Re: use DUIDs rather than device names in fstab?
this is why i like duids:
OpenBSD 4.9-current (GENERIC.MP) #1: Fri Apr 29 14:55:51 EST 2011 d...@hotspare.eait.uq.edu.au:/home/dlg/src/sys/arch/amd64/compile/GENERIC.MP
Re: use DUIDs rather than device names in fstab?
as nick says, this isn't a disk-dependent thing. the duid is stored in the disklabel, so it works on any block device where the kernel can read a disklabel. obviously you can have duplicate duids (e.g., by dd'ing one disk to another) which can be a bit confusing, but we can only go so far in protecting people from themselves. there's lots of worse things you can do with disks and dd... anyway, one of the nice things about openbsd is that it tries to be as consistent as possible between architectures. mounting partitions by duid Just Works(tm) everywhere now.
Well... On some architectures (sparc, sparc64 for instance) we sometimes use native labels, especially for the root disk because the PROM code needs it to be so. We convert these to/from OpenBSD labels on the kernel side; we are in fact hiding all sorts of stuff inside the old Sun labels in unused bytes to help us do this conversion properly. But the end effect is that it does work.
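A small audit for the two points raised above (fstab entries still naming devices, and duplicate DUIDs after a dd of one disk to another), added here as an example and not taken from the thread; the fstab and the disk/DUID list are constructed samples, and the comments say how to collect the real ones on an OpenBSD host.

```shell
#!/bin/sh
# Added example, not from the thread: audit mount-by-DUID configuration.
#  1. fstab_nonduid: list fstab entries whose device field is a device name
#     (sd0a, /dev/wd0d) rather than a <duid>.<partition> spec.
#  2. duid_dupes: given "<disk> <duid>" pairs, report DUIDs shared by more than
#     one disk; mount-by-DUID is ambiguous for those (the dd(1) case above).
# Inputs below are constructed. On a real host use /etc/fstab and build the
# pair list with something like:
#   for d in $(sysctl -n hw.disknames | tr ',' ' '); do
#       d=${d%%:*}; echo "$d $(disklabel $d 2>/dev/null | awk '/^duid:/ {print $2}')"
#   done

# Print "<device> <mountpoint>" for every fstab entry whose device field is not
# exactly 16 hex digits, a dot, and a partition letter a-p. Comments and blank
# lines are skipped.
fstab_nonduid() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            dev = $1
            ok = (length(dev) == 18 && dev ~ /^[0-9a-f]*\.[a-p]$/)
            if (!ok) print dev, $2
        }
    ' "$1"
}

# Report DUIDs that appear on more than one disk.
# Input lines: "<disk> <duid>".  Output: "<duid>: <disk> <disk>..." per duplicate.
duid_dupes() {
    awk '
        NF == 2 { count[$2]++; disks[$2] = disks[$2] " " $1 }
        END { for (d in count) if (count[d] > 1) print d ":" disks[d] }
    ' "$1" | sort
}

# Constructed sample fstab: swap and /home still use device names.
SAMPLE_FSTAB=$(mktemp)
cat > "$SAMPLE_FSTAB" <<'EOF'
# /etc/fstab (constructed sample)
3f8a1b2c4d5e6f70.a /      ffs  rw 1 1
/dev/sd0b          none   swap sw 0 0
3f8a1b2c4d5e6f70.d /usr   ffs  rw,nodev 1 2
sd1e               /home  ffs  rw,nodev,nosuid 1 2
EOF

# Constructed sample DUID list: sd1 is a dd(1) copy of sd0, so it has sd0's DUID.
SAMPLE_DUIDS=$(mktemp)
cat > "$SAMPLE_DUIDS" <<'EOF'
sd0 3f8a1b2c4d5e6f70
sd1 3f8a1b2c4d5e6f70
sd2 9c0d1e2f3a4b5c6d
EOF
trap 'rm -f "$SAMPLE_FSTAB" "$SAMPLE_DUIDS"' EXIT

echo "fstab entries not using a DUID:"
fstab_nonduid "$SAMPLE_FSTAB"
echo "DUIDs shared by more than one disk:"
duid_dupes "$SAMPLE_DUIDS"
```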
Re: Need Suggestion: To limit the access of root account
On Fri, Apr 29, 2011 at 6:29 AM, Stefan N stefanbsd...@yahoo.com wrote: Hi guys, Noted and thanks for your suggestions. Probably mostly every so-called corporate admin is working with Cisco and there's what? IOS - terminal - commands. In fact it looks like you need only a couple of commands for them, so sudo/sudoers will be great for them, and they have man pages on the web, in the system and in the FAQ. They will learn a lot from them and they have a chance to be good admins because of that (if they want to learn, of course). E.g. with RBAC in Solaris you have more fine-grained control and there are already profiles for similar tasks prepared, so it's quicker to get what you want, but the same is possible with sudo and the traditional Unix security model (not all). Regards, Stefan
From: Stefan N stefanbsd...@yahoo.com To: misc@openbsd.org Sent: Fri, April 29, 2011 10:52:32 AM Subject: Need Suggestion: To limit the access of root account
Hi All, I would need some suggestions from you. Currently I am setting up an OpenBSD Firewall using PF at my working place. However, some of my colleagues are not so familiar with OpenBSD and we would like to take turns to do that. I have the intention to limit the usage of and access to the root account. I have the intention to give them 'more than enough' access to do daily administrative tasks as firewall admin like:
1. View/Configure IP Address, Subnet of network interface, VLAN and CARP
2. View/Configure default gateway and static route
3. View/Change the entry of DNS Server IP
4. Configure Syslog
5. Add/Remove PF rule
6. Backup/Restore
7. Viewing traffic using tcpdump
Is it possible to make some CLI Menu which will appear to the fw admin after the login, as long as they can do their job?
Example:
OpenBSD/i386 login: bob
password:
Please select the task below:
1 View/Configure IP Address, Subnet of network interface, VLAN and CARP
2 View/Configure default gateway and static route
3 View/Change the entry of DNS Server IP
4 Configure Syslog
5 Add/Remove PF rule
6 Backup/Restore
7 Viewing traffic using tcpdump
8 Logout
Or is there a better way to limit the usage and access of the root account by the fw admin? My intention is: I would like to give enough access for the fw admin to do their job using a simple way. Thank you in advance. Regards, Stefan
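A sudoers(5) policy covering the seven tasks listed above, added here as an example rather than taken from the thread; the group name fwadmin, the interface names em0/em1/carp0/vlan10 and the backup script path are assumptions, and the Defaults options assume a sudo release that supports log_output.

```sudoers
# Added example (not from the thread): least-privilege sudoers policy for the
# firewall admins in the question above.  Names marked "assumed" are placeholders.

# Record each session's terminal output so an admin's actions can be replayed
# with sudoreplay(8) (assumes a sudo release with log_output support).
Defaults        log_output

# Tasks 1 and 2: interfaces, VLAN, CARP, default gateway and static routes.
# sudoedit lets them change the config files without a root editor session.
Cmnd_Alias      NETCFG  = /sbin/ifconfig, /sbin/route, \
                          sudoedit /etc/hostname.em0, sudoedit /etc/hostname.em1, \
                          sudoedit /etc/hostname.carp0, sudoedit /etc/hostname.vlan10, \
                          sudoedit /etc/mygate

# Task 3: DNS server entries.
Cmnd_Alias      NAMESVC = sudoedit /etc/resolv.conf

# Task 4: syslog configuration and reload.
Cmnd_Alias      SYSLOG  = sudoedit /etc/syslog.conf, /usr/bin/pkill -HUP syslogd

# Task 5: PF rules.  Edit, syntax-check, load, and a fixed set of read-only
# queries.  Each pfctl invocation is spelled out in full: a wildcard such as
# "pfctl -s *" would also match "-s rules -F all", because "*" in sudoers
# matches any number of following arguments.
Cmnd_Alias      PFRULES = sudoedit /etc/pf.conf, \
                          /sbin/pfctl -nf /etc/pf.conf, \
                          /sbin/pfctl -f /etc/pf.conf, \
                          /sbin/pfctl -s rules, /sbin/pfctl -s states, /sbin/pfctl -s info

# Task 6: backup/restore via a site script (assumed path) that only copies the
# configuration files above, so the admins never need a root shell for it.
Cmnd_Alias      BACKUP  = /usr/local/sbin/fwbackup

# Task 7: tcpdump has to run as root.  Exact argument lists only: "tcpdump *"
# would let an admin append "-w /etc/<file>" and overwrite any file as root.
Cmnd_Alias      CAPTURE = /usr/sbin/tcpdump -n -i em0, /usr/sbin/tcpdump -n -i em1

# Members of the (assumed) fwadmin group get exactly these commands as root,
# and nothing else: no shell, no editor, no unrestricted pfctl.
%fwadmin        ALL = (root) NETCFG, NAMESVC, SYSLOG, PFRULES, BACKUP, CAPTURE
```

Check a draft with `visudo -c -f <file>` before installing it, since a syntax error in sudoers locks everyone out of sudo at once.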
Re: dmesg for notebooks useful?
On Fri, Apr 29, 2011 at 6:05 AM, Dave Anderson d...@daveanderson.com wrote: On Thu, 28 Apr 2011 a.velichin...@gmail.com wrote: On Wed, Apr 27, 2011 at 11:25:20AM -0400, Dave Anderson wrote: I'm working on buying a notebook which will run OpenBSD, and have been grabbing the dmesg from whatever I find in stores to look at hardware compatibility (I've got a 4.9-current snapshot from 2011/4/13 on a USB stick which I boot on them). Would it be useful to also send what I collect to dm...@openbsd.org? It will also help if you send the dmesgs to misc@ too or put them in some publicly accessible place. There are fine people outside the circle of blessed Developers who may be interested in that info. Unfortunately, sending everything individually to the list is a pain, this list doesn't allow attachments (so I can't zip or tar them up in batches and send them that way), and I don't have anyplace handy to put them on the web. If you, or anyone else on the list, has a website you'd like to put these up on so everyone can see them, let me know. I'd be happy to send them in batches to one person for posting. www.pastebin.com You can send them here in text as plain text. It's expected and no one will be angry because of that. Dave -- Dave Anderson d...@daveanderson.com
Re: use DUIDs rather than device names in fstab?
On 29 Apr. 2011 at 07:00, David Gwynne l...@animata.net wrote: this is why i like duids: Is this what you get when you max out every option when ordering a machine? -Otto
tftp - no route to host
openbsd 4.8
# cat inetd.conf | grep tftpd
tftp dgram udp wait root /usr/libexec/tftpd /usr/libexec/tftpd -s /tftpboot
# netstat -na | grep .69
udp 0 0 *.69 *.*
# cat /etc/pf.conf | grep tftp
pass in on $int_if inet proto udp from any to $int_if port tftp
# tftp 127.0.0.1
tftp> get 123
Error code 1: File not found
tftp> get ekey
Received 40 bytes in 0.0 seconds
tftp> quit
then I try to connect from another machine, and see this message in the daemon log:
Apr 29 13:52:35 ipsec2 tftpd[18767]: 127.0.0.1: denied read access to '123'
Apr 29 13:53:35 ipsec2 tftpd[24124]: send: No route to host
Apr 29 13:53:36 ipsec2 tftpd[15240]: send: No route to host
what does it mean?
Re: use DUIDs rather than device names in fstab?
On 29/04/2011, at 4:48 PM, Otto Moerbeek wrote: On 29 Apr. 2011 at 07:00, David Gwynne l...@animata.net wrote: this is why i like duids: Is this what you get when you max out every option when ordering a machine? no...
Re: tftp - no route to host
2011/4/29 pavel pocheptsov lilit-aibo...@mail.ru openbsd 4.8 # cat /etc/pf.conf | grep tftp pass in on $int_if inet proto udp from any to $int_if port tftp # tftp 127.0.0.1 127.0.0.1 would not be on the $int_if, would it? -- To our sweethearts and wives. May they never meet. -- 19th century toast
Re: dmesg for notebooks useful?
Stick them up on http://www.nycbug.org/index.php?NAV=dmesgd;SQLIMIT=20 as well as sending them to dm...@openbsd.org Sevan / Venture37
Re: tftp - no route to host
Janne Johansson wrote: 2011/4/29 pavel pocheptsov lilit-aibo...@mail.ru openbsd 4.8 # cat /etc/pf.conf | grep tftp pass in on $int_if inet proto udp from any to $int_if port tftp # tftp 127.0.0.1 127.0.0.1 would not be on the $int_if, would it? -- To our sweethearts and wives. May they never meet. -- 19th century toast
yes, but from localhost I just test it, and connecting to $int_if works too:
# tftp 192.168.15.6
tftp> get ekey
Received 40 bytes in 0.0 seconds
tftp> quit
the problem is connecting from another machine in 192.168.15.0/24 to tftpd on 192.168.15.6
Re: tftp - no route to host
Pavel, 1) Are you sure that you uncommented tftpd in inetd.conf? Is inetd started? 2) netstat -na | grep 69 3) tcpdump -ni lo port 69 4) check PF rules as Janne wrote before (maybe you need to pass or just skip on lo). Btw, does it make any sense to use TFTP on localhost? :) -- Thanks! Eugene Sudyr On Fri, Apr 29, 2011 at 10:48 AM, Janne Johansson icepic...@gmail.com wrote: 2011/4/29 pavel pocheptsov lilit-aibo...@mail.ru openbsd 4.8 # cat /etc/pf.conf | grep tftp pass in on $int_if inet proto udp from any to $int_if port tftp # tftp 127.0.0.1 127.0.0.1 would not be on the $int_if, would it? -- To our sweethearts and wives. May they never meet. -- 19th century toast -- With regards, Eugene Sudyr
Re: tftp - no route to host
Sorry, I missed your netstat output, ignore part of my previous mail :) On Fri, Apr 29, 2011 at 12:33 PM, Evgeniy Sudyr eject.in...@gmail.com wrote: Pavel, 1) Are you sure that you uncommented tftpd in inetd.conf? Is inetd started? 2) netstat -na | grep 69 3) tcpdump -ni lo port 69 4) check PF rules as Janne wrote before (maybe you need to pass or just skip on lo). Btw, does it make any sense to use TFTP on localhost? :) -- Thanks! Eugene Sudyr On Fri, Apr 29, 2011 at 10:48 AM, Janne Johansson icepic...@gmail.com wrote: 2011/4/29 pavel pocheptsov lilit-aibo...@mail.ru openbsd 4.8 # cat /etc/pf.conf | grep tftp pass in on $int_if inet proto udp from any to $int_if port tftp # tftp 127.0.0.1 127.0.0.1 would not be on the $int_if, would it? -- To our sweethearts and wives. May they never meet. -- 19th century toast -- With regards, Eugene Sudyr
Re: tftp - no route to host
Evgeniy Sudyr wrote: Pavel, 1) Are you sure that you uncommented tftpd in inetd.conf? Is inetd started? 2) netstat -na | grep 69 3) tcpdump -ni lo port 69 4) check PF rules as Janne wrote before (maybe you need to pass or just skip on lo). Btw, does it make any sense to use TFTP on localhost? :) -- Thanks! Eugene Sudyr
# tcpdump -i rl0 | grep 192.168.15.6.tftp
tcpdump: listening on rl0, link-type EN10MB
17:55:51.398535 192.168.15.7.1117 > 192.168.15.6.tftp: 16 RRQ ekey
17:55:52.400286 192.168.15.7.1117 > 192.168.15.6.tftp: 16 RRQ ekey
# tail /var/log/daemon
Apr 29 17:54:14 ipsec2 dhcpd[24382]: DHCPREQUEST for 192.168.15.155 from 6c:62:6d:0c:56:f9 via rl0
Apr 29 17:54:14 ipsec2 dhcpd[24382]: DHCPACK on 192.168.15.155 to 6c:62:6d:0c:56:f9 via rl0
Apr 29 17:54:55 ipsec2 tftpd[17823]: send: No route to host
Apr 29 17:54:56 ipsec2 tftpd[7381]: send: No route to host
Apr 29 17:54:58 ipsec2 tftpd[21669]: send: No route to host
Apr 29 17:55:22 ipsec2 dhcpd[24382]: DHCPINFORM from 192.168.15.155
Apr 29 17:55:22 ipsec2 dhcpd[24382]: DHCPACK on 192.168.15.155 to 6c:62:6d:0c:56:f9 via rl0
Apr 29 17:55:51 ipsec2 tftpd[5857]: send: No route to host
Apr 29 17:55:52 ipsec2 tftpd[30407]: send: No route to host
Apr 29 17:55:54 ipsec2 tftpd[7320]: send: No route to host
Mother's Day
This e-newsletter is intended solely and exclusively to inform and cannot be considered SPAM. According to the international legislation that regulates electronic mail, an e-mail cannot be considered SPAM when it includes a way for the recipient to be removed from the list. If your name is on our list by mistake, we apologise in advance. Since the removal process is automatic, please check which e-mail address received our e-newsletter before requesting removal. If you do not wish to continue receiving our e-newsletter, click Cancel subscription
Re: Any suggests for modest, known compatible servers with RAID 1?
On Fri, Apr 29, 2011 at 12:24 AM, Abel Abraham Camarillo Ojeda acam...@verlet.org wrote: On Thu, Apr 28, 2011 at 10:25 PM, Nico Kadel-Garcia nka...@gmail.com wrote: I just went halfway through the build-your-own-custom-kernel, manually-configure-partition-tables, etc., etc. rituals to set up software RAID for OpenBSD 4.8, and have concluded that it's not economical in engineering time to do all that manual work for something available in hardware. So, I'm looking for modest servers to simply act as a locked-down external SSH server. I can lock down the OpenSSH pretty thoroughly, I'm just looking for modest, known-compatible server hardware. Any good recommendations? The listings for RAID compatibility include a lot of higher-end cards, and for this application, RAID 1 is plenty. Be sure to buy two of them, for when the RAID card fails. My prepositions also seem to have run shrieking for the hills while writing that note. My English is usually better than that. This is a fair point, and I did intend to buy several for various other uses as well. I'm looking at replacing/upgrading a set of hardware, so standardizing on hardware and keeping several hosts compatible with robust OpenBSD is reasonable. I'd like to start it right: even though the software RAID is available, I found the very helpful server compatibility list at http://www.armorlogic.com/openbsd-information-server-compatibility-list.html, and the RAID-compatible chipset list at http://www.openbsd.org/i386.html#hardware. Problem is, the twain don't easily meet. I don't need RAID6, just RAID1, and drilling down through server specs to find whether they're compatible is fairly painful. And for the server compatibility list, a lot of those aren't being manufactured anymore, or are way, way more server than I need. (I just need pizza boxes, not virtualization clustering servers.) So, I'm looking for recommendations. Modest 1U pizza boxes?
Even brand names for known-good PCI or PCIe SATA controllers would be helpful, rather than having to chew through the chipsets. (Been there, done that; lots of vendors keep it really obscured, and my old favorite 3Ware got bought by LSI.)
Loopback interfaces, OSPF
I'm setting up some OpenBSD servers to act as routers. I'm setting them up as dual-homed devices to have BGP running on a loopback interface (lo1); BGP peers will talk loopback to loopback through whichever path is valid. OpenOSPFD is used to advertise the loopback's /32 into the IGP. This is the standard way to do things on routers such as Cisco or Juniper. `ospfctl show rib` shows the loopback IPs, I can ping loopback IPs, but BGP will not come up. Troubleshooting with `tcpdump -i lo1` never shows any traffic, even my ICMP packets that are definitely from that interface. What's going on here? Is the loopback interface some very special device? Is anyone running OpenBGPD between loopbacks on OpenBSD?
Re: Need Suggestion: To limit the access of root account
On Fri, Apr 29, 2011 at 07:05, Stuart Henderson s...@spacehopper.org wrote: On 2011-04-29, Stefan N stefanbsd...@yahoo.com wrote: I would need some suggestions from you. Currently I am setting up OpenBSD Firewall using PF at my working place. Make sure your backups are current, and done daily...
Re: Any suggests for modest, known compatible servers with RAID 1?
On 2011-04-29, Nico Kadel-Garcia nka...@gmail.com wrote: So, I'm looking for recommendations. Modest 1U pizza boxes? R210? (as long as you don't need externally accessible disks.) Even brand names for known-good PCI or PCIe SATA controllers would be helpful, LSI
Re: Need Suggestion: To limit the access of root account
On Fri, 29 Apr 2011 12:05:24 +0000 (UTC) Stuart Henderson wrote: This sort of menu might make things a little easier but it's not going to make them safer; people can do quite enough damage with just these options. Yeah, you can give your users read access to the devices or log files required by tcpdump. But it expects root and will exit anyway. Running this, especially as root, on a firewall is not a brilliant idea. If your colleagues are familiar with cisco-style CLI it might be worth looking at nsh to make it easier for them, but if they're going to have to learn from scratch whatever you do, it's probably more useful to teach them the native tools. Yep, those skills will be far more functional and will for the most part work on other far more cost-effective and as or more useful appliances, and for completely separate uses too.
Re: Any suggests for modest, known compatible servers with RAID 1?
http://www.shiningsilence.com/dbsdlog/2011/04/27/7673.html Areca is well supported by OpenBSD (from the man page), you might have to bring in some functionality from FreeBSD. I have no experience with modern cards, but I will be keeping Areca in mind for the future. I have used old Dell PERC RAID controllers and somewhat newer LSI; they were good. Thanks On Fri, Apr 29, 2011 at 6:58 AM, Nico Kadel-Garcia nka...@gmail.com wrote: On Fri, Apr 29, 2011 at 12:24 AM, Abel Abraham Camarillo Ojeda acam...@verlet.org wrote: On Thu, Apr 28, 2011 at 10:25 PM, Nico Kadel-Garcia nka...@gmail.com wrote: I just went halfway through the build-your-own-custom-kernel, manually-configure-partition-tables, etc., etc. rituals to set up software RAID for OpenBSD 4.8, and have concluded that it's not economical in engineering time to do all that manual work for something available in hardware. So, I'm looking for modest servers to simply act as a locked-down external SSH server. I can lock down the OpenSSH pretty thoroughly, I'm just looking for modest, known-compatible server hardware. Any good recommendations? The listings for RAID compatibility include a lot of higher-end cards, and for this application, RAID 1 is plenty. Be sure to buy two of them, for when the RAID card fails. My prepositions also seem to have run shrieking for the hills while writing that note. My English is usually better than that. This is a fair point, and I did intend to buy several for various other uses as well. I'm looking at replacing/upgrading a set of hardware, so standardizing on hardware and keeping several hosts compatible with robust OpenBSD is reasonable. I'd like to start it right: even though the software RAID is available, I found the very helpful server compatibility list at http://www.armorlogic.com/openbsd-information-server-compatibility-list.html, and the RAID-compatible chipset list at http://www.openbsd.org/i386.html#hardware. Problem is, the twain don't easily meet.
I don't need RAID6, just RAID1, and drilling down through server specs to find whether they're compatible is fairly painful. And for the server compatibility list, a lot of those aren't being manufactured anymore, or are way, way more server than I need. (I just need pizza boxes, not virtualization clustering servers.) So, I'm looking for recommendations. Modest 1U pizza boxes? Even brand names for known-good PCI or PCIe SATA controllers would be helpful, rather than having to chew through the chipsets. (Been there, done that; lots of vendors keep it really obscured, and my old favorite 3Ware got bought by LSI.)
Re: For me, OpenBSD is the operating system that just works.
On 28/04/2011, Kevin Chadwick ma1l1i...@yahoo.co.uk wrote: On Wed, 27 Apr 2011 18:56:57 -0400 Kraktus wrote: So, I think OpenBSD tops the list of operating systems that just work. The only thing I really wish for is more encryption options for softraid. And more people using OpenBSD, so the data I send to them is more secure. :-) And so I don't have to spend so much time repairing other people's computers, or having to feel so insecure when borrowing others' computers. Imagine walking into a library, signing up to use a computer, and being greeted by a friendly OpenBSD login screen. Or even a FreeBSD one. Or even a Linux one. Or just something that isn't Windows. But of course, that's just a dream. Which is why it would really be nice to have cross-platform block-level software encryption. Sometimes it is necessary to use a computer you don't have control over, and be able to access at least some of your data from that computer. Multi-booting is also sometimes unavoidable, e.g. if your employer requires you to use Photoshop, you really want to learn a foreign language with commercial software, or whatever the situation is. I've been looking into hardware solutions recently. A few examples: http://www.addonics.com/products/diamond_cipher/ http://www.addonics.com/products/cipher/CCEXA256.asp Hitachi's full disk encryption for laptop drives (really hard to find; manufacturers advertise the encrypted drive, but when it arrives in the mail, it turns out to be the unencrypted, freely-exportable version) The first would help for moving encrypted data between different computers running different operating systems; the second and third would help for encrypting a multi-boot computer but still allowing the different OSes to read each others' file systems. Unfortunately, there's some obvious weaknesses. In many ways, the Addonics key, being on a physical medium, has many of the same vulnerabilities as your house key. 
Unless you can shell out a grand to be able to generate and replicate your own keys, or reverse engineer the formatting so you can do it from OpenBSD, you're stuck letting them generate the key and make the copies. Unlike a password stored in your memory, it can be lost/stolen. (Of course, your memory might have limits on how strong a password you can remember, so the ideal would be to require both a strong key stored on a physical medium, *and* a user-remembered password, which could be accomplished either by encrypting the key with the password, or else by layering a physical-key based encryption and a password-based encryption.) It's probably either ECB or CBC, neither of which is particularly impressive. As for the Hitachi encryption, the length of the password is severely limited by your BIOS. In fact, your BIOS might not even let you enter a password. Also, every hardware-based encryption system I've seen is either AES or something even older and weaker, so if you want Twofish or Threefish, you can only get that from software, so far as I know.
Re: Loopback interfaces, OSPF
On Fri, Apr 29, 2011 at 11:05 AM, Stuart Henderson s...@spacehopper.org wrote: Yes. You sometimes get nasty cloned host routes if ospfd bounces, but this mostly works pretty well. My usual setup is like this:
$ cat /etc/hostname.lo1
inet 192.0.2.5/32
$ grep lo1 /etc/ospfd.conf
interface lo1 { passive }
$ grep 192.0.2.5 /etc/bgpd.conf
router-id 192.0.2.5
local-address 192.0.2.5
Thanks, my issue was not having local-address defined; it came right up after that. Any more details you can share about the routing issue if ospfd bounces, and if it bounced on its own or was done by someone manually? Does the issue happen only on the box where ospfd bounced?
Re: Any suggests for modest, known compatible servers with RAID 1?
On Fri, Apr 29, 2011 at 12:09 PM, Stuart Henderson s...@spacehopper.org wrote: On 2011-04-29, Nico Kadel-Garcia nka...@gmail.com wrote: So, I'm looking for recommendations. Modest 1U pizza boxes? R210? (as long as you don't need externally accessible disks.) Even brand names for known-good PCI or PCIe SATA controllers would be helpful, LSI Thanks for the thought. I was unclear: I wanted the model name, not the manufacturer's name. I've had... harsh experience when some components by a particular vendor work well, but others do not. And even model names can be *very* confusing when a vendor deliberately has a name on the box that doesn't match the spec sheet that doesn't match the BIOS-reported component name. (Dear lord, don't *get* me going on the old 3com network cards and the Mega[notworking]RAID cards of various vintages.) I've actually spent a bit more time and gotten software RAID working and will send some updates to the authors of the very helpful software RAID guidelines that I found.
Re: Any suggests for modest, known compatible servers with RAID 1?
On Sat, Apr 30, 2011 at 7:23 AM, Nico Kadel-Garcia nka...@gmail.com wrote:
> Thanks for the thought. I was unclear: I wanted the model name, not the manufacturer's name.

I've had good experience with the Dell R415s and their H700 RAID controllers. Everything seems well supported, and they're fast and cheap. dmesg below. Only caveat is that the RAID controller consumes the only PCIe slot.

We've just purchased some R610s for use as OpenBSD routers (as they have two PCIe slots and four onboard NICs) and Dell will factory-install an (apparently) OpenBSD-compatible Intel X520 SFP+ dual-10GE card at a reasonable price, and supply appropriate SFP+ modules.

Cheers,
Patrick

bios0: ROM list: 0xc/0x8000 0xc8000/0x1000 0xc9000/0x2600 0xcb800/0x6000 0xec000/0x4000!
ipmi at mainbus0 not configured
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 ATI RD890 PCIE rev 0x02
ppb0 at pci0 dev 2 function 0 ATI RD890 PCIE rev 0x00: apic 7 int 28 (irq 255)
pci1 at ppb0 bus 1
mfi0 at pci1 dev 0 function 0 Symbios Logic MegaRAID SAS2108 GEN2 rev 0x05: apic 7 int 0 (irq 14), Dell PERC H700 Adapter
mfi0: logical drives 1, version 12.10.0-0025, 1024MB RAM
scsibus0 at mfi0: 1 targets
sd0 at scsibus0 targ 0 lun 0: DELL, PERC H700, 2.10 SCSI3 0/direct fixed
sd0: 47104MB, 512 bytes/sec, 96468992 sec total
ppb1 at pci0 dev 9 function 0 ATI RD890 PCIE rev 0x00: apic 7 int 29 (irq 255)
pci2 at ppb1 bus 2
bnx0 at pci2 dev 0 function 0 Broadcom BCM5716 rev 0x20: apic 7 int 24 (irq 14)
bnx1 at pci2 dev 0 function 1 Broadcom BCM5716 rev 0x20: apic 7 int 25 (irq 11)
ahci0 at pci0 dev 17 function 0 ATI SBx00 SATA rev 0x00: apic 6 int 22 (irq 15), AHCI 1.1
scsibus1 at ahci0: 32 targets
ohci0 at pci0 dev 18 function 0 ATI SB700 USB rev 0x00: apic 6 int 16 (irq 14), version 1.0, legacy support
ohci1 at pci0 dev 18 function 1 ATI SB700 USB rev 0x00: apic 6 int 16 (irq 14), version 1.0, legacy support
ehci0 at pci0 dev 18 function 2 ATI SB700 USB2 rev 0x00: apic 6 int 17 (irq 11)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 ATI EHCI root hub rev 2.00/1.00 addr 1
ohci2 at pci0 dev 19 function 0 ATI SB700 USB rev 0x00: apic 6 int 18 (irq 10), version 1.0, legacy support
ohci3 at pci0 dev 19 function 1 ATI SB700 USB rev 0x00: apic 6 int 18 (irq 10), version 1.0, legacy support
ehci1 at pci0 dev 19 function 2 ATI SB700 USB2 rev 0x00: apic 6 int 19 (irq 6)
usb1 at ehci1: USB revision 2.0
uhub1 at usb1 ATI EHCI root hub rev 2.00/1.00 addr 1
piixpm0 at pci0 dev 20 function 0 ATI SBx00 SMBus rev 0x3d: SMI
iic0 at piixpm0
pciide0 at pci0 dev 20 function 1 ATI SB700 IDE rev 0x00: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide0: using apic 6 int 16 (irq 14) for native-PCI interrupt
atapiscsi0 at pciide0 channel 0 drive 0
scsibus2 at atapiscsi0: 2 targets
cd0 at scsibus2 targ 0 lun 0: TEAC, DVD-ROM DV-28SW, R.2A ATAPI 5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, DMA mode 2, Ultra-DMA mode 5
pcib0 at pci0 dev 20 function 3 ATI SB700 ISA rev 0x00
ppb2 at pci0 dev 20 function 4 ATI SB600 PCI rev 0x00
pci3 at ppb2 bus 3
vga1 at pci3 dev 4 function 0 Matrox MGA G200eW rev 0x0a
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pchb1 at pci0 dev 24 function 0 AMD AMD64 10h HyperTransport rev 0x00
pchb2 at pci0 dev 24 function 1 AMD AMD64 10h Address Map rev 0x00
pchb3 at pci0 dev 24 function 2 AMD AMD64 10h DRAM Cfg rev 0x00
km0 at pci0 dev 24 function 3 AMD AMD64 10h Misc Cfg rev 0x00
pchb4 at pci0 dev 24 function 4 AMD AMD64 10h Link Cfg rev 0x00
usb2 at ohci0: USB revision 1.0
uhub2 at usb2 ATI OHCI root hub rev 1.00/1.00 addr 1
usb3 at ohci1: USB revision 1.0
uhub3 at usb3 ATI OHCI root hub rev 1.00/1.00 addr 1
usb4 at ohci2: USB revision 1.0
uhub4 at usb4 ATI OHCI root hub rev 1.00/1.00 addr 1
usb5 at ohci3: USB revision 1.0
uhub5 at usb5 ATI OHCI root hub rev 1.00/1.00 addr 1
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
mtrr: Pentium Pro MTRR support
uhub6 at uhub0 port 3 Standard Microsystems product 0x2514 rev 2.00/0.00 addr 2
uhidev0 at uhub2 port 2 configuration 1 interface 0 Avocent USB Composite Device-0 rev 1.10/0.00 addr 2
uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 modifier keys, 6 key codes
wskbd1 at ukbd0 mux 1
wskbd1: connecting to wsdisplay0
uhidev1 at uhub2 port 2 configuration 1 interface 1 Avocent USB Composite Device-0 rev 1.10/0.00 addr 2
uhidev1: iclass 3/1
ums0 at uhidev1
ums0: X report 0x0002 not supported
softraid0 at root
root on sd0a swap on sd0b dump on sd0b
bnx0: address 60:eb:69:6f:0d:e5
brgphy0 at bnx0 phy 1: BCM5709 10/100/1000baseT PHY, rev. 8
bnx1: