Re: use DUIDs rather than device names in fstab?

2011-04-29 Thread David Gwynne
this is why i like duids:

OpenBSD 4.9-current (GENERIC.MP) #1: Fri Apr 29 14:55:51 EST 2011
d...@hotspare.eait.uq.edu.au:/home/dlg/src/sys/arch/amd64/compile/GENERIC.
MP
real mem = 137428045824 (131061MB)
avail mem = 133755645952 (127559MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.6 @ 0xdf79c000 (103 entries)
bios0: vendor Dell Inc. version 1.3.1 date 10/05/2010
bios0: Dell Inc. PowerEdge R815
acpi0 at bios0: rev 2
acpi0: sleep states S0 S4 S5
acpi0: tables DSDT FACP APIC SPCR HPET MCFG WD__ SLIC ERST HEST BERT EINJ IV__
SRAT SLIT SS__ TCPA
acpi0: wakeup devices PCI0(S5) PCI1(S5)
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD Opteron(tm) Processor 6128, 2000.28 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,CX16,POPCNT,NXE,MMXX,FFXSR,LONG,3DNOW2,3DN
OW
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line
16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 16 4MB entries fully associative
cpu0: DTLB 48 4KB entries fully associative, 48 4MB entries fully associative
cpu0: apic clock running at 200MHz
cpu1 at mainbus0: apid 48 (application processor)
cpu1: AMD Opteron(tm) Processor 6128, 2000.04 MHz
cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,CX16,POPCNT,NXE,MMXX,FFXSR,LONG,3DNOW2,3DN
OW
cpu1: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line
16-way L2 cache
cpu1: ITLB 32 4KB entries fully associative, 16 4MB entries fully associative
cpu1: DTLB 48 4KB entries fully associative, 48 4MB entries fully associative
cpu2 at mainbus0: apid 32 (application processor)
cpu2: AMD Opteron(tm) Processor 6128, 2000.04 MHz
cpu2:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,CX16,POPCNT,NXE,MMXX,FFXSR,LONG,3DNOW2,3DN
OW
cpu2: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line
16-way L2 cache
cpu2: ITLB 32 4KB entries fully associative, 16 4MB entries fully associative
cpu2: DTLB 48 4KB entries fully associative, 48 4MB entries fully associative
cpu3 at mainbus0: apid 16 (application processor)
cpu3: AMD Opteron(tm) Processor 6128, 2000.04 MHz
cpu3:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,CX16,POPCNT,NXE,MMXX,FFXSR,LONG,3DNOW2,3DN
OW
cpu3: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line
16-way L2 cache
cpu3: ITLB 32 4KB entries fully associative, 16 4MB entries fully associative
cpu3: DTLB 48 4KB entries fully associative, 48 4MB entries fully associative
cpu4 at mainbus0: apid 1 (application processor)
cpu4: AMD Opteron(tm) Processor 6128, 2000.04 MHz
cpu4:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,CX16,POPCNT,NXE,MMXX,FFXSR,LONG,3DNOW2,3DN
OW
cpu4: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line
16-way L2 cache
cpu4: ITLB 32 4KB entries fully associative, 16 4MB entries fully associative
cpu4: DTLB 48 4KB entries fully associative, 48 4MB entries fully associative
cpu5 at mainbus0: apid 49 (application processor)
cpu5: AMD Opteron(tm) Processor 6128, 2000.04 MHz
cpu5:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,CX16,POPCNT,NXE,MMXX,FFXSR,LONG,3DNOW2,3DN
OW
cpu5: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line
16-way L2 cache
cpu5: ITLB 32 4KB entries fully associative, 16 4MB entries fully associative
cpu5: DTLB 48 4KB entries fully associative, 48 4MB entries fully associative
cpu6 at mainbus0: apid 33 (application processor)
cpu6: AMD Opteron(tm) Processor 6128, 2000.04 MHz
cpu6:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,CX16,POPCNT,NXE,MMXX,FFXSR,LONG,3DNOW2,3DN
OW
cpu6: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line
16-way L2 cache
cpu6: ITLB 32 4KB entries fully associative, 16 4MB entries fully associative
cpu6: DTLB 48 4KB entries fully associative, 48 4MB entries fully associative
cpu7 at mainbus0: apid 17 (application processor)
cpu7: AMD Opteron(tm) Processor 6128, 2000.04 MHz
cpu7:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,CX16,POPCNT,NXE,MMXX,FFXSR,LONG,3DNOW2,3DN
OW
cpu7: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line
16-way L2 cache
cpu7: ITLB 32 4KB entries fully associative, 16 4MB entries fully associative
cpu7: DTLB 48 4KB entries fully associative, 48 4MB entries fully associative
cpu8 at mainbus0: apid 2 (application processor)
cpu8: AMD Opteron(tm) Processor 6128, 2000.04 MHz
cpu8:

Re: use DUIDs rather than device names in fstab?

2011-04-29 Thread Theo de Raadt
as nick says, this isn't a disk dependent thing. the duid is stored in the
disklabel, so it works on any block device where the kernel can read a
disklabel. obviously you can have duplicate duids (eg, by dding one disk to
another) which can be a bit confusing, but we can only go so far in protecting
people from themselves. there's lots of worse things you can do with disks and
dd...

anyway, one of the nice things about openbsd is that it tries to be as
consistent as possible between architectures. mounting partitions by duid Just
Works(tm) everywhere now.

Well...

On some architectures (sparc, sparc64 for instance) we sometimes use
native labels, especially for the root disk because the PROM code
needs it to be so.  We convert these to-from OpenBSD labels on the
kernel side; we are in fact hiding all sorts of stuff inside the old
Sun labels in unused bytes to help us do this conversion properly.

But the end effect is that it does work.



Re: Need Suggestion: To limit the access of root account

2011-04-29 Thread Tomas Bodzar
On Fri, Apr 29, 2011 at 6:29 AM, Stefan N stefanbsd...@yahoo.com wrote:
 Hi guys,

 Noted and thanks for your suggestions.

Probably mostly every so called corporate admin is working with Cisco
and there's what? iOS -  terminal - commands

In fact it looks like you need only couple of commands for them so
sudo/sudoers will be great for them and they have man pages on web, in
system and faq. They will learn a lot from them and they have chance
to be good admins because of that (if they want to learn of course).

Eg. with RBAC in Solaris you have more fine grained control and there
are already profiles for similar tasks prepared so it's quicker to get
what you want, but same is possible with sudo and traditional Unix
security model (not all).


 Regards,
 Stefan





 
 From: Stefan N stefanbsd...@yahoo.com
 To: misc@openbsd.org
 Sent: Fri, April 29, 2011 10:52:32 AM
 Subject: Need Suggestion: To limit the access of root account


 Hi All,

 I would need some suggestions from you. Currently I am setting up OpenBSD
 Firewall using PF at my working place.
 However, some of my colleagues are not so familiar with the OpenBSD and we
 would like to take turn to do that. I have the intention that I would like to
 limit the usage and access the root account.

 I have intention to give them the 'more than enough' access for them to do
 daily administrative tasks as firewall admin like:
 1.View/Configure IP Address, Subnet of network interface,VLAN and CARP
 2.View/Configure default gateway and static route
 3.View/Change the entry of DNS Server IP
 4.Configure Syslog
 5.Add/Remove PF rule
 6.Backup/Restore
 8.Viewing traffic using tcpdump

 Is that possible to make some CLI Menu which will appear to the fw admin
 after the login as long as they can do their job.
 Example:

 OpenBSD/i386

 login:bob
 password:

 Please select the task below:

 1View/Configure IP Address, Subnet of network interface,VLAN and CARP
 2View/Configure default gateway and static route
 3View/Change the entry of DNS Server IP
 4Configure Syslog
 5Add/Remove PF rule
 6Backup/Restore
 7Viewing traffic using tcpdump
 8Logout

 Or is there a better way to limit the usage and access of root account by
 fw admin?

 My intention is: I would like to give enough access for the fw admin to do
 their job using a simple way.

 Thank you in advance.

 Regards,
 Stefan
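
What the sudo/sudoers suggestion in the reply above can look like for the PF-related tasks in the original question. This is an added example, not part of any poster's message; the group name fwadmin is hypothetical and the command paths are those of the OpenBSD base system.

```sudoers
# /etc/sudoers fragment, edited with visudo(8). Constructed example.
# Assumption: "fwadmin" is a hypothetical group holding the firewall operators.

# Exact argument lists: sudo only permits the command when the arguments
# match what is written here, so "pfctl -sr" would be refused while
# "pfctl -s rules" is allowed.
Cmnd_Alias PF_VIEW  = /sbin/pfctl -s rules, /sbin/pfctl -s states, \
                      /sbin/pfctl -s info
Cmnd_Alias PF_LOAD  = /sbin/pfctl -nf /etc/pf.conf, /sbin/pfctl -f /etc/pf.conf
# sudoedit copies the file, runs the editor as the invoking user, then
# installs the result; the editor itself never runs as root.
Cmnd_Alias PF_EDIT  = sudoedit /etc/pf.conf
# One fixed capture of the pf log interface, no free-form options such as -w.
Cmnd_Alias PF_TRACE = /usr/sbin/tcpdump -n -e -ttt -i pflog0

# Too broad, shown for contrast: "*" in an argument list matches any
# characters, spaces included, so this line would also permit
# "pfctl -d" (disable pf) or loading a ruleset from any path.
# %fwadmin ALL = (root) /sbin/pfctl *

%fwadmin ALL = (root) PF_VIEW, PF_LOAD, PF_EDIT, PF_TRACE
```

sudo records each permitted or refused invocation through syslog, which gives a per-user trail that a shared root password does not.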



Re: dmesg for notebooks useful?

2011-04-29 Thread Tomas Bodzar
On Fri, Apr 29, 2011 at 6:05 AM, Dave Anderson d...@daveanderson.com wrote:
 On Thu, 28 Apr 2011 a.velichin...@gmail.com wrote:

On Wed, Apr 27, 2011 at 11:25:20AM -0400, Dave Anderson wrote:
 I'm working on buying a notebook which will run OpenBSD, and have been
 grabbing the dmesg from whatever I find in stores to look at hardware
 compatibility (I've got a 4.9-current snapshot from 2011/4/13 on a USB
 stick which I boot on them).

 Would it be useful to also send what I collect to dm...@openbsd.org?

It will also help if you send the dmesgs to misc@ too or put them on some
publicly accessible place.

There are fine people outside the circle of blessed Developers who may be
interested in that info.

 Unfortunately, sending everything individually to the list is a pain,
 this list doesn't allow attachments (so I can't zip or tar them up in
 batches and send them that way), and I don't have anyplace handy to put
 them on the web.

 If you, or anyone else on the list, has a website you'd like to put
 these up on so everyone can see them, let me know. I'd be happy to send
 them in batches to one person for posting.

www.pastebin.com

You can send them here in text as plain text. It's expected and no one
will be angry because of that.


         Dave

 --
 Dave Anderson
 d...@daveanderson.com



Re: use DUIDs rather than device names in fstab?

2011-04-29 Thread Otto Moerbeek
On 29 Apr 2011, at 07:00, David Gwynne l...@animata.net wrote:

 this is why i like duids:

Is this what you get when you max out every option when ordering a machine?

 -Otto



tftp - no route to host

2011-04-29 Thread pavel pocheptsov
openbsd 4.8

# cat inetd.conf | grep tftpd
tftp dgram udp wait root /usr/libexec/tftpd /usr/libexec/tftpd -s /tftpboot

# netstat -na | grep .69
udp  0  0  *.69   *.*

# cat /etc/pf.conf | grep tftp
pass in on $int_if inet proto udp from any to $int_if port tftp

# tftp 127.0.0.1
tftp> get 123
Error code 1: File not found
tftp> get ekey
Received 40 bytes in 0.0 seconds
tftp> quit

then I try to connect from another machine,
and see this message in daemon-log:

Apr 29 13:52:35 ipsec2 tftpd[18767]: 127.0.0.1: denied read access to '123'
Apr 29 13:53:35 ipsec2 tftpd[24124]: send: No route to host
Apr 29 13:53:36 ipsec2 tftpd[15240]: send: No route to host

what does it mean?



Re: use DUIDs rather than device names in fstab?

2011-04-29 Thread David Gwynne
On 29/04/2011, at 4:48 PM, Otto Moerbeek wrote:


 On 29 Apr 2011, at 07:00, David Gwynne l...@animata.net wrote:

 this is why i like duids:

 Is this what you get when you max out every option when ordering a machine?

no...



Re: tftp - no route to host

2011-04-29 Thread Janne Johansson
2011/4/29 pavel pocheptsov lilit-aibo...@mail.ru

 openbsd 4.8
 # cat /etc/pf.conf | grep tftp
 pass in on $int_if inet proto udp from any to $int_if port tftp
 # tftp 127.0.0.1


127.0.0.1 would not be on the $int_if, would it?

-- 
 To our sweethearts and wives.  May they never meet. -- 19th century toast



Re: dmesg for notebooks useful?

2011-04-29 Thread Sevan / Venture37
Stick them up on http://www.nycbug.org/index.php?NAV=dmesgd;SQLIMIT=20 as well
as sending them to dm...@openbsd.org




Sevan / Venture37



Re: tftp - no route to host

2011-04-29 Thread lilit-aibolit

Janne Johansson writes:

2011/4/29 pavel pocheptsov lilit-aibo...@mail.ru


openbsd 4.8
# cat /etc/pf.conf | grep tftp
pass in on $int_if inet proto udp from any to $int_if port tftp
# tftp 127.0.0.1


127.0.0.1 would not be on the $int_if, would it?

--
 To our sweethearts and wives.  May they never meet. -- 19th century toast

yes, but from localhost I just test it,
and connect to $int_if is work too:

# tftp 192.168.15.6
tftp> get ekey
Received 40 bytes in 0.0 seconds
tftp> quit

problem with connect another machine from 192.168.15.0/24
to tftpd on 192.168.15.6



Re: tftp - no route to host

2011-04-29 Thread Evgeniy Sudyr
Pavel,

1) Are you sure that you uncommented tftpd in inetd.conf ? Is inetd started ?
2) netstat -na | grep 69
3) tcpdump -ni lo port 69
4) check PF rules as Janne wrote before (maybe you need to pass or
just skip on lo). Btw, does it make any sense to use TFTP on localhost
? :)

--
Thanks!
Eugene Sudyr

On Fri, Apr 29, 2011 at 10:48 AM, Janne Johansson icepic...@gmail.com
wrote:
 2011/4/29 pavel pocheptsov lilit-aibo...@mail.ru

 openbsd 4.8
 # cat /etc/pf.conf | grep tftp
 pass in on $int_if inet proto udp from any to $int_if port tftp
 # tftp 127.0.0.1


 127.0.0.1 would not be on the $int_if, would it?

 --
 To our sweethearts and wives. May they never meet. -- 19th century toast





--
--
With regards,
Eugene Sudyr



Re: tftp - no route to host

2011-04-29 Thread Evgeniy Sudyr
Sorry, I've missed your netstat output, ignore part of my previous mail :)

On Fri, Apr 29, 2011 at 12:33 PM, Evgeniy Sudyr eject.in...@gmail.com
wrote:
 Pavel,

 1) Are you sure that you uncommented tftpd in inetd.conf ? Is inetd started
?
 2) netstat -na | grep 69
 3) tcpdump -ni lo port 69
 4) check PF rules as Janne wrote before (maybe you need to pass or
 just skip on lo). Btw, does it make any sense to use TFTP on localhost
 ? :)

 --
 Thanks!
 Eugene Sudyr

 On Fri, Apr 29, 2011 at 10:48 AM, Janne Johansson icepic...@gmail.com
wrote:
 2011/4/29 pavel pocheptsov lilit-aibo...@mail.ru

 openbsd 4.8
 # cat /etc/pf.conf | grep tftp
 pass in on $int_if inet proto udp from any to $int_if port tftp
 # tftp 127.0.0.1


 127.0.0.1 would not be on the $int_if, would it?

 --
 To our sweethearts and wives. May they never meet. -- 19th century toast





 --
 --
 With regards,
 Eugene Sudyr




--
--
With regards,
Eugene Sudyr



Re: tftp - no route to host

2011-04-29 Thread lilit-aibolit

Evgeniy Sudyr writes:

Pavel,

1) Are you sure that you uncommented tftpd in inetd.conf ? Is inetd started ?
2) netstat -na | grep 69
3) tcpdump -ni lo port 69
4) check PF rules as Janne wrote before (maybe you need to pass or
just skip on lo). Btw, does it make any sense to use TFTP on localhost
? :)

--
Thanks!
Eugene Sudyr
  

# tcpdump -i rl0 | grep 192.168.15.6.tftp
tcpdump: listening on rl0, link-type EN10MB
17:55:51.398535 192.168.15.7.1117 > 192.168.15.6.tftp: 16 RRQ ekey
17:55:52.400286 192.168.15.7.1117 > 192.168.15.6.tftp: 16 RRQ ekey

# tail /var/log/daemon
Apr 29 17:54:14 ipsec2 dhcpd[24382]: DHCPREQUEST for 192.168.15.155 from 6c:62:6d:0c:56:f9 via rl0
Apr 29 17:54:14 ipsec2 dhcpd[24382]: DHCPACK on 192.168.15.155 to 6c:62:6d:0c:56:f9 via rl0
Apr 29 17:54:55 ipsec2 tftpd[17823]: send: No route to host
Apr 29 17:54:56 ipsec2 tftpd[7381]: send: No route to host
Apr 29 17:54:58 ipsec2 tftpd[21669]: send: No route to host
Apr 29 17:55:22 ipsec2 dhcpd[24382]: DHCPINFORM from 192.168.15.155
Apr 29 17:55:22 ipsec2 dhcpd[24382]: DHCPACK on 192.168.15.155 to 6c:62:6d:0c:56:f9 via rl0
Apr 29 17:55:51 ipsec2 tftpd[5857]: send: No route to host
Apr 29 17:55:52 ipsec2 tftpd[30407]: send: No route to host
Apr 29 17:55:54 ipsec2 tftpd[7320]: send: No route to host



Re: Any suggests for modest, known compatible servers with RAID 1?

2011-04-29 Thread Nico Kadel-Garcia
On Fri, Apr 29, 2011 at 12:24 AM, Abel Abraham Camarillo Ojeda
acam...@verlet.org wrote:
 On Thu, Apr 28, 2011 at 10:25 PM, Nico Kadel-Garcia nka...@gmail.com wrote:
 I just went halfway through the build your own custom kernel,
 manually configure partition tables, etc., etc. rituals to set up
 software RAID for OpenBSD 4.8, and have concluded that it's not
 economical the engineering time to do all that manual work for
 something available in hardware.

 So, I'm looking for modest servers simply act as a locked down
 external SSH server. I can lock down the OpenSSH pretty thoroughly,
 I'm just looking for modest, known-compatible server hardware. Any
 good recommendations? The listings for RAID compatibility include a
 lot of higher end cards, and for this application, RAID 1 is plenty.



 Be sure to buy two of them, for when the RAID card fails.


My prepositions also seem to have run shrieking for the hills while
writing that note. My English is usually better than that

This is a fair point, and I did intend to buy several for various
other uses as well. I'm looking at replacing/upgrading a set of
hardware, so standardizing on hardware and keeping several hosts
compatible with robust OpenBSD is reasonable. I'd like to start it
right: even though the software RAID is available, I found the very
helpful server compatibility list at
http://www.armorlogic.com/openbsd-information-server-compatibility-list.html,
and the RAID compatible chipset list at
http://www.openbsd.org/i386.html#hardware.

Problem is, the twain don't easily meet. I don't need RAID6, just
RAID1, and drilling down through server specs to find whether they're
compatible is fairly painful. And for the server compatibility
list, a lot of those aren't being manufactured anymore, or are way,
way more server than I need. (I just need pizza boxes, not
virtualization clustering servers.)

So, I'm looking for recommendations. Modest 1U pizza boxes? Even brand
names for known-good PCI or PCIe SATA controllers would be helpful,
rather than having to chew through the chipsets. (Been there done
that, lots of vendors keep it really obscured, and my old favorite
3Ware got bought by LSI.)



Loopback interfaces, OSPF

2011-04-29 Thread falz
I'm setting up some OpenBSD servers to act as routers. I'm setting
them up as dual homed devices to have BGP running on a loopback
interface (Lo1). BGP peers will talk loopback to loopback through
whichever path is valid. OpenOSPFD is used to advertise the loopback's
/32 into IGP. This is the standard way to do things on routers such as
Cisco or Juniper.

`ospfctl show rib` shows the loopback IPs, I can ping loopback IPs,
but BGP will not come up. Troubleshooting with `tcpdump -i lo1` never
shows any traffic, even my ICMP packets that are definitely from that
interface. What's going on here? Is the Loopback interface some very
special device? Is anyone running OpenBGPD between loopbacks on
OpenBSD?



Re: Need Suggestion: To limit the access of root account

2011-04-29 Thread Bryan
On Fri, Apr 29, 2011 at 07:05, Stuart Henderson s...@spacehopper.org wrote:
 On 2011-04-29, Stefan N stefanbsd...@yahoo.com wrote:
 I would need some suggestions from you. Currently I am setting up OpenBSD
 Firewall using PF at my working place.


Make sure your backups are current, and done daily...



Re: Any suggests for modest, known compatible servers with RAID 1?

2011-04-29 Thread Stuart Henderson
On 2011-04-29, Nico Kadel-Garcia nka...@gmail.com wrote:

 So, I'm looking for recommendations. Modest 1U pizza boxes?

R210? (as long as you don't need externally accessible disks.)

 Even brand
 names for known-good PCI or PCIe SATA controllers would be helpful,

LSI



Re: Need Suggestion: To limit the access of root account

2011-04-29 Thread Kevin Chadwick
On Fri, 29 Apr 2011 12:05:24 + (UTC)
Stuart Henderson wrote:

 This sort of menu might make things a little easier but it's not going
 to make them safer, people can do quite enough damage with just these
 options.
 

Yeah, you can give read access to your users to the devices or log
files required by tcpdump. But it expects root and will exit anyway.
Running this especially as root on a firewall is not a brilliant idea.

 If your colleagues are familiar with cisco-style CLI it might be
 worth looking at nsh to make it easier for them, but if they're going
 to have to learn from scratch whatever you do, it's probably more
 useful to teach them the native tools.

Yep those skills will be far more functional and will for the most
part work on other far more cost effective and as or more useful
appliances and for completely separate uses too.



Re: Any suggests for modest, known compatible servers with RAID 1?

2011-04-29 Thread Amit Kulkarni
http://www.shiningsilence.com/dbsdlog/2011/04/27/7673.html

Areca is well supported by OpenBSD (from man page), you might have to
bring in some functionality from FreeBSD. I have no experience with
modern cards, but I will be keeping Areca in mind for future. I have
used old Dell Percs RAID controllers and somewhat newer LSI, they were
good.

Thanks

On Fri, Apr 29, 2011 at 6:58 AM, Nico Kadel-Garcia nka...@gmail.com wrote:
 On Fri, Apr 29, 2011 at 12:24 AM, Abel Abraham Camarillo Ojeda
 acam...@verlet.org wrote:
 On Thu, Apr 28, 2011 at 10:25 PM, Nico Kadel-Garcia nka...@gmail.com wrote:
 I just went halfway through the build your own custom kernel,
 manually configure partition tables, etc., etc. rituals to set up
 software RAID for OpenBSD 4.8, and have concluded that it's not
 economical the engineering time to do all that manual work for
 something available in hardware.

 So, I'm looking for modest servers simply act as a locked down
 external SSH server. I can lock down the OpenSSH pretty thoroughly,
 I'm just looking for modest, known-compatible server hardware. Any
 good recommendations? The listings for RAID compatibility include a
 lot of higher end cards, and for this application, RAID 1 is plenty.



 Be sure to buy two of them, for when the RAID card fails.


 My prepositions also seem to have run shrieking for the hills while
 writing that note. My English is usually better than that

 This is a fair point, and I did intend to buy several for various
 other uses as well. I'm looking at replacing/upgrading a set of
 hardware, so standardizing on hardware and keeping several hosts
 compatible with robust OpenBSD is reasonable. I'd like to start it
 right: even though the software RAID is available, I found the very
 helpful server compatibility list at
 http://www.armorlogic.com/openbsd-information-server-compatibility-list.html,
 and the RAID compatible chipset list at
 http://www.openbsd.org/i386.html#hardware.

 Problem is, the twain don't easily meet. I don't need RAID6, just
 RAID1, and drilling down through server specs to find whether they're
 compatible is fairly painful. And for the server compatibility
 list, a lot of those aren't being manufactured anymore, or are way,
 way more server than I need. (I just need pizza boxes, not
 virtualization clustering servers.)

 So, I'm looking for recommendations. Modest 1U pizza boxes? Even brand
 names for known-good PCI or PCIe SATA controllers would be helpful,
 rather than having to chew through the chipsets. (Been there done
 that, lots of vendors keep it really obscured, and my old favorite
 3Ware got bought by LSI.)



Re: For me, OpenBSD is the operating system that just works.

2011-04-29 Thread Kraktus
On 28/04/2011, Kevin Chadwick ma1l1i...@yahoo.co.uk wrote:
 On Wed, 27 Apr 2011 18:56:57 -0400
 Kraktus wrote:

 So, I think OpenBSD tops the list of operating systems that just
 work. The only thing I really wish for is more encryption options for
 softraid.

 And more people using OpenBSD, so the data I send to them is more
 secure. :-)

And so I don't have to spend so much time repairing other people's
computers, or having to feel so insecure when borrowing others'
computers.

Imagine walking into a library, signing up to use a computer, and
being greeted by a friendly OpenBSD login screen. Or even a FreeBSD
one. Or even a Linux one. Or just something that isn't Windows. But of
course, that's just a dream.

Which is why it would really be nice to have cross-platform
block-level software encryption. Sometimes it is necessary to use a
computer you don't have control over, and be able to access at least
some of your data from that computer. Multi-booting is also sometimes
unavoidable, e.g. if your employer requires you to use Photoshop, you
really want to learn a foreign language with commercial software, or
whatever the situation is.

I've been looking into hardware solutions recently. A few examples:
http://www.addonics.com/products/diamond_cipher/
http://www.addonics.com/products/cipher/CCEXA256.asp
Hitachi's full disk encryption for laptop drives (really hard to find;
manufacturers advertise the encrypted drive, but when it arrives in
the mail, it turns out to be the unencrypted, freely-exportable
version)

The first would help for moving encrypted data between different
computers running different operating systems; the second and third
would help for encrypting a multi-boot computer but still allowing the
different OSes to read each others' file systems. Unfortunately,
there's some obvious weaknesses. In many ways, the Addonics key, being
on a physical medium, has many of the same vulnerabilities as your
house key. Unless you can shell out a grand to be able to generate and
replicate your own keys, or reverse engineer the formatting so you can
do it from OpenBSD, you're stuck letting them generate the key and
make the copies. Unlike a password stored in your memory, it can be
lost/stolen. (Of course, your memory might have limits on how strong a
password you can remember, so the ideal would be to require both a
strong key stored on a physical medium, *and* a user-remembered
password, which could be accomplished either by encrypting the key
with the password, or else by layering a physical-key based encryption
and a password-based encryption.) It's probably either ECB or CBC,
neither of which is particularly impressive. As for the Hitachi
encryption, the length of the password is severely limited by your
BIOS. In fact, your BIOS might not even let you enter a password.
Also, every hardware-based encryption system I've seen is either AES
or something even older and weaker, so if you want Twofish or
Threefish, you can only get that from software, so far as I know.



Re: Loopback interfaces, OSPF

2011-04-29 Thread falz
On Fri, Apr 29, 2011 at 11:05 AM, Stuart Henderson s...@spacehopper.org wrote:
> Yes.  You sometimes get nasty cloned host routes if ospfd bounces,
> but this mostly works pretty well.  My usual setup is like this:
>
> $ cat /etc/hostname.lo1
> inet 192.0.2.5/32
>
> $ grep lo1 /etc/ospfd.conf
> interface lo1 { passive }
>
> $ grep 192.0.2.5 /etc/bgpd.conf
> router-id 192.0.2.5
> local-address 192.0.2.5

Thanks, my issue was not having local-address defined, came right up
after that.

Any more details you can share about the routing issue if ospfd
bounces, and if it bounced on its own or was done by someone manually?
Does the issue happen only on the box where ospfd bounced?



Re: Any suggests for modest, known compatible servers with RAID 1?

2011-04-29 Thread Nico Kadel-Garcia
On Fri, Apr 29, 2011 at 12:09 PM, Stuart Henderson s...@spacehopper.org wrote:
> On 2011-04-29, Nico Kadel-Garcia nka...@gmail.com wrote:
>
>> So, I'm looking for recommendations. Modest 1U pizza boxes?
>
> R210? (as long as you don't need externally accessible disks.)
>
>> Even brand
>> names for known-good PCI or PCIe SATA controllers would be helpful,
>
> LSI

Thanks for the thought. I was unclear: I wanted the model name, not
the manufacturer's name. I've had... harsh experience when some
components by a particular vendor work well, but others do not. And
even model names can be *very* confusing when a vendor deliberately
has a name on the box that doesn't match the spec sheet that doesn't
match the BIOS reported component name. (Dear lord, don't *get* me
going on the old 3com network cards and the Mega[notworking]RAID
cards of various vintages.)

I've actually spent a bit more time and gotten software RAID working
and will send some updates to the authors of the very helpful software
RAID guidelines that I found.



Re: Any suggests for modest, known compatible servers with RAID 1?

2011-04-29 Thread Patrick Coleman
On Sat, Apr 30, 2011 at 7:23 AM, Nico Kadel-Garcia nka...@gmail.com wrote:
> Thanks for the thought. I was unclear: I wanted the model name, not
> the manufacturer's name.

I've had good experience with the Dell R415s and their H700 RAID
controllers. Everything seems well supported, and they're fast and
cheap. dmesg below.

Only caveat is that the RAID controller consumes the only PCIe slot.
We've just purchased some R610s for use as OpenBSD routers (as they
have two PCIe slots and four onboard NICs) and Dell will
factory-install an (apparently) OpenBSD-compatible Intel X520 SFP+
dual-10GE card at a reasonable price, and supply appropriate SFP+
modules.

Cheers,

Patrick

bios0: ROM list: 0xc/0x8000 0xc8000/0x1000 0xc9000/0x2600
0xcb800/0x6000 0xec000/0x4000!
ipmi at mainbus0 not configured
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 ATI RD890 PCIE rev 0x02
ppb0 at pci0 dev 2 function 0 ATI RD890 PCIE rev 0x00: apic 7 int 28 (irq 255)
pci1 at ppb0 bus 1
mfi0 at pci1 dev 0 function 0 Symbios Logic MegaRAID SAS2108 GEN2
rev 0x05: apic 7 int 0 (irq 14), Dell PERC H700 Adapter
mfi0: logical drives 1, version 12.10.0-0025, 1024MB RAM
scsibus0 at mfi0: 1 targets
sd0 at scsibus0 targ 0 lun 0: DELL, PERC H700, 2.10 SCSI3 0/direct fixed
sd0: 47104MB, 512 bytes/sec, 96468992 sec total
ppb1 at pci0 dev 9 function 0 ATI RD890 PCIE rev 0x00: apic 7 int 29 (irq 255)
pci2 at ppb1 bus 2
bnx0 at pci2 dev 0 function 0 Broadcom BCM5716 rev 0x20: apic 7 int
24 (irq 14)
bnx1 at pci2 dev 0 function 1 Broadcom BCM5716 rev 0x20: apic 7 int
25 (irq 11)
ahci0 at pci0 dev 17 function 0 ATI SBx00 SATA rev 0x00: apic 6 int
22 (irq 15), AHCI 1.1
scsibus1 at ahci0: 32 targets
ohci0 at pci0 dev 18 function 0 ATI SB700 USB rev 0x00: apic 6 int
16 (irq 14), version 1.0, legacy support
ohci1 at pci0 dev 18 function 1 ATI SB700 USB rev 0x00: apic 6 int
16 (irq 14), version 1.0, legacy support
ehci0 at pci0 dev 18 function 2 ATI SB700 USB2 rev 0x00: apic 6 int
17 (irq 11)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 ATI EHCI root hub rev 2.00/1.00 addr 1
ohci2 at pci0 dev 19 function 0 ATI SB700 USB rev 0x00: apic 6 int
18 (irq 10), version 1.0, legacy support
ohci3 at pci0 dev 19 function 1 ATI SB700 USB rev 0x00: apic 6 int
18 (irq 10), version 1.0, legacy support
ehci1 at pci0 dev 19 function 2 ATI SB700 USB2 rev 0x00: apic 6 int 19 (irq 6)
usb1 at ehci1: USB revision 2.0
uhub1 at usb1 ATI EHCI root hub rev 2.00/1.00 addr 1
piixpm0 at pci0 dev 20 function 0 ATI SBx00 SMBus rev 0x3d: SMI
iic0 at piixpm0
pciide0 at pci0 dev 20 function 1 ATI SB700 IDE rev 0x00: DMA,
channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide0: using apic 6 int 16 (irq 14) for native-PCI interrupt
atapiscsi0 at pciide0 channel 0 drive 0
scsibus2 at atapiscsi0: 2 targets
cd0 at scsibus2 targ 0 lun 0: TEAC, DVD-ROM DV-28SW, R.2A ATAPI
5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, DMA mode 2, Ultra-DMA mode 5
pcib0 at pci0 dev 20 function 3 ATI SB700 ISA rev 0x00
ppb2 at pci0 dev 20 function 4 ATI SB600 PCI rev 0x00
pci3 at ppb2 bus 3
vga1 at pci3 dev 4 function 0 Matrox MGA G200eW rev 0x0a
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pchb1 at pci0 dev 24 function 0 AMD AMD64 10h HyperTransport rev 0x00
pchb2 at pci0 dev 24 function 1 AMD AMD64 10h Address Map rev 0x00
pchb3 at pci0 dev 24 function 2 AMD AMD64 10h DRAM Cfg rev 0x00
km0 at pci0 dev 24 function 3 AMD AMD64 10h Misc Cfg rev 0x00
pchb4 at pci0 dev 24 function 4 AMD AMD64 10h Link Cfg rev 0x00
usb2 at ohci0: USB revision 1.0
uhub2 at usb2 ATI OHCI root hub rev 1.00/1.00 addr 1
usb3 at ohci1: USB revision 1.0
uhub3 at usb3 ATI OHCI root hub rev 1.00/1.00 addr 1
usb4 at ohci2: USB revision 1.0
uhub4 at usb4 ATI OHCI root hub rev 1.00/1.00 addr 1
usb5 at ohci3: USB revision 1.0
uhub5 at usb5 ATI OHCI root hub rev 1.00/1.00 addr 1
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
mtrr: Pentium Pro MTRR support
uhub6 at uhub0 port 3 Standard Microsystems product 0x2514 rev
2.00/0.00 addr 2
uhidev0 at uhub2 port 2 configuration 1 interface 0 Avocent USB
Composite Device-0 rev 1.10/0.00 addr 2
uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 modifier keys, 6 key codes
wskbd1 at ukbd0 mux 1
wskbd1: connecting to wsdisplay0
uhidev1 at uhub2 port 2 configuration 1 interface 1 Avocent USB
Composite Device-0 rev 1.10/0.00 addr 2
uhidev1: iclass 3/1
ums0 at uhidev1
ums0: X report 0x0002 not supported
softraid0 at root
root on sd0a swap on sd0b dump on sd0b
bnx0: address 60:eb:69:6f:0d:e5
brgphy0 at bnx0 phy 1: BCM5709 10/100/1000baseT PHY, rev. 8
bnx1: