Re: Cold Boot Attacks on Encryption Keys

2008-02-22 Thread knitti
as possible to move the RAM (this would be a plus also for the disks) physically. Physical security _is needed_ anyways. Soekris boxes also have soldered RAM. --knitti

Re: What is our ultimate goal??

2008-02-21 Thread knitti
to the idea, you have to show her that it is worth the hassle. But you don't even know what you're talking about. If *I* were a developer, I would be offended by the notion that AnotherSolution is *that* *much* *better* (as you imply) _without_ showing any evidence. --knitti

Re: need some help with base httpd

2008-02-18 Thread knitti
the include statement outside the Directory --knitti

Re: sendmail setup mail server error

2008-01-29 Thread knitti
anything else in this file. m4 ../m4/cf.m4 mydomain.mc mydomain.cf m4: mydomain.mc at line 11: include(../domain/mydomain.com.m4): No such file or directory Any help would be much appreciated. Thanks. please read about the DOMAIN macro. I don't think it does what you think it does. --knitti

Re: sendmail setup mail server error

2008-01-29 Thread knitti
On 1/29/08, knitti [EMAIL PROTECTED] wrote: On 1/29/08, Chris [EMAIL PROTECTED] wrote: vi mydomain.mc divert(0)dnl VERSIONID(`@(#)mydomain.mc $Revision: 1.11 $')dnl OSTYPE(openbsd)dnl DOMAIN(mydomain.com)dnl FEATURE(`virtusertable', `dbm /etc/mail/virtusertable')dnl MAILER(local

Re: OpenBSD 4.2 firewall freezing, even after patch 004 and 005

2008-01-21 Thread knitti
(NAVARONE-4.2) #0: Wed Jan 16 23:18:21 PST 2008 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/NAVARONE-4.2 http://openbsd.org/faq/faq5.html#Why --knitti

Re: building a kernel for net4801 from dmassage

2008-01-16 Thread knitti
) since 3.5 which are perfectly fine with GENERIC 2) Under what circumstances (generally) would one encounter a situation where it would strongly desirable to have a custom kernel? RAID? development: break stuff, fix stuff ? --knitti

Re: Suggested PF Setup when using BitTorrent?

2008-01-15 Thread knitti
, but the providers don't even know what exactly they have to log and they are not exactly keen on implementing it). --knitti

Re: Improving disk reliability

2008-01-09 Thread knitti
it to amanda, because (at least as I had to find a suitable solution 1.5 years ago) it was the only one which could do multi-volume-backups. It also works flawless with disk-based backups, simple tape drive and larger tape libraries. --knitti

Re: Richard Stallman...

2008-01-08 Thread knitti
like a duck an f... - wait a minute. Ouch. I have never seen anyone on this list fuck a duck with a tape. Ever. WARNING. Do not look at the duck with the remaining eye. --knitti

Re: Improving disk reliability

2008-01-07 Thread knitti
On 1/4/08, Nick Guenther [EMAIL PROTECTED] wrote: On 1/3/08, knitti [EMAIL PROTECTED] wrote: this is becoming OT, but I can't recommend storing HDDs as real backup solution either. HDDs _do_ have bitrot, and one should at least, say, once a year, verify that the *whole* disk is readable

Re: avoiding a mac address filter

2008-01-07 Thread knitti
On 1/7/08, Targus Neoprene [EMAIL PROTECTED] wrote: is there a way to surpass the mac filter and get an ip? most likely yes and yes. man ifconfig --knitti

Re: Improving disk reliability

2008-01-03 Thread knitti
cases with the real possibility of data loss. --knitti

Re: cvsweb browsing out of sync with latest src?

2007-12-18 Thread knitti
for every file in the Attic throughout the tree. I didn't try _every_ file, but quite some on very different places in the tree. --knitti

Re: Problem with disk Western Digital

2007-12-18 Thread knitti
simply get it exchanged with a new one). It is kaputt. --knitti

Re: come, help me with something more productive

2007-12-16 Thread knitti
intentions are worthless, if key people don't like it. --knitti

swap encryption Re: Putting partition in RAM

2007-12-14 Thread knitti
Gilbert, Douglas, swap encryption on OpenBSD is done different than what you advise. just use a sysctl for vm.swapencrypt.enable. Much less maintenance headaches. and yes, don't complain about being reminded that this is not a netbsd / linux support list. --knitti

Re: Monty Python 3000 Thread

2007-12-14 Thread knitti
== wooosh ===(your humour) O(my head) --knitti

Re: : rouge IPs / user

2007-12-12 Thread knitti
: the server didn't close its socket for some reason or non-reason. For that to find out I'll have to read some code, which may or may not turn up something (interesting for me). --knitti

Re: : : rouge IPs / user

2007-12-12 Thread knitti
another connection as a side effect). BUT since the whole code doesn't run threaded, I can't come up with something which would actually suggest that. I would appreciate if someone told me whether my interpretation is rather wrong or rather right ;) --knitti

Re: : no 4.2-stable package updates??

2007-12-12 Thread knitti
? That is correct. Now, this will prevent me from upgrading to 4.2. It isn't so that any pre-4.2-stable will be updated, so you lose nothing by upgrading. very often you can backport from -current ports without any change. --knitti

Re: : no 4.2-stable package updates??

2007-12-12 Thread knitti
any updates to -stable for the foreseeable future. Although some updates might happen, -stable should be considered unmaintained. --knitti

Re: : : rouge IPs / user

2007-12-12 Thread knitti
are contradictory. in theory, they are simply not related, because on different protocol layers. Practically there seems to be a correlation by implementation. --knitti

Re: : : rouge IPs / user

2007-12-12 Thread knitti
for long open half-closed TCP connections. My point with PF here was that it would reduce the possible numbers of close_wait state you could possibly see in the first place, which is one of the original goal of the question. Why? --knitti

Re: : : rouge IPs / user

2007-12-12 Thread knitti
On 12/12/07, Daniel Ouellet [EMAIL PROTECTED] wrote: knitti wrote: The problem would be to forget calling ap_bclose() after ending a connection, either because all data has been sent or the connection has been aborted. What I can read with some confidence, is that keeping a socket open

Re: : : rouge IPs / user

2007-12-12 Thread knitti
.informatik.uni-erlangen.de/Projects/JX/Projects/TCP/tcpstate.html --knitti

Re: : rouge IPs / user

2007-12-11 Thread knitti
. BUT perhaps I didn't get it at all and this makes no sense ;) --knitti

Re: BIND and the measure of system entropy (randomness?)

2007-12-11 Thread knitti
stuff like generating random IDs. on OpenBSD it doesn't. There was a mail from Theo regarding exactly this error message, stating that on OpenBSD BIND doesn't use (or need) this. You could search the archives... --knitti

Re: : rouge IPs / user

2007-12-11 Thread knitti
stack waits for the application (httpd) to close the connection after receiving the client's FIN. oh sorry, then I was wrong. So when client's FIN is already in, then (depending on how long it takes), is it normal behaviour of httpd or could it be considered a bug? --knitti

Re: : rouge IPs / user

2007-12-11 Thread knitti
think it applies to OpenBSDs httpd. I won't send any further mail to this thread you tell me to shut up. --knitti

Re: : rouge IPs / user

2007-12-11 Thread knitti
On 12/12/07, Daniel Ouellet [EMAIL PROTECTED] wrote: knitti wrote: HTTP keep alives have nothing to do with it. If the socket is in CLOSE_WAIT, the TCP connection can't be reused, the server has sent its FIN and the client its FIN/ACK, but the server doesn't have yet sent its final ACK

Re: Configuring sendmail openbsd 4.2

2007-11-29 Thread knitti
last. - Why would you accept mail to unresolvable domains? - consider adding a define(`confPRIVACY_FLAGS', . ) --knitti

Re: Configuring sendmail openbsd 4.2

2007-11-27 Thread knitti
day something goes wrong, and *you* will have to troubleshoot it. And in this very (possibly trivial) moment it pays having read the docs at least *once* before, just to roughly know where you can find which information. --knitti

Re: how best to handle DNS on firewalled home network?

2007-11-15 Thread knitti
: just use named in caching mode (should work out of the box) and forget your isp's name servers. it costs next to nothing performance-wise and works really well. a soekris 4501 firewall (100MHz/ 64 MB RAM) does handle a DSL-type connection (4 MBit) including dhcpd, named and ntpd very well. --knitti

Re: Slow Performance on Encrypted svnd

2007-11-14 Thread knitti
Instead of e.g. /dev/sd0a try /dev/rsd0a. I didn't try with svnd, but when copying partitions with dd I use this. --knitti

Re: Slow Performance on Encrypted svnd

2007-11-14 Thread knitti
On 11/14/07, Clint Pachl [EMAIL PROTECTED] wrote: knitti wrote: Instead of e.g. /dev/sd0a try /dev/rsd0a. I didn't try with svnd, but when copying partitions with dd I use this. I tried that, but like I said fdisk complained when the svnd device is associated with the raw direct access

Re: HP Procurve or Soekris w. OpenBSD ?

2007-11-12 Thread knitti
. Seeing the specs of the 4801 and knowing the 4501, I wouldn't use them for more than about 40-50 Mbit/sec. There are people on this list, who have more experience with the 4801. BUT you have to test for yourself if it fits your needs, and your performance depends a lot on your setting. --knitti

Re: identifying sparse files and get ride of them trick available?

2007-11-11 Thread knitti
side. this should also create a new sparse file. of course, you lose the rsyncability and you have to identify your sparse file in advance. But 16GB of nothing should compress very well ;) --knitti

Re: Security Comparisons

2007-11-10 Thread knitti
maintainability to the list. I end up having less to do for OpenBSD Servers to keep them happy running than for some Debian boxes, and Debian _is_ damn well maintainable. --knitti

Re: Trouble ftp'ing out of network, already running ftpproxy for internal ftp server, need to ftp out

2007-11-09 Thread knitti
to also say that? no, I *think* I made some wrong assumptions about your network (obviously didn't read your first mail carefully enough) and I can't figure out now why I suggested that. Sorry about that. --knitti

Re: Trouble ftp'ing out of network, already running ftpproxy for internal ftp server, need to ftp out

2007-11-08 Thread knitti
at the manpages pf.conf(5) ftp-proxy(8) --knitti

Re: Trouble ftp'ing out of network, already running ftpproxy for internal ftp server, need to ftp out

2007-11-08 Thread knitti
servers look at your pf.conf, you have commented out the line. you should change it to about this: rdr pass on $int_if proto tcp from any to !$ftp_server port ftp -> 127.0.0.1 port 8022 of course i didn't test this, but you get the idea --knitti

Re: Building a custom kernel error

2007-11-08 Thread knitti
On 11/8/07, 23e7 [EMAIL PROTECTED] wrote: I missing some option? did you read the FAQ? do you know what you are doing? why do you need a custom kernel? --knitti

Re: Building a custom kernel error

2007-11-08 Thread knitti
On 11/8/07, 23e7 [EMAIL PROTECTED] wrote: yes, I know. On 11/8/07, knitti [EMAIL PROTECTED] wrote: On 11/8/07, 23 $B9f (B [EMAIL PROTECTED] wrote: I missing some option? did you read the FAQ? do you know what you are doing? why do you need a custom kernel? the error message

Re: detecting bad disks

2007-11-08 Thread knitti
and look whether you can read everything fine. --knitti

Re: Custom Kernel for 4.2 upgrade

2007-11-02 Thread knitti
-current ;-) - you have to expect to deal with the unforeseen. --knitti

Re: RAIDFrame inconsistancy and server will not boot!

