Server

Hi andi,

You didn't mention your RAM size, disc speed etc so it's quite hard to answer your question. As for a true database (RDBMS) system, with serious data, I would not use openbsd. You should check the homepage of your database software distributor and look out for something like "supported os". If openbsd is on the list i m

> Hello,
>
> It will depend what you want to do with your server.
>
> Firstly, I suggest you remove your graphics card if you can. It will
> make noise and heat for nothing and will increase your power
> consumption.
> If you need a "simple home" server, to store/share files on your
> network, set-up your owncloud and/or run a database for personal
> developments, I think your hardware is good.
>
> I can't say if OpenBSD is the best system for your use as we don't
> know your use. OpenBSD can run a database (postgresql, mysql, redis,
> mongo..), but the performance will depend on your workload.
>
> Best regards,
> Charles RAPENNE
>
> 2013/3/13 Andi :
> > Hello everybody,
> >
> > I'm thinking about putting the openBSD 5.2, in a desktop machine, in order
> > to make this a server.
> >
> > The hardware configuration is:
> > intel i3, 1TB of HD, nvidia 9800.
> >
> > But I'm wondering about this, if it will be good idea?
> > If it's recommended... if openBSD is good to run a database... etc
> >
> > Any suggestion, criticism, whatever... feel free to answer.
> >
> > Best regards,
> > ..:: Andi ::..

Re: snort inline

Hi Justin,

First of all, thank you for testing my diff and providing feedback!

At the moment, the need to use -k none with Snort inline is expected. Briefly, due to the way packets are processed when divert-packet is used with NAT, the checksums of packets being diverted from the kernel to userspace will be incorrect. That is why Snort needs to be told to ignore the checksums.

To avoid having to calculate the checksums twice (once before diverting the packet from kernel to userspace, and once again after reinjecting it from userspace to kernel), my diff only calculates the checksums once on reinjection. I think that's a better spot to do it because the userspace program (which could be something other than Snort) can potentially modify the packets, which would require the checksums to be recalculated again anyway.

Perhaps all that needs to be done is for the behavior to be documented. Anyway that's my take on what is going on and what's needed to fix it; perhaps someone else with more experience can chime in. :)

Lawrence

On Mon, Mar 11, 2013 at 12:33:09PM -0500, Justin Mayes wrote:
> So snort was running and I could use my little C test divert program also to
> see I was passing packets back and forth thru divert. I never got a snort
> alert though even though traffic was passing to and from client. So after
> noticing the snort exit output that showed "bad chk sum: 100.000%" I used
> the snort -k none option and now snort is alerting also. Just an FYI in case
> this is at all related to your work. I have run snort a lot in the past but
> never on OpenBSD so I don't know if that's normal or not.
>
> Justin
>
>
> -Original Message-
> From: Justin Mayes
> Sent: Thursday, March 07, 2013 4:02 PM
> To: 'Lawrence Teo'
> Cc: misc@openbsd.org
> Subject: RE: snort inline
>
> This works. Thank you very much. I'll let you know if I run into any issues
> but I am able to run snort inline now along with NAT.
>
> Justin
>
>
> -Original Message-
> From: Lawrence Teo [mailto:l...@openbsd.org]
> Sent: Wednesday, March 06, 2013 8:55 AM
> To: Justin Mayes
> Cc: misc@openbsd.org
> Subject: Re: snort inline
>
> Hi Justin,
>
> Not sure if you still need to use divert-packet with NAT, but if you do,
> could you please try the diff at
> http://marc.info/?l=openbsd-tech&m=136245826921904&w=2 to see if it works
> for you?
>
> The easiest way to get the diff is:
>
> ftp -o divert-checksum.diff \
> 'http://marc.info/?l=openbsd-tech&m=136245826921904&q=raw'
>
> If you do try it, please let me know if it works for you.
>
> Thanks,
> Lawrence
>
> On Wed, Dec 19, 2012 at 03:09:47PM -0600, Justin Mayes wrote:
> > Another update in case there is any interest in running divert-packet
> > along with NATing. I ditched snort and wrote a little divert program
> > based on the man page to test easier. I can now see that with nat as
> > well as divert-packet on egress rule on external interface the packet
> > will get NATed and go out. A reply will come back to external
> > interface and then get diverted again and never make it to the client.
> > I am as sure as I can be at this point that you cannot divert packets from
> > a NATed client.
> >
> > Justin
> >
> > -Original Message-
> > From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf
> > Of Justin
> > Sent: Sunday, November 25, 2012 4:37 PM
> > To: misc@openbsd.org
> > Subject: Re: snort inline
> >
> > Quick update. It seems to be a nat problem. If I just test by pinging
> > either the 192.168.1.32 interface or the 192.168.0.13 interface it
> > works fine and snort sees the packets. It's only when the traffic is NATed
> > that it fails.
> >
> > -Original Message-
> > From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf
> > Of Justin
> > Sent: Saturday, November 24, 2012 2:21 PM
> > To: misc@openbsd.org
> > Subject: snort inline
> >
> > Anyone running snort 2.9.3.1p0 in inline / IPS mode with 5.2 current?
> > From what I read it's possible with pf divert functionality.
> >
> > This is what I'm doing for testing in pf using simple ping
> >
> > Gateway info
> > internal interface fxp0 - 192.168.1.32
> > external interface bce0 - 192.168.0.13
> >
> > Running snort via this cmd line
> > snort --daq-dir /usr/local/lib/daq -Q --daq ipfw -c /etc/snort/snort.conf -v
> >
> > Internal interface is in the skip list hence no active rules for it
> > pfctl -sr
> > pass out on bce0 all flags S/SA scrub (reassemble tcp) nat-to (bce0:0)
> > pass in on bce0 inet all flags S/SA scrub (reassemble tcp)
> >
> > This works as expected, I can ping 8.8.8.8 and since no diverting is
> > active snort sees nothing
> > I change rules to this to start diverting to snort
> > pfctl -sr
> > pass out on bce0 all flags S/SA scrub (reassemble tcp) divert-packet port 8000 nat-to (bce0:0)
> > pass in o

Re: "offline" mail setup for road warrior

On Sat, Mar 09, 2013 at 12:18:50AM +0100, frantisek holop wrote:
> i have my own mail server, that i can setup as i want.
> i am travelling with my notebook. my preferred setup would be something
> that downloads my mails when i am connected, then i can write answers
> locally even when being offline, and these would be sent automatically
> (through my server) when i come online again. my mail client is mutt.
>
> any road warriors living like this with a rock solid well tested setup?

I use unison to sync my maildirs (much faster than POP/IMAP) and extsmail [1] to send my e-mail via ssh whenever a connection is found. This is a very simple setup, but it has the advantage that it requires no more config than is needed for normal ssh. I find it much easier than e.g. setting up SMTP/TLS on various machines. It also means that synchronising things across multiple machines works well.

I spend huge chunks of time offline (e.g. I'm writing this on a train), and this setup has worked well for me for several years.

Yours,

Laurie

[1] http://tratt.net/laurie/src/extsmail/
    in ports as mail/extsmail

--
Personal                    http://tratt.net/laurie/
Software Development Team   http://soft-dev.org/
https://github.com/ltratt   http://twitter.com/laurencetratt

Re: pf: inline anchor rules in not enough to keep tables in memory?

For the anchor removed if not persistent, I have already written about this. The answer from Henning:
http://marc.info/?l=openbsd-misc&m=133467818116146&w=2

On 2013-03-13 14:15, Maxim Khitrov wrote:
> On Wed, Mar 13, 2013 at 1:59 PM, Michel Blais wrote:
> > I think you must specify the anchor first. Something like :
> >
> > pfctl -a ix1 -t admins -T show
>
> That doesn't work. First, it's an unnamed anchor, so I don't think you
> can specify it with the -a option. Second, inbound connections to port
> 22 are rejected in the first case, but not in the second. The table is
> removed as though it was unreferenced, so the pass rule in the anchor
> doesn't match any source IPs.
>
> - Max

--
Best regards
Michel Blais
Network administrator
Targo Communications
www.targo.ca
514-448-0773

Re: pf: inline anchor rules in not enough to keep tables in memory?

Oops, read too fast. You can name anchors even if those are optional. If you name them, you should be able to access table inside of them via

    pfctl -a $anchor_name -t admins -T show

For example for in-brace anchor with name:
http://www.openbsd.org/faq/pf/anchors.html

On 2013-03-13 14:15, Maxim Khitrov wrote:
> On Wed, Mar 13, 2013 at 1:59 PM, Michel Blais wrote:
> > I think you must specify the anchor first. Something like :
> >
> > pfctl -a ix1 -t admins -T show
>
> That doesn't work. First, it's an unnamed anchor, so I don't think you
> can specify it with the -a option. Second, inbound connections to port
> 22 are rejected in the first case, but not in the second. The table is
> removed as though it was unreferenced, so the pass rule in the anchor
> doesn't match any source IPs.
>
> - Max

--
Best regards
Michel Blais
Network administrator
Targo Communications
www.targo.ca
514-448-0773

Re: pf: inline anchor rules in not enough to keep tables in memory?

On Wed, Mar 13, 2013 at 1:59 PM, Michel Blais wrote:
> I think you must specify the anchor first. Something like :
>
> pfctl -a ix1 -t admins -T show

That doesn't work. First, it's an unnamed anchor, so I don't think you can specify it with the -a option. Second, inbound connections to port 22 are rejected in the first case, but not in the second. The table is removed as though it was unreferenced, so the pass rule in the anchor doesn't match any source IPs.

- Max

Re: pf: inline anchor rules in not enough to keep tables in memory?

I think you must specify the anchor first. Something like :

    pfctl -a ix1 -t admins -T show

On 2013-03-13 13:55, Maxim Khitrov wrote:
> Hello,
>
> I was a bit surprised by the following behavior when configuring pf on
> OpenBSD 5.2. Non-persistent tables that are only referenced by inline
> anchor rules, as in the following example, are removed from memory
> when pf.conf is loaded.
>
> # Doesn't work (ssh connections are blocked):
> table <admins> {10.0.0.2}
> block
> pass out
> anchor in on ix1 {
>     pass proto tcp from <admins> to ix1 port ssh
> }
>
> # Works as expected:
> table <admins> persist {10.0.0.2}
> block
> pass out
> anchor in on ix1 {
>     pass proto tcp from <admins> to ix1 port ssh
> }
>
> After loading the first configuration, 'pfctl -t admins -T show' gives me:
> pfctl: Table does not exist.
>
> Referencing the table in the main ruleset, or making it persistent as
> in the second example, fixes the problem. Is this by design?
>
> - Max

--
Best regards
Michel Blais
Network administrator
Targo Communications
www.targo.ca
514-448-0773

pf: inline anchor rules in not enough to keep tables in memory?

Hello,

I was a bit surprised by the following behavior when configuring pf on OpenBSD 5.2. Non-persistent tables that are only referenced by inline anchor rules, as in the following example, are removed from memory when pf.conf is loaded.

    # Doesn't work (ssh connections are blocked):
    table <admins> {10.0.0.2}
    block
    pass out
    anchor in on ix1 {
        pass proto tcp from <admins> to ix1 port ssh
    }

    # Works as expected:
    table <admins> persist {10.0.0.2}
    block
    pass out
    anchor in on ix1 {
        pass proto tcp from <admins> to ix1 port ssh
    }

After loading the first configuration, 'pfctl -t admins -T show' gives me:

    pfctl: Table does not exist.

Referencing the table in the main ruleset, or making it persistent as in the second example, fixes the problem. Is this by design?

- Max

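A small lint for the case reported in the message above, as an added example that is not part of the original post: it lists tables declared without persist that are referenced only inside brace-delimited inline anchors. The sample ruleset and the table names <ops> and <mon> are constructed, and the parser assumes one rule per line, with anchor braces opening at the end of an anchor line and closing on a line of their own.

```shell
#!/bin/sh
# lint_pf_tables [FILE]: print each table that is declared without "persist"
# and referenced only inside brace-delimited (inline) anchors.
# Assumptions (not full pf.conf grammar): one rule per line; an anchor block
# opens with "{" at the end of a line starting with "anchor" and closes with
# a lone "}"; address and port lists open and close on the same line.
lint_pf_tables() {
    awk '
    # Record every <name> on this line as seen inside or outside an anchor.
    function note_refs(text, inside,    ref) {
        while (match(text, /<[^<> \t]+>/)) {
            ref = substr(text, RSTART + 1, RLENGTH - 2)
            if (inside) { in_anchor[ref] = 1 } else { in_main[ref] = 1 }
            text = substr(text, RSTART + RLENGTH)
        }
    }
    {
        sub(/#.*/, "")                          # strip comments
        if ($1 == "table") {                    # table <name> [persist] [{...}]
            if (match($0, /<[^<> \t]+>/)) {
                name = substr($0, RSTART + 1, RLENGTH - 2)
                order[++n] = name
                if ($0 ~ /[ \t]persist([ \t]|$)/) persist[name] = 1
            }
            next
        }
        if ($0 ~ /^[ \t]*[}][ \t]*$/) {         # end of an anchor block
            if (depth > 0) depth--
            next
        }
        # A reference on the anchor line itself counts as the enclosing level.
        note_refs($0, depth > 0)
        if ($1 == "anchor" && $0 ~ /[{][ \t]*$/) depth++
    }
    END {
        for (i = 1; i <= n; i++) {
            name = order[i]
            if (!(name in persist) && (name in in_anchor) && !(name in in_main))
                print name
        }
    }' "$@"
}

# Constructed sample: <admins> reproduces the report, <ops> is persistent,
# <mon> is also referenced from the main ruleset.
sample_pf_conf() {
    cat <<'EOF'
table <admins> {10.0.0.2}
table <ops> persist {10.0.0.3}
table <mon> {10.0.0.4}
block
pass out
pass in proto icmp from <mon>
anchor in on ix1 {
    pass proto tcp from <admins> to ix1 port ssh
    pass proto tcp from <ops> to ix1 port { 80, 443 }
    pass proto tcp from <mon> to ix1 port 161
}
EOF
}

sample_pf_conf | lint_pf_tables
```

Run it against a real ruleset with `lint_pf_tables /etc/pf.conf`; each name it prints is a candidate for `persist` or for a reference in the main ruleset, the two fixes named in the message.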
Re: Server

Hello,

It will depend what you want to do with your server.

Firstly, I suggest you remove your graphics card if you can. It will make noise and heat for nothing and will increase your power consumption.
If you need a "simple home" server, to store/share files on your network, set-up your owncloud and/or run a database for personal developments, I think your hardware is good.

I can't say if OpenBSD is the best system for your use as we don't know your use. OpenBSD can run a database (postgresql, mysql, redis, mongo..), but the performance will depend on your workload.

Best regards,
Charles RAPENNE

2013/3/13 Andi :
> Hello everybody,
>
> I'm thinking about putting the openBSD 5.2, in a desktop machine, in order
> to make this a server.
>
> The hardware configuration is:
> intel i3, 1TB of HD, nvidia 9800.
>
> But I'm wondering about this, if it will be good idea?
> If it's recommended... if openBSD is good to run a database... etc
>
> Any suggestion, criticism, whatever... feel free to answer.
>
> Best regards,
> ..:: Andi ::..

Re: Transferring Multimedia Files from Mac OS X to OpenBSD

[- Wed 13.Mar'13 at 14:21:31 +0100 K.André Braselmann :-]

> check out cmus from ports, NOT packages.
> http://cmus.sourceforge.net/
>
> Look at the Makefile and add your wishes. Build and install it.
> Supports nearly everything where it can find the libs for.
> Ok, cover art is a MINUS, i mean non-existent.

I'll check it out - thanks mate

--
James Griffin: jmz at kontrol.kode5.net
               jmzgriffin at gmail.com

A4B9 E875 A18C 6E11 F46D B788 BEE6 1251 1D31 DC38

Re: Transferring Multimedia Files from Mac OS X to OpenBSD

yeah just tried some of my iTunes purchases and it works perfectly. Sorry for asking what seems now to have been a pointless question. I just didn't want to go to the trouble of transferring 80+GB of data if it was going to be in vain.

James

--
James Griffin: jmz at kontrol.kode5.net
               jmzgriffin at gmail.com

A4B9 E875 A18C 6E11 F46D B788 BEE6 1251 1D31 DC38

Re: ospf and multiple areas

On 07/03/13 19:14, Kapetanakis Giannis wrote:

Hi,

I'm having trouble configuring multiple areas in ospfd. System is current.

If I put vlan12 interface in area 0.0.0.7, then vlan12:network is not announced at all. If I put it on area 0.0.0.0 then it is announced, but I don't see it as inter area in remote routers.

How can I add it in area 7?

regards,

Giannis

pf disabled

# cat /etc/ospfd.conf
router-id 192.168.0.5
fib-update yes
stub router no
redistribute connected
redistribute static

area 0.0.0.0 {
        interface bge0 {
                auth-type crypt
                auth-md XX
                auth-md-keyid XX
        }
}
area 0.0.0.7 {
        stub
        interface vlan12 {passive}
}

bge0: flags=8843 mtu 1500
        lladdr 00:0a:e4:84:41:a5
        description: External
        priority: 0
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet6 fe80::20a:e4ff:fe84:41a5%bge0 prefixlen 64 scopeid 0x1
        inet 192.168.0.5 netmask 0xff00 broadcast 192.168.0.255
bge1: flags=8843 mtu 1500
        lladdr 00:0a:e4:84:41:a4
        description: Internal
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet6 fe80::20a:e4ff:fe84:41a4%bge1 prefixlen 64 scopeid 0x2
vlan12: flags=8843 mtu 1500
        lladdr 00:0a:e4:84:41:a4
        description: TEST
        priority: 0
        vlan: 12 parent interface: bge1
        groups: vlan
        status: active
        inet6 fe80::20a:e4ff:fe84:41a4%vlan12 prefixlen 64 scopeid 0x6
        inet 10.0.0.2 netmask 0xff00 broadcast 10.0.0.255

# ospfctl s n
ID              Pri State        DeadTime Address         Iface     Uptime
192.168.0.2     1   FULL/BCKUP   00:00:30 192.168.0.2     bge0      00:00:25
10.0.1.4        1   FULL/DR      00:00:37 192.168.0.1     bge0      00:00:30

# ospfctl s r
10.0.1.4/32     192.168.0.1     Intra-Area   Network   11   00:01:13

# ospfctl s f
*S     8 0.0.0.0/0          192.168.0.1
*O    32 10.0.1.4/32        192.168.0.1
*C     4 10.0.0.0/24        link#6
*C     0 127.0.0.0/8        link#0
*S     8 127.0.0.0/8        127.0.0.1
*      4 127.0.0.1/32       127.0.0.1
*C     4 192.168.0.0/24     link#1
*O    32 192.168.0.0/24     192.168.0.5
*S     8 224.0.0.0/4        127.0.0.1

# ospfctl s d|grep 10.0.0
nothing

I'm still having problems setting up multiple areas...

Even this simple test fails to work:

# ifconfig lo1 up 10.1.102.1 netmask 255.255.255.0

area 0.0.0.7 {
        stub
        interface lo1 {passive}
}

redistribute connected (in/out comment) makes no change.

The network is not advertised in 0.0.0.0
If I put the interface in area 0.0.0.0 then it is advertised normally.

I've tried with loopback, vlan, carp and all have the same result.

G

Re: Transferring Multimedia Files from Mac OS X to OpenBSD

2013/3/13 James Griffin
>
> Is it simply a case of creating a tar file of the music files and
> copying them over? Will the encoding (mostly mp4, mp4 and mp4a) be ok to
> use "as-is" or will I need to do some extra processing on them using
> some tool or other? I've got mplayer and vlc player installed which I
> hope I can use to play them, etc.
>

check out cmus from ports, NOT packages.
http://cmus.sourceforge.net/

Look at the Makefile and add your wishes. Build and install it.
Supports nearly everything where it can find the libs for.
Ok, cover art is a MINUS, i mean non-existent.

André

Re: Transferring Multimedia Files from Mac OS X to OpenBSD

[- Wed 13.Mar'13 at 14:10:30 +0100 Roger Wiklund :-]

> On Wed, Mar 13, 2013 at 1:54 PM, James Griffin wrote:
> > Hi
> >
> > I have decided to sell my Mac computer as I'm totally skint, being a
> > student. But, I would like to preserve the Music and Videos I've got on
> > it -- mainly from iTunes -- and transfer them to my OpenBSD system so I
> > can play them.
> >
> > Is it simply a case of creating a tar file of the music files and
> > copying them over? Will the encoding (mostly mp4, mp4 and mp4a) be ok to
> > use "as-is" or will I need to do some extra processing on them using
> > some tool or other? I've got mplayer and vlc player installed which I
> > hope I can use to play them, etc.
> >
> > Has anyone had experience with this type of thing and able to offer some
> > info about the steps, if any, I need to take?
> >
> > Thanks in advance for any help offered.
> >
> > Best wishes, James.
> >
>
> I would say VLC can play almost anything. One problem would be DRM
> though, if you bought stuff from iTunes that has DRM, those files are
> locked to your iTunes/Mac/Apple ID (not sure which one it is)
>
> Just go ahead and copy the files before you sell it and test it out on
> OpenBSD. There are ways around DRM, for example in iTunes burn the
> songs to a CD and then rip them, DRM free.

Thanks, I just tar'red up the files and transferred them over. Just playing Eurythmics in VLC now - it works great. I haven't tried the stuff I purchased using iTunes yet.

--
James Griffin: jmz at kontrol.kode5.net
               jmzgriffin at gmail.com

A4B9 E875 A18C 6E11 F46D B788 BEE6 1251 1D31 DC38

Re: Transferring Multimedia Files from Mac OS X to OpenBSD

On Wed, Mar 13, 2013 at 1:54 PM, James Griffin wrote:
> Hi
>
> I have decided to sell my Mac computer as I'm totally skint, being a
> student. But, I would like to preserve the Music and Videos I've got on
> it -- mainly from iTunes -- and transfer them to my OpenBSD system so I
> can play them.
>
> Is it simply a case of creating a tar file of the music files and
> copying them over? Will the encoding (mostly mp4, mp4 and mp4a) be ok to
> use "as-is" or will I need to do some extra processing on them using
> some tool or other? I've got mplayer and vlc player installed which I
> hope I can use to play them, etc.
>
> Has anyone had experience with this type of thing and able to offer some
> info about the steps, if any, I need to take?
>
> Thanks in advance for any help offered.
>
> Best wishes, James.
>

I would say VLC can play almost anything. One problem would be DRM though, if you bought stuff from iTunes that has DRM, those files are locked to your iTunes/Mac/Apple ID (not sure which one it is)

Just go ahead and copy the files before you sell it and test it out on OpenBSD. There are ways around DRM, for example in iTunes burn the songs to a CD and then rip them, DRM free.

Transferring Multimedia Files from Mac OS X to OpenBSD

Hi

I have decided to sell my Mac computer as I'm totally skint, being a student. But, I would like to preserve the Music and Videos I've got on it -- mainly from iTunes -- and transfer them to my OpenBSD system so I can play them.

Is it simply a case of creating a tar file of the music files and copying them over? Will the encoding (mostly mp4, mp4 and mp4a) be ok to use "as-is" or will I need to do some extra processing on them using some tool or other? I've got mplayer and vlc player installed which I hope I can use to play them, etc.

Has anyone had experience with this type of thing and able to offer some info about the steps, if any, I need to take?

Thanks in advance for any help offered.

Best wishes, James.

--
James Griffin: jmz at kontrol.kode5.net
               jmzgriffin at gmail.com

A4B9 E875 A18C 6E11 F46D B788 BEE6 1251 1D31 DC38