Re: hardware needed for network stack performance work

2007-06-13 Thread Will H. Backman
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Theo de Raadt
Sent: Wednesday, June 13, 2007 1:30 PM
To: Jack J. Woehr
Cc: [EMAIL PROTECTED] Org
Subject: Re: hardware needed for network stack performance work

 On Jun 13, 2007, at 11:02 AM, Theo de Raadt wrote:

  However I wish there were some large companies out there using and
  relying in pf, who could just decide (right now)

 Suggestion for tapping the Large Company resource for OpenBSD:

 1) Create an OpenBSD User Survey
    a) should include questions that identify user classes such as
       Private Dude and Large Company
    b) should allow user to self-identify if willing for
       followup surveys and appeals
 2) Place survey
    a) on website
    b) on the next CDROM
 3) Use info garnered through survey to
    a) craft appeals on website
    b) create email appeals to self-identified users in correct
       classes.

 Sounds silly perhaps to the more typical OpenBSD user, but if indeed
 there is Large Company
 use of OpenBSD those admins/users will be more responsive to the
 survey-and-appeal paradigm
 than our typical lone wolf users.

All fundraising suggestions should be written on the back of a $100 bill
and sent to Theo.



Re: Problem routing 10.x.x.x networks through a firewall

2007-01-30 Thread Will H. Backman

John Brahy wrote:

Hello,

I am having a problem routing IP traffic on my network. my firewall
has three interfaces.

 |
+-+--+
|  P2P - t1  |
|   router   |
|  10.1.2.1  |
+-+--+
 |
+-+--+
|  10.1.2.2  |
|   router   |
|  10.1.3.1  |
+-+--+
 |
+-+--+ +---+
|  10.1.3.2  | |  DMZ host |
|  firewall  +-+ 10.1.15.10 |
|  10.1.1.1  | +---+
+-+--+
 |
+-+--+
| 10.1.11.100 |
++

I have net.ip.forwarding=1 and my pf.conf is completely empty right
now. From the 10.1.1.100 client, I can't ping the internet from
10.1.11.100, but I can from my firewall. Is there anything special I
have to do to route private networks? Here's the ipv4 info from
netstat.

Routing tables

Internet:
Destination        Gateway            Flags   Refs   Use    Mtu  Interface
default            10.1.3.1           UGS        0     3      -  em0
10.1.3/24          link#1             UC         1     0      -  em0
10.1.3.1           00:b0:a2:89:13:45  UHLc       1  1469      -  em0
10.1.11/24         link#3             UC         0     0      -  em2
10.1.15/24         link#2             UC         0     0      -  em1
127/8              127.0.0.1          UGRS       0     0  33192  lo0
127.0.0.1          127.0.0.1          UH         1     0  33192  lo0
224/4              127.0.0.1          URS        0     0  33192  lo0

Any help would be greatly appreciated.

Thanks!

John


You have a network behind a network.
The router that is connected to the internet only knows about the 
networks that it is directly attached to.
You would need to tell the external router about the innermost network 
through a static route.




/etc/rc.local changes not picked up by first insecurity report

2007-01-25 Thread Will H. Backman
Running 4.0 RELEASE in i386.
I installed yesterday, and today, received my nice daily insecurity
output.  I love this report because it is a great way to document my
initial configuration changes.
I noticed that it didn't pick up my changes to /etc/rc.local that I made
to start mysql.
Looking in /var/backups, I do see etc_rc.local.current, but it contains
my changed version.
Is /var/backups seeded with initial versions that match the files in the
install?
Thoughts?

--
Will Backman
Network Administrator
Coastal Enterprises, Inc. 



amd64 4.0 on Dell 2950 install problem

2006-12-19 Thread Will H. Backman
I have a Dell 2950, and I'm trying to install the amd64 port of 4.0
release.
Install goes fine until the card tries to get an IP address from dhcp.
Then I get:
Fatal protection fault in supervisor mode.  Trap type 4 code 0
rip802c279c cs 8 rflags 10286 cr 2 4a8f40 cpl 7 rsp
80006bea7c50
Syncing disks...done
The operating system has halted.

The system only has 2BG of RAM at this point, so I know that 64bit isn't
needed, but I thought it would be fun to test.

This message to misc@ says that the 2950 is fully supported, but maybe
just in i386.
http://marc.theaimsgroup.com/?l=openbsd-misc&m=116293042602445&w=2

Perhaps there is a kernel config that I can do to at least get it
installed.  Any ideas?

--
Will Backman
Network Administrator
Coastal Enterprises, Inc. 



Re: layout of filesystems on OpenBSD

2006-11-10 Thread Will H. Backman

Robert Urban wrote:

to me, this just looks like a horrible mess.  I have never understood
why people should be so keen on creating thousands of microscopic filesystems.
For me, the advantage of being able to have several classes of filesystem
content all take advantage of the available free space of a filesystem/partition
far outweighs any need to segregate classes of filesystem content into
separate partitions.

  
I agree that it looks like overcomplication.  I only create partitions 
when I will be using different mount options, for example noexec and 
nosuid stuff.




Re: proposed patch for ifconfig(8) man page

2006-11-07 Thread Will H. Backman

Bob Beck wrote:

* Jason McIntyre [EMAIL PROTECTED] [2006-11-07 11:25]:
  

On Tue, Nov 07, 2006 at 06:52:19PM +0100, Igor Sobrado wrote:


Can I suggest adding atalk(4), inet6(4), ipsec(4), pf(4), pflog(4),
eon(5), hostapd(8), and tcpdump(8) to the SEE ALSO section of
ifconfig(8)?  I think that, as these manual pages are being cited
in the ifconfig(8) manual page, they should be added to this section.

Just want to check the opinion on this change before submitting a PR.

The proposed patch is added to this message.

  

once upon a time i was inclined to go by the rule that if a man page
referred to another, it should be listed in the SEE ALSO. i no longer
think that though, since invariably i see overly large SEE ALSO, most of
which is ignored anyway. so now my personal opinion is somewhere along
the lines of if reading this man page will help the reader understand
this man page, i should include it in SEE ALSO.

i am now sorely tempted to kill about 2/3 of the references in SEE ALSO,
rather than actually add to it. it is much more important that stuff
which uses ifconfig(8) (the various interfaces and so on) all point to
ifconfig(8), rather than the other way round.

we do not have an eon(5) man page, btw, but there was a fine piece of
vinyl called void dweller which eon released about 15 years ago...
start the machine!





I hear you in general jmc, but ifconfig is a bit of an odd duck.

To give you an example. let us answer the simple question of how do
I join wireless network bob - the answer from the lists is use
ifconfig - ok, so if I read the man page for ifconfig, there is
notably no examples of doing this, however, for example, there are
examples of doing it in wi(4) - and very similar examples in ath(4).
Similarly, the same examples are repeated in ral(4).. See what I mean?
you really do need those see also entries as a dummy to be able to
find a reasonable example in the man pages at the moment. and I am a
firm believer in the man page should have real examples - failing that
we end up with linux faq's. Unfortunately ifconfig is probably the 
nastiest example of a man page to have this discussion with. Should
we be re-coalescing those examples back into ifconfig(8)?

The core problem is simple - a user will be told use ifconfig
to do something not use ath - so they start at the ifconfig(8) point.
What's the best way to make that as painless as possible?

-Bob

  
I could see pointing people to the hostname.if(5) man page.  I think 
most new users will not use the ifconfig command.

Maybe an example could go in there?



help with uaudio device

2006-11-03 Thread Will H. Backman

I'm trying to get an external usb audio device working on 4.0 release:

uaudio0 at uhub1 port 2 configuration 1 interface 0: FORTEMEDIA FM1083, 
rev 1.10/0.01, addr 2

uaudio0: ignored audio interface with 2 endpoints
uaudio0: audio rev 1.00, 5 mixer controls
audio1 at uaudio0

I'm a little confused about making the right devices in the /dev 
directory and how to properly create the symlinks.
I did try pointing /dev/audio at /dev/audio1, but xmms just said that 
there was permissions denied on /dev/audio.


Full dmesg below:
# dmesg
OpenBSD 4.0 (GENERIC) #1107: Sat Sep 16 19:15:58 MDT 2006
   [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Genuine Intel(R) CPU T2300 @ 1.66GHz (GenuineIntel 686-class) 
1.67 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,EST,TM2

cpu0: unknown Enhanced SpeedStep CPU, msr 0x06130a2c06000a2c
cpu0: using only highest and lowest power states
cpu0: Enhanced SpeedStep 1667 MHz (1404 mV): speeds: 1667, 1000 MHz
real mem  = 526483456 (514144K)
avail mem = 472281088 (461212K)
using 4256 buffers containing 26427392 bytes (25808K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 10/13/06, BIOS32 rev. 0 @ 
0xffa10, SMBIOS rev. 2.4 @ 0xf6eb0 (62 entries)

bios0: Dell Inc. Latitude D620
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfa980/224 (12 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82371 ISA and IDE 
rev 0x00)

pcibios0: PCI bus #12 is the last bus
bios0: ROM list: 0xc/0xe800! 0xce800/0x1800
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82945GM MCH rev 0x03
vga1 at pci0 dev 2 function 0 Intel 82945GM Video rev 0x03: aperture 
at 0xeff0, size 0x1000

wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
Intel 82945GM Video rev 0x03 at pci0 dev 2 function 1 not configured
azalia0 at pci0 dev 27 function 0 Intel 82801GB HD Audio rev 0x01: irq 10
azalia0: host: High Definition Audio rev. 1.0
azalia0: codec: Sigmatel STAC9220 (rev. 34.1), HDA version 1.0
azalia0: codec: 0x04x/0x14f1 (rev. 0.0), HDA version 0.9
azalia0: codec[1]: No support for modem function groups
azalia0: codec[1]: No audio function groups
audio0 at azalia0
ppb0 at pci0 dev 28 function 0 Intel 82801GB PCIE rev 0x01
pci1 at ppb0 bus 11
ppb1 at pci0 dev 28 function 1 Intel 82801GB PCIE rev 0x01
pci2 at ppb1 bus 12
wpi0 at pci2 dev 0 function 0 Intel PRO/Wireless 3945ABG rev 0x02: irq 
11, address 00:18:de:8a:2e:4c

ppb2 at pci0 dev 28 function 2 Intel 82801GB PCIE rev 0x01
pci3 at ppb2 bus 9
bge0 at pci3 dev 0 function 0 Broadcom BCM5752 rev 0x02, BCM5752 A2 
(0x6002): irq 5bge0: firmware handshake timed out

, address 00:15:c5:52:68:4a
brgphy0 at bge0 phy 1: BCM5752 10/100/1000baseT PHY, rev. 0
uhci0 at pci0 dev 29 function 0 Intel 82801GB USB rev 0x01: irq 9
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1 Intel 82801GB USB rev 0x01: irq 10
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 29 function 2 Intel 82801GB USB rev 0x01: irq 5
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
uhci3 at pci0 dev 29 function 3 Intel 82801GB USB rev 0x01: irq 3
usb3 at uhci3: USB revision 1.0
uhub3 at usb3
uhub3: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub3: 2 ports with 2 removable, self powered
ehci0 at pci0 dev 29 function 7 Intel 82801GB USB rev 0x01: irq 9
usb4 at ehci0: USB revision 2.0
uhub4 at usb4
uhub4: Intel EHCI root hub, rev 2.00/1.00, addr 1
uhub4: 8 ports with 8 removable, self powered
ppb3 at pci0 dev 30 function 0 Intel 82801BAM Hub-to-PCI rev 0xe1
pci4 at ppb3 bus 3
cbb0 at pci4 dev 1 function 0 O2 Micro OZ69[17]2 CardBus rev 0x40: irq 5
cbb0: bad Vcc request. sock_ctrl 0x501aa88, sock_status 0x50123e9
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 4 device 0 cacheline 0x0, lattimer 0x20
pcmcia0 at cardslot0
ichpcib0 at pci0 dev 31 function 0 Intel 82801GBM LPC rev 0x01: PM 
disabled
pciide0 at pci0 dev 31 function 2 Intel 82801GBM SATA rev 0x01: DMA, 
channel 0 wired to compatibility, channel 1 wired to compatibility

wd0 at pciide0 channel 0 drive 0: SAMSUNG HM080II
wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: TSSTcorp, CDRW/DVD TSL462D, DE01 SCSI0 
5/cdrom removable

cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
ichiic0 at pci0 dev 31 function 3 Intel 82801GB SMBus rev 0x01: SMI
iic0 at 

Month of the Kernel bug fuzzing tools

2006-11-02 Thread Will H. Backman

Anyone tried these fuzzing tools on  OpenBSD?
http://projects.info-pull.com/mokb/

What's the purpose of the MoKB ?
   Publish one bug on daily basis for the month of November, 2006. Show
   tools and procedures useful for testing the strength and quality of
   kernel code (ex. networking, filesystem handling) in existing
   operating systems (Mac OS X, FreeBSD, Solaris, GNU/Linux, etc).



sensorsd.conf multiple thresholds for the same sensor allowed?

2006-10-31 Thread Will H. Backman
Is it possible to specify multiple thresholds for the same sensor in 
/etc/sensorsd.conf?

For example:
hw.sensors.2:low=50F:high=70F:command=/bin/echo "Ambient Temp %2" | \
/usr/bin/mail -s "Hardware Sensors Warning" [EMAIL PROTECTED]
hw.sensors.2:low=55F:high=68F:command=/bin/echo "Ambient Temp %2" | \
/usr/bin/mail -s "Hardware Sensors Warning" [EMAIL PROTECTED]


When I run sensorsd, all I get in /var/log/daemon is:
sensorsd[19211]: startup, 1 watches for 33 sensors

When the temperature crossed both high values, I didn't get two emails.
I'm doing this so I can get a sense of which direction the temp is going.



Re: OpenBSD Audio series other than bsdtalk ?

2006-10-25 Thread Will H. Backman

Jon Simola wrote:

On 10/25/06, Douglas Hunter [EMAIL PROTECTED] wrote:

Other than bsdtalk, NYCBUG and some rare one off taster programmes 
are there
any recordings of talks about OpenBSD (OGG or MP3) available on the 
web ?


I'm really hoping someone recorded Theo's talk at the CUUG last night.
I've seen the slides from a few presentations floating around, but
audio to accompany them would be icing on the cake.

If anyone has recorded any bsd related audio and wants to send it to me, 
I'd be glad to include it in bsdtalk.


-- Will



spamd statistics

2006-10-23 Thread Will H. Backman

Some interesting spamd statistics gathered from /var/log/daemon:
From 8am Oct 22 to noon Oct 23:
19112 connected messages from spamd, which means connections from IPs 
that are not in the whitelist.
2247 inbound messages from spamlogd, which means connections from IPs 
that are already on the whitelist.
That means only about 10% of the connections coming into our mail server 
are from whitelisted servers.


Thank you spamd for stopping the 90% crap!

Spamd has been running for 76 days, and spamdb has 32752 entries.  We 
only have about 100 mail accounts on our server.
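A way to pull numbers like the ones above out of /var/log/daemon with a script instead of by hand. This is an added example, not code from the post or from OpenBSD. It assumes the line shapes shown in its constructed sample (spamd's "connected (n/m)[, lists: ...]" lines and spamlogd's "inbound"/"outbound" lines), and it only sees the spamlogd lines if syslog.conf captures daemon.debug, since spamlogd logs at that level.

```python
"""Summarise spamd/spamlogd activity from a /var/log/daemon excerpt."""
import re
from collections import Counter

# Constructed /var/log/daemon excerpt (example hosts; not taken from the post).
SAMPLE_LOG = """\
Oct 22 08:00:03 mx spamd[14012]: 198.51.100.23: connected (1/0)
Oct 22 08:00:19 mx spamd[14012]: 198.51.100.23: disconnected after 16 seconds.
Oct 22 08:01:40 mx spamlogd[14020]: inbound 203.0.113.7
Oct 22 08:02:11 mx spamd[14012]: 198.51.100.77: connected (2/1), lists: spews1
Oct 22 08:02:55 mx spamd[14012]: 192.0.2.200: connected (3/1)
Oct 22 08:03:30 mx spamlogd[14020]: outbound 192.0.2.10
Oct 22 08:04:02 mx spamd[14012]: 198.51.100.77: disconnected after 411 seconds. lists: spews1
Oct 22 08:05:17 mx spamd[14012]: 203.0.113.45: connected (2/0)
Oct 22 08:06:48 mx spamlogd[14020]: inbound 203.0.113.9
Oct 22 08:07:12 mx spamd[14012]: 198.51.100.23: connected (3/0)
Oct 22 08:09:59 mx spamd[14012]: 192.0.2.201: connected (4/2), lists: spews1 nixspam
"""

# A spamd "connected" line carries "lists: ..." only when the peer came in
# via a blacklist loaded by spamd-setup; without it the peer is greylisted.
SPAMD_CONNECT = re.compile(
    r"spamd\[\d+\]: (?P<ip>[0-9a-f.:]+): connected \(\d+/\d+\)"
    r"(?:, lists: (?P<lists>.+))?$", re.I)
# spamlogd logs connections that pf let straight through (whitelisted peers).
SPAMLOGD = re.compile(
    r"spamlogd\[\d+\]: (?P<dir>inbound|outbound) (?P<ip>[0-9a-f.:]+)$", re.I)


def summarize(lines):
    """Count spamd and spamlogd events and return them as a plain dict."""
    stats = Counter({"spamd_connected": 0, "greylisted": 0, "blacklisted": 0,
                     "spamlogd_inbound": 0, "spamlogd_outbound": 0})
    lists = Counter()
    greylisted_ips = set()
    for line in lines:
        line = line.rstrip()
        m = SPAMD_CONNECT.search(line)
        if m:
            stats["spamd_connected"] += 1
            if m.group("lists"):
                stats["blacklisted"] += 1
                for name in m.group("lists").split():
                    lists[name] += 1
            else:
                stats["greylisted"] += 1
                greylisted_ips.add(m.group("ip"))
            continue
        m = SPAMLOGD.search(line)
        if m:
            stats["spamlogd_" + m.group("dir").lower()] += 1
    # Share of inbound SMTP that came from already-whitelisted hosts.
    total_inbound = stats["spamd_connected"] + stats["spamlogd_inbound"]
    share = stats["spamlogd_inbound"] / total_inbound if total_inbound else 0.0
    return {**stats,
            "distinct_greylisted_ips": len(greylisted_ips),
            "lists": dict(lists),
            "whitelist_share": share}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    s = summarize(lines)
    print(f"spamd connections (not whitelisted): {s['spamd_connected']} "
          f"({s['greylisted']} greylisted, {s['blacklisted']} blacklisted)")
    print(f"spamlogd inbound (whitelisted): {s['spamlogd_inbound']}, "
          f"outbound: {s['spamlogd_outbound']}")
    print(f"share of inbound SMTP from whitelisted hosts: {s['whitelist_share']:.1%}")
```

Run it as `python3 spamd_stats.py /var/log/daemon`; with no argument it uses the constructed sample. Splitting the spamd count into greylisted and blacklisted is worth doing because the two mean different things: a blacklisted peer is held by spamd until it gives up, a greylisted one is expected back after passtime.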




Re: Spamd - whitelist of mis-behaving SMTP server POOLS

2006-10-20 Thread Will H. Backman

Steve Williams wrote:

Hi,

I have been running spamdb greylisting only for several years as my 
only line of defense at home.  At work I have managed to sneak in a 
Sparc64 Sunfire 120 (OpenBSD 3.9) as a caching web proxy & default 
gateway.


Today, we had a fairly aggressive attack on our email system, 6000+ 
emails in a relatively short period of time.  I took the opportunity 
to deploy greylisting on the OpenBSD box (which is our first line of 
defense... first of many).


It's performed well, and is up to about 300 email servers 
whitelisted.  I know from personal experience that Bell in Ontario (at 
the minimum) and a few other ISP's have server pools that do not 
cooperate nicely with greylisting.  They do not guarantee the same 
server will retry sending the email when it's blocked by spamdb (451 
temporary failure).


On my computer at home, I notice these entries when I do a spamdb | 
more and see something like:


GREY|205.152.59.48|[EMAIL PROTECTED]|[EMAIL PROTECTED]|1161299154|1161313554|1161313554|1|0
GREY|205.152.59.51|[EMAIL PROTECTED]|[EMAIL PROTECTED]|1161296098|1161310498|1161310498|1|0
GREY|205.152.59.65|[EMAIL PROTECTED]|[EMAIL PROTECTED]|1161300604|1161315004|1161315004|1|0
GREY|205.152.59.66|[EMAIL PROTECTED]|[EMAIL PROTECTED]|1161302039|1161316439|1161316439|1|0
GREY|205.152.59.67|[EMAIL PROTECTED]|[EMAIL PROTECTED]|1161294517|1161308917|1161308917|1|0
GREY|205.152.59.68|[EMAIL PROTECTED]|[EMAIL PROTECTED]|1161292315|1161306715|1161306715|1|0
GREY|205.152.59.72|[EMAIL PROTECTED]|[EMAIL PROTECTED]|1161297659|1161312059|1161312059|1|0



On my personal email server, it happens VERY seldom.  On our work 
server, it only took a couple of hours for this to show up.  It looks 
like Yahoo might be the same way.


I am 99% sure that I have seen on the internet SOMEWHERE a whitelist 
of servers that are like this.  I thought Bob Beck had forwarded one 
at one point in time, but I can only find his post regarding the 
tarfile he maintains for the zombie hosts.


Bob, if you are listening, what do you do at the U of A to handle 
these mis-behaving server pools?  Anyone else??


Thanks,
Steve Williams

I've found that some servers retry too quickly, such as Yahoo.  Spamd 
ignores retries that come too quickly, so I ended up lowering the 
passtime parameter from the default of 25 minutes to 5 minutes because I 
saw yahoo servers retrying a few times every 7 minutes.  I have no idea 
how wise this is, but it works for me so far.
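One way to spot the kind of server pool Steve describes from spamdb output: group GREY entries by /24 and flag sender/recipient pairs that have been retried from several different hosts in the same network. This is an added example, not code from the thread or from spamd. The field layout it assumes (last five fields numeric; the two fields before them the envelope sender and recipient; an optional HELO field before those) is an assumption, and the sample reuses the seven IPs and timestamps Steve quoted with constructed addresses.

```python
"""Group spamd GREY entries by network to spot retrying server pools."""
import ipaddress
from collections import defaultdict

# Constructed spamdb output: the 205.152.59.x IPs and timestamps are the
# seven entries quoted in the thread, the addresses are example values.
SAMPLE_SPAMDB = """\
GREY|205.152.59.48|sender@example.net|user@example.com|1161299154|1161313554|1161313554|1|0
GREY|205.152.59.51|sender@example.net|user@example.com|1161296098|1161310498|1161310498|1|0
GREY|205.152.59.65|sender@example.net|user@example.com|1161300604|1161315004|1161315004|1|0
GREY|205.152.59.66|sender@example.net|user@example.com|1161302039|1161316439|1161316439|1|0
GREY|205.152.59.67|sender@example.net|user@example.com|1161294517|1161308917|1161308917|1|0
GREY|205.152.59.68|sender@example.net|user@example.com|1161292315|1161306715|1161306715|1|0
GREY|205.152.59.72|sender@example.net|user@example.com|1161297659|1161312059|1161312059|1|0
GREY|198.51.100.7|other@example.org|user@example.com|1161290000|1161304400|1161304400|1|0
GREY|198.51.100.7|other@example.org|admin@example.com|1161290100|1161304500|1161304500|1|0
WHITE|203.0.113.9|||1161200000|1161201500|1164001500|2|1
"""


def parse_spamdb(text):
    """Parse spamdb output lines into dicts, skipping lines it cannot read.

    Assumed layout: TYPE|ip|[helo|]from|to|first|pass|expire|bcount|pcount.
    """
    entries = []
    for line in text.splitlines():
        fields = line.strip().split("|")
        if len(fields) < 7 or not all(f.lstrip("-").isdigit() for f in fields[-5:]):
            continue
        first, pass_, expire, bcount, pcount = (int(f) for f in fields[-5:])
        middle = fields[2:-5]          # helo (if present), from, to
        entries.append({
            "type": fields[0], "ip": fields[1],
            "from": middle[-2] if len(middle) >= 2 else "",
            "to": middle[-1] if middle else "",
            "first": first, "pass": pass_, "expire": expire,
            "bcount": bcount, "pcount": pcount,
        })
    return entries


def find_pools(entries, prefixlen=24, min_hosts=3):
    """Return GREY sender/recipient pairs retried from >= min_hosts distinct
    hosts inside one /prefixlen, keyed by (network, from, to)."""
    seen = defaultdict(dict)           # key -> {ip: first-seen timestamp}
    for e in entries:
        if e["type"] != "GREY":
            continue
        try:
            net = ipaddress.ip_network(f"{e['ip']}/{prefixlen}", strict=False)
        except ValueError:
            continue                   # malformed address: leave it out
        seen[(str(net), e["from"], e["to"])][e["ip"]] = e["first"]
    pools = {}
    for key, hosts in seen.items():
        if len(hosts) < min_hosts:
            continue
        earliest, latest = min(hosts.values()), max(hosts.values())
        pools[key] = {
            "hosts": sorted(hosts, key=ipaddress.ip_address),
            "first_seen": earliest,
            "last_seen": latest,
            "spread_seconds": latest - earliest,   # how long the pool kept retrying
        }
    return pools


if __name__ == "__main__":
    import sys
    text = SAMPLE_SPAMDB if sys.stdin.isatty() else sys.stdin.read()
    for (net, sender, rcpt), info in sorted(find_pools(parse_spamdb(text)).items()):
        print(f"{net}: {len(info['hosts'])} hosts retried {sender} -> {rcpt} "
              f"over {info['spread_seconds'] // 60} min: {', '.join(info['hosts'])}")
```

Feed it real data with `spamdb | python3 spamdb_pools.py`. A /24 that shows up this way is a candidate for whitelisting by hand with `spamdb -a`, or for the shorter passtime Will mentions, rather than waiting for each host in the pool to clear greylisting on its own.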




spamd tolower or (char)tolower

2006-10-20 Thread Will H. Backman
While wandering around the source code to spamd looking to see if 
trapping was case insensitive, I noticed a slight difference in how 
spamd and spamdb convert addresses to all lower case:

Spamd does the following in the greyupdate function:

	for (i = 0; trap[i] != '\0'; i++)
		if (isupper(trap[i]))
			trap[i] = tolower(trap[i]);


But spamdb does it slightly different, which was added in the latest patch:

for (i = 0; ip[i] != '\0'; i++)
if (isupper(ip[i]))
-   ip[i] = tolower(ip[i]);
+   ip[i] = (char)tolower(ip[i]);
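Review bot: the cast is on the wrong side of the call. `isupper()` and `tolower()` take an `int` that must be either EOF or a value representable as `unsigned char`; `ip[i]` is a plain `char`, so on platforms where `char` is signed any byte above 0x7f in the string is passed as a negative value, which is undefined behaviour. The fix is to cast the argument, `ip[i] = (char)tolower((unsigned char)ip[i]);`, after which the `(char)` on the result only silences the int-to-char narrowing warning that this patch was presumably addressing. The `isupper()` guard is also redundant, since `tolower()` returns its argument unchanged for anything that is not an uppercase letter; the same applies to the spamd loop quoted above.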


I'm not a C coder, so I don't really know what I'm talking about.  I was 
able to answer my own question about case, but this slight difference in 
code was just something I noticed.


-- Will



spamdb man page - greytrap address

2006-10-16 Thread Will H. Backman
In the man page for spamdb, it states:
If adding or deleting a SPAMTRAP address (-T), key should be specified
as an email address:

   [EMAIL PROTECTED]
But this only works with quotes around the address for me, ie:
[EMAIL PROTECTED]
Should the man page be updated, or am I doing something wrong?
-- Will



Re: Oldest Server you run

2006-10-12 Thread Will H. Backman

Falk Husemann wrote:

Hello List!
We're trying to put an old server to good use again and would like to 
know what's exactly the oldest machine running OpenBSD?



As machine we defined something with processor, ram, network, hard 
disk and a connection to the internet. So no Newton or toaster (at 
least not if there's no disk being toasted).



Thank you in advance,
Falk

The oldest one I have in production is a PIII 667 from 2001.  Not that 
old I guess.




multiple ways to build a kernel in docs

2006-09-26 Thread Will H. Backman

In the FAQ for building a kernel:
http://www.openbsd.org/faq/faq5.html#Building
After the make, it says to do a make install.

In the section about following stable:
http://www.openbsd.org/stable.html#building
It instead says to back up the old kernel and move the new kernel into the 
right place.


The second way makes me feel better, knowing that I have a copy of the 
old kernel.

Does the make install step in the first example do the same thing?



Re: multiple ways to build a kernel in docs

2006-09-26 Thread Will H. Backman

Henning Brauer wrote:

* Greg Thomas [EMAIL PROTECTED] [2006-09-26 22:36]:
  

Having just done it with make install for the first time, I'd always
copied and moved it manually, it looks like it saves the previous
kernel as /obsd.



it actually replaces the kernel atomically by doing

mv /path/to/new/bsd /nbsd && rm /obsd && ln bsd obsd && mv nbsd bsd

so even when the power goes out somewhere in between, you always have a 
valid /bsd.


  
Should all documentation suggest the make install, or is there a 
reason that the docs for following stable show a different way of doing it?




Re: Experience with isakmpd/ipsec in production?

2006-08-21 Thread Will H. Backman

Have you experienced any interoperability problems when establishing
tunnels with peers that run other implementations (cisco, checkpoint,
etc)? And if so, how do you work around those?



None--after finding the correct initial configuration everything just
worked and continued to.

  
One example of our finding the correct initial configuration when 
connecting OpenBSD VPN to a SonicWall VPN.

http://cisx1.uma.maine.edu/~wbackman/vpn/
Things are a lot more simple now, thanks to ipsecctl.



Aladdin eToken (WSO) to donate

2006-08-18 Thread Will H. Backman
Any OpenBSD developers interested in an Aladdin eToken (WSO)?

--
Will Backman
Network Administrator
Coastal Enterprises, Inc.



spamd and TLS on port 25

2006-08-10 Thread Will H. Backman

Am I correct in assuming that spamd and TLS on port 25 don't get along?

-- Will



Re: spamd and TLS on port 25

2006-08-10 Thread Will H. Backman

Darrin Chandler wrote:

On Thu, Aug 10, 2006 at 09:39:56AM -0400, Will H. Backman wrote:
  

Am I correct in assuming that spamd and TLS on port 25 don't get along?

-- Will



Remember that you get *either* spamd *or* your MTA. So there's no
getting along to deal with.

However, if the connecting party *requires* TLS then it would have a
problem with spamd. Is that the trouble you're having?

  
Yes.  I'm protecting a Microsoft Exchange server with spamd on an 
openbsd bridge.  Because Microsoft Outlook uses Microsoft's way of 
having MUAs talk to MTAs, there is no problem there.
I also enabled IMAPS (port 993) and SMTP-TLS (port 25) on the Exchange 
Server so that normal mail clients like Thunderbird can play along.  
Because I require TLS and SMTP-AUTH for relaying purposes, I'm in a 
bind.  My real problem is getting Exchange to do SMTP-TLS on a different 
port, so this is really a non-openbsd issue.  I guess I was just asking 
to make sure, and also to see if people had dealt with a situation like 
this.  I can imagine that openbsd and spamd are used to protect all 
kinds of pesky MTAs.


By the way, I just have to keep saying thanks for openbsd and spamd.  
Greylisting has been really effective for my organization.  I've been 
running it for 6 days and it has done a great job.




spamd and spamlogd syslog level

2006-08-08 Thread Will H. Backman
Does anyone know why spamd and spamlogd log to syslog at different log 
levels?
It isn't too hard to change syslog.conf to include daemon.debug in order 
to capture output from spamlogd, but why the difference?




spamd greylist and stutter/delay

2006-08-07 Thread Will H. Backman
I have spamd set up in a simple greylist mode, but I left the default 
/etc/spamd.conf file intact.

I'm not running spamd-setup.
By default, spamd is stuttering for 10 seconds, but watching 
/var/log/daemon, I also noticed that connections from spews and other 
lists are lasting for over 400 seconds.
Does spamd do anything else with /etc/spamd.conf besides set up white 
and black lists?  Does this file affect the stutter or delay of connections?


By the way, spamd really does a great job.



Re: simple spamd greylisting on transparent bridge

2006-08-04 Thread Will H. Backman

Will H. Backman wrote:

Will H. Backman wrote:
Is this a sane minimum configuration for spamd -g on a transparent 
bridge?  Is it unwise to only greylist?


1. Create bridge with no IP's.

2. pf=YES and spamd_flags=-g in /etc/rc.conf.local

3.  Simple three line /etc/pf.conf:

ext_if=xl0

rdr pass inet proto tcp from !<spamd-white> to any \
port smtp -> 127.0.0.1 port spamd

pass in on $ext_if route-to lo0 proto tcp from any to 127.0.0.1 port spamd



The third line of pf.conf was inspired by the example given here:
http://marc.theaimsgroup.com/?l=openbsd-misc&m=108089194621750&w=2
I'm not sure if my modifications for this situation are correct.


Replying to myself:
Would the above rules also trap outbound connections from my MTA?
I would want my MTA to be able to make outbound connections through 
the bridge.
Should I add something to the rdr line to only redirect connections 
coming into the bridge?

Maybe rdr on $ext_if pass inet...


I think I have the answer now, thanks to those who replied to me.
1. Create bridge, but you need an IP because spamd needs to talk back.
2. Add pf=YES and spamd_flags=-g to /etc/rc.conf.local
3. Simple /etc/pf.conf:
table <spamd-white> persist
rdr pass on egress inet proto tcp from !<spamd-white> to any port smtp \
-> 127.0.0.1 port spamd

pass out route-to lo0 proto tcp from any to 127.0.0.1 port spamd

Place this system in-line between Internet and your Mail Server.
Your Mail server should be connected to the bridge interface that 
doesn't have an IP.
Now when a new SMTP connection comes in, it gets redirected to spamd and 
greylisted.
When spamd eventually puts the outside MTA in spamd-white, connection 
just passes through the bridge unmolested.
Your Mail Server should always be able to send outbound SMTP without 
being caught in the rdr rule.
As far as I can tell, no need to allow forwarding between interfaces, 
because traffic passes through over the bridge.


Now to see if this setup helps more than it hurts.



simple spamd greylisting on transparent bridge

2006-08-03 Thread Will H. Backman
Is this a sane minimum configuration for spamd -g on a transparent 
bridge?  Is it unwise to only greylist?


1. Create bridge with no IP's.

2. pf=YES and spamd_flags=-g in /etc/rc.conf.local

3.  Simple three line /etc/pf.conf:

ext_if=xl0

rdr pass inet proto tcp from !<spamd-white> to any \
port smtp -> 127.0.0.1 port spamd

pass in on $ext_if route-to lo0 proto tcp from any to 127.0.0.1 port spamd


The third line of pf.conf was inspired by the example given here:
http://marc.theaimsgroup.com/?l=openbsd-misc&m=108089194621750&w=2
I'm not sure if my modifications for this situation are correct.



Re: simple spamd greylisting on transparent bridge

2006-08-03 Thread Will H. Backman

Will H. Backman wrote:
Is this a sane minimum configuration for spamd -g on a transparent 
bridge?  Is it unwise to only greylist?


1. Create bridge with no IP's.

2. pf=YES and spamd_flags=-g in /etc/rc.conf.local

3.  Simple three line /etc/pf.conf:

ext_if=xl0

rdr pass inet proto tcp from !<spamd-white> to any \
port smtp -> 127.0.0.1 port spamd

pass in on $ext_if route-to lo0 proto tcp from any to 127.0.0.1 port spamd



The third line of pf.conf was inspired by the example given here:
http://marc.theaimsgroup.com/?l=openbsd-misc&m=108089194621750&w=2
I'm not sure if my modifications for this situation are correct.


Replying to myself:
Would the above rules also trap outbound connections from my MTA?
I would want my MTA to be able to make outbound connections through the 
bridge.
Should I add something to the rdr line to only redirect connections 
coming into the bridge?

Maybe rdr on $ext_if pass inet...



Re: GRE tunnel setup problem?

2006-08-01 Thread Will H. Backman

Alex Berdan wrote:

Hi All,

I set up a GRE tunnel between two sites to have the
broadcast/multicast passing between the two but nothing is passing!
I'm not using for the moment any firewall and the configuration
straight forward as per man gre.

192.168.1.2/24
|
|
|
|--
192.168.1.1/24
Gateway A
10.0.0.1/24
|---
|
internet
|
|---
172.16.2.2
Gateway B
192.168.3.1/24
|--
|
|
|
192.168.3.2/24


On Gateway A I have:

ifconfig gre0 create
ifconfig gre0 192.168.1.1 192.168.3.1 netmask 255.255.255.255 link1 up
ifconfig gre0 tunnel 10.0.0.1 172.16.2.2

For the Gateway B I have:

ifconfig gre0 create
ifconfig gre0 192.168.3.1 192.168.1.1 netmask 255.255.255.255 link1 up
ifconfig gre0 tunnel 172.16.2.2 10.0.0.1

The Windows broadcast that I have behind 192.168.1.0/24 is not passing
through the GRE tunnel which is UP and running. Also the OSPF which is
multicasting is not passing through the gre0 interface. Pinging the
internal interfaces in both sites is working. Tcpdump on the gre0
interface is not showing anything.

Could you please can you give me any clue on how should I debug?

Alex

You have different logical networks on either side of the tunnel, which 
means routing is involved.  Broadcasts do not cross network routers by 
default, which prevents everyone's broadcasts from crossing the entire 
Internet (a good thing).




where is gif tunnel syntax in the man pages

2006-07-18 Thread Will H. Backman
I can't seem to find the man page that mentions the tunnel option for 
gif interfaces.
There is a lot of information out there on the net, but I don't see it 
in the man page for gif or hostname.if.

Also, is it true that giftunnel is the old syntax?

-- Will



best place to specify ipv6 default route

2006-07-18 Thread Will H. Backman
The man page for mygate says that one can add an IPv6 gateway address to 
/etc/mygate, but it doesn't seem to add an entry to the routing table 
upon reboot.  I'm not using rtsol anywhere.
Most of my searching on the internet shows people adding a line to the 
/etc/hostname.gif0 file, i.e:


!route -n add -host -inet6 default 2001:470:1f00:::244

Adding the line to the hostname.if file does work, but putting the gateway IPv6 
address in /etc/mygate doesn't.
What is the suggested way to do this?
This is on 3.9-RELEASE.

Thanks in advance.

-- Will



Re: best place to specify ipv6 default route

2006-07-18 Thread Will H. Backman

Darrin Chandler wrote:


On Tue, Jul 18, 2006 at 04:37:23PM -0400, Will H. Backman wrote:
 The man page for mygate says that one can add an IPv6 gateway address to
 /etc/mygate, but it doesn't seem to add an entry to the routing table
 upon reboot.  I'm not using rtsol anywhere.
 Most of my searching on the internet shows people adding a line to the
 /etc/hostname.gif0 file, i.e:

 !route -n add -host -inet6 default 2001:470:1f00:::244

 Adding the line to the hostname.if file does work, but putting the 
gateway

 IPv6 address in /etc/mygate doesn't.
 What is the suggested way to do this?
 This is on 3.9-RELEASE.

Are you using *any* dhcp, by chance?

--
Darrin Chandler|  Phoenix BSD Users Group
[EMAIL PROTECTED]   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |

It did have dhcp when I installed, but then I changed the 
/etc/hostname.xl0 to contain only

inet IP NETMASK.



Logging failed console login attempts

2006-07-13 Thread Will H. Backman

Is my memory fuzzy?
The console on OpenBSD 3.9 release doesn't seem to log unknown username 
or failed login attempts anywhere.
It does keep a count of failed logins for an existing account, which is 
displayed upon successful login.

Somehow I remember the console being more verbose in previous releases.



Re: Logging failed console login attempts

2006-07-13 Thread Will H. Backman

Dimitry Andric wrote:

Will H. Backman wrote:
  

The console on OpenBSD 3.9 release doesn't seem to log unknown username
or failed login attempts anywhere.



See this commit:
http://www.openbsd.org/cgi-bin/cvsweb/src/etc/syslog.conf#rev1.14

Make the default syslog.conf not make the console and root logins
unusable when problems occur. Provide commented out examples showing
people how to direct output to /dev/console or as messages to root,
for situations where such output might actually be useful, rather than
something that keeps you from fixing a problem due to the screen
getting spewed at.
  
I guess I was expecting more to show up in /var/log/secure or authlog, 
or messages.
I tried some random wrong password for the root account, and also tried 
accounts like rott, and all I got was:

/var/log/secure
Jul 13 09:30:30 star login: 1 LOGIN FAILURE ON ttyC0, root
/var/log/messages
Jul 13 09:30:30 star login: 1 LOGIN FAILURE ON ttyC0
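
The two records above are all that login(1) leaves behind, and the difference between them is the useful part: the auth-facility copy in /var/log/secure carries the attempted username, so a name that is not an account (rott) is visible there and nowhere else. The following is an added example, not part of the thread, that parses such lines and flags names that are not local accounts; the sample log lines, the host name and the KNOWN_USERS set are constructed for illustration.

```python
"""Summarise login(1) failure records from /var/log/secure-style lines."""
import re
from collections import Counter

# Matches the record login(1) writes via syslog, e.g.
#   Jul 13 09:30:30 star login: 1 LOGIN FAILURE ON ttyC0, root
# The trailing ", user" is only present in the auth-facility copy
# (/var/log/secure); the copy in /var/log/messages omits the name.
# "FROM host" replaces "ON tty" for network logins.
LOGIN_FAILURE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) login: "
    r"(?P<count>\d+) LOGIN FAILURES? (?:ON|FROM) (?P<where>[^,]+?)"
    r"(?:, (?P<user>\S+))?$"
)


def parse_login_failures(text):
    """Return one dict per matching line; lines from other daemons are skipped."""
    events = []
    for line in text.splitlines():
        m = LOGIN_FAILURE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": m.group("ts"),
            "host": m.group("host"),
            "count": int(m.group("count")),   # count as reported by login(1)
            "where": m.group("where"),        # tty or remote host
            "user": m.group("user"),          # None for the /var/log/messages copy
        })
    return events


def summarize(events, known_users):
    """Aggregate failures per (where, user) and flag names that are not accounts.
    An attempt against a nonexistent account is the interesting signal: the
    count alone does not distinguish a typo from a username guess."""
    per_target = Counter()
    unknown = set()
    for ev in events:
        per_target[(ev["where"], ev["user"])] += ev["count"]
        if ev["user"] is not None and ev["user"] not in known_users:
            unknown.add(ev["user"])
    return {
        "failures": per_target,
        "total": sum(per_target.values()),
        "unknown_users": unknown,
    }


# Constructed sample (not real logs), in the format quoted in the thread.
SAMPLE_SECURE = """\
Jul 13 09:30:30 star login: 1 LOGIN FAILURE ON ttyC0, root
Jul 13 09:30:41 star login: 2 LOGIN FAILURES ON ttyC0, root
Jul 13 09:31:02 star login: 1 LOGIN FAILURE ON ttyC0, rott
Jul 13 09:31:15 star login: 3 LOGIN FAILURES ON ttyC0, root
Jul 13 09:32:00 star login: 1 LOGIN FAILURE FROM 10.1.1.100, admin
Jul 13 09:32:05 star sshd[4242]: unrelated line that must be ignored
"""
# Constructed copy as it would appear in /var/log/messages (no username).
SAMPLE_MESSAGES = "Jul 13 09:30:30 star login: 1 LOGIN FAILURE ON ttyC0\n"

# Assumed set of local accounts; in real use read it from the passwd database.
KNOWN_USERS = {"root", "will"}

if __name__ == "__main__":
    summary = summarize(parse_login_failures(SAMPLE_SECURE), KNOWN_USERS)
    for (where, user), n in sorted(summary["failures"].items()):
        print(f"{n:3d} failure(s) for {user!r} via {where}")
    print("names that are not accounts:", sorted(summary["unknown_users"]))
```

Point it at /var/log/secure rather than /var/log/messages: the messages copy has no username, so the unknown-account check has nothing to work with there.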



Re: apply updates to kernel and userland without recompiling?

2006-07-10 Thread Will H. Backman

Joe wrote:
I manage a few openbsd 3.9-release firewalls and I need to update the 
OS, but I don't want to cvsup and recompile on each system.


Is there a documented/recommended way to do update a system by 
creating a tarball or package of what was upgraded?


I'm looking to apply security fixes to systems running 3.9-RELEASE. No 
custom cruft. No compiler on the firewalls either.



I think make release is a popular one:
http://www.openbsd.org/faq/faq5.html#Release
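
Once the sets from make release are copied to firewalls that have no compiler, the one check worth doing before untarring is that each set matches a digest list generated on the build host and carried over a trusted channel (a digest list sitting next to the sets on the same server proves nothing). The following is an added example, not from the thread or from the OpenBSD release tooling; it assumes BSD-style `SHA256 (file) = hex` lines such as cksum(1)/sha256(1) print, and the set names and contents are constructed.

```python
"""Check install sets against a digest list before unpacking them on a host
that has no compiler and cannot rebuild from source."""
import hashlib
import re

# BSD-style digest line as written by cksum(1)/sha256(1): SHA256 (file) = hex
DIGEST_RE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<hex>[0-9a-fA-F]{64})$")


def parse_digest_list(text):
    """Map file name -> expected hex digest; a malformed line is an error,
    not something to skip silently."""
    expected = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = DIGEST_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a SHA256 digest line: {line!r}")
        expected[m.group("name")] = m.group("hex").lower()
    return expected


def verify_sets(digest_text, contents):
    """Return {name: 'ok' | 'MISMATCH' | 'MISSING' | 'UNLISTED'}.
    `contents` maps set name -> bytes (read from disk in real use).
    A set present on disk but absent from the list is reported as UNLISTED
    and must not be extracted either."""
    expected = parse_digest_list(digest_text)
    report = {}
    for name, want in expected.items():
        data = contents.get(name)
        if data is None:
            report[name] = "MISSING"
            continue
        got = hashlib.sha256(data).hexdigest()
        report[name] = "ok" if got == want else "MISMATCH"
    for name in contents:
        if name not in expected:
            report[name] = "UNLISTED"
    return report


def sets_safe_to_extract(report):
    """Only sets that verified cleanly go to tar."""
    return sorted(n for n, status in report.items() if status == "ok")


# Constructed sample data (not real release sets).
SETS = {
    "base39.tgz": b"base set bytes",
    "etc39.tgz": b"etc set bytes",
    "man39.tgz": b"man set bytes",
    "xserv39.tgz": b"not in the list",
}
# Digest list as it would be produced on the build host. The man39.tgz
# entry is deliberately wrong to stand in for a corrupt or tampered copy,
# and comp39.tgz is listed but was never copied over.
DIGESTS = "\n".join([
    f"SHA256 (base39.tgz) = {hashlib.sha256(SETS['base39.tgz']).hexdigest()}",
    f"SHA256 (etc39.tgz) = {hashlib.sha256(SETS['etc39.tgz']).hexdigest()}",
    "SHA256 (man39.tgz) = " + "0" * 64,
    f"SHA256 (comp39.tgz) = {hashlib.sha256(b'comp set bytes').hexdigest()}",
])

if __name__ == "__main__":
    report = verify_sets(DIGESTS, SETS)
    for name, status in sorted(report.items()):
        print(f"{status:9s} {name}")
    print("extract:", " ".join(sets_safe_to_extract(report)))
```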



Re: UTF-8 text editor

2006-07-10 Thread Will H. Backman

Mackan wrote:

On 10 jul 2006, at 20.43, Spruell, Darren-Perot wrote:


From: [EMAIL PROTECTED]

Is there any UTF-8-aware text editor (for terminal use) available
for OpenBSD? Vi(m) and similar is out of question for me, I never
learned those.


As ubiquitous as vi is on Unix, it seems a shallow reason.

Really, it takes all of 15 minutes to pick up what you need for vi/vim.
Install a copy somewhere and spend a few minutes on vimtutor and you should
find it pretty straightforward.

DS


You are probably right about that. We'll see.

I just upgraded my server OS from Debian/Linux to OpenBSD. But it seems
that in the case of Unicode-aware applications I made a big downgrade.

I really want I simple editor with unicode, for myself and my users.


Mackan

What was lacking from Debian/Linux that made you decide to switch to 
OpenBSD?




Re: tcpdump on enc0

2006-07-05 Thread Will H. Backman

Otto Moerbeek wrote:

On Wed, 5 Jul 2006, Stephen Bosch wrote:

  

Otto Moerbeek wrote:


On Wed, 5 Jul 2006, Stephen Bosch wrote:

  

Does tcpdump work on enc0?


Are you really too lazy to read a manual page?
  

And for the record -- since some people found that question beyond the
pale -- I have been tcpdumping enc0 all morning and I am seeing no
traffic, in spite of the fact that I have active SAs up and running.

And why?

Because the man page doesn't mention that tcpdump ignores the host
parameter when used with enc0 (this is something someone else was kind
enough to point out, proving that the question wasn't pointless).

So -- let's try this -- let's fix the man page, instead of being snarky
and blaming the person asking the question.

Thank you for your help.



I think that is very clear, after all the src and dst addresses are
part of the ipsec encapsulated header, and not of a regular IP header.
The host specifier of tcpdump only applies to IP headers.

-Otto

  
Perhaps the lesson learned is:  Include the command you are typing with 
any help request.
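
Otto's point is that what BPF sees on enc0 is not a plain IP packet: OpenBSD prepends the enc(4) header (address family, SPI, flags) and the inner IP header sits after it. The following is an added example, not from the thread or from OpenBSD's tcpdump, that decodes such DLT_ENC frames and applies a host match to the inner packet in user space. The header layout and flag values are assumptions taken from OpenBSD's struct enchdr and mbuf flags and should be checked against sys/net/if_enc.h and print-enc.c on the release in use; the frames are constructed.

```python
"""Decode frames captured on OpenBSD's enc(4) interface (DLT_ENC)."""
import struct
from ipaddress import ip_address

# Assumed layout of struct enchdr (12 bytes) prepended to every enc0 frame:
#   u_int32_t af;     address family of the inner packet, host byte order
#   u_int32_t spi;    SPI of the SA that handled it, network byte order
#   u_int32_t flags;  mbuf flags M_CONF / M_AUTH / M_AUTH_AH
ENC_HDRLEN = 12
AF_INET, AF_INET6 = 2, 24                             # OpenBSD values
M_CONF, M_AUTH, M_AUTH_AH = 0x0400, 0x0800, 0x2000    # assumed bit values


def parse_enc_frame(frame, little_endian=True):
    """Return SA metadata plus the inner IP endpoints of one enc0 frame."""
    if len(frame) < ENC_HDRLEN + 20:
        raise ValueError("frame too short for enchdr + IPv4 header")
    host = "<" if little_endian else ">"
    af, = struct.unpack(host + "I", frame[0:4])
    spi, = struct.unpack("!I", frame[4:8])           # always network order
    flags, = struct.unpack(host + "I", frame[8:12])
    inner = frame[ENC_HDRLEN:]
    if af == AF_INET:
        ihl = (inner[0] & 0x0F) * 4
        proto = inner[9]
        src, dst = ip_address(inner[12:16]), ip_address(inner[16:20])
    elif af == AF_INET6:
        if len(inner) < 40:
            raise ValueError("frame too short for IPv6 header")
        ihl = 40
        proto = inner[6]
        src, dst = ip_address(inner[8:24]), ip_address(inner[24:40])
    else:
        raise ValueError(f"unsupported address family {af}")
    return {
        "spi": spi,
        "confidential": bool(flags & M_CONF),
        "authenticated": bool(flags & (M_AUTH | M_AUTH_AH)),
        "proto": proto,
        "src": src,
        "dst": dst,
        "payload": inner[ihl:],
    }


def match_host(frames, addr, little_endian=True):
    """User-space equivalent of tcpdump's 'host' primitive, applied to the
    inner packet rather than to offset 0 of the frame."""
    want = ip_address(addr)
    return [d for d in (parse_enc_frame(f, little_endian) for f in frames)
            if want in (d["src"], d["dst"])]


def build_sample_frame(af, spi, flags, src, dst, proto=6, little_endian=True):
    """Construct a frame the way the kernel would prepend enchdr (test data only)."""
    host = "<" if little_endian else ">"
    hdr = (struct.pack(host + "I", af) + struct.pack("!I", spi)
           + struct.pack(host + "I", flags))
    s, d = ip_address(src).packed, ip_address(dst).packed
    if af == AF_INET:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0x4000, 64, proto, 0, s, d)
    else:
        ip = struct.pack("!IHBB16s16s", 0x60000000, 8, proto, 64, s, d)
    return hdr + ip + b"\x00" * 8     # 8 bytes of dummy transport payload


# Constructed frames: two directions of one ESP tunnel plus one AH-only packet.
SAMPLE_FRAMES = [
    build_sample_frame(AF_INET, 0x1000ABCD, M_CONF | M_AUTH, "10.1.1.100", "10.1.15.10"),
    build_sample_frame(AF_INET, 0x1000ABCE, M_CONF | M_AUTH, "10.1.15.10", "10.1.1.100"),
    build_sample_frame(AF_INET, 0x2000BEEF, M_AUTH_AH, "192.0.2.7", "10.1.15.10", proto=17),
]

if __name__ == "__main__":
    for d in match_host(SAMPLE_FRAMES, "10.1.1.100"):
        print(f"SPI 0x{d['spi']:08x} {d['src']} -> {d['dst']} proto {d['proto']} "
              f"conf={d['confidential']} auth={d['authenticated']}")
```

Feed it the raw frames from a pcap written with `tcpdump -i enc0 -w`; the SPI and the confidential/authenticated bits tell you which SA the packet went through and whether it was actually encrypted, which a plain `host` filter would not show.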




Re: Support Needed for GPS and Time Signal Station Receiver Development

2006-06-02 Thread Will H. Backman
Have you looked at gpsd, which is BSD licensed?  According to the author, they
have very good device detection, so maybe you could use their device info
database.
http://gpsd.berlios.de/

-- Will



license for getopt.c?

2006-05-31 Thread Will H. Backman
While wandering through the usr.bin source tree (not to imply that I am 
qualified to take the journey), I noticed that getopt.c doesn't have a 
license clause in it.

Anyone know who david might be?
   $OpenBSD: getopt.c,v 1.6 2003/07/10 00:06:51 david Exp $

-- Will



Re: license for getopt.c?

2006-05-31 Thread Will H. Backman

Ted Unangst wrote:

On 5/31/06, Will H. Backman [EMAIL PROTECTED] wrote:

While wandering through the usr.bin source tree (not to imply that I am
qualified to take the journey), I noticed that getopt.c doesn't have a
license clause in it.
Anyone know who david might be?
   $OpenBSD: getopt.c,v 1.6 2003/07/10 00:06:51 david Exp $


it would be helpful if you mentioned *which* getopt.c.  the one in
libc (before it was deleted) certainly did have a license.  i also
doubt david wrote the file in question if that's why you're asking.

Here is where I found it:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/getopt/



head.c usage function

2006-05-26 Thread Will H. Backman

Looking at /bin/head source code.
The usage function uses:
  fputs(usage: head [-n line_count] [file ...]\n, stderr);
While many other programs use:
 fprintf(stderr, usage: arch [-ks]\n);

Is there a difference?  Is one preferred?
Yes, I know.  I should take a C programming course.



Re: basic questions regarding patching, errata and stable branch

2006-05-22 Thread Will H. Backman

Tobias Weisserth wrote:

Hi everybody,

I am still trying to sort out some of the information on the OpenBSD website 
about how to follow a specific branch and what are the benefits of each 
method.


I understood what STABLE, CURRENT and RELEASE are and how to follow them.

I still have some difficulties figuring out what the difference between stable 
and release+applied errata is:


Starting with 2.7, OpenBSD provides a source tree that contains important 
patches and fixes (i.e. those from the errata plus others which are obvious 
and simple, but do not deserve an errata entry) and makes it available via 
CVS in addition to the current source.


from http://www.openbsd.org/stable.html

So having a release and applying patches to it is not exactly the same as 
following the stable branch. How far are those methods apart?


I have read that mixing up checked out subsystems from CVS like src, ports and 
XF4 cannot be done across different branches without breaking the system at 
some time. Let's assume I don't want to spend the extra compile time and 
bandwidth following stable and I'll stick with the release and apply the 
patches. How does that leave me with ports? Is it safe to use a release, 
apply the errata and checkout/use the ports from CVS stable? If not, what 
alternative do I have?


Mixing and matching of patching solutions can be done if you understand how 
everything works, but new users should pick one method and stick with it.


from http://www.openbsd.org/faq/faq10.html#Patches

Is this what I was referring to?

I guess the best solution would be to follow stable but speaking honestly 
this seems like a lot of wasted bandwidth and CPU time for a few small 
changes at best?


kind regards and thanks,
Tobias W.

  
On production systems, I'd suggest using the Release version and applying 
the errata.  If you need a feature or fix that is only in stable, then 
use that.  If there is a feature or bug that is not fixed in stable, 
then choose between new hardware or going with current.


For messing around and having fun with OpenBSD, I'd install from snapshots.



Re: 002_xorg.patch compile error i386

2006-05-08 Thread Will H. Backman

Didier Wiroth wrote:

Hello,
The answer is the same as previous posts ;-)
1) man 8 release
2) tcl and tk installed ( or perhaps old versions - pkg_add -u)
3) clean sources? if not, delete your sources and refetch them
4) do not build in your src directory!!! - see man 8 release 
(use for example: mkdir /usr/XF4bld && cd /usr/XF4bld && lndir /usr/src/XF4 && make build)


good luck 
didier 

  

i've got identical problem with compiling X after applying patch on two i386 
machines.



  

Or use this section of the FAQ:
http://www.openbsd.org/faq/faq5.html#Xbld
The patch might mislead people, as it says:

Apply by doing:
cd /usr/src/XF4
patch -p0 < 002_xorg.patch

And then rebuild and install X:
make build



Re: /dev/rst[01] Question

2006-05-05 Thread Will H. Backman

dave feustel wrote:

I have just installed OpenBSD 3.9 and I
am running into some strangeness.
What are the devices  /dev/rst[01]used for?

Thanks,
Dave

  

rewinding tape device, usually for backups.



002 patch and priv sep

2006-05-03 Thread Will H. Backman
002 patch for 3.9 says crash it and to execute malicious code within
the X server.
What side of the privilege separated X does this apply to?

-- Will Happy I don't install X on my servers Backman



Evaluating load average

2006-05-03 Thread Will H. Backman
I'm looking for some hints on evaluating load average.  I have a new
system that is showing load averages over .50 most of the time, but I
don't see that it is doing much according to systat vmstat.  I figured
that this machine would be way overpowered for the job it is doing.
Is load average (like what is displayed in uptime) really a good
indicator?
What tips do people have for profiling?

-- Will

Here is the dmesg:
OpenBSD 3.9 (GENERIC) #617: Thu Mar  2 02:26:48 MST 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(TM) CPU 2.80GHz (GenuineIntel 686-class) 2.80 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,CNXT-ID
real mem  = 2146807808 (2096492K)
avail mem = 1952808960 (1907040K)
using 4278 buffers containing 107442176 bytes (104924K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 01/09/06, BIOS32 rev. 0 @ 0xffe90
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfb4b0/320 (18 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801EB/ER LPC rev 0x00)
pcibios0: PCI bus #11 is the last bus
bios0: ROM list: 0xc/0xb000! 0xcb000/0x1000 0xcc000/0x1000 0xcd000/0x2200 0xec000/0x4000!
ipmi0 at mainbus0: version 1.5 interface KCS iobase 0xca8/8 spacing 4
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel E7520 MCH rev 0x09
ppb0 at pci0 dev 2 function 0 Intel MCH PCIE rev 0x09
pci1 at ppb0 bus 1
ppb1 at pci1 dev 0 function 0 Intel IOP331 Channel 0 rev 0x06
pci2 at ppb1 bus 2
ami0 at pci2 dev 14 function 0 Dell PERC 4e/Di rev 0x06: irq 7 Dell 16d 32b
ami0: FW 521X, BIOS vH430, 256MB RAM
ami0: 2 channels, 0 FC loops, 1 logical drives
scsibus0 at ami0: 40 targets
sd0 at scsibus0 targ 0 lun 0: AMI, Host drive #00,  SCSI2 0/direct fixed
sd0: 69880MB, 69880 cyl, 64 head, 32 sec, 512 bytes/sec, 143114240 sec total
scsibus1 at ami0: 16 targets
safte0 at scsibus1 targ 6 lun 0: PE/PV, 1x6 SCSI BP, 1.0 SCSI2 3/processor fixed
scsibus2 at ami0: 16 targets
ppb2 at pci1 dev 0 function 2 Intel IOP331 Channel 1 rev 0x06
pci3 at ppb2 bus 3
ppb3 at pci0 dev 4 function 0 Intel MCH PCIE rev 0x09
pci4 at ppb3 bus 4
ppb4 at pci0 dev 5 function 0 Intel MCH PCIE rev 0x09
pci5 at ppb4 bus 5
ppb5 at pci5 dev 0 function 0 Intel PCIE-PCIE rev 0x09
pci6 at ppb5 bus 6
em0 at pci6 dev 7 function 0 Intel PRO/1000MT (82541GI) rev 0x05: irq 11, address 00:13:72:55:29:53
ppb6 at pci5 dev 0 function 2 Intel PCIE-PCIE rev 0x09
pci7 at ppb6 bus 7
em1 at pci7 dev 8 function 0 Intel PRO/1000MT (82541GI) rev 0x05: irq 3, address 00:13:72:55:29:54
ppb7 at pci0 dev 6 function 0 Intel MCH PCIE rev 0x09
pci8 at ppb7 bus 8
ppb8 at pci8 dev 0 function 0 Intel PCIE-PCIE rev 0x09
pci9 at ppb8 bus 9
ppb9 at pci8 dev 0 function 2 Intel PCIE-PCIE rev 0x09
pci10 at ppb9 bus 10
uhci0 at pci0 dev 29 function 0 Intel 82801EB/ER USB rev 0x02: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1 Intel 82801EB/ER USB rev 0x02: irq 10
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 29 function 2 Intel 82801EB/ER USB rev 0x02: irq 7
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
ehci0 at pci0 dev 29 function 7 Intel 82801EB/ER USB2 rev 0x02: irq 5
usb3 at ehci0: USB revision 2.0
uhub3 at usb3
uhub3: Intel EHCI root hub, rev 2.00/1.00, addr 1
uhub3: 6 ports with 6 removable, self powered
ppb10 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0xc2
pci11 at ppb10 bus 11
vga1 at pci11 dev 13 function 0 ATI Radeon VE QY rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ichpcib0 at pci0 dev 31 function 0 Intel 82801EB/ER LPC rev 0x02
pciide0 at pci0 dev 31 function 1 Intel 82801EB/ER IDE rev 0x02: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus3 at atapiscsi0: 2 targets
cd0 at scsibus3 targ 0 lun 0: TEAC, CD-ROM CD-224E-N, 3.AB SCSI0 5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 disabled (no drives)
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pmsi0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pmsi0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
biomask efe5 netmask efed ttymask ffef



Patch make question

2006-05-02 Thread Will H. Backman
001_sendmail.patch for 3.9 says:

make obj
make depend
make
make install

Is there anything wrong with

make obj && make depend && make && make install

?

-- Will



Ethereal Problems

2006-04-25 Thread Will H. Backman
From http://www.incidents.org/

Yes, if you use Ethereal, it is time to upgrade. According to an advisory
posted by Frsirt, 28 vulnerabilities have been identified in Ethereal
which could be exploited by remote attackers to compromise a vulnerable
system or cause a denial of service.

Thanks for removing it from ports a long time ago.

-- Will



Re: install sets as packages

2006-04-20 Thread Will H. Backman

Daniel Ouellet wrote:

Will H. Backman wrote:

Would there be a benefit to use the pkg_ tools to install and manage the
install sets?


I fail to see the point of it really. The install set is done at 
install time, or added if you missed it at the install.


Plus the package tools are there to take care of dependencies, etc., to 
remove all applications and add new ones, or upgraded ones.


The install sets are for the system, and if there is an upgrade to them, it's 
a patch.


You wouldn't want someone to do:

sudo pkg_delete etc39.tgz

or

sudo pkg_delete base39.tgz

for example would you?

If so, I wonder how you would still use the server?

I could imagine some benefits.  Add the xserv39.tgz install set, get 
xbase xshare and xfont maybe.  I'm not sure of the dependencies.  Also 
packages can include post install scripts, such as making the device 
nodes, etc.  I also don't know if the package upgrade kung-fu could 
eventually help upgrade the base install sets such as etc.

It was mostly a half baked question anyway.  Food for thought.

-- Will



Re: Mounting remote filesystems from OpenBSD to OS X

2006-04-20 Thread Will H. Backman

Hans-Joerg Hoexer wrote:

On Thu, Apr 20, 2006 at 02:11:36PM +0100, Constantine A. Murenin wrote:
  

Hi,

I have an OpenBSD (file-)server at a remote location on the internet
that is around 137ms away from an OS X 10.4 laptop.

Is there a way to securely mount OpenBSD's filesystems from OS X in
such a setting?



consider using ipsec.

  
From OSX, make sure to use mount_nfs -P when connecting to an OpenBSD 
NFS server.  It won't work without the -P.




install sets as packages

2006-04-19 Thread Will H. Backman
As no answer came up after a little searching on google and the openbsd
FAQ...
Would there be a benefit to use the pkg_ tools to install and manage the
install sets?  The pkg_ tools seem to be a fairly elegant system.
So if money and time and developers grew on trees, would it be a
reasonable goal?  Just a simple design question.

Yes, the installer works, so why fix what isn't broke.
Yes, I'm a regular user asking other people to do work. (actually, I'm
not asking for anything except knowledge).
Yes, the package management system may not fit on the install floppy.
I sure hope I didn't miss the FAQ entry that already answers this
question.

-- Will



Server Compatibility List

2006-04-18 Thread Will H. Backman
I don't know if this has been posted before, but I found a nice openbsd server
compatibility list:

To ensure availability of appropriate server hardware platforms for Profense,
Armorlogic is testing new server models from major manufacturers on an ongoing
basis. It is our goal to provide our customers with server hardware platforms
that are easily available in major parts of the world. Therefore, we only
test/support standard and pre-configured server hardware from HP, Dell, IBM,
Sun and Fujitsu-Siemens.

http://www.armorlogic.com/openbsd_information_server_compatibility_list.html

This list gave me the information I needed to go ahead and order the server
for my shiny new 3.9 CDs.

-- Will



Re: Patch for asynch sendmail vulnerability on OPENBSD_3_6 stable

2006-04-14 Thread Will H. Backman

Michael Flanagan wrote:
I found myself needing to apply the recent patch for sendmail against 
an aging 3.6 stable box.


I took the sendmail patch for the 3.7 stable branch and applied it 
against 3.6 stable. It applied cleanly with the exception of a half 
dozen hunks in a couple of files. I merged those by hand and am up and 
running with a rebuilt sendmail.


In case this saves anyone a little time, I've created a diff of what 
I'm running against 3.6 stable. It applies cleanly. You can find it here:


http://pokernut.net/wp-content/OPENBSD36_sendmail.patch

Michael

Does anyone know of any tests for the problem?  How would I test such an 
unofficial patch?  I never did see anything that said OpenBSD was 
affected by the problem, and I'm always hoping that some of the OS level 
protections might help in situations like this.




Re: OpenBGP: aggregating routes / set neighbor next-hop

2006-03-29 Thread Will H. Backman
 On Cisco I configured
 neighbor 10.0.0.2 next-hop-self, but how to do this with openbgp?

that, again, is something nobody ever asked for or missed :)
however, the (completely untested except for compilation) diff below
should add set nexthop self.

Index: bgpd.h

How come Cisco doesn't send me the source code to feature updates when I
request them?
Cisco must be too busy counting my money. :)



3.9 patch 001 needed for CD release?

2006-03-27 Thread Will H. Backman
I assume this is an obvious question, but I just wanted to be sure.  Was
the release that was sent to the CD manufacturer created before the 3.9
001 errata?

-- Will



Future licensing trouble for Sendmail

2006-03-27 Thread Will H. Backman
No, this isn't another Sendmail needs to be replaced because there was
a security hole email.  I was following the thread on BugTraq regarding
the Sendmail vulnerability, and saw this from Theo (Mar 24 2006):

Luckily within a few months you will be able to tell Sendmail how
to disclose their bugs because their next version is going to come
out with a much more commercial licence. Then you can pay for it,
and then you can complain too.

Is this a hint that there might be a license issues that would cause
problems with OpenBSD, or am I reading too much into that statement?

-- Will



Re: Small office with BSD blueprint

2006-03-21 Thread Will H. Backman

Will H. Backman wrote:

Looking for feedback on a basic blueprint for a small office using BSD.
Situation:  Small office with maybe five workstations.
Question: What would an all BSD setup look like?
Solution that comes to mind:
* Single server for DNS, DHCP, LPD, SMTP, IMAP, and home directories.
* Full install with whatever desktop environment is chosen.
* automount home directories.
* Instead of NIS, maybe cron job to rsync files like /etc/passwd,
/etc/hosts, /etc/printcap from central server.

Does anyone out there have a similar setup?

--
Will Backman - Network Administrator
Coastal Enterprises, Inc.
http://www.ceimaine.org



I still don't know if there is much of a consensus.  There is one 
document (http://www.openbsdsupport.org/sharedhomes.html) that is a 
little old, but I think it describes the traditional Unix way of doing 
things.
I think someone with only a little Unix experience could follow that 
document.  Combined with a network-ready printer, mail/DNS services 
provided by their ISP, and an inexpensive router, one could have a 
simple and workable solution.  It should be possible to set up a simple 
environment without hiring a Unix/Network engineer.

I'd like to thank everyone for their comments and suggestions.



Re: flash plugin mozilla-firefox

2006-03-21 Thread Will H. Backman

Hannah Schroeter wrote:

Hello!

On Tue, Mar 21, 2006 at 10:29:50AM -0500, Roy Morris wrote:

Try this 
http://www.openbsd.org/faq/faq13.html#javaflash



Nowadays, the recommendation to fetch a flashplugin and install it by
hand is outdated. There's /usr/ports/www/opera/opera-flashplugin.

Kind regards,

Hannah.



Is that i386 only?



Re: flash plugin mozilla-firefox

2006-03-21 Thread Will H. Backman

Hannah Schroeter wrote:

Hello!

On Tue, Mar 21, 2006 at 10:42:31AM -0500, Will H. Backman wrote:


Hannah Schroeter wrote:


On Tue, Mar 21, 2006 at 10:29:50AM -0500, Roy Morris wrote:



Try this 
http://www.openbsd.org/faq/faq13.html#javaflash




Nowadays, the recommendation to fetch a flashplugin and install it by
hand is outdated. There's /usr/ports/www/opera/opera-flashplugin.




Is that i386 only?



Just look yourself *sigh*.

  ONLY_FOR_ARCHS= i386

in the ports makefile tells enough, doesn't it?

Kind regards,

Hannah.



I actually knew the answer already.  It was more of a dig against flash 
and proprietary software for an OS that is ported to so many architectures.




Small office with BSD blueprint

2006-03-20 Thread Will H. Backman
Looking for feedback on a basic blueprint for a small office using BSD.
Situation:  Small office with maybe five workstations.
Question: What would an all BSD setup look like?
Solution that comes to mind:
* Single server for DNS, DHCP, LPD, SMTP, IMAP, and home directories.
* Full install with whatever desktop environment is chosen.
* automount home directories.
* Instead of NIS, maybe cron job to rsync files like /etc/passwd,
/etc/hosts, /etc/printcap from central server.

Does anyone out there have a similar setup?

--
Will Backman - Network Administrator
Coastal Enterprises, Inc.
http://www.ceimaine.org



Re: Small office with BSD blueprint

2006-03-20 Thread Will H. Backman

Joachim Schipper wrote:

On Mon, Mar 20, 2006 at 09:53:30AM -0500, Will H. Backman wrote:


Looking for feedback on a basic blueprint for a small office using BSD.
Situation:  Small office with maybe five workstations.
Question: What would an all BSD setup look like?
Solution that comes to mind:
* Single server for DNS, DHCP, LPD, SMTP, IMAP, and home directories.
* Full install with whatever desktop environment is chosen.
* automount home directories.
* Instead of NIS, maybe cron job to rsync files like /etc/passwd,
/etc/hosts, /etc/printcap from central server.

Does anyone out there have a similar setup?



No, but I wanted to have that, so I might have a couple of ideas.

- A separate firewall is good for security, and very easy.


Yes, firewall/NAT router is assumed.  Could even be a simple $40 Linksys 
box.



- Building an install script is good, but see below ...
- Rdist(1) is also very useful. Build a complete client install on the
  server, then call rdist to update all clients. As long as you do some
  simple things right - like not wiping /tmp or some of the files in
  /etc that change when you get a DHCP lease or under /etc/ssh or
  somesuch - this works perfectly.
  Rdist *is* a bit old; cfengine or somesuch will be more modern, but I
  find that rdist with a largish Makefile does exactly what I want.


I'm looking for as simple and generic as possible.  I'm not sure what 
would be the most simple.



- DHCP is not generally useful, unless you implement ...


Do you usually assign static IPs?


- ... netboot, which is massively cool and very easy on the admin

And why not {N,A}FS-mount /home? That way, automounting is not necessary.


I guess a straight NFS mount could be easier.  Fewer config files to 
mess with.



Joachim




Re: Small office with BSD blueprint

2006-03-20 Thread Will H. Backman

John R. Shannon wrote:

Will H. Backman wrote:


Looking for feedback on a basic blueprint for a small office using BSD.
Situation:  Small office with maybe five workstations.
Question: What would an all BSD setup look like?
Solution that comes to mind:
* Single server for DNS, DHCP, LPD, SMTP, IMAP, and home directories.
* Full install with whatever desktop environment is chosen.
* automount home directories.
* Instead of NIS, maybe cron job to rsync files like /etc/passwd,
/etc/hosts, /etc/printcap from central server.

Does anyone out there have a similar setup?

--
Will Backman - Network Administrator
Coastal Enterprises, Inc.
http://www.ceimaine.org



I have that. I suppose I can send details on what I've setup if you 
want. Let me make some comments relative to your solution:


1. You want more than one server for availability. If your single server 
goes down, all 5 employees will be non-productive.


Is there a simple way to provide high availability for home directories? 
 I don't care if IMAP is still running if the home directories are down.




2. I don't see a firewall.


I assume something like a $40 linksys.



3. I don't see a backup solution. This is critical.


Yes, that would be included also.  Then we can start the whole dump vs. 
tar vs. pax vs. amanda debate.  I'll stick with dump, given that it is used 
for the examples in the FAQ for OpenBSD.




4. You might consider a network printer rather than sharing one through 
your server.




Re: Small office with BSD blueprint

2006-03-20 Thread Will H. Backman

Peter wrote:

--- Joachim Schipper [EMAIL PROTECTED] wrote:

[snip]



Do you usually assign static IPs?


Yes, on a small LAN such as this - why not? It cuts out one bad idea
(DHCP), and does not have any disadvantages I can see. Except maybe
that
you need to update the DNS server(s) on all the Windows boxes if it
changes. And yes, that's happened to me...



Why is DHCP a bad idea?

--
Peter
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 



Perhaps I should also explain the reason for my original post.  There is 
a lot of choice, which is a good thing for the well informed.  While 
there can never be the right way, I don't see a lot of material out 
there that describes the most common way to deal with the typical 
scenarios.




Re: Small office with BSD blueprint

2006-03-20 Thread Will H. Backman

Will H. Backman wrote:

Looking for feedback on a basic blueprint for a small office using BSD.
Situation:  Small office with maybe five workstations.
Question: What would an all BSD setup look like?
Solution that comes to mind:
* Single server for DNS, DHCP, LPD, SMTP, IMAP, and home directories.
* Full install with whatever desktop environment is chosen.
* automount home directories.
* Instead of NIS, maybe cron job to rsync files like /etc/passwd,
/etc/hosts, /etc/printcap from central server.

Does anyone out there have a similar setup?



Also, am I crazy for avoiding NIS in a small, trusted network like a 
small office?




Re: Reminder about the X Aperture

2006-03-15 Thread Will H. Backman

Daniel Ouellet wrote:
Sorry for my ignorance on the subject and this issue and the use of X 
altogether.


Not critical whatsoever by any long shot, but I was curious as to whether 
there is some window manager that actually does NOT need any of the X stuff 
at all?


Meaning something that obviously will not be like KDE or GNOME for 
sure, not even remotely close to it, but anything like that, that works 
well and doesn't need ANY X stuff? Doesn't need or use the aperture stuff 
either?


I hope my question makes some kind of sense.

What's your favorite, if any actually exists?

Thanks

Daniel

PS: I guess my total ignorance on that specific subject shows, right! (:



The only one that comes to mind is screen, but I don't think it is 
what you are looking for.




Re: php in cgi mode suphp missing(?) from packages

2006-03-15 Thread Will H. Backman

Brandon Mercer wrote:

Anon wrote:


Hello :)

My questions can be summarised as :
1) What is the easiest way to install php in CGI mode on OBSD?
2) Why doesn't OBSD have a package for php that includes the CGI version?
3) Why doesn't OBSD have a suphp package? Is there any special reason?

I ask these questions because suphp (http://www.suphp.net) is a 
program that switches the uid of php scripts run under apache, so they 
run as uid of the script owner instead of uid of the webserver. This 
makes it similar to SuEXEC, a very well known security program that 
does the same thing for perl scripts, and is included in the OBSD 
system. I find it critical to have as a security tool, because without 
it any local user can use php scripts to send mail as 'nobody' or 
'www' - without much in the way of logs, and they can also browse the 
files of other users via scripts... and generally do a lot of things 
they should not be able to do.


As OBSD is focused on security, it makes a lot of sense to me that 
OBSD would at least include the CGI version of PHP in its php-core 
packages, and preferably have a suphp package too.


Now, I realise that suphp is mainly made for linux - but I do think it 
should be ported for OBSD, because, frankly, without it, allowing 
local users to run php scripts on your webserver is a very insecure 
idea. Lots of people run webservers on OBSD (like myself) and we're 
concerned that OBSD provides no obvious way to remedy this 
exploit-waiting-to-happen.


It'd be consistent with your policy of including suexec to also 
include suphp. I'm trying to go with the OBSD guide's advice and only 
use the packages, but this is difficult when there are (imho) 
essential tools (and even the things they depend on) which aren't 
available as packages :-(


Suggestions would be very welcome :)
  


Ok, you've convinced me.  Now my suggestion:  Port it!  We here at 
OpenBSD like to SUAC!  Good luck!

Brandon



For a program to become other users, it must have root privs.  It must 
be used with caution.  I don't know if there is enough confidence in php 
yet.




Re: Openbgpd kernel tuning

2006-03-08 Thread Will H. Backman

Henning Brauer wrote:

* Marcel Prisi [EMAIL PROTECTED] [2006-03-08 16:42]:

OpenBGPD's config seems OK, but I need some help about OpenBSD's tunable 
parameters using sysctl.



the only thing you might want to change is
  net.inet.ip.ifq.maxlen
the default is a little low for routing at higher speeds. 250 seems 
a good compromise for many higher-bandwidth routers.




What is the easiest way to know when you are hitting the limit?  Does it 
just drop new connections?




Re: make build error on 3.9 (-current) i386

2006-03-01 Thread Will H. Backman

Reza Muhammad wrote:

Hi guys,

I was just updating my source tree through cvsup, and I've been  
following -current for a while.  There hadn't been any problems  
before.  But today, make build returned errors.  The last time I  
cvsup'd was today around 10pm (GMT +7), and here's some of the log:


 Edit src/sys/arch/sparc/include/param.h
  Add delta 1.35 2006.02.28.18.24.18 miod
Edit src/sys/dev/ic/atw.c
  Add delta 1.43 2006.02.28.06.52.35 jsg
Edit src/sys/dev/mii/ciphy.c
  Add delta 1.10 2006.02.28.08.13.47 jsg
  Add delta 1.11 2006.02.28.12.37.15 jsg
Edit src/sys/dev/mii/ciphyreg.h
  Add delta 1.2 2006.02.28.08.13.47 jsg
Edit src/sys/kern/uipc_usrreq.c
  Add delta 1.31 2006.02.27.23.38.11 miod
Edit src/usr.bin/ssh/session.c
  Add delta 1.197 2006.02.28.01.10.21 djm

Now, after reinstalling a new kernel, I did a make build, and got  these 
errors:


nroff -Tascii -mandoc - < /usr/src/usr.sbin/httpd/src/support/apxs.8 > src/support/apxs.cat8
nroff -Tascii -mandoc - < /usr/src/usr.sbin/httpd/src/support/suexec.8 > src/support/suexec.cat8

make: no target to make
*** Error code 2

Stop in /usr/src/usr.sbin/httpd (line 628 of /usr/src/usr.sbin/httpd/ 
Makefile.bsd-wrapper).

*** Error code 1

Stop in /usr/src/usr.sbin.
*** Error code 1

Stop in /usr/src (line 73 of Makefile).

Can anyone help me with it?
Thanks for the help.

-Reza



Speaking of CVSup:
Are a lot of people using CVSup, CVSync, manual CVS, or something else?



Re: integrating windows client and server with openbsd servers

2006-02-24 Thread Will H. Backman
-Original Message-
From: [EMAIL PROTECTED] on behalf of Gustavo Rios
Sent: Fri 2/24/2006 9:39 PM
To: misc@openbsd.org
Subject: integrating windows client and server with openbsd servers

Hey folks,

I need to make Windows and OpenBSD machines live together happily.

I have Kerberos, NIS and storage servers on OpenBSD and would like them
to serve Windows clients and servers. I have users on my OpenBSD NFS
server, and my users are on a NIS server too.

One very important thing is that users accessing their files should see
the same view regardless of the client they are on (Windows or OpenBSD).

I saw MS SFU could help, but have never used it. CygWin has a similar
solution too.
I have no experience or someone's perspective on which I could base myself.

Thanks a lot for your time and cooperation.

Best regards.



This might help with some problems, although it covers MIT Kb.

http://calnetad.berkeley.edu/documentation/test_environment/kerb_interop_trip-ups.html



3.8 mountd -n

2006-02-23 Thread Will H. Backman
Trying to get OS X to mount an openbsd nfs share.  I can force OS X to 
use reserved ports by using mount_nfs -P from the command line, but 
users mounting from the finder don't have that option.
OpenBSD man page for mountd says that there is an -n option to allow 
mounting from unreserved ports, but running mountd with that option 
doesn't seem to make a difference.   Any ideas?
Also, if this flag worked, I'm not sure how one would put it in 
/etc/rc.conf.local


Thanks in advance.



Re: 3.8 mountd -n

2006-02-23 Thread Will H. Backman

Will H. Backman wrote:

Trying to get OS X to mount an openbsd nfs share.  I can force OS X to 
use reserved ports by using mount_nfs -P from the command line, but 
users mounting from the finder don't have that option.
OpenBSD man page for mountd says that there is an -n option to allow 
mounting from unreserved ports, but running mountd with that option 
doesn't seem to make a difference.   Any ideas?
Also, if this flag worked, I'm not sure how one would put it in 
/etc/rc.conf.local


Thanks in advance.


Replying to myself:
On http://www.openbsd.org/plus31.html, I see:
Remove requirement for reserved ports in the NFS server by using the 
vfs.nfs.norsvport sysctl(8)


But sysctl says third level name norsvport in vfs.nfs.norsvport is 
invalid


Searching the archives for vfs.nfs.norsvport show a message that it was 
later removed.


Am I chasing a silly idea?



More reasons to like OpenBSD

2006-02-22 Thread Will H. Backman
Just a note to the OpenBSD community:
I have been helping a friend clean up after a security incident with a
PHP web app that hadn't been patched on a Linux server.  I run the same
app on OpenBSD, and I worry a lot less.  I still patch my PHP apps
because it would be stupid to assume that OpenBSD would always protect
me, but looking at how the exploit happened, I see that OpenBSD's apache
chroot would have prevented that particular attack.
So:
* Developers: Thanks for the proactive security!
* Users: Put the effort into making your stuff work in the chroot.

--
Will Backman - Network Administrator
Coastal Enterprises, Inc.
http://www.ceimaine.org



web FAQ 15 correction?

2006-02-16 Thread Will H. Backman

Possible correction?
http://openbsd.org/faq/faq15.html#Intro
Invoking pkg_add(1) with the -u flag and no package name will just
examine all installed packages for updated versions. When a package has
dependencies, they are also examined for updates.

pkg_add -u now also does the upgrade, doesn't it?



Re: NIS server/client on OpenBSD

2006-02-10 Thread Will H. Backman

Edd Barrett wrote:

On 2/10/06, Budhi Setiawan [EMAIL PROTECTED] wrote:


Dear All,

Can you give me a link HOWTO/FAQ/tutorial to create a NIS
server/client on OpenBSD.





Found this on google, but don't know how accurate it is.

http://www.openbsdsupport.org/sharedhomes.html

I could have sworn it was in the FAQ.

Regards

Edd



For some general theory, which makes the man pages easier to understand:
http://docs.sun.com/app/docs/doc/806-4077/6jd6blbd7?a=view



Status of pkg_add -u?

2006-02-10 Thread Will H. Backman
How functional and safe is pkg_add -u at this point?

Also, I just wanted to say thanks for the hard work on the pkg_* tools.
They just keep getting better.
--
Will Backman - Network Administrator
Coastal Enterprises, Inc.
http://www.ceimaine.org



Re: OpenBSD hardware router

2006-02-02 Thread Will H. Backman

Kenny Mann wrote:
I'm looking for something which I can slap OpenBSD 3.8 on and use 
it as a router.
This will be used for a house (~ 4 people) and I'm looking for something 
small in form factor which doesn't run hot, because it will run 
in a closet.
I'm seeking to replace our D-Link router because it seems to lock up on 
occasion, and this seems like a fun little project to do.

I'd also like it to have wireless capabilities as well.
Anyone know where I can start looking, or can point me in a direction to start?
Or are my hopes too high and I should just get a PC and make it happen 
that route (pun not intended)?


Kenny Mann



If you are trying not to spend a lot of money, you could find an almost 
free laptop (200 - 300 mhz) and use that.  Cost will go up if you don't 
already have some PCMCIA or USB ethernet and wireless cards.




Re: MS Security VP Mike Nash remarks on MS vs OpenBSD security.

2006-01-26 Thread Will H. Backman

Shane J Pearson wrote:

What an incredible load of tripe!...

From:http://interviews.slashdot.org/article.pl?sid=06/01/26/131246


Second, it is not completely accurate to say that OpenBSD is more
secure. If you compare vulnerability counts just from the last 3 months,
OpenBSD had 79 for November, December and January compared to 11 for
Microsoft (and that includes one each for Office and Exchange - so
really 9 for all versions of Windows). I encourage you to look at the
numbers reported at the OpenBSD site to verify that this is true.
~~~


Shane J Pearson



We need to do more than just complain.  We need to provide solid 
evidence that he is wrong, and make sure it is known.




NYCBUG dmesg tracker

2006-01-26 Thread Will H. Backman
For those of you who are sending dmesg output to the developers, you may 
also want to post your dmesg to the New York City BSD Users Group dmesg 
tracker.


From their site:
Upload your dmesg so others can see your kernel boot messages and 
related troubleshooting details. Each dmesg is searchable for particular 
hardware, error messages, etc. and can help others as a reference for 
their BSD system. The filter provided looks only in the dmesg and works 
best with single word searches.


http://www.nycbug.org/index.php?NAV=dmesgd

-- Will Backman
BSDTalk - Podcast
http://bsdtalk.blogspot.com



Re: MS Security VP Mike Nash remarks on MS vs OpenBSD security.

2006-01-26 Thread Will H. Backman

Rob W wrote:
http://www.securityfocus.com/bid/16375 is minor but important enough to 
report?


A way to remotely crash an OpenBSD box is minor?

 From http://openbsd.org/security.html:
Security information moves very fast in cracker circles. On the other 
hand, our experience is that coding and releasing of proper security 
fixes typically requires about an hour of work -- very fast fix 
turnaround is possible. Thus we think that full disclosure helps the 
people who really care about security.


Does it have to qualify as a root exploit/possible root exploit to get a 
security announcement?


Sorry, I don't get it.



By sending carefully crafted sequence of IP packet fragments, a remote
attacker can cause a system running pf with a ruleset containing a
'scrub fragment crop' or 'scrub fragment drop-ovl' rule to crash.

1: Has this been verified to actually cause a panic on OpenBSD, or did 
OpenBSD just add the fixes to pf in CVS for the benefit of other 
operating systems?


2: How common is the use of those rules?



Release Song License

2006-01-19 Thread Will H. Backman
Are the OpenBSD Release songs also BSD licenced?  The lyrics page 
doesn't specify.

I wanted to know if they are podcast safe.



NFS Book offer

2006-01-09 Thread Will H. Backman
Would any OpenBSD developer be interested in the book NFS Illustrated?
http://www.awprofessional.com/bookstore/product.asp?isbn=0201325705redir=1

I'll ship it to you.  I got it for free, but it is over my head.

--
Will Backman - Network Administrator
Coastal Enterprises, Inc.
http://www.ceimaine.org



OpenBSD VMWare image too popular

2006-01-05 Thread Will H. Backman
I've just crossed the 10,000 downloads of the OpenBSD VMWare image since
I posted it a few weeks ago.
Unfortunately, it is a little too popular for the people providing my
bandwidth.  Is anyone else willing to host the file?  I'll just point my
page to you.  You would be looking at about a terabyte a month of
transfer if it keeps going at this rate.

--
Will Backman - Network Administrator
Coastal Enterprises, Inc.
http://www.ceimaine.org



Re: OpenBSD VMWare image too popular

2006-01-05 Thread Will H. Backman

Jasper Lievisse Adriaanse wrote:

On Thu, 5 Jan 2006 13:41:50 -0500
Will H. Backman [EMAIL PROTECTED] wrote:



I've just crossed the 10,000 downloads of the OpenBSD VMWare image since
I posted it a few weeks ago.
Unfortunately, it is a little too popular for the people providing my
bandwidth.  Is anyone else willing to host the file?  I'll just point my
page to you.  You would be looking at about a terabyte a month of
transfer if it keeps going at this rate.


Enjoy: http://wbackman.humppa.nl/

Cheers,
Jasper



--
Will Backman - Network Administrator
Coastal Enterprises, Inc.
http://www.ceimaine.org







Thanks to everyone who is willing to mirror this file.  I have links to 
four mirrors on my site now.




Re: VPN packets not passing remote gateway [RESOLVED... sorta]

2006-01-04 Thread Will H. Backman

Jason Dixon wrote:

On Jan 4, 2006, at 9:32 AM, Håkan Olsson wrote:


On 4 jan 2006, at 05.57, Jason Dixon wrote:

After some gentle persuading by Adrian Close, I dropped ipsecadm  and 
went back to automatic key exchange with isakmpd.  A quick  
configuration based on the east/west and all is good.  Same PF  
configuration, no changes there except for the addition of ISAKMP  
traffic.  Don't know what the problem was, although I'm sure it  was 
user related.



Your manual setup only included one SA (SPI 0x100a), and you always  
need at least two, as an SA is unidirectional.



I tried that too before moving over to ISAKMP.  It was still behaving  
the same, but it was probably user error.



Thanks,

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net



Here is the most simple manual keying setup I could make:
I can create a manually keyed host to host vpn with two lines in 
/etc/ipsec.conf
On the other host, just make sure to swap the IPs, spi numbers and the 
auth and enc keys.  The key values are for testing only.


flow esp from 192.168.71.129 to 192.168.71.128
esp from 192.168.71.129 to 192.168.71.128 spi 0x1000:0x1001 authkey 
0x:0x0001 
enckey 
0x:0x0001




Re: Blowfish still good enough?

2006-01-03 Thread Will H. Backman

Ted Unangst wrote:

On 12/31/05, Travers Buda [EMAIL PROTECTED] wrote:


The Nazis thought their Enigma machine was perfect.



Do you know why Enigma was broken?  Primarily because the operators
didn't follow procedure and made a series of other mistakes (This
doesn't seem too important).  As is typical, the problem was not with
the crypto, it was with the idiots using it.



I guess any encryption algorithm is limited by entropy.  Given that most 
users choose bad passwords, the algorithm doesn't matter that much. 
What is the point of trillions of possible keys when people choose from 
only a few hundred thousand?


I'd just say no to any passwords.



Possible error in vpn(8) man page

2005-12-23 Thread Will H. Backman

According to the vpn(8) man page:
Paragraph just before section header for Creating IPsec Flows [manual 
keying]


Note that when no authentication and encryption algorithms are defined, 
ipsecctl(8) will automatically use HMAC-SHA2-256 for authentication and 
AES-128 in countermode for encryption.  Therefore the authentication key 
needs to be 256 bits long; the encryption key 128 bits.  For details see 
ipsec.conf(5).


If I create an ipsec.conf file that does not define an authentication or 
encryption algorithm, I get warnings if my encryption key is less than 
160 bits.  Man page states that it must be at least 128.




OpenBSD is popular as a VM image

2005-12-22 Thread Will H. Backman
Just an update on the popularity of the OpenBSD 3.8 VM image:
Since it was posted on Dec 19 (4 days ago), apache logs have shown 2826
hits on the file with just over 277 gigs of traffic created by those
downloads.
Not bad for only a few days.
--
Will Backman - Network Administrator
Coastal Enterprises, Inc.
http://www.ceimaine.org



Re: Unable to build Gateway route

2005-12-22 Thread Will H. Backman

martin wrote:

--- Jason Crawford [EMAIL PROTECTED] wrote:




IP - 209.216.76.1
Netmask - 255.255.255.252
GW - 209.216.77.6



Either a typo in your netmask, or a typo in your gateway, since your
gateway IP does not belong to the current netmask you assigned to
your
external IP. I have a feeling it's a typo in the netmask as that's a
very very small one.

Jason




Jason.

The figures are correct (I wondered about the unusual GW when I first
rx'd it but they said it was correct).  The thing is, I've had this
connection for a couple of years and have run a  number of firewalls
with no issue with these ie. Linux Router Project, Freesco and others I
have tested.  It is running now with a commercial firewall with no
problems.

Can I force it to accept the gateway IP ?

Regards...Martin


That setup just doesn't make sense.  Have you double and triple checked it?
It is hard to believe that it would work with anything.  If it has, then 
there are really big problems with everything else.




ipsecctl writev failed

2005-12-21 Thread Will H. Backman

OpenBSD 3.8 release.
I'm getting the same errors as this thread:
http://archives.neohapsis.com/archives/openbsd/2005-11/1980.html
I'm trying to use as many defaults as possible in this test setup, and 
sha1 is not being chosen by the defaults.  Any ideas?


Here is my ipsec.conf (yes, key values are just for testing):
flow esp from 192.168.71.129 to 192.168.71.128
esp from 192.168.71.129 to 192.168.71.128 spi 0x1000:0x1001 authkey 
0x:0x0001 
enckey 
0x:0x0001


Here is the output from ipsecctl -vv -f /etc/ipsec.conf:
@0 flow esp out from 192.168.71.129 to 192.168.71.128 peer 192.168.71.128
type require
@1 flow esp in from 192.168.71.128 to 192.168.71.129 peer 192.168.71.128
type use
@2 esp from 192.168.71.129 to 192.168.71.128 spi 0x1000 auth 
hmac-sha2-256 enc aesctr

authkey 
0x
enckey 
0x
@3 esp from 192.168.71.128 to 192.168.71.129 spi 0x1001 auth 
hmac-sha2-256 enc aesctr

authkey 
0x0001
enckey 
0x0001
ipsecctl: writev failed: Invalid argument
ipsecctl: failed to add rule 2
ipsecctl: writev failed: Invalid argument
ipsecctl: failed to add rule 3
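A worked version of the manual-keying setup from the ipsec.conf posts above (the two-line host-to-host stanza, the key-length question in the vpn(8) post, and this "writev failed" test), added here and not part of the thread: a POSIX sh script that generates keys of the length the ipsecctl defaults require and prints the stanza for each host with addresses, SPIs and keys swapped. It assumes, as labelled in the comments, that hmac-sha2-256 takes a 256-bit key and aesctr takes 160 bits (a 128-bit AES key plus a 32-bit nonce), which is what a warning on a 128-bit enckey reflects.

```shell
#!/bin/sh
# Added example, not from the mailing list thread: build the two-line
# manual-keying ipsec.conf stanza for each end of a host-to-host ESP tunnel,
# with random keys of the lengths the ipsecctl defaults actually require.
# Assumption (labelled): the default hmac-sha2-256 wants a 256-bit authkey and
# the default aesctr wants 160 bits (128-bit AES key plus 32-bit nonce), so a
# 128-bit enckey is what triggers the length warning seen on the list.

AUTH_BITS=256
ENC_BITS=160

# random_hex NBYTES: NBYTES random bytes as a 0x-prefixed hex string
random_hex() {
    printf '0x%s\n' "$(od -An -N"$1" -tx1 /dev/urandom | tr -d ' \n')"
}

# hexkey_bits 0xHEX: number of key bits encoded by a 0x-prefixed hex string
hexkey_bits() {
    hex=${1#0x}
    echo $(( ${#hex} * 4 ))
}

# check_key LABEL 0xHEX WANTBITS: succeed only when the key length matches
check_key() {
    bits=$(hexkey_bits "$2")
    [ "$bits" -eq "$3" ] && return 0
    echo "$1 key is $bits bits, expected $3" >&2
    return 1
}

# new_keyset: four fresh keys on one line: auth_out auth_in enc_out enc_in
new_keyset() {
    a_out=$(random_hex $((AUTH_BITS / 8))); a_in=$(random_hex $((AUTH_BITS / 8)))
    e_out=$(random_hex $((ENC_BITS / 8)));  e_in=$(random_hex $((ENC_BITS / 8)))
    echo "$a_out $a_in $e_out $e_in"
}

# stanza LOCAL REMOTE SPI_OUT SPI_IN A_OUT A_IN E_OUT E_IN: the two ipsec.conf
# lines for LOCAL; the outbound SA and its keys come first, the inbound second
stanza() {
    echo "flow esp from $1 to $2"
    echo "esp from $1 to $2 spi $3:$4 authkey $5:$6 enckey $7:$8"
}

# peer_stanza: the same eight arguments rewritten for the other host by
# swapping addresses, SPIs and keys, so both ends agree on every SA
peer_stanza() {
    stanza "$2" "$1" "$4" "$3" "$6" "$5" "$8" "$7"
}

# both_stanzas LOCAL REMOTE SPI_OUT SPI_IN: generate one keyset, validate it,
# then print the local stanza, a separator, and the peer's stanza
both_stanzas() {
    set -- "$1" "$2" "$3" "$4" $(new_keyset)   # word-split the four keys
    check_key auth "$5" "$AUTH_BITS" && check_key auth "$6" "$AUTH_BITS" &&
    check_key enc  "$7" "$ENC_BITS"  && check_key enc  "$8" "$ENC_BITS" || return 1
    stanza "$@"
    echo "# --- on $2 ---"
    peer_stanza "$@"
}

# Addresses and SPIs from the thread; keys are freshly generated each run
both_stanzas 192.168.71.129 192.168.71.128 0x1000 0x1001
```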



OpenBSD on virtual machine community page

2005-12-19 Thread Will H. Backman
My OpenBSD 3.8 virtual machine image has made it on to the VMWare
community virtual machine page.  Perhaps this means that more people
will be trying out OpenBSD.  My page does warn people not to expect the
OpenBSD project to support this.

I hope this will be a benefit to the OpenBSD community by giving people
an easy way to try it out.  If this causes headaches, let me know and
I'll pull the image from my site.

http://www.vmware.com/vmtn/vm/community.html

--
Will Backman - Network Administrator
Coastal Enterprises, Inc.
http://www.ceimaine.org



Re: browser security

2005-12-14 Thread Will H. Backman
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of
 Bob Smith
 Sent: Wednesday, December 14, 2005 11:37 AM
 To: J. C. Roberts
 Cc: misc@openbsd.org
 Subject: Re: browser security
 
 thanks for the explanation.
 
 so it would be less work to try to chroot a browser than to make a
 virtual machine? perhaps it's even a better way of isolating?
 
 i googled around a bit and found some threads about people trying to
 chroot their browsers, but i couldn't find any successful story. is it
 practically doable?
 
 looking at other troublesome programs; they come chrooted by default on
 openbsd. is there any effort being made by others than vmware to
 isolate browsers?
 
 seems to me like it would be a step in the right direction?
 

Anyone dare try making a systrace policy for firefox?



Re: browser security

2005-12-14 Thread Will H. Backman
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of
 Simon Morgan
 Sent: Wednesday, December 14, 2005 2:32 PM
 To: J.C. Roberts
 Cc: misc@openbsd.org
 Subject: Re: browser security
 
 On 14/12/05, J.C. Roberts [EMAIL PROTECTED] wrote:
  When you think about all the crap a graphical browser needs just to
run
  (fonts, mime types, library dependencies, plugins, cache, user
  preferences, ...), it will probably be a major pain to chroot the
beast
  because you'll be duplicating tons of stuff into your chroot. At
that
  point, you have only gained a copy of your file system rather than
any
  real security.
 
  Worse yet many browsers are actually dual purpose and function as
the
  system file manager within the windowing environment (windows/MSIE,
  KDE/konqueror, gnome/?, and so on...). If you actually manage to
  successfully chroot all your browsers to prevent accidentally
clicking
  on a bad link, you suddenly don't have a file manager and have
lost a
  lot of usability.
 
 I've just had the most awesome idea: chroot the entire operating
system!

Here you go:
http://cisx1.uma.maine.edu/~wbackman/vmware-images/
OpenBSD 3.8 default install image for the free VMWare player.
Of course, it only includes the lynx web browser, but it is hard to get
more secure than that!



Re: WebTools

2005-12-09 Thread Will H. Backman
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of
 Ricardo Lucas
 Sent: Friday, December 09, 2005 10:17 AM
 To: misc@openbsd.org
 Subject: WebTools
 
 Hello everybody,
 that's my doubt, what program can I use to monitor the traffic of my
 LAN, and display, in a web-based way, information such as the most visited
 site and the PC that most accesses the internet outside my intranet, of
 course, and things like these.
 I had installed MRTG and symon, but they do not fit my needs.
 
 Thanks for your attention
 
 --
 Ricardo Lucas

I like ntop for this purpose.



Re: NFS and Rebooting problem

2005-12-09 Thread Will H. Backman
 If you want to do it properly, use fdisk -e wd1, disklabel -E wd1, and
 newfs /dev/rwd1a, in that order.
 
   Joachim

Which is the short version of the New Disk FAQ:
http://www.openbsd.org/faq/faq14.html#NewDisk



Re: Updated CCD Mirroring HOWTO

2005-11-29 Thread Will H. Backman
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of
 Greg Oster
 Sent: Tuesday, November 29, 2005 12:26 PM
 To: Robbert Haarman
 Cc: misc@openbsd.org
 Subject: Re: Updated CCD Mirroring HOWTO
 
 Robbert Haarman writes:
  Greg,
 
  Again, you raise some interesting issues. I wonder how likely the
  catastrophic failures you describe are, versus how likely it is that
  things fail in a way where ccd actually helps you. I was hoping
someone
  else would comment on that, but that doesn't seem to have happened
so
  far.

So I gather from this discussion that hardware RAID is the way to go,
especially with some of the recent work around raid management software?



Re: #define failure opportunity

2005-11-29 Thread Will H. Backman
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of
 Spruell, Darren-Perot
 Sent: Tuesday, November 29, 2005 2:57 PM
 To: 'misc@openbsd.org'
 Subject: Re: #define failure opportunity
 
 From: pete wright [mailto:[EMAIL PROTECTED]
  Not that I don't think openssh is superior for the fact that it *is*
  open software, I bet that the company in question needs software
  support lisc. for legal issues.  If the software goes tits up and
  costs the company N dollars it is easier to get that money from a
  commercial entity whom you have a contract with (or more likely get
  money via a insurance broker of some sort).  At least that's the
best
  I've been able to see through that line of reasoning :^)
 
 Holds true until you realize that the box their software came in has a
big
 orange sticker on it notifying you that they aren't liable for any of
that
 stuff you would expect to be able to get money out of them from. Like
I
 said, snake oil. Don't believe for a moment that vendors don't take
every
 possible precaution to indemnify themselves from having to be
responsible
 for problems you experience as a result of using their software.
 
 DS

Software is like wine and lawyers.  If it costs more, it must be better.
;)



Re: Where to get md5 of X* install sets and packages

2005-11-22 Thread Will H. Backman
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of
 Siju George
 Sent: Monday, November 21, 2005 10:46 PM
 To: misc
 Subject: Re: Where to get md5 of X* install sets and packages
 
 On 11/18/05, Siju George [EMAIL PROTECTED] wrote:
  Hi all,
 
  http://ftp.jyu.fi/ftp/pub/OpenBSD/3.8/i386/MD5
 
  does not give md5 sums of Xbase, Xfonts, X* install sets.
 
  Where do I get them from??
 
  Also from where do I get the md5 sums of packages??
 
  Thank you so much
 
 
 Just wondering why no one answered this question either on the newbie
 list or [EMAIL PROTECTED]
 Is it that no one knows or is it such a dumb question and the answer
 is already somewhere? Didn't even get an RTFM for it.
 
 kind regards
 
 Siju

If you are looking for MD5 sums to verify the trustworthiness of the
packages, I think the best way would be to purchase the official CDs
from the OpenBSD store and run the MD5 tool yourself.  Not the most
useful answer for your immediate problem.  If you don't trust the
package on the ftp site, you can't trust the MD5 sums on that site
either.



Re: skype security?

2005-11-18 Thread Will H. Backman
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of
 Tobias Ulmer
 Sent: Friday, November 18, 2005 3:50 AM
 To: misc@openbsd.org
 Subject: Re: skype security?
 
 On Fri, Nov 18, 2005 at 11:14:22AM +0800, Lars Hansson wrote:
  Skype was brought to you by the same people who brought you
  Kazaa. Draw your own conclusions regarding ethics, security and
  openness from that.
 
  ---
  Lars Hansson
 
 
 
 Skype was recently bought by ebay which makes it only worse [1].
 
 Have a look at SIP (and SIPS), there is lots of (open) soft and
 hardware available.
 
 Tobias
 
 [1] http://www.skype.com/company/news/ebayfaq.html

Good native SIP softphone for OpenBSD?  Looking for reviews.  I connect
to my Asterisk machine using an IAX2 (Asterisk native protocol) client,
and let my asterisk machine do the SIP for me.



Re: pre defined macro

2005-11-16 Thread Will H. Backman
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of
 David fire
 Sent: Wednesday, November 16, 2005 10:29 AM
 To: misc@openbsd.org
 Subject: pre defined macro
 
 hi
 i have almost finished my network; the only thing i need to finish is a way to
 tell PF what the default gateway is
 look:
 pass in on $int_if route-to \
 ($ext_if1 default gateway ) from $lan_net to any keep state
 how can i tell that to pf?
 thanks
 David

I think you are talking about the egress group.  I think 3.8 puts any
interface that connects to a default route into that group.



Re: Filesystem redundancy

2005-11-16 Thread Will H. Backman
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of
 Marco Peereboom
 Sent: Wednesday, November 16, 2005 11:41 AM
 To: knitti
 Cc: Julian Smith; misc@openbsd.org
 Subject: Re: Filesystem redundancy
 
 This is actually pretty common believe it or not.  This does not
 provide filesystem redundancy though.  What this provides is a
 mechanism to have multiple servers to touch the same disks.  There
 clearly is some danger here since you can't have multiple machines
 touching the same filesystem.  So what people tend to do is have some
 sort of monitoring application check if the other machine is still
 up; when it dies it simply takes over the filesystem from the failed
 machine.
 
 There is even an opensource product called Fail Safe that provides
 the monitoring app functionality.  Last time I used it, it wasn't
 very robust but it did have all the required knobs to make such a
 thing work.
 
 /marco
 
 On Nov 16, 2005, at 7:35 AM, knitti wrote:
 
  There are SCSI enclosures with the ability to connect to two
different
  SCSI buses, so they can be accessed from two different machines.
   I _think_ the SCSI architecture could allow more than one host
  adapter on a bus. _But_ I never heard someone did this. I presume it
  would also depend on the host adapter and the driver.
 
 
  --knitti

Maybe OpenBSD can merge with OpenVMS, which should be easy given that
four of the letters are already the same.  OpenVMS has some amazing
clustering capabilities.



Re: isakmp implementation vulnerabilities

2005-11-15 Thread Will H. Backman
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of
 Dries Schellekens
 Sent: Tuesday, November 15, 2005 9:26 AM
 To: Chad Loder
 Cc: misc@openbsd.org
 Subject: Re: isakmp implementation vulnerabilities
 
 Chad Loder wrote:
 
  I just tested our isakmpd(8) implementation against the PROTOS
  test suite.  No problems were detected.  We performed an audit
  of isakmpd's IKE parsing code back in early 2004 and made several
  fixes (OpenBSD 3.4 timeframe).
 
 I guess you are referring to errata 015 of OpenBSD 3.4 (March 17,
2004).
 
 Now that is proactive security ;-)
 
 
 Cheers,
 
 Dries

I guess it would be interesting to test isakmpd from before that patch
and see if it was vulnerable.



Yeah - not vulnerable to lynx vulnerability

2005-11-15 Thread Will H. Backman
http://www.idefense.com/application/poi/display?id=338type=vulnerabilitiesflashstatus=true

Other vendors are suspected as also being vulnerable. The following
vendors include Lynx packages that are not susceptible to exploitation
as the lynxcgi feature is not compiled into Lynx by default:

* The FreeBSD Project
* OpenBSD

--
Will Backman - Network Administrator
Coastal Enterprises, Inc.
http://www.ceimaine.org