2007-10-26 Thread knitti
problems arise not from hardware or system failure, but from admin failure. Do backups. --knitti

Re: OpenBSD 4.2 RAIDFrame mirror

2007-10-25 Thread knitti
IBM deathstar series than from all other vendors combined, and they are usually hotter than from other vendors ) --knitti

Re: A (pf?) puzzler -- a single device invisible on the other side of an IPsec tunnel

2007-10-19 Thread knitti
JetDirect over WAN connections. look with tcpdump, whether the packets of the printserver look like you expect. perhaps it only has a ttl of 1 or 2 ;-) --knitti

Re: RaidFrame woes on 4.2 (RAIDFRAME: failed rf_ConfigureDisks with 2)

2007-10-14 Thread knitti
. --knitti

SOLVED Re: RaidFrame woes on 4.2 (RAIDFRAME: failed rf_ConfigureDisks with 2)

2007-10-14 Thread knitti
On 10/14/07, Greg Oster [EMAIL PROTECTED] wrote: knitti writes: raidlookup on device: /dev/wd3d failed ! ^ I suspect you have an extra space after wd3d in the config file... And, unfortunately, that annoying little non-feature is enough to stop RAIDframe

RaidFrame woes on 4.2 (RAIDFRAME: failed rf_ConfigureDisks with 2)

2007-10-13 Thread knitti
activated dkcsum: wd0 matches BIOS drive 0x80 dkcsum: wd1 matches BIOS drive 0x81 root on wd0a swap on wd0b dump on wd0b --knitti

Re: Server just freeze with no reason

2007-10-12 Thread knitti
in RAM usage or massive forks? I saw once a system run out of mem, with no swap space exhibiting the same behaviour. I could imagine (disclaimer: _didn't_ see that one) a system behave similar after not being able to fork anymore. --knitti

Re: all kernels except i386 MP high cpu in interrupt -- was: 4.2 on H8SSL-I2: acpi at mainbus0 not configured

2007-10-12 Thread knitti
(about 19MB/s without ping -f) i386/MP: 52-56 MB/s i386/UP: 8- 9 MB/s --knitti

Re: making a release with 4.1 Sept 24 snapshot

2007-10-12 Thread knitti
in time of -current. 4.2 and current diverged in august. What you have to do is in the FAQ. --knitti

all kernels except i386 MP high cpu in interrupt -- was: 4.2 on H8SSL-I2: acpi at mainbus0 not configured

2007-10-12 Thread knitti
On 10/11/07, knitti [EMAIL PROTECTED] wrote: Hi, after some sleep and coffee I am embarrassed to realize I made two mistakes: - I didn't provide a GENERIC(.MP) dmesg - I booted off the non-acpi-enabled kernel Sorry for that. Below you can see two GENERIC.MP dmesgs (i386/amd64) which clearly

Re: 4.2 on H8SSL-I2: acpi at mainbus0 not configured

2007-10-11 Thread knitti
: wd0 matches BIOS drive 0x80 dkcsum: wd1 matches BIOS drive 0x81 root on wd0a swap on wd0b dump on wd0b greetings, knitti

4.2 on H8SSL-I2: acpi at mainbus0 not configured

2007-10-10 Thread knitti
hub, rev 1.00/1.00, addr 1 dkcsum: wd0 matches BIOS drive 0x80 dkcsum: wd1 matches BIOS drive 0x81 root on wd0a swap on wd0b dump on wd0b greeting, knitti

Re: firewall is very slow, something's wrong

2007-10-08 Thread knitti
, knitti

Re: ms exchange replacement

2007-10-02 Thread knitti
at the underlying smtp and imap servers and actually fix things, much more transparent than exchange (of which i also have some instances to look after) greetings, knitti

Re: Tool for HD analyzing

2007-09-28 Thread knitti
on x86/AMD64 and are OK with a DOS bootdisk, search for MHDD. This is a really nice tool. Or just burn yourself an ultimate boot cd (ultimatebootcd.com), which also includes MHDD and a ton of other diagnosis and repair tools. greetings, knitti

9GB Wide SCSI HDDs useful?

