Joachim Schipper
On Mon, Jun 22, 2009 at 12:00:31AM +0300, Cem Kayali wrote:
> Hi,
>
> Thanks for your reply.
>
> -I   If scripts exist for a given package, do not execute them.
>
>
> This does not work... I will re-check, but "pkg_add -vvvI" shows that  
> scripts are executed.
>
>
> Well, one of my client would like to run any 3rd party script only as  
> regular user.

Not to be annoying, but this is pretty pointless. (S)he has already
installed OpenBSD and is installing the port in question; in other
words, (s)he has already decided to trust the OpenBSD and port authors,
and to some extent the port maintainer as well. Letting the port run
scripts doesn't require trusting anyone that isn't already trusted.

Joachim