Re: protect mailserver using spamd

2011-02-02 Thread Peter N. M. Hansteen
Kevin Chadwick  writes:

>>  We didn't see any noticeable increase in
>> spam received or load on content filtering when going to two minutes
>> IIRC.  YMMV, may contain nuts etc.
>
> Did you see an increase in legitimate mail getting through without
> whitelisting? Or any getting through sooner?

Judging from the few cases where I've actually been looking for a
specific message from a new contact to get through, the time to
clearing greylisting went down to the five minute range or
thereabouts.

The parameters we don't have any control over, such as the other
side's retry frequency, remain a large part of the equation.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Predictable network interface numbering

2011-02-02 Thread Ted Unangst
On Wed, Feb 2, 2011 at 9:00 AM, Jean H. Theoret  wrote:
> How is it possible to control the network interface numbering assignment 
> order?

The short answer is no.  Previous discussion:
http://marc.info/?t=12194157011&r=1&w=2

If you are concerned about this, I believe my previous suggestion
still represents the state of the art (although you may need to make
some adjustments for your environment):
http://marc.info/?l=openbsd-misc&m=122609201024773&w=2



Re: nat static-port option

2011-02-02 Thread Amit Kulkarni
> Currently there are about 2^32.7 living humans; I expect to live long
> enough to see 2^33.3
> Imagine everyone having at least two devices. How many do you have?

There's a depression coming along. Many would be glad just to have a
job and food. I don't use any such toys, and probably many will
minimize such expenses. So I don't imagine any switch will occur real
soon.

A question to a wireless ISP sysadmin: isn't it easy to use NAT with
cellphone web traffic since they have a unique number?



Re: Predictable network interface numbering

2011-02-02 Thread Nick Holland
On 02/02/11 08:59, Jean H. Theoret wrote:
> This one's got me stumped for a few days now...
> 
> How is it possible to control the network interface numbering assignment 
> order?

barely.

> Here's my specific case: the box has 2 on-board Ethernet interfaces and
> a 3rd one on a PCI-Express card. They come up as:
> 
>     re0: PCI-Express card
>     re1: on-board interface #1
>     re2: on-board interface #2
> 
> A recent event had disabled the PCI card, and the remaining network
> interfaces ended up being reassigned (upon the next reboot, of course) as:
> 
>     re0: on-board interface #1
>     re1: on-board interface #2
> 
> Could this have been prevented by forcing network interface assignment
> to on-board interface _first_, then the PCI card?

Your problems would have changed.
IN YOUR CASE, it may have changed from a problem you weren't ready for
to one you were, but you didn't eliminate the problem.

> Or is there a way to
> bind network interface assignment to the adapter's MAC address as
> numbering hint?

Give it a chance and I think you will start to see where the OpenBSD
system is a lot easier.  Yes, when things change in the system, things
change in your config, which can cause breakage.  OpenBSD's device
numbering system is somewhat simplistic, which means it has simple
problems which are easy to fix.  Having worked with similar problems
(and their recovery) on other OSs...ick.

A much better solution to your original problem would be to have spare
parts on hand enabling you to replace the failed re0, in which case you
would have NOTHING to change, ANY screwdriver literate tech could fix
your system and bring it back up without any reconfiguration, and no
sharing of an admin PW (or walking someone through vi over the phone).

Nick.



Re: nat static-port option

2011-02-02 Thread Martin Schröder
2011/2/2 Bret S. Lambert :
> On Wed, Feb 02, 2011 at 10:23:43PM +0100, Martin Schröder wrote:
>> Yeah. And there'll never be more than 2^32 IP devices in the world.
>
> Inorite? I mean, if I can't get an IP for my toaster, I'm just gonna *die*!

Currently there are about 2^32.7 living humans; I expect to live long
enough to see 2^33.3
Imagine everyone having at least two devices. How many do you have?

Best
   Martin



Re: nat static-port option

2011-02-02 Thread Bret S. Lambert
On Wed, Feb 02, 2011 at 10:23:43PM +0100, Martin Schröder wrote:
> 2011/2/2 Kevin Chadwick :
> > Also, If you look at the GeoIP lookup data you'll see great swathes were
> > allocated early on and seemingly never actually used.
> 
> Yeah. And there'll never be more than 2^32 IP devices in the world.

Inorite? I mean, if I can't get an IP for my toaster, I'm just gonna *die*!

> 
> Best
>    Martin



Re: nat static-port option

2011-02-02 Thread Amit Kulkarni
You are probably on the right track.

AFAIK, most Indian ISPs have city or state level blocks of IPs. Ultra
big cities like Mumbai, Delhi, Bangalore themselves have several blocks. So
theoretically they could NAT the same IP in different cities or
different blocks at the same time, and none the wiser.


> I read, the same ips are being used by ISPS in different parts of the
> world with a kind of global nat.
>
> Also, If you look at the GeoIP lookup data you'll see great swathes were
> allocated early on and seemingly never actually used.



Re: protect mailserver using spamd

2011-02-02 Thread Ted Unangst
On Wed, Feb 2, 2011 at 1:33 PM, Peter N. M. Hansteen  wrote:
> the initial '451 temporary local problem' response). The other, more
> visible issue is when the sender retries from a different IP address,
> and it turns lottery-like in a hurry (sometimes referred to as the

See that?  If everybody put their outgoing mail server pool behind NAT
we wouldn't have this problem. :)



routing issue with carp

2011-02-02 Thread Peter van Oord van der Vlies
Hello list,

I have a setup with 2 firewalls (OpenBSD 4.7 MP) using carp for
redundancy.
All systems are using the IP number of the inside carp interface as default
gateway.
There is another router in that subnet that is used to reach another network,
so I have a static route to that network on the firewall systems.

For example:
clients are in network 10.1.1.0/24, the carp interface IP is 10.1.1.3 and the
other router in the network is 10.1.1.1. Both firewalls also have an IP number
on the physical interface in that subnet, for example firewall1 has 10.1.1.7
and firewall2 has 10.1.1.8.
The static route on the firewalls is 10.0.0.0/8 via 10.1.1.1.

Now the problem is that not all traffic goes very well to the 10.0.0.0/8
network; most of the traffic takes longer to complete or connections are
broken sometimes.
The clients are using a terminal client to reach an AS400 system and when they
do some print jobs it takes 10 or 20 times longer to complete that
print.

The weird thing about this is that when I set the client gateway to 10.1.1.7
(assuming that one is the master) there are no problems, and likewise when I
created a static route on the client for 10.0.0.0/8 via 10.1.1.1.

Does anyone have a clue how to fix this without placing the other router in a
different subnet or using static routes on the clients?

Many thanks,

Peter



Re: nat static-port option

2011-02-02 Thread Martin Schröder
2011/2/2 Kevin Chadwick :
> Also, If you look at the GeoIP lookup data you'll see great swathes were
> allocated early on and seemingly never actually used.

Yeah. And there'll never be more than 2^32 IP devices in the world.

Best
   Martin



Re: equivalent of Linux "mount -o bind"

2011-02-02 Thread john slee
On 3 February 2011 03:13,   wrote:
> Update: I have it on fairly good authority that this behavior is
> considered a bug in the Linux kernel, which will be fixed as soon as
> someone gets around to it. If you are a kernel maintainer and know
> more about this issue, or are willing to fix it, I'd love to hear from
> you!

I'd suggest that

(a) an OpenBSD mailing list probably isn't the best place to talk
 about Linux kernel bugs or go looking for maintainers

(b) you patch your systems. Linux 2.4.9 is of a similar age
 to OpenBSD 3.0, says Google: released nine+ years ago.
 Linux 2.4.20 is a year or so newer than that

(c) you retest with a newer Linux kernel before reporting any
  bugs, once you have located the appropriate non-OpenBSD
  fora in which to do so

That said, I suppose you _could_ use this behaviour to populate
chroots, since you can use it for individual files and directories,
as well as whole filesystems. But OpenBSD preference seems
to be to keep such places as desolate as possible, so what use?

John



Re: protect mailserver using spamd

2011-02-02 Thread Kevin Chadwick
On Wed, 02 Feb 2011 20:35:34 +0100
pe...@bsdly.net (Peter N. M. Hansteen) wrote:

>  We didn't see any noticeable increase in
> spam received or load on content filtering when going to two minutes
> IIRC.  YMMV, may contain nuts etc.

Did you see an increase in legitimate mail getting through without
whitelisting? Or any getting through sooner?



Re: protect mailserver using spamd

2011-02-02 Thread Kevin Chadwick
On Wed, 02 Feb 2011 19:33:31 +0100
pe...@bsdly.net (Peter N. M. Hansteen) wrote:

> I could offer mine for public consumption, but I would need
> to sanity check it first for outdated data.

If it's no bother to get and post it, then I'd be interested in the
unsanitised data? Even the problematic domains without ips would do.



Don't forget to plug the project

2011-02-02 Thread Jeremy Chase
(10 minutes of me helping debug an ssh config problem precedes this)

15:34 < tobym> oh wow
15:34 < tobym> that fixed it
15:48 < N1JER> tobym: word
15:48 < N1JER> tobym: you should take this time to donate to the openssh project
15:49 < tobym> time or money? :)
15:49 < N1JER> either
15:49 < N1JER> :)
15:52 < achin_> yes, the openssh project deserves a lot of love (both the tangible and intangible kind)
15:52 < tobym> donation sent

--
Jeremy Chase
http://twitter.com/jeremychase



Re: protect mailserver using spamd

2011-02-02 Thread Peter N. M. Hansteen
OpenBSD Geek  writes:

> Do you think, that it will solve my mistake ?

The devil is in the details, as always, but lowering the minimum wait
before retry means that those who retry faster than 25 minutes will
clear greylisting sooner.  We didn't see any noticeable increase in
spam received or load on content filtering when going to two minutes
IIRC.  YMMV, may contain nuts etc.

- P
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: nat static-port option

2011-02-02 Thread Kevin Chadwick
On Wed, 2 Feb 2011 11:53:35 -0600
patric conant  wrote:

> 2^24=16,777.216
> So they are close.

I read, the same ips are being used by ISPS in different parts of the
world with a kind of global nat.

Also, If you look at the GeoIP lookup data you'll see great swathes were
allocated early on and seemingly never actually used.



Re: Printing (well anything) using lpd...

2011-02-02 Thread Abel Abraham Camarillo Ojeda
On Tue, Feb 1, 2011 at 8:59 AM, Manuel Giraud wrote:
> Jacob Meuser  writes:
>
>> foomatic is pretty easy to set up.
>
> Thread hijacker here. I tried to setup a lpd/foomatic for a printer over
> network and always end-up with this kind of message in
> /var/log/lpd-errs:
> --8<---cut here---start->8---
> Feb  1 13:46:29 K lpd[6548]: restarted
> foomatic-rip version 4.0.4.217 running...
> called with arguments: '-w132', '-l66', '-i0', '-n', 'manuel', '-j', 'foo.pdf', '-h', 'K', '/etc/foomatic/HPcolor.ppd'
> Parsing PPD file ...
> Added option Resolution
> Added option PageSize
> Added option Model
> Added option PrintoutMode
> Added option InputSlot
> Added option Duplex
> Added option Quality
> Added option ImageableArea
> Added option PaperDimension
> Added option Font
>
> Parameter Summary
> -
>
> Spooler: lpd
> Printer:
> Shell: /bin/ksh
> PPD file: /etc/foomatic/HPcolor.ppd
> ATTR file:
> Printer model: HP Color LaserJet 4500 hpijs pcl3, 3.10.4.16
> Options: foo.pdf
> Job title: foo.pdf
> File(s) to be printed:
> 
>
> Printing system options:
> Pondering option 'foo.pdf'
> Unknown boolean option "foo.pdf".
> Options from the PPD file:
>
> 
>
> File: 
>
> 
>
> Filetype: PDF
> Process is dying with "Cannot find a writable temp dir.", exit stat 9
> Cleaning up...
> Feb  1 13:46:58 K lpd[24642]: col: filter 'f' exited (retcode=9)
> Feb  1 13:48:01 K lpd[24642]: mail sent to user manuel about job foo.pdf on printer col (FILTERERR)
> Feb  1 13:48:01 K lpd[24642]: col: job could not be printed (cfA007K)
> --8<---cut here---end--->8---
>
> I'm using 4.8 stable with packages. /etc/foomatic/HPcolor.ppd is a copy
> of
> /usr/local/share/foomatic/db/source/PPD/HP/hp-color_laserjet_4500-hpijs-pcl3.ppd.gz
> from the hpijs package.
>
> I've also installed foomatic-filters and my /etc/printcap is:
> --8<---cut here---start->8---
> col|HP Color: \
>         :lp=9100@192.168.0.12:\
>         :af=/etc/foomatic/HPcolor.ppd:\
>         :if=/usr/local/bin/foomatic-rip:\
>         :sd=/var/spool/output:\
>         :lf=/var/log/lpd-errs:\
>         :sh:
> --8<---cut here---end--->8---
>
> Well. Searching the web, this seems to be related to this:
> http://old.nabble.com/foomatic-stops-working-again-td29285534.html#a29287775
> And might be already fixed in -current (I think I should shut up and
> test then).
> --
> Manuel Giraud
>
>

I think this was fixed in current:

http://marc.info/?l=openbsd-ports&m=128893326227486&w=2

http://bzr.linuxfoundation.org/loggerhead/openprinting/foomatic/foomatic-filters/revision/241

Greetings.



Re: protect mailserver using spamd

2011-02-02 Thread OpenBSD Geek
Do you think, that it will solve my mistake ?
Thank you for your replies, everybody.

On Wed, 02 Feb 2011 19:35:47 +0100, pe...@bsdly.net (Peter N. M. Hansteen)
wrote:
> Kevin Chadwick  writes:
> 
>> That's a big part of how it works. You can tune the delay with
>> spamd_flags in /etc/rc.conf.local.
> 
> yes, a box not too far from here has
> 
> spamd_flags="-v -G 2:8:864 -w 1"
> 
> - P



Re: nat static-port option

2011-02-02 Thread patric conant
Comcast has 15.930 million high-speed internet customers.

According to the wikipedia article.

2^24=16,777.216
So they are close.
How about the smartphone market, are they largely being natted?
Or are we likely to see a doubling of the need for IP addresses in the next
couple of years, as non-smart phones die out.

Is IPv4/64 a reference to IPv6, or a plan to make v4's address space bigger,
without changing it significantly otherwise?

On Wed, Feb 2, 2011 at 11:38 AM, VICTOR TARABOLA CORTIANO <
vt...@c3sl.ufpr.br> wrote:

> There would be more IP addresses if some greedy companies didn't
> take a lot of addresses for themselves...



Re: nat static-port option

2011-02-02 Thread Ted Unangst
On Wed, Feb 2, 2011 at 11:23 AM, Martin Schröder  wrote:
> 2011/2/2 Henning Brauer :
>> who sez that your made up isp has to hand out network-wide unique IPs
>> to his customers?
>
> AFAIK Comcast already has >2^24 customers.

And they seem to be doing just fine.  What's the problem again?



Re: protect mailserver using spamd

2011-02-02 Thread Peter N. M. Hansteen
Kevin Chadwick  writes:

> That's a big part of how it works. You can tune the delay with
> spamd_flags in /etc/rc.conf.local.

yes, a box not too far from here has

spamd_flags="-v -G 2:8:864 -w 1"

- P
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: protect mailserver using spamd

2011-02-02 Thread Peter N. M. Hansteen
OpenBSD Geek  writes:

> But when spamd is enabled, mails take a long time(sometimes a day or less)
> to arrive in our box. Sometimes, we don't receive mails.
> Disabled (spamd), all works fine. I don't understand why it doesn't work
> fine, i read spamd(8) man page.

This sounds like you're seeing senders that for one reason or the
other do not play well with greylisting.  Senders that have not
contacted you for a while will see an initial delay anyway (the length
of which is mainly a function of how soon they retry delivery after
the initial '451 temporary local problem' response). The other, more
visible issue is when the sender retries from a different IP address,
and it turns lottery-like in a hurry (sometimes referred to as the
google effect).

> What i have done to enable spamd, perhaps i'm wrong somewhere ...
>
> In pf.conf, i added :
> table  persist
> table  persist file "/etc/mail/nospamd"

If you can't get the other end to set up for proper timely retries,
you will have to populate nospamd with the IP addresses of the
outgoing MXes in the problematic sites (edit the file, reload your PF
config).  I could offer mine for public consumption, but I would need
to sanity check it first for outdated data.

- Peter
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: protect mailserver using spamd

2011-02-02 Thread Kevin Chadwick
On Wed, 02 Feb 2011 21:39:51 +0400
OpenBSD Geek  wrote:

> But when spamd is enabled, mails take a long time(sometimes a day or less)
> to arrive in our box. Sometimes, we don't receive mails.

That's a big part of how it works. You can tune the delay with
spamd_flags in /etc/rc.conf.local.

Some servers like hotmail don't follow the rfcs of four hours retry,
giving up after an hour which is why the default delay is 25 mins.

25 * 2 = >1h and 3rd attempt

Other servers may be even more stupid or keep using different IPs, which
you can whitelist or not care about.
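
Added example (not part of the thread and not spamd's own code): a simplified Python model of the greylisting timers discussed in this thread, comparing the spamd(8) defaults `-G 25:4:864` with the `-G 2:8:864` setting quoted in Peter's reply. Assumptions: entries are keyed on source IP only, "cleared" means the first retry that arrives at least passtime after first contact and before the grey entry expires, and all retry schedules and addresses are constructed.

```python
"""Simplified model of spamd-style greylisting timers (added example)."""
from dataclasses import dataclass

MINUTE, HOUR = 60, 3600


@dataclass(frozen=True)
class GreyParams:
    passtime_min: int  # minimum age of a grey entry before a retry clears it
    greyexp_h: int     # hours before an un-cleared grey entry is dropped
    whiteexp_h: int    # hours a cleared entry stays whitelisted (unused here)

    @classmethod
    def from_flag(cls, value):
        """Parse the passtime:greyexp:whiteexp argument given to -G."""
        parts = value.split(":")
        if len(parts) != 3:
            raise ValueError("expected passtime:greyexp:whiteexp")
        passtime, greyexp, whiteexp = (int(p) for p in parts)
        if min(passtime, greyexp, whiteexp) <= 0:
            raise ValueError("all three timers must be positive")
        return cls(passtime, greyexp, whiteexp)


def time_to_clear(params, attempts):
    """Return the second at which greylisting clears, or None if it never does.

    attempts: list of (seconds since first attempt, source IP), sorted by time.
    """
    first_seen = {}  # source IP -> time its current grey entry was created
    for t, ip in attempts:
        seen = first_seen.get(ip)
        if seen is None or t - seen > params.greyexp_h * HOUR:
            first_seen[ip] = t  # unknown or expired entry: the wait starts over
            continue
        if t - seen >= params.passtime_min * MINUTE:
            return t            # retry is old enough: this address clears
    return None


def scenarios():
    """Constructed retry schedules: (seconds since first attempt, source IP)."""
    pool3 = ["198.51.100.%d" % n for n in range(1, 4)]
    pool5 = ["203.0.113.%d" % n for n in range(1, 6)]
    return {
        "single host, retries at 5/10/20/40 min":
            [(m * MINUTE, "192.0.2.10") for m in (0, 5, 10, 20, 40)],
        "single host, gives up after 20 min":
            [(m * MINUTE, "192.0.2.20") for m in (0, 10, 20)],
        "pool of 3, retry every 15 min":
            [(i * 15 * MINUTE, pool3[i % 3]) for i in range(8)],
        "pool of 5, retry every hour":
            [(i * HOUR, pool5[i % 5]) for i in range(12)],
    }


def compare(flags=("25:4:864", "2:8:864")):
    """Return {scenario: {flag: minutes until cleared, or None}}."""
    result = {}
    for name, attempts in scenarios().items():
        result[name] = {}
        for flag in flags:
            t = time_to_clear(GreyParams.from_flag(flag), attempts)
            result[name][flag] = None if t is None else t // MINUTE
    return result


if __name__ == "__main__":
    for name, row in compare().items():
        print(name)
        for flag, minutes in row.items():
            state = "never clears" if minutes is None else "%d min" % minutes
            print("    -G %-10s %s" % (flag, state))
```

In this model the shorter passtime only helps senders that retry from the same address, while the rotating pools are governed by how soon an address repeats relative to greyexp.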



Routing table growing large, full of IP6 routes I don't recognise

2011-02-02 Thread James Stocks
My OpenBSD 4.6 system (which is on a Soekris net5501) seems to have a large
number of routes in its IP6 routing table.  I don't understand why.  For
example:

--snip--
ff02::1:ff00:115%vr1   link#2   UHc   0   0   -   4   vr1
ff02::1:ff00:116%vr1   link#2   UHc   0   0   -   4   vr1
ff02::1:ff00:117%vr1   link#2   UHc   0   0   -   4   vr1
ff02::1:ff00:118%vr1   link#2   UHc   0   0   -   4   vr1
ff02::1:ff00:119%vr1   link#2   UHc   0   0   -   4   vr1
ff02::1:ff00:11a%vr1   link#2   UHc   0   0   -   4   vr1
ff02::1:ff00:11b%vr1   link#2   UHc   0   0   -   4   vr1
--snip--

Like I say, there are many such entries:

# netstat -nr | grep ff02:: | wc -l
2514

In case it is relevant, I use the IPv6 tunnel broker service at
tunnelbroker.net.  The system has been running with this configuration for
over 400 days and has otherwise been very reliable.

Is this harmful?  Where did these routes come from?

Many thanks,
James.




Re: nat static-port option

2011-02-02 Thread Henning Brauer
* Martin Schröder  [2011-02-02 18:35]:
> 2011/2/2 Henning Brauer :
> > who sez that your made up isp has to hand out network-wide unique IPs
> > to his customers?
> AFAIK Comcast already has >2^24 customers.
> Any major chinese or indian ISP has or will have >2^24 customers.
> Heck, even DTAG will probably have >2^24 devices in their network soon.

so?

> NAT is a band-aid.

ah right, I forgot that you get to decide that.

> So Comcast has to apply more band-aids under their band-aid?
> Can you even imagine the problems a potential Chinese ISP with say
> 2^28 devices will have with v4?
> Do you think this is sane?

at least 2^24 times saner than ipvshit.

> PS: I'm NOT claiming that v6 is the perfect answer.

it's not an answer at all.

i'm outta here, have fun playing with vshit in your sandbox.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting



protect mailserver using spamd

2011-02-02 Thread OpenBSD Geek
Hi,
I use OpenBSD 4.7 Release, with Sendmail MTA.
All works fine, I can send and receive mails on the box.
But when spamd is enabled, mails take a long time (sometimes a day or less)
to arrive in our box. Sometimes, we don't receive mails.
Disabled (spamd), all works fine. I don't understand why it doesn't work
fine, I read spamd(8) man page.

What I have done to enable spamd, perhaps I'm wrong somewhere ...

In pf.conf, I added:
table <spamd-white> persist
table <nospamd> persist file "/etc/mail/nospamd"

pass in on egress proto tcp from any to any port smtp \
    rdr-to 127.0.0.1 port spamd
pass in on egress proto tcp from <nospamd> to any port smtp
pass in on egress proto tcp from <spamd-white> to any port smtp

in my /etc/rc.conf.local :
spamd_flags=""

enable spamd-setup in root crontab

Run spamd : /usr/libexec/spamd

verify : netstat -anf inet | grep LISTEN 
Listen on 8025 and 8026 ports

If someone can help me.
Thank you very much.



Re: equivalent of Linux "mount -o bind"

2011-02-02 Thread Kevin Chadwick
On Wed, 2 Feb 2011 09:13:04 -0800
travis+ml-openbsd-m...@subspacefield.org wrote:

> I have it on fairly good authority that this behavior is
> considered a bug in the Linux kernel

So what's wrong with user rights and what exactly is the use of this
(when this bug is fixed) apart from for confusion especially when adding
lines of possibly buggy code to the kernel?

Strange, in an attempt to answer a question that as far as I can see
no-one asked you've made me ask the question you attempted to answer???




Re: OpenVPN client on OpenBSD

2011-02-02 Thread Emile Sanders
Errr...sorry for the double-post...it's my first time using a mailing list
and I thought my first e-mail wasn't going through so I sent another
one...please ignore the first post...



Re: nat static-port option

2011-02-02 Thread VICTOR TARABOLA CORTIANO
There would be more IP addresses if some greedy companies didn't
take a lot of addresses for themselves...



Re: Predictable network interface numbering

2011-02-02 Thread Adriaan
On Wed, Feb 2, 2011 at 3:00 PM, Jean H. Theoret  wrote:
> This one's got me stumped for a few days now...
>
> How is it possible to control the network interface numbering assignment order?
>
> Here's my specific case: the box has 2 on-board Ethernet interfaces and
> a 3rd one on a PCI-Express card. They come up as:
>
>   re0: PCI-Express card
>   re1: on-board interface #1
>   re2: on-board interface #2
>
> A recent event had disabled the PCI card, and the remaining network
> interfaces ended up being reassigned (upon the next reboot, of course) as:
>
>   re0: on-board interface #1
>   re1: on-board interface #2
>
> Could this have been prevented by forcing network interface assignment
> to on-board interface _first_, then the PCI card? Or is there a way to
> bind network interface assignment to the adapter's MAC address as
> numbering hint?

According to the guy who will bring his Consistent Network Device
Naming to Fedora 15, even numbering based on MAC address has its
weaknesses. See his comment to @not-a-fanboy dated January 26, 2011
at 10:13 am at http://domsch.com/blog/?p=455

It is not an answer to your question, I know ;)



Re: nat static-port option

2011-02-02 Thread Martin Schröder
2011/2/2 Henning Brauer :
> who sez that your made up isp has to hand out network-wide unique IPs
> to his customers?

AFAIK Comcast already has >2^24 customers.
Any major Chinese or Indian ISP has or will have >2^24 customers.
Heck, even DTAG will probably have >2^24 devices in their network soon.

NAT is a band-aid.
So Comcast has to apply more band-aids under their band-aid?
Can you even imagine the problems a potential Chinese ISP with say
2^28 devices will have with v4?
Do you think this is sane?

Best
   Martin

PS: I'm NOT claiming that v6 is the perfect answer.



Re: ipsec packets don't show up at destination enc0 interface

2011-02-02 Thread Paul Suh
That seems to have fixed it, thanks!


--Paul


On Feb 2, 2011, at 5:12 AM, Otto Moerbeek wrote:

> On Wed, Feb 02, 2011 at 03:05:49AM -0500, Paul Suh wrote:
>
>> Folks,
>>
>> I'm running 4.8-stable on one end and 4.5-stable at the other of a
>> site-to-site IPSec VPN tunnel. (I'm trying to make sure that things are
>> working before upgrading the 4.5-stable end.) The tunnel is configured using
>> ipsec.conf and ipsecctl, and the relevant portions of the configs are:
>
> http://www.openbsd.org/faq/upgrade47.html#hmac-sha2
>
>   -Otto
>
>>
>> 4.8 side
>> --
>> ike esp from $internal_subnet \
>>to $outpost_subnet \
>>local $fios_tunnel_host \
>>peer $outpost_tunnel_host
>>
>> 4.5 side
>> --
>> ike passive esp from $local_network to $remote_network peer
>> $remote_gateway_ip
>>
>> The flows and SAs that come up are:
>>
>> 4.8 side
>> --
>> FLOWS:
>> flow esp in from 192.168.140.0/24 to 192.168.137.0/24 peer 64.237.99.79 srcid 71.163.154.173/32 dstid 64.237.99.79/32 type use
>> flow esp out from 192.168.137.0/24 to 192.168.140.0/24 peer 64.237.99.79 srcid 71.163.154.173/32 dstid 64.237.99.79/32 type require
>>
>> SAD:
>> esp tunnel from 71.163.154.173 to 64.237.99.79 spi 0x0b2168ad auth
>> hmac-sha2-256 enc aes
>> esp tunnel from 64.237.99.79 to 71.163.154.173 spi 0x2d0b auth
>> hmac-sha2-256 enc aes
>>
>> 4.5 side
>> --
>> FLOWS:
>> flow esp in from 192.168.137.0/24 to 192.168.140.0/24 peer 71.163.154.173
>> srcid 64.237.99.79/32 dstid 71.163.154.173/32 type use
>> flow esp out from 192.168.140.0/24 to 192.168.137.0/24 peer 71.163.154.173
>> srcid 64.237.99.79/32 dstid 71.163.154.173/32 type require
>>
>> SAD:
>> esp tunnel from 71.163.154.173 to 64.237.99.79 spi 0x0b2168ad auth
>> hmac-sha2-256 enc aes
>> esp tunnel from 64.237.99.79 to 71.163.154.173 spi 0x2d0b auth
>> hmac-sha2-256 enc aes
>>
>> Relevant pf rules are:
>>
>> 4.8 side
>> --
>> pass in quick on sis1 inet proto udp from 64.237.99.79 to 71.163.154.173 port = isakmp keep state
>> pass in quick on sis1 inet proto esp from 64.237.99.79 to 71.163.154.173 keep state
>> pass out quick on sis1 inet proto udp from 71.163.154.173 to 64.237.99.79 port = isakmp keep state
>> pass out quick on sis1 inet proto esp from 71.163.154.173 to 64.237.99.79 keep state
>>
>> 4.5 side
>> --
>> pass log quick on enc0
>> pass in quick on $ext_if proto udp from 71.163.154.173 to 64.237.99.79 port 500
>> pass out quick on $ext_if proto udp from 64.237.99.79 to 71.163.154.173 port 500
>> pass in quick on $ext_if proto udp from 71.163.154.173 to 64.237.99.79 port 4500
>> pass out quick on $ext_if proto udp from 64.237.99.79 to 71.163.154.173 port 4500
>> pass in quick on $ext_if proto esp from 71.163.154.173 to 64.237.99.79
>> pass out quick on $ext_if proto esp from 64.237.99.79 to 71.163.154.173
>>
>>
>> The security associations come up just fine, and I can see packets going into
>> the tunnel at the 4.8 end on enc0, and I can see the packets going out over
>> ESP to the destination, but they never show up on enc0 at the 4.5 end. What's
>> really frustrating is that
>>
>>  a) other tunnels to Sonicwall devices work just fine from the 4.8 side
>>
>>  b) I am upgrading the device that is now 4.8 from a 4.5 installation, and the
>> tunnel worked just fine before.
>>
>> Any ideas on what might be happening or how to further troubleshoot this?
>>
>>
>>
>> --Paul
>>



OpenVPN client on OpenBSD

2011-02-02 Thread Emile Sanders
Has anyone ever gotten OpenVPN to run as a client successfully with a VPN
subscription? OpenBSD seems to be the only OS I can't get OpenVPN up
successfully on for some reason, and I'd like to make it work. So I've
confirmed it's not a server-side issue as I've tested it on other operating
systems as well as other people who are currently using the VPN service
without a problem (except none of them are on OpenBSD).

The issue is that when I connect with OpenVPN, it's apparently "connected",
but I can't seem to ping the gateway, any websites such as Google, nor use
any internet-relying services such as browsing to a website or going on IRC.

I am running OpenBSD 4.8 release, with almost a default install. I've just
got openvpn, scrotwm, firefox, and p7zip pkg_added on top of the
barebones/fresh install.

Here are some logs/configs:

/etc/hostname.tun0
$ cat /etc/hostname.tun0
up
!/usr/local/sbin/openvpn --daemon --config /etc/openvpn/client.ovpn

/* I'd like to mention here that even after rebooting, the tun0 interface
does NOT come up. An ifconfig shows that it is still down, and OpenVPN is
not started up at boottime. I have no idea why /etc/hostname.tun0 isn't
being read. */

OpenVPN client config:
$ cat /etc/client.ovpn
# VPN config
ns-cert-type server
tls-client
pull
verb 3
tls-timeout 6
cipher BF-CBC
keysize 256
pkcs12 cert.dat
keepalive 30 120
hand-window 120
route-delay 2
persist-tun
persist-key
redirect-gateway def1
remote-random
route-metric 2
route-method exe
dev tun0
topology subnet

proto tcp-client
remote [vpn url] 11000
remote [vpn ip] 11000
connect-retry 10


proto udp
remote [vpn url] 11000
remote [vpn ip] 11000


/* The square brackets contain the URL and IP address of the VPN service I
connect to. I filtered them out as to not spam/advertise their service. */

OpenVPN connection log:

$ sudo openvpn --config /etc/openvpn/client.ovpn
Wed Feb  2 10:19:53 2011 OpenVPN 2.1.0 i386-unknown-openbsd4.8 [SSL] [LZO2]
built on Aug 10 2010
Wed Feb  2 10:19:53 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or
higher to call user-defined scripts or executables
Wed Feb  2 10:19:53 2011 WARNING: file 'cert.dat' is group or others
accessible
Wed Feb  2 10:19:53 2011 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0
ET:0 EL:0 ]
Wed Feb  2 10:19:53 2011 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4
ET:0 EL:0 ]
Wed Feb  2 10:19:53 2011 Local Options hash (VER=V4): '91138c76'
Wed Feb  2 10:19:53 2011 Expected Remote Options hash (VER=V4): 'f5a300ca'
Wed Feb  2 10:19:53 2011 Socket Buffers: R=[41600->65536] S=[9216->65536]
Wed Feb  2 10:19:53 2011 UDPv4 link local (bound): [undef]:1194
Wed Feb  2 10:19:53 2011 UDPv4 link remote: [vpn ip]:11000
Wed Feb  2 10:19:53 2011 TLS: Initial packet from [vpn ip]:11000,
sid=a16fdfdd b22d9c39
Wed Feb  2 10:19:54 2011 VERIFY OK: depth=1, /C=US/ST=NY/L=New_York/O=
example.com/CN=example.com_CA/emailAddress=ad...@example.com
Wed Feb  2 10:19:54 2011 VERIFY OK: nsCertType=SERVER
Wed Feb  2 10:19:54 2011 VERIFY OK: depth=0, /C=US/ST=NY/L=New_York/O=
example.com/CN=server/emailAddress=ad...@example.com
Wed Feb  2 10:20:02 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized
with 256 bit key
Wed Feb  2 10:20:02 2011 Data Channel Encrypt: Using 160 bit message hash
'SHA1' for HMAC authentication
Wed Feb  2 10:20:02 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized
with 256 bit key
Wed Feb  2 10:20:02 2011 Data Channel Decrypt: Using 160 bit message hash
'SHA1' for HMAC authentication
Wed Feb  2 10:20:02 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3
DHE-RSA-AES256-SHA, 2048 bit RSA
Wed Feb  2 10:20:02 2011 [server] Peer Connection Initiated with [vpn
ip]:11000
Wed Feb  2 10:20:04 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Feb  2 10:20:04 2011 PUSH: Received control message: 'PUSH_REPLY,route
10.100.2.0 255.255.255.0,redirect-gateway,dhcp-option DNS
10.100.2.1,route-gateway 10.100.2.1,topology subnet,ping 30,ping-restart
120,ifconfig 10.100.2.106 255.255.255.0'
Wed Feb  2 10:20:04 2011 OPTIONS IMPORT: timers and/or timeouts modified
Wed Feb  2 10:20:04 2011 OPTIONS IMPORT: --ifconfig/up options modified
Wed Feb  2 10:20:04 2011 OPTIONS IMPORT: route options modified
Wed Feb  2 10:20:04 2011 OPTIONS IMPORT: route-related options modified
Wed Feb  2 10:20:04 2011 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option
options modified
Wed Feb  2 10:20:04 2011 ROUTE default_gateway=192.168.1.1
Wed Feb  2 10:20:04 2011 /sbin/ifconfig tun0 destroy
Wed Feb  2 10:20:04 2011 /sbin/ifconfig tun0 create
Wed Feb  2 10:20:04 2011 NOTE: Tried to delete pre-existing tun/tap instance
-- No Problem if failure
Wed Feb  2 10:20:04 2011 /sbin/ifconfig tun0 10.100.2.106 netmask
255.255.255.0 mtu 1500 broadcast 10.100.2.255 link0
Wed Feb  2 10:20:04 2011 TUN/TAP device /dev/tun0 opened
Wed Feb  2 10:20:07 2011 /sbin/route add -net [vpn ip] 192.168.1.1 -netmask
255.255.255.255
add net [vpn ip]: gateway 192.168.1.1
Wed Feb  2 10:20:07 2011 /sbin/route add -net 0.0.0.0 10.100.2.1

Re: equivalent of Linux "mount -o bind"

2011-02-02 Thread travis+ml-openbsd-misc
On Fri, Jan 28, 2011 at 03:52:53PM -0800, Travis H. wrote:
> So I'm curious if there's something in OpenBSD that's similar to the
> "mount -o bind /dir1 /dir2" to make dir1 appear where dir2 is.

For those who asked, one sample use is for something like this:

Starting with the 2.4-series Linux kernels, it has been possible to
mount a filesystem simultaneously in two different places. "Aha!" you
might think, as I did. "Then surely we can mount the backups read-only
in /snapshot, and read-write in /root/snapshot at the same time!"

Alas, no. Say your backups are on the partition /dev/hdb1. If you run
the following commands,

mount /dev/hdb1 /root/snapshot
mount --bind -o ro /root/snapshot /snapshot

then (at least as of the 2.4.9 Linux kernel--updated, still present in
the 2.4.20 kernel), mount will report /dev/hdb1 as being mounted
read-write in /root/snapshot and read-only in /snapshot, just as you
requested. Don't let the system mislead you!

In the example above, the second mount call will cause both of the
mounts to become read-only, and the backup process will be unable to
run. Scratch this one.

Update: I have it on fairly good authority that this behavior is
considered a bug in the Linux kernel, which will be fixed as soon as
someone gets around to it. If you are a kernel maintainer and know
more about this issue, or are willing to fix it, I'd love to hear from
you!
--
Effing the ineffable since 1997. | http://www.subspacefield.org/~travis/
My emails do not usually have attachments; it's a digital signature
that your mail program doesn't understand.
If you are a spammer, please email j...@subspacefield.org to get blacklisted.




Re: PF match counter seems to be hitting a limit

2011-02-02 Thread Steve Johnson
Ok, thanks for the tip. I've removed the settings through sysctl, but
unfortunately I still see those alerts being triggered, then mostly resolved
during the next check.

The system seems to have some issues during heavy UDP session bursts (the
monitoring system issues a stream of requests to a couple hundred systems),
yet all system resources seem OK. I have looked at port switches and there
are no Ethernet errors either.

Any other hints or settings I should look at would be very appreciated.

The connections are going through Intel PRO/1000 PT interfaces. Here's the
DMESG, in case.

Thanks again.



OpenBSD 4.8 (GENERIC.MP) #335: Mon Aug 16 09:09:20 MDT 2010
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 3483697152 (3322MB)
avail mem = 3377143808 (3220MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.5 @ 0xcfb9c000 (66 entries)
bios0: vendor Dell Inc. version "2.2.6" date 02/05/2008
bios0: Dell Inc. PowerEdge 1950
acpi0 at bios0: rev 2
acpi0: sleep states S0 S4 S5
acpi0: tables DSDT FACP APIC SPCR HPET MCFG WD__ SLIC ERST HEST BERT EINJ
TCPA
acpi0: wakeup devices PCI0(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E5405 @ 2.00GHz, 1995.29 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,NXE,LONG
cpu0: 6MB 64b/line 16-way L2 cache
cpu0: apic clock running at 332MHz
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Xeon(R) CPU E5405 @ 2.00GHz, 1995.02 MHz
cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,NXE,LONG
cpu1: 6MB 64b/line 16-way L2 cache
cpu2 at mainbus0: apid 1 (application processor)
cpu2: Intel(R) Xeon(R) CPU E5405 @ 2.00GHz, 1995.02 MHz
cpu2:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,NXE,LONG
cpu2: 6MB 64b/line 16-way L2 cache
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Xeon(R) CPU E5405 @ 2.00GHz, 1995.02 MHz
cpu3:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,NXE,LONG
cpu3: 6MB 64b/line 16-way L2 cache
ioapic0 at mainbus0: apid 4 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 4
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 4 (PEX2)
acpiprt2 at acpi0: bus 5 (UPST)
acpiprt3 at acpi0: bus 6 (DWN1)
acpiprt4 at acpi0: bus 8 (DWN2)
acpiprt5 at acpi0: bus 1 (PEX3)
acpiprt6 at acpi0: bus -1 (PE2P)
acpiprt7 at acpi0: bus 10 (PEX4)
acpiprt8 at acpi0: bus 12 (PEX6)
acpiprt9 at acpi0: bus 2 (SBEX)
acpiprt10 at acpi0: bus 14 (COMP)
acpicpu0 at acpi0: C3
acpicpu1 at acpi0: C3
acpicpu2 at acpi0: C3
acpicpu3 at acpi0: C3
ipmi at mainbus0 not configured
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 5000X Host" rev 0x12
ppb0 at pci0 dev 2 function 0 "Intel 5000 PCIE" rev 0x12
pci1 at ppb0 bus 4
ppb1 at pci1 dev 0 function 0 "Intel 6321ESB PCIE" rev 0x01
pci2 at ppb1 bus 5
ppb2 at pci2 dev 0 function 0 "Intel 6321ESB PCIE" rev 0x01
pci3 at ppb2 bus 6
ppb3 at pci3 dev 0 function 0 "ServerWorks PCIE-PCIX" rev 0xc3
pci4 at ppb3 bus 7
bnx0 at pci4 dev 0 function 0 "Broadcom BCM5708" rev 0x12: apic 4 int 16
(irq 6)
ppb4 at pci2 dev 1 function 0 "Intel 6321ESB PCIE" rev 0x01
pci5 at ppb4 bus 8
ppb5 at pci1 dev 0 function 3 "Intel 6321ESB PCIE-PCIX" rev 0x01
pci6 at ppb5 bus 9
ppb6 at pci0 dev 3 function 0 "Intel 5000 PCIE" rev 0x12
pci7 at ppb6 bus 1
mfi0 at pci7 dev 0 function 0 "Symbios Logic SAS1078" rev 0x04: apic 4 int
16 (irq 6), Dell PERC 6/i integrated
mfi0: logical drives 1, version 6.0.2-0002, 256MB RAM
scsibus0 at mfi0: 1 targets
sd0 at scsibus0 targ 0 lun 0:  SCSI3 0/direct fixed
sd0: 69376MB, 512 bytes/sec, 142082048 sec total
ppb7 at pci0 dev 4 function 0 "Intel 5000 PCIE x8" rev 0x12: apic 4 int 16
(irq 0)
pci8 at ppb7 bus 10
em0 at pci8 dev 0 function 0 "Intel PRO/1000 PT (82571EB)" rev 0x06: apic 4
int 16 (irq 6), address 00:15:17:19:96:98
em1 at pci8 dev 0 function 1 "Intel PRO/1000 PT (82571EB)" rev 0x06: apic 4
int 17 (irq 5), address 00:15:17:19:96:99
ppb8 at pci0 dev 5 function 0 "Intel 5000 PCIE" rev 0x12
pci9 at ppb8 bus 11
ppb9 at pci0 dev 6 function 0 "Intel 5000 PCIE x8" rev 0x12: apic 4 int 16
(irq 0)
pci10 at ppb9 bus 12
em2 at pci10 dev 0 function 0 "Intel PRO/1000 PT (82571EB)" rev 0x06: apic 4
int 16 (irq 6), address 00:15:17:19:95:84
em3 at pci10 dev 0 function 1 "Intel PRO/1000 PT (82571EB)" rev 0x06: apic 4
int 17 (irq 5), address 00:15:17:19:95:85
ppb10 at pci

OpenVPN client on OpenBSD

2011-02-02 Thread crazy
Has anyone been able to successfully use OpenVPN on OpenBSD with a 
VPN service? For some reason OpenBSD is the only OS I can't get my 
VPN subscription working on and I'd like to make it work.

I am running OpenBSD 4.8-release, on an almost-fresh install. I 
only pkg_added openvpn, firefox, scrotwm, and p7zip.

I have my client.ovpn and cert.dat in my /etc/openvpn directory.

Contents of /etc/hostname.tun0 :

up
!/usr/local/sbin/openvpn --daemon --config /etc/openvpn/client.ovpn

Contents of /etc/openvpn/client.ovpn :

# VPN config
ns-cert-type server
tls-client
pull
verb 3
tls-timeout 6
cipher BF-CBC
keysize 256
pkcs12 cert.dat
keepalive 30 120
hand-window 120
route-delay 2
persist-tun
persist-key
redirect-gateway def1
remote-random
route-metric 2
route-method exe
dev tun0
topology subnet

proto tcp-client
remote [vpn url] 11000
remote [vpn ip] 11000
connect-retry 10


proto udp
remote [vpn url] 11000
remote [vpn ip] 11000


The information within square brackets I removed as to not 
advertise the service.

Logs of connecting to VPN:

$ sudo openvpn --config client.ovpn 
Password:
Wed Feb  2 10:14:39 2011 OpenVPN 2.1.0 i386-unknown-openbsd4.8 
[SSL] [LZO2] built on Aug 10 2010
Wed Feb  2 10:14:39 2011 NOTE: OpenVPN 2.1 requires '--script-
security 2' or higher to call user-defined scripts or executables
Wed Feb  2 10:14:39 2011 WARNING: file 'cert.dat' is group or 
others accessible
Wed Feb  2 10:14:39 2011 Control Channel MTU parms [ L:1543 D:140 
EF:40 EB:0 ET:0 EL:0 ]
Wed Feb  2 10:14:39 2011 Data Channel MTU parms [ L:1543 D:1450 
EF:43 EB:4 ET:0 EL:0 ]
Wed Feb  2 10:14:39 2011 Local Options hash (VER=V4): 'bf6006bf'
Wed Feb  2 10:14:39 2011 Expected Remote Options hash (VER=V4): 
'3ce6ab7f'
Wed Feb  2 10:14:39 2011 Attempting to establish TCP connection 
with [vpn ip]:11000 [nonblock]
Wed Feb  2 10:14:40 2011 TCP connection established with [vpn 
ip]:11000
Wed Feb  2 10:14:40 2011 Socket Buffers: R=[16384->65536] S=[16384-
>65536]
Wed Feb  2 10:14:40 2011 TCPv4_CLIENT link local: [undef]
Wed Feb  2 10:14:40 2011 TCPv4_CLIENT link remote: [vpn ip]:11000
Wed Feb  2 10:14:40 2011 TLS: Initial packet from [vpn ip]:11000, 
sid=8683dadf 709ff51b
Wed Feb  2 10:14:42 2011 VERIFY OK: depth=1, 
/C=US/ST=NY/L=New_York/O=example.com/CN=example.com_CA/emailAddress=
ad...@example.com
Wed Feb  2 10:14:42 2011 VERIFY OK: nsCertType=SERVER
Wed Feb  2 10:14:42 2011 VERIFY OK: depth=0, 
/C=US/ST=NY/L=New_York/O=example.com/CN=server/emailAddress=admin@ex
ample.com
Wed Feb  2 10:14:46 2011 Data Channel Encrypt: Cipher 'BF-CBC' 
initialized with 256 bit key
Wed Feb  2 10:14:46 2011 Data Channel Encrypt: Using 160 bit 
message hash 'SHA1' for HMAC authentication
Wed Feb  2 10:14:46 2011 Data Channel Decrypt: Cipher 'BF-CBC' 
initialized with 256 bit key
Wed Feb  2 10:14:46 2011 Data Channel Decrypt: Using 160 bit 
message hash 'SHA1' for HMAC authentication
Wed Feb  2 10:14:46 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 
DHE-RSA-AES256-SHA, 2048 bit RSA
Wed Feb  2 10:14:46 2011 [server] Peer Connection Initiated with 
[vpn ip]:11000
Wed Feb  2 10:14:49 2011 SENT CONTROL [server]: 'PUSH_REQUEST' 
(status=1)
Wed Feb  2 10:14:49 2011 PUSH: Received control message: 
'PUSH_REPLY,route 10.100.1.0 255.255.255.0,redirect-gateway,dhcp-
option DNS 10.100.1.1,route-gateway 10.100.1.1,topology subnet,ping 
120,ping-restart 360,socket-flags TCP_NODELAY,ifconfig 10.100.1.112 
255.255.255.0'
Wed Feb  2 10:14:49 2011 OPTIONS IMPORT: timers and/or timeouts 
modified
Wed Feb  2 10:14:49 2011 OPTIONS IMPORT: --socket-flags option 
modified
Wed Feb  2 10:14:49 2011 NOTE: setsockopt TCP_NODELAY=1 failed (No 
kernel support)
Wed Feb  2 10:14:49 2011 OPTIONS IMPORT: --ifconfig/up options 
modified
Wed Feb  2 10:14:49 2011 OPTIONS IMPORT: route options modified
Wed Feb  2 10:14:49 2011 OPTIONS IMPORT: route-related options 
modified
Wed Feb  2 10:14:49 2011 OPTIONS IMPORT: --ip-win32 and/or --dhcp-
option options modified
Wed Feb  2 10:14:49 2011 ROUTE default_gateway=192.168.1.1
Wed Feb  2 10:14:49 2011 /sbin/ifconfig tun0 destroy
Wed Feb  2 10:14:49 2011 /sbin/ifconfig tun0 create
Wed Feb  2 10:14:49 2011 NOTE: Tried to delete pre-existing tun/tap 
instance -- No Problem if failure
Wed Feb  2 10:14:49 2011 /sbin/ifconfig tun0 10.100.1.112 netmask 
255.255.255.0 mtu 1500 broadcast 10.100.1.255 link0
Wed Feb  2 10:14:49 2011 TUN/TAP device /dev/tun0 opened
Wed Feb  2 10:14:51 2011 /sbin/route add -net [vpn ip] 192.168.1.1 -
netmask 255.255.255.255
add net [vpn ip]: gateway 192.168.1.1
Wed Feb  2 10:14:51 2011 /sbin/route add -net 0.0.0.0 10.100.1.1 -
netmask 128.0.0.0
add net 0.0.0.0: gateway 10.100.1.1
Wed Feb  2 10:14:51 2011 /sbin/route add -net 128.0.0.0 10.100.1.1 -
netmask 128.0.0.0
add net 128.0.0.0: gateway 10.100.1.1
Wed Feb  2 10:14:51 2011 /sbin/route add -net 10.100.1.0 10.100.1.1 
-netmask 255.255.255.0
add net 10.100.1.0: gateway 10.100.1.1
Wed Feb  2 10:14:51 2011 Initialization Sequence Completed

ifconfig while I left the 

Re: nat static-port option

2011-02-02 Thread Henning Brauer
* Martin Schröder  [2011-02-02 16:45]:
> 2011/2/2 Henning Brauer :
> > * Martin Schröder  [2011-02-02 15:06]:
> >> Unless you are an ISP with more than 2^24 customers.
> > you are talking bullshit. there is oh so much v4 space allocated that
> Currently an ISP with more than 2^24 customers can't NAT them all
> (as 10/8 has only 2^24 addresses) or has to allocate more than one
> /8 for his customers, which makes routing etc. more difficult.

you are talking bullshit, still.

who sez that your made up isp has to hand out network-wide unique IPs
to his customers?

why do i even waste time on some ipvshit advocate that acts like a
politician claiming we have to eat shit because there wouldn't be an
alternative, making up a case out of nothing to "prove" his case?

> > as if one incompetent isp mattered.
> I'm sure most Chinese and Indian ISPs will agree.

you sure know what you're talking about, that's obvious.


look at the oh so bright future yourself, look at the code required to
deal with that misdesigned piece of shit.
did i just say "designed"? sorry. it's obvious that nothing remotely
related to design was involved.

u_int8_t
mask2prefixlen(in_addr_t ina)
{
	if (ina == 0)
		return (0);
	else
		return (33 - ffs(ntohl(ina)));
}

u_int8_t
mask2prefixlen6(struct sockaddr_in6 *sa_in6)
{
	u_int8_t l = 0, *ap, *ep;

	/*
	 * sin6_len is the size of the sockaddr so substract the offset of
	 * the possibly truncated sin6_addr struct.
	 */
	ap = (u_int8_t *)&sa_in6->sin6_addr;
	ep = (u_int8_t *)sa_in6 + sa_in6->sin6_len;
	for (; ap < ep; ap++) {
		/* this "beauty" is adopted from sbin/route/show.c ... */
		switch (*ap) {
		case 0xff:
			l += 8;
			break;
		case 0xfe:
			l += 7;
			return (l);
		case 0xfc:
			l += 6;
			return (l);
		case 0xf8:
			l += 5;
			return (l);
		case 0xf0:
			l += 4;
			return (l);
		case 0xe0:
			l += 3;
			return (l);
		case 0xc0:
			l += 2;
			return (l);
		case 0x80:
			l += 1;
			return (l);
		case 0x00:
			return (l);
		default:
			fatalx("non continguous inet6 netmask");
		}
	}

	return (l);
}


-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting



Re: nat static-port option

2011-02-02 Thread Martin Schröder
2011/2/2 Henning Brauer :
> * Martin Schröder  [2011-02-02 15:06]:
>> Unless you are an ISP with more than 2^24 customers.
>
> you are talking bullshit. there is oh so much v4 space allocated that

Currently an ISP with more than 2^24 customers can't NAT them all
(as 10/8 has only 2^24 addresses) or has to allocate more than one
/8 for his customers, which makes routing etc. more difficult.

> as if one incompetent isp mattered.

I'm sure most Chinese and Indian ISPs will agree.

Best
   Martin



Re: nat static-port option

2011-02-02 Thread Henning Brauer
* Martin Schröder  [2011-02-02 15:06]:
> 2011/2/2 Henning Brauer :
> > there is no ipv4 shortage. there is a reclaiming issue.
> Unless you are an ISP with more than 2^24 customers.

you are talking bullshit. there is oh so much v4 space allocated that
isn't used. and gobs of space that was allocated but isn't being used
in a meaningful way. reclaiming that space gives us dozens of years
and the chance to design something that isn't such a pile of poo as
ipvshit.

> > all hail ipv4/64, while at it.
> Comcast will disagree. :-)

as if one incompetent isp mattered.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting



Re: nat static-port option

2011-02-02 Thread Martin Schröder
2011/2/2 Henning Brauer :
> there is no ipv4 shortage. there is a reclaiming issue.

Unless you are an ISP with more than 2^24 customers.

> all hail ipv4/64, while at it.

Comcast will disagree. :-)

Best
   Martin



Predictable network interface numbering

2011-02-02 Thread Jean H. Theoret
This one's got me stumped for a few days now...

How is it possible to control the network interface numbering assignment order?

Here's my specific case: the box has 2 on-board Ethernet interfaces and
a 3rd one on a PCI-Express card. They come up as:

   re0: PCI-Express card
   re1: on-board interface #1
   re2: on-board interface #2

A recent event had disabled the PCI card, and the remaining network
interfaces ended up being reassigned (upon the next reboot, of course) as:

   re0: on-board interface #1
   re1: on-board interface #2

Could this have been prevented by forcing network interface assignment
to on-board interface _first_, then the PCI card? Or is there a way to
bind network interface assignment to the adapter's MAC address as
numbering hint?

-- 
JHT



Re: Printing (well anything) using lpd...

2011-02-02 Thread Manuel Giraud
Jacob Meuser  writes:

> On Tue, Feb 01, 2011 at 03:59:02PM +0100, Manuel Giraud wrote:
>> Jacob Meuser  writes:
>> 
>> > foomatic is pretty easy to set up.
>> 
>> Thread hijacker here. I tried to setup a lpd/foomatic for a printer over
>> network and always end-up with this kind of message in
>> /var/log/lpd-errs:
>
>> Well. Searching the web, this seems to be related to this:
>> http://old.nabble.com/foomatic-stops-working-again-td29285534.html#a29287775
>> And might be already fixed in -current (i think i should shut up and
>> test then).
>
> as we're now at 4.9-beta, it's definitely a good time to be testing
> -current.

FWIW it works like a charm with a snapshot and a recent hpijs,
foomatic-filters.

-- 
Manuel Giraud



Re: PF match counter seems to be hitting a limit

2011-02-02 Thread Henning Brauer
sigh.

remove this bullshit and start over.

* Steve Johnson  [2011-02-01 22:38]:
> Ok, thanks for the tips. I did not have any ifq drops, but have still just
> increased the net.inet.icmp.errppslimit to 1 (from the 1000 that was
> before and shown below) and will see if that helps anything. Thanks also for
> the clarification on the match counter.
> 
> I had forgotten to also include the sysctl changes that I had made as well,
> mostly based from calomel.org, which were the following:
> 
> kern.maxclusters=128000
> net.inet.icmp.errppslimit=1000
> net.inet.ip.ifq.maxlen=1536
> net.inet.ip.mtudisc=0
> net.inet.ip.ttl=254
> net.inet.ipcomp.enable=1
> net.inet.tcp.ackonpush=1
> net.inet.tcp.ecn=1
> net.inet.tcp.mssdflt=1472
> net.inet.tcp.recvspace=262144
> net.inet.tcp.rfc1323=1
> net.inet.tcp.rfc3390=1
> net.inet.tcp.sack=1
> net.inet.tcp.sendspace=262144
> net.inet.udp.recvspace=262144
> net.inet.udp.sendspace=262144
> vm.swapencrypt.enable=1
> 
> On Tue, Feb 1, 2011 at 3:15 PM, Henning Brauer wrote:
> 
> > * Steve Johnson  [2011-02-01 20:35]:
> > > I currently have a system that has no match rule in the ruleset, but that
> > > uses tables for a big chunk of the traffic, including our monitoring station
> > > that has a pretty high SNMP request rate. That system has a state table that
> > > usually stabilizes between 15-20K sessions, with a session search rate of
> > > around 10K. The states limit has been raised to 10 and the frags to
> > > 1, but all other limits are set to default values.
> >
> > you can increase that much more. the times where kmem was a very
> > scarce resource are long over.
> >
> > > However, the "match"
> > > counter always states a rate between 199/200 per second.
> >
> > the counter has nothing to do with match rules. it is increased any
> > time a rule matches, regardless of the type.
> >
> > >  During some heavy
> > > traffic period, we are getting some failures from the monitoring system and
> > > the only thing that seems possibly out of health for the system is the match
> > > counter rate. System processor and memory are fine and there is no other
> > > noticeable impact, but clearly the monitoring tool is seeing an impact, as
> > > it didn't reflect something this behavior before we implemented the PF
> > > systems.
> >
> > you might hit some other limit, not necessarily pf. start with
> > checking sysctl net.inet.ifq - in particular drops, and increase
> > maxlen if you see it increasing.
> > depending on how you monitor you might also run into the icmp err rate
> > limit, play with the net.inet.icmp.errppslimit sysctl.
> >
> > --
> > Henning Brauer, h...@bsws.de, henn...@openbsd.org
> > BS Web Services, http://bsws.de
> > Full-Service ISP - Secure Hosting, Mail and DNS Services
> > Dedicated Servers, Rootservers, Application Hosting
> 

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting



Re: nat static-port option

2011-02-02 Thread Henning Brauer
* Ted Unangst  [2011-02-02 01:52]:
> On Tue, Feb 1, 2011 at 5:07 PM, Martin Schröder  wrote:
> > So what will you tell your customers 2012 when you can't get ipv4 for them?
> The same thing he told them in 2008.

exactly. "i have enough ipv4 for a long while".

there is no ipv4 shortage. there is a reclaiming issue.

all hail ipv4/64, while at it.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting



PROMO TV -AUDIO VIDEO -GAMING CONSOLE 02 02 11

2011-02-02 Thread MARIANO DELLA MONICA
TV   AUDIO VIDEO

TV SAMSUNG 22  P2270HD      176,00 VAT INCLUDED
                            172,00 VAT INCLUDED (MIN. 30 PCS)
                            168,00 VAT INCLUDED (MIN. 100 PCS)

TV SAMSUNG 32  32C350       287,50 VAT INCLUDED
                            285,00 VAT INCLUDED (MIN. 30 PCS)
                            281,00 VAT INCLUDED (MIN. 100 PCS)

LG 22 M227WDP-PC            138.33 + VAT
                            135.83 + VAT (MIN. 50 PCS)

GAMING CONSOLE

KINECT ADVENTURES FOR XBOX  128,00 VAT INCLUDED
                            126,00 VAT INCLUDED (MIN. 30 PCS)
                            124,00 VAT INCLUDED (MIN. 100 PCS)

NINTENDO DSI (4 COLOURS)    128,00 VAT INCLUDED
                            126,00 VAT INCLUDED (MIN. 10 PCS)

NINTENDO DSI XL (YELLOW, BLUE, GREEN)   135,00 + VAT
                                        130,00 + VAT (MIN. 50 PCS)

below cost!!!

NINTENDO DSI                122,00 VAT INCLUDED (MIN. 100 PCS)

(Extra discounts for quantity)

OFFER VALID WHILE STOCKS LAST. PRICES MAY CHANGE WITHOUT NOTICE

- WIDE RANGE OF GAMING ACCESSORIES AVAILABLE FOR SONY/NINTENDO/MICROSOFT
- WIDE RANGE OF TV ACCESSORIES AND AUDIO/VIDEO CABLES AVAILABLE
- WIDE RANGE OF NOTEBOOK/NETBOOK ACCESSORIES AVAILABLE

OTHER CATEGORIES:

- TELEPHONY...MOBILE PHONES-SAT NAVS-MP
- DIGITAL PHOTO FRAMES
- CONSUMABLES
- DIGITAL MEMORY: PEN DRIVE/SD...
- CASES
- PRINTERS/MULTIFUNCTION/MONITORS
- CARTRIDGES & TONER
- A4 PAPER REAMS & PHOTO PAPER
- UNINTERRUPTIBLE POWER SUPPLIES
- VIDEO SURVEILLANCE
- CONTROL MONEY
- NOTEBOOK/NETBOOK SPARE PARTS
- ANTIVIRUS

PRODUCTS ...AGFAPHOTO

PERSONAL COMPUTER ACCESSORIES

- IPOD MP3/4 ACCESSORIES
- NOTEBOOK/NETBOOK ACCESSORIES
- TV ACCESSORIES - OFFICE ACCESSORIES
- USB ACCESSORIES
- POWER SUPPLIES
- AUDIO/SPEAKER
- BAGS
- BLUETOOTH
- CARD READER/WRITERS
- PC TROLLEYS
- CASES
- RACK DRAWERS
- AUDIO/VIDEO CABLES - COMPUTER CABLES - RJ45 NETWORK CABLES - TELEPHONE CABLES
- EXPRESS CARD  PCMCI
- EXTERNAL ENCLOSURES
- GAMING
- USB HUBS
- MOUNTING FRAME
- MICE
- POWER STRIPS
- NETWORKING
- PCI/PCI E CARDS
- SWITCHES
- MOUSE PADS
- KEYBOARDS
- COOLING FANS
- WEBCAM

FOR INFO AND ORDER CONFIRMATIONS

Mariano Della Monica cell.: +39 392 5004800

mail1:mariano.dellamon...@tin.it
mail2:vend...@marianodellamonica.it

web:
www.marianodellamonica.it

 Kind regards

OFFER VALID WHILE STOCKS LAST. PRICES MAY CHANGE WITHOUT NOTICE

I REMAIN AT YOUR DISPOSAL FOR ANY CLARIFICATION AND, IN THE MEANTIME, PLEASE
ACCEPT MY BEST REGARDS

Do not hesitate to contact me for personalised quotations.

Have a good day and good work.

Best Regards
Mariano Della Monica

Sales Agent

cell.: +39 392 50048 00
mariano.dellamon...@tin.it

The information contained in this message is private and confidential. Its
use is permitted exclusively to the recipient of the message, for the
purposes indicated in the message itself. Should you not be the person for
whom this message is intended, we invite you to delete it from your system
and destroy any copies or printouts, kindly notifying us. Any improper use
is contrary to the principles of D.lgs 196/03 and European legislation
(Directive 2002/58/CE). We also inform you that the processing of the data
of subscribers to the newsletter service complies with the provisions of
the Code on the protection of personal data (Legislative Decree of 30 June
2003, no. 196).operates in compliance with D.lgs 196/2003 and European
legislation.

 The e-mail addresses in the archive reached our mailbox directly or were
extracted from public-domain lists. It is sufficient to send a message



antispoof quick for self

2011-02-02 Thread Harald Dunkel
Hi folks,

If I add "antispoof quick for self" to my pf.conf to enable
antispoofing on all interfaces, then I get these additional
rules:

block drop in quick on ! self inet from <__automatic_3df3184e_0> to any
block drop in quick on ! self inet6 from ::1 to any
block drop in quick inet6 from ::1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick on em0 inet6 from fe80::260:e0ff:fe4b:d2ec to any
block drop in quick on em1 inet6 from fe80::260:e0ff:fe4b:d2ed to any
block drop in quick on em5 inet6 from fe80::260:e0ff:fe4b:d2f1 to any
block drop in quick on em6 inet6 from fe80::260:e0ff:fe4b:d2f2 to any
block drop in quick on carp0 inet6 from fe80::200:5eff:fe00:10a to any
block drop in quick on carp1 inet6 from fe80::200:5eff:fe00:107 to any
block drop in quick on carp5 inet6 from fe80::200:5eff:fe00:111 to any
block drop in quick inet from <__automatic_3df3184e_1> to any

The automatic tables contain the local networks and the local
IP addresses, including carp interfaces.

I am not sure about the "on ! self". Ain't this a contradiction
in terms?

Sorry for asking, but "self" is just very briefly described on
pf.conf(5). Any helpful comment would be highly appreciated.


Regards

Harri



Re: pf rules for Load Balance Incoming Connections for webservers

2011-02-02 Thread Indunil Jayasooriya
> But, it always directs to one particular ip address. How to see load
> balancing?
>
> today,  I myself learnt it from the below url
>

http://www.openbsd.org/faq/pf/pools.html#incoming

match in on $ext_if proto tcp to port 80 rdr-to $web_servers \
    round-robin sticky-address

Successive connections will be redirected to the web servers in a
round-robin manner with connections from the same source being sent to the
same web server. This "sticky connection" will exist as long as there are
states that refer to this connection. Once the states expire, so will the
sticky connection. Further connections from that host will be redirected to
the next web server in the round robin.

If I removed sticky-address from the above rule, it will load balance in a
one-by-one manner.

Thank you all for your wonderful support.



-- 
> Thank you
> Indunil Jayasooriya
>
>


-- 
Thank you
Indunil Jayasooriya
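
The behaviour described in the post above, as an added example that is not part of the original message and is not pf code: a toy Python model of `rdr-to $web_servers round-robin` with and without `sticky-address`, showing why a test from a single source always lands on one server. The class, the pool addresses and the client addresses are constructed for illustration.

```python
# Added illustration, not pf source: a toy model of
# "rdr-to $web_servers round-robin [sticky-address]" as the FAQ text describes it.

class RdrPool:
    def __init__(self, servers, sticky_address=False):
        self.servers = list(servers)
        self.sticky_address = sticky_address
        self.cursor = 0          # round-robin position in the pool
        self.sticky = {}         # source IP -> server it is pinned to
        self.live_states = {}    # source IP -> number of unexpired states

    def _next_server(self):
        server = self.servers[self.cursor % len(self.servers)]
        self.cursor += 1
        return server

    def connect(self, src):
        """Redirect one new connection from src and create a state for it."""
        if self.sticky_address and src in self.sticky:
            server = self.sticky[src]
        else:
            server = self._next_server()
            if self.sticky_address:
                self.sticky[src] = server
        self.live_states[src] = self.live_states.get(src, 0) + 1
        return server

    def expire_state(self, src):
        """One state of src times out; with the last one the pinning goes too."""
        self.live_states[src] -= 1
        if self.live_states[src] == 0:
            del self.live_states[src]
            self.sticky.pop(src, None)


WEB_SERVERS = ["10.0.0.10", "10.0.0.11", "10.0.0.12"]   # constructed pool
CLIENT_A, CLIENT_B = "198.51.100.7", "203.0.113.9"      # constructed sources


def single_client_test(sticky_address, connections=6):
    """What a tester sees when every connection comes from the same source."""
    pool = RdrPool(WEB_SERVERS, sticky_address)
    return [pool.connect(CLIENT_A) for _ in range(connections)]


def sticky_expiry_walkthrough():
    pool = RdrPool(WEB_SERVERS, sticky_address=True)
    first = [pool.connect(CLIENT_A) for _ in range(2)]   # pinned to one server
    other = pool.connect(CLIENT_B)                        # next server in rotation
    pool.expire_state(CLIENT_A)
    still_pinned = pool.connect(CLIENT_A)                 # a state remains: same server
    pool.expire_state(CLIENT_A)
    pool.expire_state(CLIENT_A)
    after_expiry = pool.connect(CLIENT_A)                 # pinning gone: rotation resumes
    return first, other, still_pinned, after_expiry


if __name__ == "__main__":
    print("no sticky-address:", single_client_test(False))
    print("sticky-address:   ", single_client_test(True))
    print("expiry walkthrough:", sticky_expiry_walkthrough())
```

To see the balancing on a real setup, test from several source addresses or let the states expire between connections.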



Re: ipsec packets don't show up at destination enc0 interface

2011-02-02 Thread Otto Moerbeek
On Wed, Feb 02, 2011 at 03:05:49AM -0500, Paul Suh wrote:

> Folks,
> 
> I'm running 4.8-stable on one end and 4.5-stable at the other of a
> site-to-site IPSec VPN tunnel. (I'm trying to make sure that things are
> working before upgrading the 4.5-stable end.) The tunnel is configured using
> ipsec.conf and ipsecctl, and the relevant portions of the configs are:

http://www.openbsd.org/faq/upgrade47.html#hmac-sha2

-Otto

> 
> 4.8 side
> --
> ike esp from $internal_subnet \
>     to $outpost_subnet \
>     local $fios_tunnel_host \
>     peer $outpost_tunnel_host
>
> 4.5 side
> --
> ike passive esp from $local_network to $remote_network peer $remote_gateway_ip
>
> The flows and SAs that come up are:
>
> 4.8 side
> --
> FLOWS:
> flow esp in from 192.168.140.0/24 to 192.168.137.0/24 peer 64.237.99.79 srcid 71.163.154.173/32 dstid 64.237.99.79/32 type use
> flow esp out from 192.168.137.0/24 to 192.168.140.0/24 peer 64.237.99.79 srcid 71.163.154.173/32 dstid 64.237.99.79/32 type require
>
> SAD:
> esp tunnel from 71.163.154.173 to 64.237.99.79 spi 0x0b2168ad auth hmac-sha2-256 enc aes
> esp tunnel from 64.237.99.79 to 71.163.154.173 spi 0x2d0b auth hmac-sha2-256 enc aes
>
> 4.5 side
> --
> FLOWS:
> flow esp in from 192.168.137.0/24 to 192.168.140.0/24 peer 71.163.154.173 srcid 64.237.99.79/32 dstid 71.163.154.173/32 type use
> flow esp out from 192.168.140.0/24 to 192.168.137.0/24 peer 71.163.154.173 srcid 64.237.99.79/32 dstid 71.163.154.173/32 type require
>
> SAD:
> esp tunnel from 71.163.154.173 to 64.237.99.79 spi 0x0b2168ad auth hmac-sha2-256 enc aes
> esp tunnel from 64.237.99.79 to 71.163.154.173 spi 0x2d0b auth hmac-sha2-256 enc aes
>
> Relevant pf rules are:
>
> 4.8 side
> --
> pass in quick on sis1 inet proto udp from 64.237.99.79 to 71.163.154.173 port = isakmp keep state
> pass in quick on sis1 inet proto esp from 64.237.99.79 to 71.163.154.173 keep state
> pass out quick on sis1 inet proto udp from 71.163.154.173 to 64.237.99.79 port = isakmp keep state
> pass out quick on sis1 inet proto esp from 71.163.154.173 to 64.237.99.79 keep state
>
> 4.5 side
> --
> pass log quick on enc0
> pass in quick on $ext_if proto udp from 71.163.154.173 to 64.237.99.79 port 500
> pass out quick on $ext_if proto udp from 64.237.99.79 to 71.163.154.173 port 500
> pass in quick on $ext_if proto udp from 71.163.154.173 to 64.237.99.79 port 4500
> pass out quick on $ext_if proto udp from 64.237.99.79 to 71.163.154.173 port 4500
> pass in quick on $ext_if proto esp from 71.163.154.173 to 64.237.99.79
> pass out quick on $ext_if proto esp from 64.237.99.79 to 71.163.154.173
> 
> 
> The security associations come up just fine, and I can see packets going into
> the tunnel at the 4.8 end on enc0, and I can see the packets going out over
> ESP to the destination, but they never show up on enc0 at the 4.5 end. What's
> really frustrating is that
> 
>   a) other tunnels to Sonicwall devices work just fine from the 4.8 side
> 
>   b) I am upgrading the device that is now 4.8 from a 4.5 installation,
>   and the tunnel worked just fine before.
> 
> Any ideas on what might be happening or how to further troubleshoot this?
> 
> 
> 
> --Paul
> 
> [demime 1.01d removed an attachment of type application/pkcs7-signature which 
> had a name of smime.p7s]
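
An added illustration, not part of either post and not OpenBSD code: it assumes the linked upgrade47 note concerns the HMAC-SHA2 ICV truncation length (96 bits on releases before 4.7, the 128 bits of RFC 4868 from 4.7 on). Both ends then list the same `hmac-sha2-256` transform and the SAs come up, yet the receiver fails to authenticate every ESP packet, so nothing reaches enc0. The key and packet body are constructed; the SPI is the one shown in the SAD listing.

```python
import hashlib
import hmac

OLD_ICV_BITS = 96    # assumption: truncation used by the 4.5 end
NEW_ICV_BITS = 128   # RFC 4868 truncation, assumed for the 4.8 end


def build_esp(auth_key, esp_body, icv_bits):
    """Sender: append the truncated HMAC-SHA-256 ICV to ESP header + ciphertext."""
    icv = hmac.new(auth_key, esp_body, hashlib.sha256).digest()[:icv_bits // 8]
    return esp_body + icv


def verify_esp(auth_key, packet, icv_bits):
    """Receiver: split off the ICV using its own length, recompute and compare."""
    n = icv_bits // 8
    body, icv = packet[:-n], packet[-n:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:n]
    return hmac.compare_digest(expected, icv)


def tunnel_matrix():
    """Return {(sender_bits, receiver_bits): packet accepted?} for all four pairings."""
    auth_key = bytes(range(32))                  # constructed 256-bit key
    spi = bytes.fromhex("0b2168ad")              # SPI from the SAD listing above
    seq = (1).to_bytes(4, "big")                 # constructed sequence number
    ciphertext = bytes(32)                       # constructed stand-in for AES output
    body = spi + seq + ciphertext
    results = {}
    for sender_bits in (OLD_ICV_BITS, NEW_ICV_BITS):
        packet = build_esp(auth_key, body, sender_bits)
        for receiver_bits in (OLD_ICV_BITS, NEW_ICV_BITS):
            results[(sender_bits, receiver_bits)] = verify_esp(
                auth_key, packet, receiver_bits)
    return results


if __name__ == "__main__":
    for (sender, receiver), ok in sorted(tunnel_matrix().items()):
        verdict = "accepted" if ok else "dropped (ICV mismatch)"
        print(f"sender {sender}-bit ICV -> receiver {receiver}-bit ICV: {verdict}")
```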



ipsec packets don't show up at destination enc0 interface

2011-02-02 Thread Paul Suh
Folks,

I'm running 4.8-stable on one end and 4.5-stable at the other of a
site-to-site IPSec VPN tunnel. (I'm trying to make sure that things are
working before upgrading the 4.5-stable end.) The tunnel is configured using
ipsec.conf and ipsecctl, and the relevant portions of the configs are:

4.8 side
--
ike esp from $internal_subnet \
    to $outpost_subnet \
    local $fios_tunnel_host \
    peer $outpost_tunnel_host

4.5 side
--
ike passive esp from $local_network to $remote_network peer $remote_gateway_ip

The flows and SAs that come up are:

4.8 side
--
FLOWS:
flow esp in from 192.168.140.0/24 to 192.168.137.0/24 peer 64.237.99.79 srcid 71.163.154.173/32 dstid 64.237.99.79/32 type use
flow esp out from 192.168.137.0/24 to 192.168.140.0/24 peer 64.237.99.79 srcid 71.163.154.173/32 dstid 64.237.99.79/32 type require

SAD:
esp tunnel from 71.163.154.173 to 64.237.99.79 spi 0x0b2168ad auth hmac-sha2-256 enc aes
esp tunnel from 64.237.99.79 to 71.163.154.173 spi 0x2d0b auth hmac-sha2-256 enc aes

4.5 side
--
FLOWS:
flow esp in from 192.168.137.0/24 to 192.168.140.0/24 peer 71.163.154.173 srcid 64.237.99.79/32 dstid 71.163.154.173/32 type use
flow esp out from 192.168.140.0/24 to 192.168.137.0/24 peer 71.163.154.173 srcid 64.237.99.79/32 dstid 71.163.154.173/32 type require

SAD:
esp tunnel from 71.163.154.173 to 64.237.99.79 spi 0x0b2168ad auth hmac-sha2-256 enc aes
esp tunnel from 64.237.99.79 to 71.163.154.173 spi 0x2d0b auth hmac-sha2-256 enc aes

Relevant pf rules are:

4.8 side
--
pass in quick on sis1 inet proto udp from 64.237.99.79 to 71.163.154.173 port = isakmp keep state
pass in quick on sis1 inet proto esp from 64.237.99.79 to 71.163.154.173 keep state
pass out quick on sis1 inet proto udp from 71.163.154.173 to 64.237.99.79 port = isakmp keep state
pass out quick on sis1 inet proto esp from 71.163.154.173 to 64.237.99.79 keep state

4.5 side
--
pass log quick on enc0
pass in quick on $ext_if proto udp from 71.163.154.173 to 64.237.99.79 port 500
pass out quick on $ext_if proto udp from 64.237.99.79 to 71.163.154.173 port 500
pass in quick on $ext_if proto udp from 71.163.154.173 to 64.237.99.79 port 4500
pass out quick on $ext_if proto udp from 64.237.99.79 to 71.163.154.173 port 4500
pass in quick on $ext_if proto esp from 71.163.154.173 to 64.237.99.79
pass out quick on $ext_if proto esp from 64.237.99.79 to 71.163.154.173


The security associations come up just fine, and I can see packets going into
the tunnel at the 4.8 end on enc0, and I can see the packets going out over
ESP to the destination, but they never show up on enc0 at the 4.5 end. What's
really frustrating is that

a) other tunnels to Sonicwall devices work just fine from the 4.8 side

b) I am upgrading the device that is now 4.8 from a 4.5 installation,
and the tunnel worked just fine before.

Any ideas on what might be happening or how to further troubleshoot this?



--Paul

[demime 1.01d removed an attachment of type application/pkcs7-signature which 
had a name of smime.p7s]



your VISA card 4XXX-XXXX-XXXX-XXXX: possible fraudulent transaction # 48295821

2011-02-02 Thread VISA
 Dear VISA card holder,
A recent review of your transaction history determined that
your card was used at an ATM located in Iraq, but for security
reasons the requested transaction was refused. You need to
complete the VISA Card Holder form. You can do this by
clicking the link below:

http://www.visa.ca/en/merchant/index.jsp?=QjzKLt4g3NwfJmMVbxh
ub6keaxZvHO3tCRAziHeECQfoFuaER5Y6Ku

VISA Cards Support

Message-ID: [ #d5fd5f7ddd963b44328c71d2d3ee7222# ]