2007-09-26 Thread knitti
the OpenBSD developer community can use them, I would ship them anywhere in the EU, preferably in Germany. greetings, knitti

Re: java on openbsd

2006-11-14 Thread knitti
it is for your purposes). --knitti

Re: OpenBSD AJAX

2006-10-25 Thread knitti
sense for code maintenance and d) really good stuff spaghetti style --knitti

Re: OpenBSD AJAX

2006-10-25 Thread knitti
On 10/25/06, knitti [EMAIL PROTECTED] wrote: [OT comment] sorry for this, it was off topic and slightly offensive --knitti

Re: pppoe slow on openbsd

2006-10-20 Thread knitti
that are not dedicated to networking as OpenBSD) CAN? OR NOT? your question is pointless, as openbsd does this already --knitti

Re: Version 4.0 release

2006-10-09 Thread knitti
can't see why you can whine that much about a status quo, yet not making any effort to use the better part of your hardware. otoh if your company can spend that much on hardware idling for years without it being a problem, why don't just fund one or two of the developers to do the task? --knitti

Re: Version 4.0 release

2006-10-09 Thread knitti
OpenBSD is just too slow and doesn't support enough hardware. sez who? a troll --knitti

Re: Hacking a mail server

2006-09-27 Thread knitti
traffic. finding whether a box was compromised is not trivial, especially if you don't find any evidence. if you can afford to do it, better reinstall from scratch and look where you can tighten up the security. --knitti

Re: Hacking a mail server

2006-09-26 Thread knitti
On 9/26/06, Carlos A. Garcia G. [EMAIL PROTECTED] wrote: can someone external to the network get a copy of all the mail that are getting to a mail server??? ?? short answer: no long answer: yes please clarify your question. also, why should this be related to openbsd? --knitti

Re: Hacking a mail server

2006-09-26 Thread knitti
[I reordered the text, so your answer is below my question, I think this is more readable] On 9/26/06, Carlos A. Garcia G. [EMAIL PROTECTED] wrote: knitti escribis: On 9/26/06, Carlos A. Garcia G. [EMAIL PROTECTED] wrote: can someone external to the network get a copy of all the mail

Re: spamd and TLS on port 25

2006-08-11 Thread knitti
MUAs or MTAs. --knitti

Re: Tuning OpenBSD network throughput

2006-08-08 Thread knitti
packets or with jumbo frames (huge difference) and, in any case, search the archives about tuning openbsd. --knitti

Re: OpenBSD and high availability

2006-08-07 Thread knitti
directly between the boxes. while I would do it with rsync (I know, depends on what you want to do), I don't see any reason why ccd'ing two large nfs-exposed files shouldn't work. But I think this would be more ugly and complicated than rsyncing every x minutes... --knitti

Re: sendmail

2006-07-27 Thread knitti
is supposed to be on the server, and then how to look at it. read and understand in this order: man afterboot /usr/share/sendmail/README documentation on sendmail.org this _will_ serve you far better than any step-through-howto --knitti

Re: sokeris output

2006-07-24 Thread knitti
have a couple of net4501 running with some slightly older OpenBSDs (3.4, 3.5, 3.7) which Just Work (TM). Is the net4801 that different? --knitti

Re: problem with sendmail on obsd. .com.au turned into com.au.com.au

2006-07-24 Thread knitti
in an entry to /etc/hosts pointing int-firewall.sbisolutions.com.au.com.au to 127.0.0.1 This didn't work as I guess sendmail doesn't use /etc/hosts. I _think_ this depends on your resolv.conf --knitti

Re: How to make fsck run faster?

2006-07-16 Thread knitti
, and the more memory is consumed by the fsck --knitti

Re: Kernel pppoe (and the german ISP Hansenet)

2006-07-06 Thread knitti
On 7/6/06, knitti [EMAIL PROTECTED] wrote: I'd suspect some different issues than just blaming the implementation of the daemon sorry, this is of course not about the daemon, but the rest still applies --knitti

Re: Kernel pppoe (and the german ISP Hansenet)

2006-07-06 Thread knitti
ISPs sell you some gigantic *theoretical maximum* adsl, which doesn't work because of poor line quality etc. also, I think an up/down ratio of about 1:22 does sound like you'll only max out your downstream on some special applications, e.g. udp-streams (video) --knitti

Re: hints for scanning msdosfs patters?

