Re: any web management gui for pf ?

2010-03-13 Thread Bret S. Lambert
On Sun, Mar 14, 2010 at 12:42:21PM +0500, Илья Шипицин wrote:
> the situation is pretty clear - any web gui for pf, something what
> pfsense already is, but installable on "clean" OpenBSD box. you
> probably do not make sense what are mailing lists for.
> mailing lists are for asking questions and for answering questions. if
> you have nothing to say except "read the fantastic manual", please,
> keep quiet.
> 
> "read the fantastic manual" doesn't help anybody. it doesn't make no
> point at all.

I never pointed you at a manual; I asked for clarification and gave you
a path to solving your problem, which apparently left you all butthurt.

I'm sorry I didn't hold your hand and tell you you were special.

> 
> 2010/3/14 Bret S. Lambert :
> > On Sun, Mar 14, 2010 at 12:30:58PM +0500,  ??? wrote:
> >> I just want to make sure there's no wheel already invented ))
> >
> > While that's a fair enough thing to do, you didn't really tell
> > anybody what you were going to use the wheel for.
> >
> > I could continue the metaphor, but that would quickly become
> > illegible, so I'll just reiterate:
> >
> > State the problem you're trying to solve before trying to enlist
> > the help of others in solving it.



Re: any web management gui for pf ?

2010-03-13 Thread Илья Шипицин
the problem was described very precisely "pf gui like pfsense, but
installable on clean OpenBSD box", wasn't it ?


> State the problem you're trying to solve before trying to enlist
> the help of others in solving it.

read the letter before answering to it.


2010/3/14 Bret S. Lambert :
> On Sun, Mar 14, 2010 at 12:30:58PM +0500,  ??? wrote:
>> I just want to make sure there's no wheel already invented ))
>
> While that's a fair enough thing to do, you didn't really tell
> anybody what you were going to use the wheel for.
>
> I could continue the metaphor, but that would quickly become
> illegible, so I'll just reiterate:
>
> State the problem you're trying to solve before trying to enlist
> the help of others in solving it.



Re: any web management gui for pf ?

2010-03-13 Thread Илья Шипицин
the situation is pretty clear - any web gui for pf, something what
pfsense already is, but installable on "clean" OpenBSD box. you
probably do not make sense what are mailing lists for.
mailing lists are for asking questions and for answering questions. if
you have nothing to say except "read the fantastic manual", please,
keep quiet.

"read the fantastic manual" doesn't help anybody. it doesn't make no
point at all.

2010/3/14 Bret S. Lambert :
> On Sun, Mar 14, 2010 at 12:30:58PM +0500,  ??? wrote:
>> I just want to make sure there's no wheel already invented ))
>
> While that's a fair enough thing to do, you didn't really tell
> anybody what you were going to use the wheel for.
>
> I could continue the metaphor, but that would quickly become
> illegible, so I'll just reiterate:
>
> State the problem you're trying to solve before trying to enlist
> the help of others in solving it.



Re: any web management gui for pf ?

2010-03-13 Thread Bret S. Lambert
On Sun, Mar 14, 2010 at 12:30:58PM +0500, Илья Шипицин wrote:
> I just want to make sure there's no wheel already invented ))

While that's a fair enough thing to do, you didn't really tell
anybody what you were going to use the wheel for.

I could continue the metaphor, but that would quickly become
illegible, so I'll just reiterate:

State the problem you're trying to solve before trying to enlist
the help of others in solving it.



Re: any web management gui for pf ?

2010-03-13 Thread Илья Шипицин
I just want to make sure there's no wheel already invented ))

2010/3/14 Bret S. Lambert :
> On Sun, Mar 14, 2010 at 12:05:48PM +0500,  ??? wrote:
>> a) two CARP-connected OpenBSD boxes
>>
>> b) many "real" IP addresses bound to OpenBSD
>>
>> c) RFC1918 (non routable) network with servers
>>
>> d1) monkey button for "nat" rules, so some servers can connect to
>> certain services (say, smtp to Gmail)
>>
>> d2) monkey button for "rdr" rules, so some servers could be "published"
>> on certain IP addresses
>
> This is actually pretty straightforward, if you're willing to
> build a script which takes a few files as input and then generates
> a pf.conf from each machine from those.
>
> NAT monkey button adds/removes entries from a pf.conf.nat
> RDR monkey button adds/removes entries from a pf.conf.rdr
>
> Some magic happens to trigger the pf.conf getting pulled together
> from those and any other bits you may require (e.g., pf.conf.mypr0n)
> and that gets pushed to your servers.
>
> How complex you make each of these bits is left as an exercise for
> the reader.
>
> You don't need a towering edifice to solve simple problems. You
> damn just solve them.
>
>>
>> 2010/3/14 Bret S. Lambert :
>> > On Sun, Mar 14, 2010 at 11:48:44AM +0500,  ??? wrote:
>> >> we have many people who know ISA very well and all they do with ISA is
>> >> "publishing applications", rdr rules in terms of pf.
>> >> they do not need to know "all the pf detailed", all they need is
>> >>
>> >> a) something ISA-like
>> >> b) syntax-checker, I mean that gui should only allow adding correct
>> >> rules (what is not true when you edit file)
>> >>
>> >> "learn pf.conf and edit file" is not our case though.
>> >
>> > Then you're in a much more limited problem domain, and it may be
>> > solvable for you. However, this went from "how do I export the
>> > full ability to edit pf.conf into gui form" to possibly just
>> > being "i need to add rdr rules via monkey-usable button", which
>> > is several orders of magnitude easier.
>> >
>> > However, in order to receive help in solving a problem, you must
>> > first state what the problem you're attempting to solve is. As
>> > awesome as I am, your tinfoil underwear is rendering my telepathy
>> > utterly useless.
>> >
>> > So, to summarize: details, mofo.
>> >
>> >>
>> >> 2010/3/14 Jason Dixon :
>> >> > On Sun, Mar 14, 2010 at 11:02:29AM +0500,  ??? wrote:
>> >> >> Hello,
>> >> >>
>> >> >> is there any GUI (like pfsense) around which can be installed on a
>> >> >> clean OpenBSD box (or even two CARP-connected boxes) for pf management
>> >> >> ?
>> >> >> I've found comixwall, but it seems to be dead already.
>> >> >
>> >> > None that are worth it, imho.  If you want to do it right (you wouldn't
>> >> > use OpenBSD if you didn't) then learn pf and understand what you're
>> >> > putting together.  It's not hard.  In fact, compared to the
>> >> > other *nix firewalling alternatives, it's fucking easy.
>> >> >
>> >> > I've considered long and hard (TWSS) to write my own web interface for
>> >> > pf.  The prevailing design philosophies SUCK.  If you're going to
>> >> > bother, do it right;  proper abstraction of filtering and routing
>> >> > concepts is mandatory if you want to make something easy *and* secure.
>> >> > Why hasn't anyone done it?  It's really, really difficult.  And most
>> >> > developers that might take a crack at an OpenBSD pf web ui aren't
>> >> > experienced in interface design.
>> >> >
>> >> > I've written a few web applications related to OpenBSD (Hatchet,
>> >> > NetFlow Dashboard, Blogsum).  Compared to what a good web engineering
>> >> > team can put out, they suck.  But they do an adequate job with the task
>> >> > they're designed to handle.  Writing a log filtering interface isn't
>> >> > hard.  Writing a NetFlow query interface isn't hard.  Writing a blog
>> >> > application isn't hard (unless you're WordPress... then it's just
>> >> > bloated).
>> >> >
>> >> > I'll say it again... writing a good pf web UI is HARD.  It's infinitely
>> >> > more complicated and prone to security problems.  Reading the pf FAQ and
>> >> > editing pf.conf yourself is easier by geometric proportions.
>> >> >
>> >> > 
>> >> >
>> >> > --
>> >> > Jason Dixon
>> >> > DixonGroup Consulting
>> >> > http://www.dixongroup.net/



Re: any web management gui for pf ?

2010-03-13 Thread Jason Dixon
On Sun, Mar 14, 2010 at 12:12:31PM +0500, Илья Шипицин wrote:
> 2010/3/14 Jason Dixon :
> > On Sun, Mar 14, 2010 at 11:48:44AM +0500,  ??? wrote:
> >> we have many people who know ISA very well and all they do with ISA is
> >> "publishing applications", rdr rules in terms of pf.
> >> they do not need to know "all the pf detailed", all they need is
> >>
> >> a) something ISA-like
> >> b) syntax-checker, I mean that gui should only allow adding correct
> >> rules (what is not true when you edit file)
> >>
> >> "learn pf.conf and edit file" is not our case though.
> >
> > You're SOL on all counts.  Oh by the way, when you find that magical
> > firewall ui that "only allows adding correct rules", please let me know.
> > That's some insanely smart code that knows right from wrong.  Not even
> > pf itself will keep you from shooting yourself in the foot with
> > stupidity.
> 
> text files do not have any structure, from pf.conf's point of view the rule
> 
> "blok in all"
> 
> is nothing more than just a line

You obviously haven't read pfctl(8).  It supports syntax checking.

$ sudo grep -n blok /etc/pf.conf
30:blok in all

$ sudo pfctl -nf /etc/pf.conf
/etc/pf.conf:30: syntax error


-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



install stalls on base64.tgz

2010-03-13 Thread patrick keshishian
I've gone through the steps outlined in release(8) to create a release
set which then I used mkisofs and cdrecord from cdrtools (ports) to
burn a CD image that I use to upgrade my other machines with. The last
two times I had to do this, after an errata update, I notice that
during the set install time base46.tgz stalls towards the end (this
time at 77%):

base46.tgz  77% |*| 36648 KB - stalled -
(above is hand copied obviously)

The sets are being installed off of the same PC's CD drive. So I'm not
sure what is this indicating?

At first I thought maybe bad CD-Rs, but copying the .tgz sets to local
disk and using this path during the upgrade also stalls at the same
point (77% 36648 KB).

I don't recall what I did to get past this last time.

Any ideas?

--patrick

This is a GENERIC i386 4.6 system, following errata and using cvs up
-rOPENBSD_4_6



Re: any web management gui for pf ?

2010-03-13 Thread Bret S. Lambert
On Sun, Mar 14, 2010 at 12:05:48PM +0500, Илья Шипицин wrote:
> a) two CARP-connected OpenBSD boxes
> 
> b) many "real" IP addresses bound to OpenBSD
> 
> c) RFC1918 (non routable) network with servers
> 
> d1) monkey button for "nat" rules, so some servers can connect to
> certain services (say, smtp to Gmail)
> 
> d2) monkey button for "rdr" rules, so some servers could be "published"
> on certain IP addresses

This is actually pretty straightforward, if you're willing to
build a script which takes a few files as input and then generates
a pf.conf from each machine from those.

NAT monkey button adds/removes entries from a pf.conf.nat
RDR monkey button adds/removes entries from a pf.conf.rdr

Some magic happens to trigger the pf.conf getting pulled together
from those and any other bits you may require (e.g., pf.conf.mypr0n)
and that gets pushed to your servers.

How complex you make each of these bits is left as an exercise for
the reader.

You don't need a towering edifice to solve simple problems. You
damn just solve them.

> 
> 2010/3/14 Bret S. Lambert :
> > On Sun, Mar 14, 2010 at 11:48:44AM +0500,  ??? wrote:
> >> we have many people who know ISA very well and all they do with ISA is
> >> "publishing applications", rdr rules in terms of pf.
> >> they do not need to know "all the pf detailed", all they need is
> >>
> >> a) something ISA-like
> >> b) syntax-checker, I mean that gui should only allow adding correct
> >> rules (what is not true when you edit file)
> >>
> >> "learn pf.conf and edit file" is not our case though.
> >
> > Then you're in a much more limited problem domain, and it may be
> > solvable for you. However, this went from "how do I export the
> > full ability to edit pf.conf into gui form" to possibly just
> > being "i need to add rdr rules via monkey-usable button", which
> > is several orders of magnitude easier.
> >
> > However, in order to receive help in solving a problem, you must
> > first state what the problem you're attempting to solve is. As
> > awesome as I am, your tinfoil underwear is rendering my telepathy
> > utterly useless.
> >
> > So, to summarize: details, mofo.
> >
> >>
> >> 2010/3/14 Jason Dixon :
> >> > On Sun, Mar 14, 2010 at 11:02:29AM +0500,  ??? wrote:
> >> >> Hello,
> >> >>
> >> >> is there any GUI (like pfsense) around which can be installed on a
> >> >> clean OpenBSD box (or even two CARP-connected boxes) for pf management
> >> >> ?
> >> >> I've found comixwall, but it seems to be dead already.
> >> >
> >> > None that are worth it, imho.  If you want to do it right (you wouldn't
> >> > use OpenBSD if you didn't) then learn pf and understand what you're
> >> > putting together.  It's not hard.  In fact, compared to the
> >> > other *nix firewalling alternatives, it's fucking easy.
> >> >
> >> > I've considered long and hard (TWSS) to write my own web interface for
> >> > pf.  The prevailing design philosophies SUCK.  If you're going to
> >> > bother, do it right;  proper abstraction of filtering and routing
> >> > concepts is mandatory if you want to make something easy *and* secure.
> >> > Why hasn't anyone done it?  It's really, really difficult.  And most
> >> > developers that might take a crack at an OpenBSD pf web ui aren't
> >> > experienced in interface design.
> >> >
> >> > I've written a few web applications related to OpenBSD (Hatchet,
> >> > NetFlow Dashboard, Blogsum).  Compared to what a good web engineering
> >> > team can put out, they suck.  But they do an adequate job with the task
> >> > they're designed to handle.  Writing a log filtering interface isn't
> >> > hard.  Writing a NetFlow query interface isn't hard.  Writing a blog
> >> > application isn't hard (unless you're WordPress... then it's just
> >> > bloated).
> >> >
> >> > I'll say it again... writing a good pf web UI is HARD.  It's infinitely
> >> > more complicated and prone to security problems.  Reading the pf FAQ and
> >> > editing pf.conf yourself is easier by geometric proportions.
> >> >
> >> > 
> >> >
> >> > --
> >> > Jason Dixon
> >> > DixonGroup Consulting
> >> > http://www.dixongroup.net/
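
An added example (not code from the thread or from anyone in it) of the approach suggested above: a generator turns a restricted publish list into rdr rules for pf.conf.rdr, refusing any entry that is not well formed, and the assembled file is syntax-checked with pfctl -nf as in Jason Dixon's reply. The list format, the file names publish.list, pf.conf.head and pf.conf.filter, and the $ext_if macro are assumptions; the rdr syntax is the pre-4.7 form the thread talks about (OpenBSD 4.7 and later write it as rdr-to on a match or pass rule).

```sh
#!/bin/sh
# Added example: build pf.conf.rdr from a restricted "publish list" and
# syntax-check the assembled ruleset. Assumed list format, one entry per line:
#   public_ip public_port internal_ip internal_port

# is_ipv4 ADDR: dotted quad, octets 0..255, no leading zeros.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in 0?*) return 1 ;; esac
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# is_port N: decimal 1..65535, no leading zeros.
is_port() {
    case $1 in
        ''|*[!0-9]*|0*) return 1 ;;
    esac
    [ ${#1} -le 5 ] && [ "$1" -le 65535 ]
}

# is_rfc1918 ADDR: the redirect target must be on the private server network.
is_rfc1918() {
    is_ipv4 "$1" || return 1
    case $1 in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# gen_rdr: read the publish list on stdin, write rdr rules on stdout.
# Fails closed: if any entry is rejected, nothing is written and the
# return status is 1, so a bad entry never reaches pf.conf as free text.
gen_rdr() {
    out='' n=0 bad=0
    while read -r pub pport int iport extra || [ -n "$pub" ]; do
        n=$((n + 1))
        case $pub in ''|'#'*) continue ;; esac
        if [ -n "$extra" ] || ! is_ipv4 "$pub" || ! is_port "$pport" ||
           ! is_rfc1918 "$int" || ! is_port "$iport"; then
            echo "publish list line $n rejected" >&2
            bad=1
            continue
        fi
        # $ext_if is a pf macro assumed to be defined in pf.conf.head.
        out="${out}rdr on \$ext_if proto tcp from any to $pub port $pport -> $int port $iport
"
    done
    [ "$bad" -eq 0 ] || return 1
    printf '%s' "$out"
}

# build_pf_conf DIR: regenerate DIR/pf.conf.rdr, pull the fragments together
# into DIR/pf.conf.new and let pfctl parse it without loading it (-n).
# pf.conf.nat and pf.conf.rdr are the fragment names from the thread; the
# head and filter fragments are hypothetical hand-maintained files.
build_pf_conf() {
    dir=$1
    gen_rdr < "$dir/publish.list" > "$dir/pf.conf.rdr.tmp" || {
        rm -f "$dir/pf.conf.rdr.tmp"; return 1; }
    mv "$dir/pf.conf.rdr.tmp" "$dir/pf.conf.rdr"
    cat "$dir/pf.conf.head" "$dir/pf.conf.nat" "$dir/pf.conf.rdr" \
        "$dir/pf.conf.filter" > "$dir/pf.conf.new" || return 1
    pfctl -nf "$dir/pf.conf.new"
}

# Constructed sample input (documentation and RFC1918 addresses).
sample_publish_list() {
    cat <<'EOF'
# public_ip    public_port internal_ip  internal_port
203.0.113.10   80          10.0.0.5     8080
203.0.113.11   25          192.168.1.20 25
EOF
}

# Prints the two generated rdr rules.
sample_publish_list | gen_rdr

# An entry whose target is not on the private network is refused.
printf '203.0.113.10 443 198.51.100.7 443\n' | gen_rdr ||
    echo "list rejected, nothing generated" >&2
```

Only after build_pf_conf succeeds would pf.conf.new be moved into place and pushed to both CARP boxes; as the thread points out, pfctl -n checks syntax only and does not tell you whether the rule is the one you wanted.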



Re: any web management gui for pf ?

2010-03-13 Thread Илья Шипицин
2010/3/14 Jason Dixon :
> On Sun, Mar 14, 2010 at 11:48:44AM +0500,  ??? wrote:
>> we have many people who know ISA very well and all they do with ISA is
>> "publishing applications", rdr rules in terms of pf.
>> they do not need to know "all the pf detailed", all they need is
>>
>> a) something ISA-like
>> b) syntax-checker, I mean that gui should only allow adding correct
>> rules (what is not true when you edit file)
>>
>> "learn pf.conf and edit file" is not our case though.
>
> You're SOL on all counts.  Oh by the way, when you find that magical
> firewall ui that "only allows adding correct rules", please let me know.
> That's some insanely smart code that knows right from wrong.  Not even
> pf itself will keep you from shooting yourself in the foot with
> stupidity.

text files do not have any structure, from pf.conf's point of view the rule

"blok in all"

is nothing more than just a line

I didn't mean prevent myself from "shooting myself in the foot"

>
> --
> Jason Dixon
> DixonGroup Consulting
> http://www.dixongroup.net/



Re: any web management gui for pf ?

2010-03-13 Thread Илья Шипицин
a) two CARP-connected OpenBSD boxes

b) many "real" IP addresses bound to OpenBSD

c) RFC1918 (non routable) network with servers

d1) monkey button for "nat" rules, so some servers can connect to
certain services (say, smtp to Gmail)

d2) monkey button for "rdr" rules, so some servers could be "published"
on certain IP addresses

2010/3/14 Bret S. Lambert :
> On Sun, Mar 14, 2010 at 11:48:44AM +0500,  ??? wrote:
>> we have many people who know ISA very well and all they do with ISA is
>> "publishing applications", rdr rules in terms of pf.
>> they do not need to know "all the pf detailed", all they need is
>>
>> a) something ISA-like
>> b) syntax-checker, I mean that gui should only allow adding correct
>> rules (what is not true when you edit file)
>>
>> "learn pf.conf and edit file" is not our case though.
>
> Then you're in a much more limited problem domain, and it may be
> solvable for you. However, this went from "how do I export the
> full ability to edit pf.conf into gui form" to possibly just
> being "i need to add rdr rules via monkey-usable button", which
> is several orders of magnitude easier.
>
> However, in order to receive help in solving a problem, you must
> first state what the problem you're attempting to solve is. As
> awesome as I am, your tinfoil underwear is rendering my telepathy
> utterly useless.
>
> So, to summarize: details, mofo.
>
>>
>> 2010/3/14 Jason Dixon :
>> > On Sun, Mar 14, 2010 at 11:02:29AM +0500,  ??? wrote:
>> >> Hello,
>> >>
>> >> is there any GUI (like pfsense) around which can be installed on a
>> >> clean OpenBSD box (or even two CARP-connected boxes) for pf management
>> >> ?
>> >> I've found comixwall, but it seems to be dead already.
>> >
>> > None that are worth it, imho.  If you want to do it right (you wouldn't
>> > use OpenBSD if you didn't) then learn pf and understand what you're
>> > putting together.  It's not hard.  In fact, compared to the
>> > other *nix firewalling alternatives, it's fucking easy.
>> >
>> > I've considered long and hard (TWSS) to write my own web interface for
>> > pf.  The prevailing design philosophies SUCK.  If you're going to
>> > bother, do it right;  proper abstraction of filtering and routing
>> > concepts is mandatory if you want to make something easy *and* secure.
>> > Why hasn't anyone done it?  It's really, really difficult.  And most
>> > developers that might take a crack at an OpenBSD pf web ui aren't
>> > experienced in interface design.
>> >
>> > I've written a few web applications related to OpenBSD (Hatchet,
>> > NetFlow Dashboard, Blogsum).  Compared to what a good web engineering
>> > team can put out, they suck.  But they do an adequate job with the task
>> > they're designed to handle.  Writing a log filtering interface isn't
>> > hard.  Writing a NetFlow query interface isn't hard.  Writing a blog
>> > application isn't hard (unless you're WordPress... then it's just
>> > bloated).
>> >
>> > I'll say it again... writing a good pf web UI is HARD.  It's infinitely
>> > more complicated and prone to security problems.  Reading the pf FAQ and
>> > editing pf.conf yourself is easier by geometric proportions.
>> >
>> > 
>> >
>> > --
>> > Jason Dixon
>> > DixonGroup Consulting
>> > http://www.dixongroup.net/



Re: OpenBSD 4.7 pre-orders are live!

2010-03-13 Thread Predrag Punosevac
I am probably missing something big time but could somebody enlighten me
and explain why would 4.7 be released May 19 2010?

If the schedule is going back to normal it should be May 1st. If 4.7
is to be released six months from 4.6 it should be released April 19th.
Right?

Cheers,
Predrag



Re: any web management gui for pf ?

2010-03-13 Thread Jason Dixon
On Sun, Mar 14, 2010 at 11:48:44AM +0500, Илья Шипицин wrote:
> we have many people who know ISA very well and all they do with ISA is
> "publishing applications", rdr rules in terms of pf.
> they do not need to know "all the pf detailed", all they need is
> 
> a) something ISA-like
> b) syntax-checker, I mean that gui should only allow adding correct
> rules (what is not true when you edit file)
> 
> "learn pf.conf and edit file" is not our case though.

You're SOL on all counts.  Oh by the way, when you find that magical
firewall ui that "only allows adding correct rules", please let me know.
That's some insanely smart code that knows right from wrong.  Not even
pf itself will keep you from shooting yourself in the foot with
stupidity.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: any web management gui for pf ?

2010-03-13 Thread Bret S. Lambert
On Sun, Mar 14, 2010 at 11:48:44AM +0500, Илья Шипицин wrote:
> we have many people who know ISA very well and all they do with ISA is
> "publishing applications", rdr rules in terms of pf.
> they do not need to know "all the pf detailed", all they need is
> 
> a) something ISA-like
> b) syntax-checker, I mean that gui should only allow adding correct
> rules (what is not true when you edit file)
> 
> "learn pf.conf and edit file" is not our case though.

Then you're in a much more limited problem domain, and it may be
solvable for you. However, this went from "how do I export the
full ability to edit pf.conf into gui form" to possibly just
being "i need to add rdr rules via monkey-usable button", which
is several orders of magnitude easier.

However, in order to receive help in solving a problem, you must
first state what the problem you're attempting to solve is. As
awesome as I am, your tinfoil underwear is rendering my telepathy
utterly useless.

So, to summarize: details, mofo.

> 
> 2010/3/14 Jason Dixon :
> > On Sun, Mar 14, 2010 at 11:02:29AM +0500,  ??? wrote:
> >> Hello,
> >>
> >> is there any GUI (like pfsense) around which can be installed on a
> >> clean OpenBSD box (or even two CARP-connected boxes) for pf management
> >> ?
> >> I've found comixwall, but it seems to be dead already.
> >
> > None that are worth it, imho.  If you want to do it right (you wouldn't
> > use OpenBSD if you didn't) then learn pf and understand what you're
> > putting together.  It's not hard.  In fact, compared to the
> > other *nix firewalling alternatives, it's fucking easy.
> >
> > I've considered long and hard (TWSS) to write my own web interface for
> > pf.  The prevailing design philosophies SUCK.  If you're going to
> > bother, do it right;  proper abstraction of filtering and routing
> > concepts is mandatory if you want to make something easy *and* secure.
> > Why hasn't anyone done it?  It's really, really difficult.  And most
> > developers that might take a crack at an OpenBSD pf web ui aren't
> > experienced in interface design.
> >
> > I've written a few web applications related to OpenBSD (Hatchet,
> > NetFlow Dashboard, Blogsum).  Compared to what a good web engineering
> > team can put out, they suck.  But they do an adequate job with the task
> > they're designed to handle.  Writing a log filtering interface isn't
> > hard.  Writing a NetFlow query interface isn't hard.  Writing a blog
> > application isn't hard (unless you're WordPress... then it's just
> > bloated).
> >
> > I'll say it again... writing a good pf web UI is HARD.  It's infinitely
> > more complicated and prone to security problems.  Reading the pf FAQ and
> > editing pf.conf yourself is easier by geometric proportions.
> >
> > 
> >
> > --
> > Jason Dixon
> > DixonGroup Consulting
> > http://www.dixongroup.net/



Re: any web management gui for pf ?

2010-03-13 Thread Илья Шипицин
we have many people who know ISA very well and all they do with ISA is
"publishing applications", rdr rules in terms of pf.
they do not need to know "all the pf detailed", all they need is

a) something ISA-like
b) syntax-checker, I mean that gui should only allow adding correct
rules (what is not true when you edit file)

"learn pf.conf and edit file" is not our case though.

2010/3/14 Jason Dixon :
> On Sun, Mar 14, 2010 at 11:02:29AM +0500,  ??? wrote:
>> Hello,
>>
>> is there any GUI (like pfsense) around which can be installed on a
>> clean OpenBSD box (or even two CARP-connected boxes) for pf management
>> ?
>> I've found comixwall, but it seems to be dead already.
>
> None that are worth it, imho.  If you want to do it right (you wouldn't
> use OpenBSD if you didn't) then learn pf and understand what you're
> putting together.  It's not hard.  In fact, compared to the
> other *nix firewalling alternatives, it's fucking easy.
>
> I've considered long and hard (TWSS) to write my own web interface for
> pf.  The prevailing design philosophies SUCK.  If you're going to
> bother, do it right;  proper abstraction of filtering and routing
> concepts is mandatory if you want to make something easy *and* secure.
> Why hasn't anyone done it?  It's really, really difficult.  And most
> developers that might take a crack at an OpenBSD pf web ui aren't
> experienced in interface design.
>
> I've written a few web applications related to OpenBSD (Hatchet,
> NetFlow Dashboard, Blogsum).  Compared to what a good web engineering
> team can put out, they suck.  But they do an adequate job with the task
> they're designed to handle.  Writing a log filtering interface isn't
> hard.  Writing a NetFlow query interface isn't hard.  Writing a blog
> application isn't hard (unless you're WordPress... then it's just
> bloated).
>
> I'll say it again... writing a good pf web UI is HARD.  It's infinitely
> more complicated and prone to security problems.  Reading the pf FAQ and
> editing pf.conf yourself is easier by geometric proportions.
>
> 
>
> --
> Jason Dixon
> DixonGroup Consulting
> http://www.dixongroup.net/



Re: any web management gui for pf ?

2010-03-13 Thread Jason Dixon
On Sun, Mar 14, 2010 at 11:02:29AM +0500, Илья Шипицин wrote:
> Hello,
> 
> is there any GUI (like pfsense) around which can be installed on a
> clean OpenBSD box (or even two CARP-connected boxes) for pf management
> ?
> I've found comixwall, but it seems to be dead already.

None that are worth it, imho.  If you want to do it right (you wouldn't
use OpenBSD if you didn't) then learn pf and understand what you're
putting together.  It's not hard.  In fact, compared to the
other *nix firewalling alternatives, it's fucking easy.

I've considered long and hard (TWSS) to write my own web interface for
pf.  The prevailing design philosophies SUCK.  If you're going to
bother, do it right;  proper abstraction of filtering and routing
concepts is mandatory if you want to make something easy *and* secure.
Why hasn't anyone done it?  It's really, really difficult.  And most
developers that might take a crack at an OpenBSD pf web ui aren't
experienced in interface design.

I've written a few web applications related to OpenBSD (Hatchet,
NetFlow Dashboard, Blogsum).  Compared to what a good web engineering
team can put out, they suck.  But they do an adequate job with the task
they're designed to handle.  Writing a log filtering interface isn't
hard.  Writing a NetFlow query interface isn't hard.  Writing a blog
application isn't hard (unless you're WordPress... then it's just
bloated).

I'll say it again... writing a good pf web UI is HARD.  It's infinitely
more complicated and prone to security problems.  Reading the pf FAQ and
editing pf.conf yourself is easier by geometric proportions.



-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



PPPOE/IPSEC/PF

2010-03-13 Thread Steve
Hi all,

I know this is extremely vague but I am hoping someone can advise whether this
is known/rectified in the upcoming release so I don't have to interfere with
production equipment to test.

We have a wan configured with pppoe/ipsec/pf configured at each gateway. As
soon as 4.6 is in place the performance through the tunnel slows drastically. I
have ensured that the new pppoe match line is correct in pf and have tried
no-df switch both on and off. As soon as we drop back to 4.5 the speed is
back.

As mentioned, I know this is far too vague for specifics but any input before
we have to disrupt this production system would be appreciated.



any web management gui for pf ?

2010-03-13 Thread Илья Шипицин
Hello,

is there any GUI (like pfsense) around which can be installed on a
clean OpenBSD box (or even two CARP-connected boxes) for pf management
?
I've found comixwall, but it seems to be dead already.


Cheers,
Ilya Shipitsin



Re: OpenBSD 4.7 pre-orders are live!

2010-03-13 Thread Ted Roby
On Sat, Mar 13, 2010 at 7:42 PM, Jason Dixon  wrote:

> https://https.openbsd.org/cgi-bin/order?CD47=1&CD47%2b=Add
>
> --
> Jason Dixon
> DixonGroup Consulting
> http://www.dixongroup.net/
>
>
You're late!
I already put my order in with the USA distributor as soon as I saw Theo's
post.
Their automated service says they'll be shipping it to me this coming
Monday.
Somehow, I think I'll be getting a follow-up email instead.



OpenBSD 4.7 pre-orders are live!

2010-03-13 Thread Jason Dixon
https://https.openbsd.org/cgi-bin/order?CD47=1&CD47%2b=Add

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: RouterBOARD RB600A support

2010-03-13 Thread Theo de Raadt
> I was hoping that it might work as the RB600A and RB1000 CPU / SOC
> seem similar (MPC8343/E and MPC8547/E).

They are not similar.  The MPC8547/E is shockingly different.



Re: RouterBOARD RB600A support

2010-03-13 Thread David Gwynne
On 14/03/2010, at 10:36 AM, P. Souza wrote:

>> Has anyone tested the network throughput on these sweet little things?
>
> Not that relevant but I thought I'd share my findings anyway.
> According to some page I found(TM), the RB600 measured about 250 Mbps
> on iperf on both debian and routerOS[1].
>
> I was expecting more since the routerboard performance tests[2] show a
> routing performance between 592-745 Mbps with 1500 byte packets. Even
> so, seems like a nice alix substitute since, at least locally, the
> price difference is negligible.

there's a big difference between forwarding and terminating traffic on a box
which could explain those numbers.

still, how openbsd copes will be different again.



Re: No login prompt on Intel Atom board.

2010-03-13 Thread Gabriel Read
Just an update:
I am able to cat > /dev/ttyC0 and cat /dev/ttyC0 and send and get text
both ways.

If I run /usr/klibexec/getty std.9600 /dev/ttyC0, I get nothing.  the
only way to get out is ^Z and then kill it.

Also, getty is not running when I start up.  I check ps ax and it's not there.

Thanks.

On Fri, Mar 12, 2010 at 1:00 PM, Gabriel Read  wrote:
> Hi everyone,
>
> I have an Intel D945GSEJT mini-itx motherboard
> running 4.6 GENERIC.MP#89 i386.
> I have been using it as a server for a while without
> a monitor or keyboard and it has been
> working just fine. I hooked up a monitor and
> keyboard but I don't get a login prompt.  If I type on
> the keyboard, the letters do appear on the screen,
> as do system messages, for example, when I
> shutdown it displays the shutdown message.  I have
> tried switching virtual consoles, which works, but it
> still doesn't display a login prompt.  I have checked
> /etc/ttys and console and ttyC0 through ttyC3 are all turned on.
> Does anyone have an ideas?
>
> Thanks, Gabe read
>
> Here is my dmesg output:
>
>  function 3 "Intel 82801GB USB" rev 0x02: apic 2 int 16 (irq 11)
> ehci0 at pci0 dev 29 function 7 "Intel 82801GB USB" rev 0x02: apic 2
> int 23 (irq 10)
> ehci0: timed out waiting for BIOS
> usb0 at ehci0: USB revision 2.0
> uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
> ppb4 at pci0 dev 30 function 0 "Intel 82801BAM Hub-to-PCI" rev 0xe2
> pci5 at ppb4 bus 5
> ichpcib0 at pci0 dev 31 function 0 "Intel 82801GBM LPC" rev 0x02: PM disabled
> pciide0 at pci0 dev 31 function 1 "Intel 82801GB IDE" rev 0x02: DMA,
> channel 0 configured to compatibility, channel 1 configured to
> compatibility
> pciide0: channel 0 disabled (no drives)
> pciide0: channel 1 disabled (no drives)
> pciide1 at pci0 dev 31 function 2 "Intel 82801GBM SATA" rev 0x02: DMA,
> channel 0 configured to native-PCI, channel 1 configured to native-PCI
> pciide1: using apic 2 int 19 (irq 11) for native-PCI interrupt
> wd0 at pciide1 channel 0 drive 0: 
> wd0: 16-sector PIO, LBA48, 305245MB, 625142448 sectors
> wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
> ichiic0 at pci0 dev 31 function 3 "Intel 82801GB SMBus" rev 0x02: apic
> 2 int 19 (irq 11)
> iic0 at ichiic0
> spdmem0 at iic0 addr 0x50: 1GB DDR2 SDRAM non-parity PC2-5300CL5 SO-DIMM
> usb1 at uhci0: USB revision 1.0
> uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1
> usb2 at uhci1: USB revision 1.0
> uhub2 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1
> usb3 at uhci2: USB revision 1.0
> uhub3 at usb3 "Intel UHCI root hub" rev 1.00/1.00 addr 1
> usb4 at uhci3: USB revision 1.0
> uhub4 at usb4 "Intel UHCI root hub" rev 1.00/1.00 addr 1
> isa0 at ichpcib0
> isadma0 at isa0
> com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
> com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
> pckbc0 at isa0 port 0x60/5
> pckbd0 at pckbc0 (kbd slot)
> pckbc0: using irq 1 for kbd slot
> wskbd0 at pckbd0: console keyboard, using wsdisplay0
> pcppi0 at isa0 port 0x61
> midi0 at pcppi0: 
> spkr0 at pcppi0
> lpt0 at isa0 port 0x378/4 irq 7
> npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
> mtrr: Pentium Pro MTRR support
> softraid0 at root
> root on wd0a swap on wd0b dump on wd0b
> arp info overwritten for 192.168.1.11 by 00:11:09:ed:7b:ee on re0
> arp info overwritten for 192.168.1.11 by 00:07:e9:0f:e0:a2 on re0
> arp info overwritten for 192.168.1.11 by 00:11:09:ed:7b:ee on re0
> arp info overwritten for 192.168.1.11 by 00:11:09:ed:7b:ee on re0
> arp info overwritten for 192.168.1.11 by 00:07:e9:0f:e0:a2 on re0
> arp info overwritten for 192.168.1.11 by 00:11:09:ed:7b:ee on re0
> arp info overwritten for 192.168.1.11 by 00:07:e9:0f:e0:a2 on re0
> arp info overwritten for 192.168.1.11 by 00:11:09:ed:7b:ee on re0
> arp info overwritten for 192.168.1.11 by 00:07:e9:0f:e0:a2 on re0
> arp info overwritten for 192.168.1.127 by 00:16:cb:95:ae:fa on re0
> arp info overwritten for 192.168.1.127 by 00:16:cb:b4:65:53 on re0
> uhub5 at uhub1 port 2 "Mitsumi Electric Hub in Apple Extended USB
> Keyboard" rev 1.10/1.22 addr 2
> uhidev0 at uhub5 port 1 configuration 1 interface 0 "Mitsumi Electric
> Apple Extended USB Keyboard" rev 1.10/1.22 addr 3
> uhidev0: iclass 3/1
> ukbd0 at uhidev0: 8 modifier keys, 6 key codes
> wskbd1 at ukbd0 mux 1
> wskbd1: connecting to wsdisplay0
> uhidev1 at uhub5 port 1 configuration 1 interface 1 "Mitsumi Electric
> Apple Extended USB Keyboard" rev 1.10/1.22 addr 3
> uhidev1: iclass 3/0, 3 report ids
> uhid0 at uhidev1 reportid 2: input=1, output=0, feature=0
> uhid1 at uhidev1 reportid 3: input=3, output=0, feature=0
> syncing disks...
> OpenBSD 4.6 (GENERIC.MP) #89: Thu Jul  9 21:32:39 MDT 2009
> dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
> cpu0: Intel(R) Atom(TM) CPU N270 @ 1.60GHz ("GenuineIntel" 686-class) 1.60 GHz
> cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,ES

Re: RouterBOARD RB600A support

2010-03-13 Thread P. Souza
> Has anyone tested the network throughput on these sweet little things?

Not that relevant but I thought I'd share my findings anyway.
According to some page I found(TM), the RB600 measured about 250 Mbps
on iperf on both debian and routerOS[1].

I was expecting more since the routerboard performance tests[2] show a
routing performance between 592-745 Mbps with 1500 byte packets. Even
so, seems like a nice alix substitute since, at least locally, the
price difference is negligible.

[1] www.marlow.dk/wiki/index.php/RouterboardPPC#Performance
[2] www.routerboard.com/pdf/routerboard_performance_tests.pdf



Re: usb(3) to usb(4) migration issue at http://www.openbsd.org/cgi-bin/man.cgi

2010-03-13 Thread Jason McIntyre
On Sun, Mar 14, 2010 at 01:07:31AM +0100, Adriaan wrote:
> The following URL which is supposed to show the usb(4) man page still
> shows the old usb(3) man page:
> http://www.openbsd.org/cgi-bin/man.cgi?query=usb&sektion=4&apropos=0&manpath=OpenBSD+Current&arch=
> 
> I know it is release time and that everybody is extremely busy  :)
> 
> Adriaan

we know about this, and a fix is coming...
jmc



usb(3) to usb(4) migration issue at http://www.openbsd.org/cgi-bin/man.cgi

2010-03-13 Thread Adriaan
The following URL which is supposed to show the usb(4) man page still
shows the old usb(3) man page:
http://www.openbsd.org/cgi-bin/man.cgi?query=usb&sektion=4&apropos=0&manpath=OpenBSD+Current&arch=

I know it is release time and that everybody is extremely busy  :)

Adriaan



Re: Opteron 250 Overheating

2010-03-13 Thread Jeff Ross

On Sun, 14 Mar 2010, Ross Cameron wrote:

> On Sun, Mar 14, 2010 at 12:27 AM, Jeff Ross  wrote:
>> Jeff Ross wrote:
>>> Henning Brauer wrote:
>>>> * Jeff Ross  [2010-03-02 16:59]:
>>>>> I bought a replacement supermicro motherboard off fleabay that has
>>>>> dual Opteron 250 @2.4GHz.  The cpus have passive heatsinks, it is in
>>>>> a supermicro 2U chassis with 4 front fans.
>>>>
>>>> do you have the air shroud? this plastic thing that forms a "tunnel"
>>>> over the heatsinks? it is required.
>>>
>>> No, the motherboard didn't come with that.  If I can find one will that
>>> mean I don't need the active heatsinks?
>>>
>>> Thanks!
>>
>> As a followup, here's what I have done to try to alleviate this:
>>
>> I bought and installed the plastic air shroud using the passive heatsinks
>> that came with the motherboard.  System still overheats and shuts down
>> within a couple of minutes.
>>
>> I bought 2 AMD brand active heatsinks, specific to this processor, and
>> installed them.  That meant I had to ditch the plastic air shroud, but the
>> motherboard manual says that active heatsinks are suggested for 2U chassis
>> and the air shroud was only $10.  I also used new heat sink compound when I
>> put everything together.
>>
>> System seems to run okay at idle. but make it work a little--like compiling
>> a kernel or tar-ing up a big file and the temp indicator comes on and sysctl
>> reports
>> temps (on both the kate and lm sensors) finally exceeding 100 degrees C on
>> one processor, with the other is not that far behind at over 80 deg C.
>>
>> At that point the system shuts down.
>>
>> I'm at a loss as what to try next.  If I've read the AMD specs correctly
>> these processors should not exceed 71 deg C but I see temps near that at
>> near idle.
>>
>> Did I just get a lemon motherboard/CPU combo?  I still have a couple of days
>> on my 30 day exchange if this is the case.
>
> I'd get it all swopped out, something's very suspect there.
>
> I've got 8 Opteron 250 servers at the office that I regularly pound
> the heck out of (dist-cc cluster for bulk and repetitive building of
> software) and the hottest we've ever seen the CPUs go was 42deg.

Thanks--that is exactly what I was looking for.

I've e-mailed the vendor.  With luck I'll have replacement or at least my
money back before long.


Jeff



Re: Opteron 250 Overheating

2010-03-13 Thread Ross Cameron
On Sun, Mar 14, 2010 at 12:27 AM, Jeff Ross  wrote:
> Jeff Ross wrote:
>> Henning Brauer wrote:
>>> * Jeff Ross  [2010-03-02 16:59]:
>>>> I bought a replacement supermicro motherboard off fleabay that has
>>>> dual Opteron 250 @2.4GHz.  The cpus have passive heatsinks, it is in
>>>> a supermicro 2U chassis with 4 front fans.
>>>
>>> do you have the air shroud? this plastic thing that forms a "tunnel"
>>> over the heatsinks? it is required.
>>>
>>
>> No, the motherboard didn't come with that.  If I can find one will that
>> mean I don't need the active heatsinks?
>>
>> Thanks!
>>
> As a followup, here's what I have done to try to alleviate this:
>
> I bought and installed the plastic air shroud using the passive heatsinks
> that came with the motherboard.  System still overheats and shuts down
> within a couple of minutes.
>
> I bought 2 AMD brand active heatsinks, specific to this processor, and
> installed them.  That meant I had to ditch the plastic air shroud, but the
> motherboard manual says that active heatsinks are suggested for 2U chassis
> and the air shroud was only $10.  I also used new heat sink compound when I
> put everything together.
>
> System seems to run okay at idle. but make it work a little--like compiling
> a kernel or tar-ing up a big file and the temp indicator comes on and sysctl
> reports
> temps (on both the kate and lm sensors) finally exceeding 100 degrees C on
> one processor, with the other is not that far behind at over 80 deg C.
>
> At that point the system shuts down.
>
> I'm at a loss as what to try next.  If I've read the AMD specs correctly
> these processors should not exceed 71 deg C but I see temps near that at
> near idle.
>
> Did I just get a lemon motherboard/CPU combo?  I still have a couple of days
> on my 30 day exchange if this is the case.


I'd get it all swopped out, something's very suspect there.

I've got 8 Opteron 250 servers at the office that I regularly pound
the heck out of (dist-cc cluster for bulk and repetitive building of
software) and the hottest we've ever seen the CPUs go was 42deg.





--
"Opportunity is most often missed by people because it is dressed in
overalls and looks like work."
Thomas Alva Edison
Inventor of 1093 patents, including:
The light bulb, phonogram and motion pictures.



Re: Joomla - MySQL Problem: "Could not connect to MySQL"

2010-03-13 Thread Stuart Henderson
On 2010-03-13, Sunnz  wrote:
> 2010/3/12 Daniel Gracia Garallar :
>> Not quite a solution, I think. What about if /var/www mounts in a different
>> filesystem than /var?
>>
>> Hardlinks from chrooted environments don't seem to be a wise solution
>> anyway... Just IMHO.
>>
>
> In that case you could change the location mysqld itself uses to be
> inside the chroot.

yes, this works well. borrowing from the notes in the drupal package;

-- -- --
In order to run with standard OpenBSD chroot'ed httpd:

- make sure you can connect to your database.

Create a directory for the mysql socket.

mkdir -p /var/www/var/run/mysql

Adjust /etc/my.cnf to put the mysql socket into the chroot.

[client]
socket = /var/www/var/run/mysql/mysql.sock

[mysqld]
socket = /var/www/var/run/mysql/mysql.sock
-- -- --

if you have an application outside the chroot where you can't set
the socket path, you can create /var/run/mysql and create a symlink
in that directory pointing at the socket inside /var/www/var/run/mysql..
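
A check for the setup in the quoted package notes, added here as an example (it is not part of the message or of the drupal package): it parses a my.cnf-style file, confirms that [client] and [mysqld] name the same socket under the chroot, and prints the path a chrooted client has to use. The function names and the two sample files are constructed; /var/www is the chroot the notes assume.

```shell
#!/bin/sh
# Added example: verify that my.cnf keeps the MySQL socket inside the
# httpd chroot. CHROOT is an assumption taken from the quoted notes.

CHROOT=/var/www

# Print "section path" for each socket= line under [client] or [mysqld].
list_sockets() {
    awk '
        /^[ \t]*\[/ {
            sub(/^[ \t]*\[/, ""); sub(/\].*$/, "")
            section = $0
            next
        }
        /^[ \t]*socket[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
            if (section == "client" || section == "mysqld") print section, $0
        }
    ' "$1"
}

# Map a host path to the path seen from inside the chroot; fail if outside.
chroot_view() {
    case "$1" in
        "$CHROOT"/*) printf '%s\n' "${1#"$CHROOT"}" ;;
        *) return 1 ;;
    esac
}

# Succeed only if both sections set the same socket and it is in the chroot.
check_mycnf() {
    out=$(list_sockets "$1")
    client=$(printf '%s\n' "$out" | awk '$1 == "client" { print $2 }')
    server=$(printf '%s\n' "$out" | awk '$1 == "mysqld" { print $2 }')
    [ -n "$client" ] && [ -n "$server" ] || {
        echo "missing socket setting"; return 1; }
    [ "$client" = "$server" ] || {
        echo "client/server socket mismatch"; return 1; }
    inside=$(chroot_view "$server") || {
        echo "socket outside $CHROOT: $server"; return 1; }
    echo "ok: chrooted clients connect to $inside"
}

# Constructed sample input: the settings from the notes, and a layout that
# leaves the socket in /var/run/mysql where a chrooted httpd cannot reach it.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/chroot.cnf" <<'EOF'
[client]
socket = /var/www/var/run/mysql/mysql.sock

[mysqld]
socket = /var/www/var/run/mysql/mysql.sock
EOF
    cat > "$dir/outside.cnf" <<'EOF'
[client]
socket = /var/run/mysql/mysql.sock
[mysqld]
socket = /var/run/mysql/mysql.sock
EOF
    check_mycnf "$dir/chroot.cnf"
    check_mycnf "$dir/outside.cnf" || true
    rm -rf "$dir"
}
demo
```

The path printed for the first file is the one the web application must be configured with, because inside the chroot /var/www is the root directory.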



"I call bullshit on auditors all the time. " [Was: Re: suggested patch to httpd.conf in base]

2010-03-13 Thread chefren
On 13-03-10 17:04, Bob Beck wrote:

> I call bullshit on auditors all the time.  I normally get away with it.
> Why? I know something about the field, They actually do not, they are
> working from a cookbook. Once you explain coherently why the cookbook
> is wrong for your environment you know what *THEY HAVE TO BELIEVE YOU*
> in absence of proof otherwise.


Quite true.

And if the other party insists on the bull shit it simply isn't a good party
to work with. When it's about security: Unnecessary compromises stand for
unnecessary insecurity.

+++chefren



Re: Opteron 250 Overheating

2010-03-13 Thread Jeff Ross

Jeff Ross wrote:
> Henning Brauer wrote:
>> * Jeff Ross  [2010-03-02 16:59]:
>>> I bought a replacement supermicro motherboard off fleabay that has
>>> dual Opteron 250 @2.4GHz.  The cpus have passive heatsinks, it is in
>>> a supermicro 2U chassis with 4 front fans.
>>
>> do you have the air shroud? this plastic thing that forms a "tunnel"
>> over the heatsinks? it is required.
>
> No, the motherboard didn't come with that.  If I can find one will
> that mean I don't need the active heatsinks?
>
> Thanks!

As a followup, here's what I have done to try to alleviate this:

I bought and installed the plastic air shroud using the passive
heatsinks that came with the motherboard.  System still overheats and
shuts down within a couple of minutes.

I bought 2 AMD brand active heatsinks, specific to this processor, and
installed them.  That meant I had to ditch the plastic air shroud, but
the motherboard manual says that active heatsinks are suggested for 2U
chassis and the air shroud was only $10.  I also used new heat sink
compound when I put everything together.

System seems to run okay at idle. but make it work a little--like
compiling a kernel or tar-ing up a big file and the temp indicator comes
on and sysctl reports
temps (on both the kate and lm sensors) finally exceeding 100 degrees C
on one processor, with the other is not that far behind at over 80 deg C.

At that point the system shuts down.

I'm at a loss as what to try next.  If I've read the AMD specs correctly
these processors should not exceed 71 deg C but I see temps near that at
near idle.

Did I just get a lemon motherboard/CPU combo?  I still have a couple of
days on my 30 day exchange if this is the case.


Thanks to all,

Jeff



Re: Easy money with OpenBSD & OpenBGPd?

2010-03-13 Thread Graeme Lee

FreeBSD and Linux

The routing is done on FreeBSD.  UI on Linux

It's hardly rocket science either.  It could easily be done on OpenBSD, 
but we would need to add a "strip private" or similar to make it 
implementable.




On 14/03/2010 2:24 AM, Sevan / Venture37 wrote:
> Hi guys,
> I was reading the arstechnica article on the internet filtering that's
> now in place in New Zealand & they mentioned that the appliance
> they're using called a "Whitebox" which uses a "BSD-Unix"
>
> Anyone know more about the OS used in this system??
>
>
> Sevan / Venture37
>
> http://arstechnica.com/tech-policy/news/2010/03/new-zealand-relies-on-bgp-router-protocol-to-filter-the-net.ars
>
> http://www.watchdoginternational.net/images/stories/ncwb2.pdf




Re: RouterBOARD RB600A support

2010-03-13 Thread Liam Farr
I'd be quite keen to get OpenBSD running on the RB1000.

I tried writing the miniroot47.fs to a CF card and booting off that, (on the 
off chance that it might work), but didn't get very far.

--
RouterBOOT booter 2.20

RouterBoard 1000

CPU frequency: 1333 MHz
  Memory size: 512 MB

Press any key within 2 seconds to enter setup..
Booting CF
Loading kernel... done
setting up elf image... OK
jumping to kernel code
>> OpenBSD/socppc BOOT 1.0

|/-boot> 
--

At this point the serial console just hangs.

I was hoping that it might work as the RB600A and RB1000 CPU / SOC seem similar 
(MPC8343/E and MPC8547/E).


Liam



Re: Easy money with OpenBSD & OpenBGPd?

2010-03-13 Thread Sevan / Venture37
I'm not trying to over throw bypass governments or make money being a thug
I was trying to imply a possibility that the white box is nothing more
than a fancy white box running OpenBSD?


Sevan / Venture37



Re: RouterBOARD RB600A support

2010-03-13 Thread David Gwynne
On 14/03/2010, at 4:41 AM, P. Souza wrote:

> Has anyone tested the network throughput on these sweet little things?

not really. ive always been limited by the speed of wireless, or the speed of
the dsl link im using. i havent got close to high cpu usage on my rb600 unless
i was compiling stuff.



Re: RouterBOARD RB600A support

2010-03-13 Thread P. Souza
Has anyone tested the network throughput on these sweet little things?



Re: Filtering based on MAC adress

2010-03-13 Thread Jean-Francois
All,

As suggested.
Just to confirm that it perfectly works.
I made a NAT on ext_if from int_if

In principle :
- create a bridge, add the int_if to the bridge
- add a rule filtering and tagging based on MAC address ex :
brconfig bridge0 rule pass in  on fxp0 src 9:8:7:6:5:4 tag boss
- filter with pf based on the tag of the packets

Thanks for pointing this out.
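
The three steps above as a generator script, added here as an example that is not part of the original post: it reads a table of MAC addresses and tags, validates and normalizes each entry, and prints the bridge rules followed by pf rules that pass only tagged traffic. bridge0, fxp0 and the boss entry come from the post; the staff entry, the `ifconfig bridge0 create` line, the block/pass pf rules and the tag character restriction are assumptions. A source MAC is chosen by the sender, so the tag records a claimed address, not an authenticated host.

```shell
#!/bin/sh
# Added example: turn a "MAC tag" table into brconfig tagging rules and
# matching pf rules. Commands are printed, not executed.

# Normalize a MAC such as 9:8:7:6:5:4 to 09:08:07:06:05:04; fail otherwise.
normalize_mac() {
    printf '%s\n' "$1" | awk -F: '
        NF != 6 { exit 1 }
        {
            out = ""
            for (i = 1; i <= 6; i++) {
                if ($i !~ /^[0-9A-Fa-f][0-9A-Fa-f]?$/) exit 1
                octet = tolower($i)
                if (length(octet) == 1) octet = "0" octet
                out = out (i > 1 ? ":" : "") octet
            }
            print out
        }'
}

# Conservative rule of this script (an assumption, not a pf limit):
# tags are non-empty and contain only letters, digits and underscores.
valid_tag() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
}

# Read "MAC tag" pairs on stdin; $1 is the bridge, $2 the internal interface.
emit_rules() {
    bridge=$1 ifname=$2 tags=""
    echo "ifconfig $bridge create"
    echo "brconfig $bridge add $ifname up"
    while read -r mac tag; do
        case "$mac" in ''|'#'*) continue ;; esac
        norm=$(normalize_mac "$mac") || { echo "bad MAC: $mac" >&2; return 1; }
        valid_tag "$tag" || { echo "bad tag: $tag" >&2; return 1; }
        echo "brconfig $bridge rule pass in on $ifname src $norm tag $tag"
        # Remember each tag once so pf gets one pass rule per tag.
        case " $tags " in *" $tag "*) ;; *) tags="$tags $tag" ;; esac
    done
    echo "# pf.conf: frames no bridge rule tagged stay blocked (last match wins)"
    echo "block in on $ifname"
    for t in $tags; do
        echo "pass in on $ifname tagged $t"
    done
}

# Constructed table: the MAC and tag from the post plus one made-up entry.
demo() {
    emit_rules bridge0 fxp0 <<'EOF'
# MAC address, then pf tag
9:8:7:6:5:4 boss
00:11:22:AA:bb:Cc staff
EOF
}
demo
```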



Re: Easy money with OpenBSD & OpenBGPd?

2010-03-13 Thread Peter N. M. Hansteen
Sevan / Venture37  writes:

> they're using called a "Whitebox" which uses a "BSD-Unix"

Their marketers apparently do not know (or do not care) that term is
15+ years out of date and used to be the focusing point of a legal
dust-up back in the days.  Not a good sign in itself, their website
(which runs on Microsoft if Netcraft is to be believed) doesn't offer
too much detail either.  It does sound rather like the 'we must appear
to be doing something fer chrissake' exercise the powers that be in
.no were trying to impose on ISPs here recently (DNS based and all).

> Anyone know more about the OS used in this system??

The marketing material on their web site gives you enough pointers
that you could knit together a rough equivalent on anything unixlike,
including OpenBSD.  Fairly easy money once you figure out what color
schemes the johns^H^H^H^H^Hcustomers want in their web interfaces, I
suppose.

- P
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Joomla - MySQL Problem: "Could not connect to MySQL"

2010-03-13 Thread bert beaudin
This has also worked for me in the past.
Bert


On 3/13/10 9:27 AM, "L. V. Lammert"  wrote:

> On Sat, 13 Mar 2010, Sunnz wrote:
> 
>> 2010/3/12 Daniel Gracia Garallar :
>>> Not quite a solution, I think. What about if /var/www mounts in a different
>>> filesystem than /var?
>>> 
>>> Hardlinks from chrooted environments don't seem to be a wise solution
>>> anyway... Just IMHO.
>>> 
>> 
>> In that case you could change the location mysqld itself uses to be
>> inside the chroot.
>> 
>> Or do you actually have a solution?
>> 
> The solution is to use 127.0.0.1 for the connection, as stated previously.
> 
> Lee



Re: Easy money with OpenBSD & OpenBGPd?

2010-03-13 Thread Toni Mueller
Hi,

technical issues aside,

On Sat, 13.03.2010 at 15:24:30 +, Sevan / Venture37 wrote:
> I was reading the arstechnica article on the internet filtering
> that's now in place in New Zealand & they mentioned that the
> appliance they're using called a "Whitebox" which uses a "BSD-Unix"
> Anyone know more about the OS used in this system??

what do you want to know?

How to make money bypassing government villains?
Or how to make money being a thug?


Kind regards,
--Toni++



Re: Joomla - MySQL Problem: "Could not connect to MySQL"

2010-03-13 Thread L. V. Lammert
On Sat, 13 Mar 2010, Sunnz wrote:

> 2010/3/12 Daniel Gracia Garallar :
> > Not quite a solution, I think. What about if /var/www mounts in a different
> > filesystem than /var?
> >
> > Hardlinks from chrooted environments don't seem to be a wise solution
> > anyway... Just IMHO.
> >
>
> In that case you could change the location mysqld itself uses to be
> inside the chroot.
>
> Or do you actually have a solution?
>
The solution is to use 127.0.0.1 for the connection, as stated previously.

Lee



Re: nmbd does not listen

2010-03-13 Thread Jean-Francois
> [...]
> > As for answering requests, how do you know it isn't?  Did you trace
> > the process?  Did you use tcpdump to confirm that the packets were
> > being received?  Have you confirmed that your pf config isn't blocking
> > them?
> 
> I didn't trace the process, but tcpdump show the packets, pflog confirms
> that the rule pass in pf.conf lets correctly passing the packets.
> [...]
> > Philip Guenther

I used the info from Christiano Haesbaert and achieved to make it work 
correctly with pf and multi-cast packets forwarding by setting mforwarding=1 
in sysctl and host=re0 in rc.conf.

I also traced the process nmbd and found this problem, which is also logged in 
the log file smb.nmbd in /var/log

<27>Mar 13 16:55:15 nmbd[7796]:   Packet send failed to 10.0.1.255(138) 
ERRNO=Host is down

I can't find out deeper the problem in this case.
Any help from you please ?

Thanks a lot & regards.
JF



Easy money with OpenBSD & OpenBGPd?

2010-03-13 Thread Sevan / Venture37

Hi guys,
I was reading the arstechnica article on the internet filtering that's 
now in place in New Zealand & they mentioned that the appliance they're 
using called a "Whitebox" which uses a "BSD-Unix"

Anyone know more about the OS used in this system??


Sevan / Venture37

http://arstechnica.com/tech-policy/news/2010/03/new-zealand-relies-on-bgp-router-protocol-to-filter-the-net.ars

http://www.watchdoginternational.net/images/stories/ncwb2.pdf



account deposit receipt!

2010-03-13 Thread Financeiro
 - This mail is a HTML mail. Not all elements could be shown in plain text
mode. -

found you !!!
Attachment:
Comprovante_Deposito (151,0 Kb)
Attached is the receipt for the deposit made to the current account. Please
confirm the details and amounts using the attached receipt, so that any
discrepancy can be corrected.
Sincerely,
Haroldo Riello
Financial Director



authlog messages

2010-03-13 Thread fqui nonez
hello

I found messages in the authlog of an OBSD-4.6, I have not seen them
before, and i was not able to find information at archives and google.

Mar  9 02:20:25 OpenBSD kdeinit: gethostby*.getanswer: asked for
"srx.main.ebayrtm.com IN ", got type "SOA"
Mar  9 02:47:32 OpenBSD kdeinit: gethostby*.getanswer: asked for
"srx.uk.ebayrtm.com IN ", got type "SOA"
Mar  9 02:50:17 OpenBSD kdeinit: gethostby*.getanswer: asked for
"srx.sg.ebayrtm.com IN ", got type "SOA"
Mar  9 02:52:03 OpenBSD kdeinit: gethostby*.getanswer: asked for
"srx.au.ebayrtm.com IN ", got type "SOA"
Mar  9 02:53:27 OpenBSD kdeinit: gethostby*.getanswer: asked for
"srx.ph.ebayrtm.com IN ", got type "SOA"
Mar  9 03:01:57 OpenBSD kdeinit: gethostby*.getanswer: asked for
"srx.ph.ebayrtm.com IN ", got type "SOA"
Mar  9 03:09:55 OpenBSD kdeinit: gethostby*.getanswer: asked for
"srx.ca.ebayrtm.com IN ", got type "SOA"

Could someone please tell me what it means? I use konqueror and lynx
as web browsers.

thanks for your attention.

francisco.



Re: errata46.html update

2010-03-13 Thread Ingo Schwarze
Hi David,

David Vasek wrote on Sat, Mar 13, 2010 at 10:38:48AM +0100:
> On Fri, 12 Mar 2010, Christopher Ahrens wrote:

>> You aren't missing anything, these are 2 different webservers:
>> OpenBSD.org  [199.185.137.3, IP registered to Theos Software]

Yes, and that is cvs.openbsd.org, one of the machines physically
sitting in Theo's basement.  Thus, unless you want to stress Theo's
private Internet connection, do not use http://openbsd.org/ for
normal OpenBSD surfing.

> Perhaps Theo swapped it with them for theos.com. Good joke!

Er, sorry?  He swapped what with whom?  I don't see any joke here.

The domain theos.com is simply Theo's private .com domain,
and nothing else, see http://theos.com/ for some fine pictures.
Of course, that will be using Theo's bandwidth, too, but excepting
archive.org and similar sites, i'm not aware of any mirrors.



Top up your mobile phone for free!

2010-03-13 Thread Saldo Mobile
--


--
Powered by PHPlist, www.phplist.com --

[demime 1.01d removed an attachment of type image/jpeg which had a name of 
mail9_4_0.jpg]

[demime 1.01d removed an attachment of type image/jpeg which had a name of 
mail9_4_1.jpg]

[demime 1.01d removed an attachment of type image/jpeg which had a name of 
mail9_4_2.jpg]

[demime 1.01d removed an attachment of type image/jpeg which had a name of 
mail9_4_3.jpg]

[demime 1.01d removed an attachment of type image/png which had a name of 
powerphplist.png]



ipsecctl(8): delete by SPI index?

2010-03-13 Thread Toni Mueller
Hi,

I dimly remember that it was possible to delete flows by specifying
their SPI index in the SADB, but when I say

# ipsecctl -d 0x12345678

with 0x12345678 being a number obtained by running

# ipsecctl -v -ss

I only get back an error message. If I say "ipsecctl -sf"
and feed one of these lines to 'ipsecctl -d', like in

# ipsecctl -d 'flow esp in from 10.1.10.10 to 10.2.0.22 peer 1.2.3.4 srcid 
5.6.7.8/32 dstid 1.2.3.4/32 type use'

it bails out, too. Now I'm confused. :(

I'd prefer to delete flows by SPI index, if possible...

Help is greatly appreciated!


Kind regards,
--Toni++



Re: Joomla - MySQL Problem: "Could not connect to MySQL"

2010-03-13 Thread Sunnz
2010/3/12 Daniel Gracia Garallar :
> Not quite a solution, I think. What about if /var/www mounts in a different
> filesystem than /var?
>
> Hardlinks from chrooted environments don't seem to be a wise solution
> anyway... Just IMHO.
>

In that case you could change the location mysqld itself uses to be
inside the chroot.

Or do you actually have a solution?



Re: Joomla - MySQL Problem: "Could not connect to MySQL"

2010-03-13 Thread Edho P Arief
On Fri, Mar 12, 2010 at 6:58 PM, Daniel Gracia Garallar
 wrote:
> Not quite a solution, I think. What about if /var/www mounts in a different
> filesystem than /var?
>

how about
- tell mysql to create sock file in /var/www/var/run/mysql; or
- tell php to connect to mysql over tcp/ip


-- 
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org



Re: Joomla - MySQL Problem: "Could not connect to MySQL"

2010-03-13 Thread Daniel Gracia Garallar
Not quite a solution, I think. What about if /var/www mounts in a 
different filesystem than /var?


Hardlinks from chrooted environments don't seem to be a wise solution 
anyway... Just IMHO.


Regards,

Dani

On 12/03/2010 12:16, Sunnz wrote:
> 2010/3/11 Jan:
>> I didn't notice, that httpd was still running.
>>
>> kill -TERM ID_of_httpd
>> httpd -u
>>
>> solved the problem. Thank you! Everything works fine!
>
> Now that it works we know that it was a problem with chroot. It might
> be a good practice now to hardlink the mysql.sock in the chroot
> directory so that you can run apache chrooted... I think you do
> something like:
>
> # mkdir -p /var/www/var/run/mysql
> # ln -f /var/run/mysql/mysql.sock /var/www/var/run/mysql/mysql.sock
>
> Then if you shut down httpd and start it again, you shouldn't need
> "-u" any more.




Re: 4.7: huge partition at install time

2010-03-13 Thread Harald Dunkel

On 03/11/10 22:49, Stuart Henderson wrote:
> On 2010-03-11, Harald Dunkel  wrote:
>>
>> I am not talking about the boot partition, but about a data partition
>> set up at install time.
>>
>> Not to mention that OpenBSD is so easy to install, you hardly need
>> the documentation :-).
> 
> Maybe we should make it harder then!
> Read the FFS vs. FFS2 section.
> 

I did.

Maybe there was a misunderstanding about my first EMail. I have tried
to install OpenBSD on a PC with 2 disks: sd0 is 32GByte, sd1 is 1.5TByte.
Boot partition is on sd0, of course, but I also created a label, swap
and a huge 1.4 TByte partition on sd1 to be mounted on /export.

The installer selected ffs for this partition (even though it is obvious
to everyone that this wouldn't work), and then it failed to initialize the
partition. I cannot remember the error message, but it was fatal. Bug #1.

Next the installer added /export to /etc/fstab, ignoring that the
initialization failed. This is bug #2.


I hope this helps. Regards

Harri



Re: errata46.html update

2010-03-13 Thread David Vasek

On Fri, 12 Mar 2010, Christopher Ahrens wrote:

> You aren't missing anything, these are 2 different webservers:
> OpenBSD.org [199.185.137.3, IP registered to Theos Software]

Perhaps Theo swapped it with them for theos.com. Good joke!

Regards,
David