2006-07-06 Thread knitti
case, the more fragmented the FAT was, the less is the chance of reviving something meaningful. --knitti

Re: Kernel pppoe (and the german ISP Hansenet)

2006-07-06 Thread knitti
no point in looking into the performance of ppp_d_ --knitti

Re: Crashes and HDD params

2006-06-23 Thread knitti
to 0xffc (pio 4) does fix it. this doesn't necessarily mean the controller or disk is buggy, it could just be a bad cable, which works, if not used at top speed (or, more correctly, frequency). I have seen this multiple times with almost any os (that supports udma) --knitti

Re: mounting two times

2006-06-19 Thread knitti
into a shell, a chroot would help a lot ;) --knitti

Re: mounting two times

2006-06-19 Thread knitti
On 6/19/06, Lars Hansson [EMAIL PROTECTED] wrote: On Monday 19 June 2006 19:09, knitti wrote: protocol attacks on the application which talks to mysql? Uhm, and using a domain socket is different how? ouch, snafu. sorry, I misunderstood. I don't think there's any practical security

Re: Hifn policy on documentation

2006-06-15 Thread knitti
documented, so you can test any output except that of the RNG against a 'known good' implementation --knitti

Re: wikipedia article

2006-06-11 Thread knitti
, reiser4) (...rest of rant deleted, it's already off topic...) oh, and don't tell me i shall participate. --knitti

Re: ntp on soekris

2006-06-08 Thread knitti
On 6/8/06, Peter [EMAIL PROTECTED] wrote: --- knitti [EMAIL PROTECTED] wrote: the soekris are not very good at time keeping, in my experience. whether this is a problem is something you have to decide, do you need more precision? if yes, change the hardware, else don't worry What is your

Re: ssh attacks

2006-06-07 Thread knitti
. for users of microsoft vpn or similar, we have them authenticate first against authpf, so the port is not available to anon users. and using authpf can be as simple as one click on a link using putty (or similar) with the right ssh key. --knitti

Re: openbsd on virtual machine

2006-06-05 Thread knitti
On 6/5/06, knitti [EMAIL PROTECTED] wrote: - 2nd partition ffs sorry, that's slightly wrong, this partition held openbsd, which had a single disk slice with a ffs. But I didn't see any limitation that there could be more than one. knitti

Re: openbsd on virtual machine

2006-06-05 Thread knitti
the gui, but the configuration is a text file, so it should be possible to achieve this (as in vmware created volumes are compatible with vmware player) hth, knitti

Re: openbsd on virtual machine

2006-06-04 Thread knitti
, but you just have to make sure, the bootloader hits the right pbr. no magic. --knitti

Re: [OpenCVS] what does soon mean?

2006-04-09 Thread knitti
CVS and easily switch later to OpenCVS. --knitti

Re: pf.conf to log specific but block all

2006-02-25 Thread knitti
for maybe an hour or two, if you're not familiar with it. if this is in place, you don't have to worry, and you also don't have to log connections to your ssh port. --knitti

Re: boot.conf

2006-02-24 Thread knitti
not have the opportunity to boot in single user when it may be necessary. Are there ways to circumvent the latter? what problem are you trying to solve? --knitti

Re: spamd-setup doesn't return

2006-02-22 Thread knitti
and it wouldn't help. --knitti

Re: Pf questions for larger implementation

2006-02-22 Thread knitti
should handle it easily. the only thing I can imagine is running into the default state limit. see man pf.conf the part about set limit. --knitti

Re: spamd-setup doesn't return

2006-02-21 Thread knitti
On 2/21/06, Bob Beck [EMAIL PROTECTED] wrote: Is spamd running on this system? sorry for not trying this earlier: I just killed restarted spamd, and spamd-setup now behaves as expected. (It just didn't occur to me...) --knitti

Re: SCSI tape drive hanging

2006-02-21 Thread knitti
On 2/21/06, Marcus Barczak [EMAIL PROTECTED] wrote: --- dmesg --- OpenBSD 3.8 (NERF) #0: Fri Jan 20 13:35:16 EST 2006 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/NERF uh oh. http://openbsd.org/faq/faq5.html#Why --knitti

spamd-setup doesn't return

2006-02-19 Thread knitti
.:\ :method=file:\ :file=/etc/spamdblack.txt: thanks for reading, knitti
