Re: OT - gmail alternatives

2010-12-09 Thread Brad Tilley
Adam M. Dutko wrote:
 How do they deal with legal jurisdiction?  Technically the government can
 still subpoena and they'd have to turn over the documents in the person's
 account, including backups.

Use GPG so all the ISP could do is hand over the encrypted bits. You
hold the key.

Brad



OT - Switzerland domain name registrars

2010-12-08 Thread Brad Tilley
Can anyone recommend good/reputable domain name registrars in
Switzerland to buy .ch domains from and/or transfer .com names to? I'm
in the US and have heard good things about switchplus, but I wanted to
ask here as I know many OpenBSD people are in Europe.

Thanks,

Brad



Re: SSD with firmware upgrade under OpenBSD

2010-11-30 Thread Brad Tilley
Kevin Chadwick wrote:
 On Tue, 30 Nov 2010 16:44:51 +0100
 Jan Stary h...@stare.cz wrote:
 
 On Nov 30 12:32:16, Kevin Chadwick wrote:
 On Mon, 29 Nov 2010 21:17:17 -0500
 Brad Tilley b...@16systems.com wrote:

 Do they really fail that often?
 My current understanding is that a mostly empty SSD's electronics will
 fail before it forgets what it's written but a mostly full and busy SSD
 may start forgetting fairly soon, unless it shuffles data which would
 slow it down considerably.
 My current understanding is that you treat a SSD as any other disk and
 never even notice that your wd0/sd0 is not a piece of metal rotating
 at 7200RPM, unless you read/write huge amounts of data, which you don't.

 Let's not get into that again.

 
 I almost completely agree, but also disagree and yes I'd say it's not
 worth getting into again. I would have to check the latest developments
 as I can imagine an algorithm which solved the problem during idle
 periods or didn't use its full capacity but currently I don't agree
 fully with huge amounts of data. The problem was reduced immensely by
 spreading writes across all free sectors rather than sequentially but I
 believe? the problem re-appears on a busy nearly full disk. I would also
 hope/imagine the only effect would be getting bad sectors in that area
 but I haven't looked into it very far as I currently have no need to
 and so maybe I should shut up until I do. However, I for one will not
 be treating SSDs like HDDs in all applications of disks until after I
 learn more.

I've been treating my SSD like any other hard disk during the last year.
It is still working fine. The specs say it has a MTBF of 1,000,000 hours
and I've only used it for about 10,000 hours so far. I've been at 60%
capacity since day one.

If it fails before meeting the MTBF, I'll send it back for a refund. If
it lasts as long as they claim it will (about a hundred years), then
I'll be dead before it stops working. :)

Brad



Re: SSD with firmware upgrade under OpenBSD

2010-11-30 Thread Brad Tilley
Kevin Chadwick wrote:

 I almost completely agree, but also disagree and yes I'd say it's not
 worth getting into again. I would have to check the latest developments
 as I can imagine an algorithm which solved the problem during idle
 periods or didn't use its full capacity but currently I don't agree
 fully with huge amounts of data. The problem was reduced immensely by
 spreading writes across all free sectors rather than sequentially but I
 believe? the problem re-appears on a busy nearly full disk. I would also
 hope/imagine the only effect would be getting bad sectors in that area
 but I haven't looked into it very far as I currently have no need to
 and so maybe I should shut up until I do. However, I for one will not
 be treating SSDs like HDDs in all applications of disks until after I
 learn more.

One thing you might consider... buy an SSD and do some testing. Attach it
to an OpenBSD box, put a file system on it, then write a script similar
to this to repeatedly fill and empty the file system:

while :
do
    # fill the file system with random data (dd runs until the disk is full)
    dd if=/dev/arandom of=big_un.bin bs=64k
    sync
    sleep 1
    # overwrite and unlink the file, then start the next pass
    rm -P big_un.bin
done

Let that run for a few years and see how long the disk actually lasts.
You could put up a website with live results. You'd become famous too...
especially if you hit the decade mark and the thing still works :)

Also, I just noticed that the high-end Intel SSDs claim 2,000,000 hours
MTBF. I wonder why they market that number and then say 3 year
warranty. There's only roughly 26,280 hours in a three year period.

Brad



Re: SSD with firmware upgrade under OpenBSD

2010-11-29 Thread Brad Tilley
On 11/29/2010 02:56 PM, Ted Unangst wrote:
 buying a new SSD to replace your burned out one every year is still
 cheaper than building a 15k sas drive raid set with equivalent
 performance.

I've been using an inexpensive Kingston SSD for more than a year now in
a 4.6 box. It works fine and I've never thought about flashing its
firmware. Its MTBF is astronomical. Do they really fail that often?

Brad



Re: Advice on learning C as first language

2010-11-24 Thread Brad Tilley
James Hozier wrote:

 Are there any books that are more noob-friendly for those who want to learn C as their 
 first language and explain basic programming terms along the way?

I'm no expert, but I do program C for applications (not operating
systems). My advice would be to study data structures, pointers and
concepts such as const, struct, etc. and to understand why types are
important. When you script with Python/Perl/Ruby much of that is glossed
over, but is really important.

By itself, C is very basic and small and can be learned quickly.
However, if you need a data structure to do useful things, you need to
find a library or roll your own.

I would suggest learning C++ as a C with more stuff built-in. Its STL
has well-tested lists, queues, stacks, maps, vectors, hashes, etc.
built-in to it so you are not rolling your own or looking at external
libraries. It also has references (but you can still use raw pointers if
you like) and the C++ compiler won't let you get away with nearly as much.

Just my experience, good luck.

Brad



Re: Advice on learning C as first language

2010-11-24 Thread Brad Tilley
Brad Tilley wrote:
 James Hozier wrote:
 
 Are there any books that are more noob-friendly for those who want to learn C as 
 their first language and explain basic programming terms along the way?

Forgot to mention a book... If you decide to take the C++ route, I
suggest Accelerated C++.

http://www.acceleratedcpp.com/



Re: OT: Disadvantages of using virtual firewalls like OpenBSd

2010-11-23 Thread Brad Tilley
carlopmart wrote:

 Advantages are very clear for me: provisioning, administration tasks,
 etc ... But I would like to know the disadvantages. What is your opinion from the
 point of view of security?

I use virtualization for many things (mainly for the productivity
advantages that you list), but it has always bothered me because
virtualization is pretending.

In Java, for example, the VM pretends about a lot of things that are not
true in the physical world. This makes it easy and convenient for
programmers. The problem is that they come to believe that the pretend
things are real and then make assumptions (when dealing with physical
machines) that are incorrect.

I would say that so long as you understand that a lot of pretending is
going on when doing any sort of virtualization, (and you accept that)
and that you know the differences between the pretend machines and the
real machines then you know all you need to know in order to decide if
it is right for your environment.

Brad



Re: OT: Disadvantages of using virtual firewalls like OpenBSd

2010-11-23 Thread Brad Tilley
Nick Holland wrote:

 what's changed?
 Layering? Nope.
 Crappy programming?  Nope.
 Better hardware?  not really.
 Features-before-security?  Nope.

Good points. The goals of virtualization are easy management, power
savings, quick provisioning and deployment, redundancy, etc. When you
talk about security and virtualization at the guest level, the
prevailing attitude is, "If it gets hacked, we'll just restore it from a
known good snapshot... problem solved."

I don't hear much talk at all about the host machine and security (the
real server that hosts all the pretend servers is just assumed to be
OK). There just seems to be a lot of trust in the vendors.

Brad

 Lots new features, though.
 And they fixed a few bugs AFTER they were brought to the vendor's
 attention.  Reactive at its best.   You think they FIXED more bugs than
 they added with the new features?
 
 I think the virtualization products have proven their attitude towards
 security and correctness.  If something changed, it is theirs to
 prove...and then, you still have the complexity issue.  A more complex
 system is unlikely to be more secure or more reliable than a simple system.
 
 Nick.



Re: OT IPv6 Was: nfsv4?

2010-10-31 Thread Brad Tilley
On 10/31/2010 04:01 PM, Diana Eichert wrote:

 excuses only go for so long.  I tell you IPv6 deployment is moving
 forward.

Perhaps we can shame them into facing facts:

$ dig +short AAAA www.netbsd.org
2001:4f8:3:7:2e0:81ff:fe52:9a6b

$ dig +short AAAA www.freebsd.org
2001:4f8:fff6::21

$ dig +short AAAA www.openbsd.org
silence



Re: OT IPv6 Was: nfsv4?

2010-10-30 Thread Brad Tilley
On 10/30/2010 04:18 PM, Marco Peereboom wrote:


 Lets hope the youtubes and facebooks go v6 so that they get off my v4
 lawn.

No need to hope:

$ dig +short AAAA www.v6.facebook.com
2620:0:1cfe:face:b00c::3

Brad



Re: nfsv4?

2010-10-29 Thread Brad Tilley
James A. Peltier wrote:

 No, the NFS share is re-exported out via Samba as a native CIFS mount to 
 Windows machines.  It's a simple copy paste for them

CIFS? How do you encrypt that? That's all clear text (except the auth)
right?

Brad



Re: nfsv4?

2010-10-29 Thread Brad Tilley
On 10/29/2010 09:24 PM, Corey wrote:

 I've put off learning anything really about IPv6 in hopes that after
 most organizations ignore it, it withers and dies (at least in its
 current form).  

snip

I like it. It works well with OpenBSD and you can get free tunnels from
SixXS and others to use (if your ISP isn't native). Virginia Tech has
had a native production IPv6 network for many years now.

I set up OpenSSH to only listen on inet6 (AddressFamily inet6). This
keeps all the v4-only brute force ssh scanner noise out of the logs.
What a waste of logging. Also, by creating AAAA records, it's human
friendly.

Using pf to only talk to other OpenBSD hosts and OpenSSH to only do
inet6 are great features.

Brad



Re: nfsv4?

2010-10-27 Thread Brad Tilley
James A. Peltier wrote:

 Now, that said, is there anything that you could recommend instead of NFSv4 
 for offering secure file services to multiple platforms?

Apache with SSL may be a solution. I've used it on small scale projects.
You can auth users against LDAP, AD, etc. It should work with any client
that has an SSL capable web browser/client of some sort. It's very
portable, file system and client agnostic.

The one downside (IMO) is that the clients won't see it as a native file
system mount, but there are interfaces available and you can always
write your own or customize one to fit your needs.

Your own little dropbox-ish solution.

Brad



Re: Force passwordcheck in login.conf

2010-10-18 Thread Brad Tilley
One last note... it seems that OpenPAM on the other BSDs and LinuxPAM on
Linux systems address all of PCI requirement 8. However, they all seem
to differ slightly with their PAM implementations and PAM in general
seems overly complex (to me at least).

I mis-configured PAM on a test system (commented out one line in error)
and found that root could log in by typing *anything* and that the
normal root password still worked too.

Brad



Re: Force passwordcheck in login.conf

2010-10-17 Thread Brad Tilley
On 10/17/2010 12:56 PM, Dewey Hylton wrote:

 just a quick note on how we addressed 8.5.13 ... yes, it requires python,
 but we are
 a python shop so this was not an issue for us. i'm just posting it for the
 purpose of
 sharing ideas.

 http://www.deweyonline.com/files/openbsd/login_-custompasswd

Thanks. I'll add that as a possible solution for folks who wish to add
Python to the base install.

Brad



Re: Auto Logout Idle Users

2010-10-15 Thread Brad Tilley
Jurjen Oskam wrote:
 On Thu, Oct 14, 2010 at 06:17:23PM -0400, Brad Tilley wrote:
 
 I thought about doing that too. I need to test it more to see what
 happens when ksh is the shell and the user executes csh manually. I
 suppose ksh will still honor TMOUT in that case.
 
 TMOUT is at most a convenience, not a security measure:
 
 $ TMOUT=600
 $ readonly TMOUT
 $ exec perl -e 'delete $ENV{TMOUT} ; exec /bin/ksh;'
 $ echo $TMOUT
 0
 $ 
 

Understood. If an employee did that, there should be measures in place
at the policy level to deal with that behavior (if it is discovered).
70% of the PCI DSS controls are policy and procedure, not technical.

Thanks to all for feedback, I appreciate it.

Brad



Re: Force passwordcheck in login.conf

2010-10-14 Thread Brad Tilley
Leif Blixt wrote:
 Brad Tilley brad at 16systems.com writes:
 
 I was experimenting with a program to meet PCI DSS 1.2 password length
 and content/complexity requirements and integrating it with login.conf
 for users who have shell access to OpenBSD systems. It seems to work as
 expected, but I wanted to run my configuration by misc.

 I appended the following two lines to the end of both default and staff
 in login.conf. Look OK?

 :passwordcheck=/path/to/program:\
 :passwordtries=0:

 I understand that it would be easy (and redundant) to use minpasswordlen
 to meet the length requirement, but it's easy to check that in the
 program itself.

 Brad


 
 
 We are currently being reviewed for PCI DSS compliance, and the big problems
 we have right now with the combination of PCI DSS and OpenBSD is the following
 PCI DSS requirements:
 8.5.12 Password history check - you may not use the last 4 passwords.
 8.5.13 Lockout after 6 failed attempts - OpenBSD does not lock accounts
 automatically.
 8.5.14 If 8.5.13 takes effect, the account must be locked for at least 30
 minutes.

I concluded the same for requirement 8. See my rough notes here. I plan
to add to that page as I do more testing:

http://16systems.com/OpenBSD/pci.html

 How have you addressed these requirements? I'm starting to think we need a
 RADIUS solution, which seems a bit redundant working with OpenBSD...
 
 Regards, Leif

RADIUS may do it if the backend can enforce those things (I don't know
enough about this to comment, but OpenLDAP may work). If that cannot do
it, read Appendix B of the PCI DSS carefully. They allow compensating
controls when the requirements cannot be followed precisely.

Brad



Re: Force passwordcheck in login.conf

2010-10-14 Thread Brad Tilley
Leif Blixt wrote:
 Hi!
 
 We have just figured out a different approach, and will discuss our new idea 
 with our QSA tomorrow. The idea is to completely turn off the possibility to 
 log in with passwords, and to use SSH key pairs with long and good 
 passphrases instead. It will lead to more work with administrating accounts 
 and there is a small problem on how to distribute the public key to all 
 servers, but we don't have to set up a RADIUS server just yet!
 
 I will let you know what the response from our QSA is.
 
 /Leif

Can you do that? I think local logon would still be an issue, at least
the way I read it. Anyone in front of the machine at a console would be
subject to the requirements.

Brad



Re: Force passwordcheck in login.conf

2010-10-14 Thread Brad Tilley
Leif Blixt wrote:
 Well, I don't think so. You only need to logon to the console when you have 
 big problems, and we just have set a really long and complicated password for 
 the root user and stored it away for emergency use in a safe. You still have 
 the external shell protection by restricting who can access the server room. 
 All other users must use sudo anyway, so you don't need the root password on 
 a daily basis, and that's enough for PCI DSS.
 
 /Leif


Requirement 8.5 applies to non-consumer users and administrators. I
would assume that means root at a local console. Let me know what your
QSA determines. It seems some of this is open to interpretation and
depends on the opinion of the QSA.

Brad


 -Original Message-
 From: Brad Tilley [mailto:b...@16systems.com] 
 Sent: den 14 oktober 2010 14:09
 To: Leif Blixt; openbsd-misc
 Subject: Re: Force passwordcheck in login.conf
 
 Leif Blixt wrote:
 Hi!

 We have just figured out a different approach, and will discuss our new idea 
 with our QSA tomorrow. The idea is to completely turn off the possibility to 
 log in with passwords, and to use SSH key pairs with long and good 
 passphrases instead. It will lead to more work with administrating accounts 
 and there is a small problem on how to distribute the public key to all 
 servers, but we don't have to set up a RADIUS server just yet!

 I will let you know what the response from our QSA is.

 /Leif
 
 Can you do that? I think local logon would still be an issue, at least
 the way I read it. Anyone in front of the machine at a console would be
 subject to the requirements.
 
 Brad



Re: FW: Force passwordcheck in login.conf

2010-10-14 Thread Brad Tilley
Stuart VanZee wrote:
 For 8.5.12 see login.conf man page, look for passwordcheck.
 You will have to write (or find) a program that keeps track
 of previously used passwords.  I just stored a hash of them
 in a file and have it check to see if the new password hash
 matches any of the old 4 password hashes.

I considered that as a possible solution as well, but it seems that
approach would weaken the security of the passwords, especially if you
just use an unsalted hash (md5 or sha1) to store them.

Brad



Re: Auto Logout Idle Users

2010-10-14 Thread Brad Tilley
Brad Tilley wrote:
 I created the file /etc/profile to force sh and ksh to logout users
 after a certain period of idleness:
 
 $ cat /etc/profile
 
 # Force sh and ksh to logout idle users after 15 minutes
 # Prevent normal users from disabling this setting
 readonly TMOUT=900
 export TMOUT
 
 That works great. I've tried to do the same to the other default shell
 in base (csh). I added 'set autologout=15' to /etc/csh.cshrc and then to
 /etc/csh.login as well (I'm turning knobs like a good clueless user).
 
 I then read the csh man page, but saw no mention of autologout. Perhaps
 the OpenBSD version of csh does not support this? Is there a way to do
 this with csh? If not, I'll need to remove access to the shell.

Replying to myself. I can't seem to make csh auto logout inactive users.
So I did this:

rm /bin/csh
cp /bin/ksh /bin/csh

Any good reason to not do this?

Brad



Re: Auto Logout Idle Users

2010-10-14 Thread Brad Tilley
Adam M. Dutko wrote:
 Any good reason to not do this?


 They're not the same shell.  

Yes, I know that part :)

 I can't think of any security reasons because
 I'm not familiar with the code but as far as logs and noise factor I imagine
 it would go up or various things might start breaking that depend on csh.

Base seems to only have two shells as ksh and sh have the same md5
checksum. I'm hoping csh is only included for historical reasons or in
honor of Bill Joy or something such as that.

Brad



Re: Auto Logout Idle Users

2010-10-14 Thread Brad Tilley
Jan Stary wrote:

 Why do you want to logout idle users?
 There is sysutils/idled if you need it.

I'm experimenting with getting an OpenBSD base system to meet the PCI
DSS requirements. I'm trying to avoid using any software outside the
base system.

 rm /bin/csh
 cp /bin/ksh /bin/csh

 You just forced your csh users to use ksh. Why do you want them to hate you?

It's just a shell, they'll get over it.

 Why don't you also 'mv /bin/rm /bin/ls' while you are at it?

Not a very similar comparison.




Re: Auto Logout Idle Users

2010-10-14 Thread Brad Tilley
On 10/14/2010 05:08 PM, Darrin Chandler wrote:
 rm /bin/csh
 cp /bin/ksh /bin/csh

 You just forced your csh users to use ksh. Why do you want them to hate you?

 It's just a shell, they'll get over it.
 
 Remove it from /etc/shells instead. Replacing csh with ksh is evil, and
 I don't mean that in a good way.
 

I thought about doing that too. I need to test it more to see what
happens when ksh is the shell and the user executes csh manually. I
suppose ksh will still honor TMOUT in that case.

Brad



Re: Auto Logout Idle Users

2010-10-14 Thread Brad Tilley
On 10/14/2010 05:13 PM, Jan Stary wrote:
 On Oct 14 17:01:30, Brad Tilley wrote:
 Jan Stary wrote:

 Why do you want to logout idle users?
 There is sysutils/idled if you need it.

 I'm experimenting with getting an OpenBSD base system to meet the PCI
 DSS requirements.
 
 Does PCI DSS require you to log users out?

After 15 minutes of inactivity, users must re-enter the password.
Something such as that.

 I'm trying to avoid using any software outside the base system.

 rm /bin/csh
 cp /bin/ksh /bin/csh

 You just forced your csh users to use ksh. Why do you want them to hate you?

 It's just a shell, they'll get over it.
 
 Unbelievable.

I'm not actually doing this to users on an existing system. I'm just
experimenting. Thinking out loud about the issues before having to deal
with it.



Re: Auto Logout Idle Users

2010-10-14 Thread Brad Tilley
On 10/14/2010 06:45 PM, Ben Niccum wrote:

 I thought about doing that too. I need to test it more to see what
 happens when ksh is the shell and the user executes csh manually. I
 suppose ksh will still honor TMOUT in that case.

 Brad

 
 Don't mean to complicate things for you, but just thought I should
 mention that if the user does:
 
 # exec /bin/csh
 
 Then csh takes over ksh's active process, and even though the TMOUT
 variable is still there, csh doesn't honor it, and ksh is no longer
 around to object.
 
 -Ben

Great point. That's precisely the sort of thing I'd like to have thought
about. Much of the compliance efforts may look good on paper, but have
no impact on actual usage or may be trivially circumvented as you point
out. So while disabling a shell may get a check mark during PCI
compliance efforts, that may be all you end up with.

Brad



Re: Force passwordcheck in login.conf

2010-10-13 Thread Brad Tilley
Mark Romer wrote:
 use passwdqc, it is in packages.
 
 in login.conf under default I have:
 :minpasswordlen=12:\
 :login-tries=4:\
 :passwordtries=3:\
 :passwordcheck=/usr/local/libexec/passwdqc -3 12
 
 Mark

I've heard complaints that it is too stringent (I tend to agree, no
offense to Solar). PCI DSS 1.2 only requires numbers and alphabetic
chars in the password. So, letmein123 meets the requirement.

Brad
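
As an added example (not code from the list, nor from Stuart's or Dewey's programs): a passwordcheck-style program covering both points raised in this thread, the PCI DSS 1.2 complexity rule above (at least seven characters with both letters and digits, so letmein123 passes) and the last-four-passwords history from the FW thread, but with each old password stored under its own random salt through PBKDF2 instead of a bare md5/sha1, so the history file is not a ready-made cracking list. It assumes the login.conf(5) passwordcheck contract (password on stdin, exit status 0 to accept) and takes the history file path as its argument; deriving a per-user path is left out.

```python
#!/usr/bin/env python3
"""passwordcheck-style program: PCI DSS 1.2 password rules plus a salted history.

Added example, not code from the list.  Meant to be wired in through the
login.conf(5) passwordcheck capability: passwd(1) writes the candidate
password to this program's stdin and treats exit status 0 as "accepted".
"""
import hashlib
import hmac
import os
import sys

MIN_LEN = 7          # PCI DSS 1.2 req. 8.5.10: at least seven characters
HISTORY_DEPTH = 4    # req. 8.5.12: the last four passwords may not be reused
PBKDF2_ROUNDS = 50_000
SALT_BYTES = 16


def complexity_ok(password):
    """Req. 8.5.10 and 8.5.11: long enough and both alphabetic and numeric.
    (So letmein123 passes, as the thread notes; letmein and 12345678 do not.)"""
    return (len(password) >= MIN_LEN
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


def hash_entry(password, salt=None):
    """Return 'salthex$keyhex' for the history file.  A fresh random salt per
    entry plus a slow KDF is what an unsalted md5/sha1 file lacks: the same
    password never yields the same line twice, and a guess has to be
    re-derived against every entry instead of checked once against all."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              PBKDF2_ROUNDS)
    return salt.hex() + "$" + key.hex()


def matches_entry(password, entry):
    """Re-derive with the entry's own salt and compare in constant time."""
    salt_hex, key_hex = entry.split("$", 1)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(key.hex(), key_hex)


def check_password(password, history):
    """Return (accepted, reason).  history is newest-first hash_entry lines."""
    if not complexity_ok(password):
        return False, ("use at least %d characters with both letters and digits"
                       % MIN_LEN)
    if any(matches_entry(password, e) for e in history[:HISTORY_DEPTH]):
        return False, "password matches one of the last %d passwords" % HISTORY_DEPTH
    return True, "ok"


def remember(password, history):
    """History after a successful change: the new entry plus the newest three."""
    return [hash_entry(password)] + history[:HISTORY_DEPTH - 1]


def load_history(path):
    try:
        with open(path) as f:
            return [line.strip() for line in f if "$" in line]
    except FileNotFoundError:
        return []


def save_history(path, history):
    # Root-only file: the entries are slow to crack, but need not be readable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write("\n".join(history) + "\n")


def main():
    # Assumption of this example: the history file path is given as argv[1].
    # A real deployment would derive a per-user path, which is left out here.
    path = sys.argv[1] if len(sys.argv) > 1 else "pwhistory.txt"
    password = sys.stdin.readline().rstrip("\n")
    history = load_history(path)
    ok, reason = check_password(password, history)
    if not ok:
        print(reason, file=sys.stderr)
        sys.exit(1)
    # Record the accepted password so it is refused for the next four changes.
    save_history(path, remember(password, history))
    sys.exit(0)


if __name__ == "__main__":
    main()
```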



Auto Logout Idle Users

2010-10-13 Thread Brad Tilley
I created the file /etc/profile to force sh and ksh to logout users
after a certain period of idleness:

$ cat /etc/profile

# Force sh and ksh to logout idle users after 15 minutes
# Prevent normal users from disabling this setting
readonly TMOUT=900
export TMOUT

That works great. I've tried to do the same to the other default shell
in base (csh). I added 'set autologout=15' to /etc/csh.cshrc and then to
/etc/csh.login as well (I'm turning knobs like a good clueless user).

I then read the csh man page, but saw no mention of autologout. Perhaps
the OpenBSD version of csh does not support this? Is there a way to do
this with csh? If not, I'll need to remove access to the shell.

Thanks

Brad

P.S. I only mean the local shells, not OpenSSH. I do this when required
to autologout idle ssh users:

ClientAliveInterval 900
ClientAliveCountMax 0



Force passwordcheck in login.conf

2010-10-12 Thread Brad Tilley
I was experimenting with a program to meet PCI DSS 1.2 password length
and content/complexity requirements and integrating it with login.conf
for users who have shell access to OpenBSD systems. It seems to work as
expected, but I wanted to run my configuration by misc.

I appended the following two lines to the end of both default and staff
in login.conf. Look OK?

:passwordcheck=/path/to/program:\
:passwordtries=0:

I understand that it would be easy (and redundant) to use minpasswordlen
to meet the length requirement, but it's easy to check that in the
program itself.

Brad



Re: insecure scheduler in OpenBSD 4.7

2010-10-11 Thread Brad Tilley
On 10/11/2010 04:59 PM, Martin Schröder wrote:
 2010/10/11 Dmitry-T dmitr...@yandex.ru:
 How you use the OpenBSD as web servers and hosting platform?
 
 RTFAQ
 
 Permanently catch and kill processes?
 
 man ulimit

What do you see when you man ulimit?

 Best
 Martin



Re: Wireless Network GUI

2010-10-07 Thread Brad Tilley
Guillaume DualC) wrote:
 On Thu, 7 Oct 2010 09:33:44 -0300, Christiano F. Haesbaert
 haesba...@haesbaert.org wrote:
 Why not make a curses GUI ? I find it much more useful than gtk/qt (IMHO).
 
 In my opinion, the aim of this project is to provide a graphical tool,
 which can be inserted in some WM like XFCE, etc.
 Guillaume.

FLTK is in ports. It creates small, fast and portable standalone GUIs.
I've used it to make a few simple GUI frontends. I like it better than
Python/wxWidgets, Python/Qt, GTK, etc.

Brad



Re: Netbook for OpenBSD?

2010-10-06 Thread Brad Tilley
On 10/06/2010 09:54 PM, Mikle Krutov wrote:
 Hello, list!
 I'm a FreeBSD user (a very little experience with openbsd in the past),
 but I'm kind of interested in any bsd flavour (I like *nix, but dislike
 linux for some reasons).
 So, the question is if there is any positive experience with using
 OpenBSD on modern netbooks of the following:
 1) Samsung N127
 2) ASUS Eee PC 900AX
 3) MSI U120-094
 Or any other models with 10 monitor and 4+ battery lifetime?
 By positive I mean mainly correctly and stable working wireless.
 If nothing fits, please give me a recommendation which usb wireless card
 should I use.
 Thank you for your time,

Most places have demos out for customers to test. So, install OpenBSD
-current to a USB stick, then go to Office Max or Best Buy or someplace
similar and boot the Netbooks from the USB stick to see which has the
best supported hardware. Be sure to type on the keyboard too, make sure
it fits your hands.

man the wireless drivers to see a list of supported USB 802.11 cards.

Brad



Re: Router components

2010-10-04 Thread Brad Tilley
David Higgs wrote:

big snips

 I know SSDs don't require TRIM, but most benchmarks are made by
 knob-twiddlers that are presumably overemphasizing the performance
 degradation you get without it.  Is this even noticeable in practice?

I've used an inexpensive SSD (cheapest one I could find at the time) in
an Intel Celeron based OpenBSD home firewall for more than a year. It
works fine. Here is part of an old dmesg:

wd0 at pciide1 channel 0 drive 0: Kingston SSDNow V Series 64GB
wd0: 1-sector PIO, LBA, 61057MB, 125045424 sectors
wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 6

No noise, cool, low power. Try it for a year, then post back your
experience.

Brad



Re: How to use /dev/srandom

2010-10-04 Thread Brad Tilley
Janne Johansson wrote:

 What I meant was that one can complain that the NIST programs (diehard
 and dieharder spring to mind) only do certain tests, but that is just
 because no one can make a short program that _proves_ a certain stream
 is random. The only thing available seems to be a series of tests
 against a defined set of properties a random stream shouldn't have, but
 that list isn't conclusive, nor finished.

Check out ent (it's in ports); it does chi-square, entropy, and a few
other tests to grade the data stream. Not perfect, but about the best
you'll do for now.

Brad
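
As an added example (not ent's own code, and not part of the original post): the two grades named above, Shannon entropy and the chi-square test, applied to constructed byte streams, which shows why a stream can score a perfect 8.0 bits of entropy and still fail the chi-square test. The chi-square tail probability is computed with the Wilson-Hilferty normal approximation, an assumption of this example rather than ent's method; the verdict bands are the ones ent's documentation gives.

```python
"""Two of the grades ent(1) reports for a byte stream: Shannon entropy and a
chi-square test against the uniform byte distribution.

Added example, not ent's own code.  The tail probability uses the
Wilson-Hilferty normal approximation to the chi-square distribution, which is
this example's choice rather than ent's; the verdict bands follow ent's
documentation (below 1% or above 99%: almost certainly not random).
"""
import math
import random
from collections import Counter

DF = 255  # 256 byte values, so 255 degrees of freedom


def byte_entropy(data):
    """Shannon entropy in bits per byte; 8.0 is the ideal for a random stream."""
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chi_square(data):
    """Chi-square statistic of the 256 byte counts against n/256 expected each."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def chi_square_exceed_prob(stat, df=DF):
    """Probability that a truly random stream would give a chi-square this large
    or larger (Wilson-Hilferty approximation, accurate for df this big)."""
    mean = 1 - 2 / (9 * df)
    sd = math.sqrt(2 / (9 * df))
    z = ((stat / df) ** (1 / 3) - mean) / sd
    return 0.5 * math.erfc(z / math.sqrt(2))


def verdict(p):
    """ent's reading of the exceed probability: too unlikely either way is bad,
    including a chi-square that is 'too perfect' (p close to 1)."""
    if p < 0.01 or p > 0.99:
        return "almost certainly not random"
    if p < 0.05 or p > 0.95:
        return "suspect"
    if p < 0.10 or p > 0.90:
        return "almost suspect"
    return "random"


def grade(data):
    """Return (entropy, chi-square, exceed probability, verdict) for a stream."""
    chi = chi_square(data)
    p = chi_square_exceed_prob(chi)
    return byte_entropy(data), chi, p, verdict(p)


def seeded_stream(seed, n):
    """Constructed input: a seeded PRNG stream standing in for /dev/srandom output."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


if __name__ == "__main__":
    # Three constructed streams: PRNG output, all zeros, and a counting pattern
    # that has perfect entropy but a chi-square of exactly zero.
    streams = (("seeded prng", seeded_stream(1234, 65536)),
               ("all zeros", bytes(65536)),
               ("counting", bytes(range(256)) * 256))
    for name, data in streams:
        ent, chi, p, v = grade(data)
        print("%-12s entropy=%.4f chi2=%10.2f p=%.4f -> %s" % (name, ent, chi, p, v))
```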



Re: How to use /dev/srandom

2010-10-04 Thread Brad Tilley
Janne Johansson wrote:

 List of the CURRENT fully implemented tests (as of the 08/18/08 snapshot):
 
 #=#
 #  dieharder version 3.29.4beta Copyright 2003 Robert G. Brown
 #
 #=#
 Installed dieharder tests:
   Test Number  Test Name                                     Test Reliability
 ===========================================================================
   -d 0     Diehard Birthdays Test                        Good
   -d 1     Diehard OPERM5 Test                           Suspect
   -d 2     Diehard 32x32 Binary Rank Test                Good
   -d 3     Diehard 6x8 Binary Rank Test                  Good
   -d 4     Diehard Bitstream Test                        Good
   -d 5     Diehard OPSO                                  Good
   -d 6     Diehard OQSO Test                             Good
   -d 7     Diehard DNA Test                              Good
   -d 8     Diehard Count the 1s (stream) Test            Good
   -d 9     Diehard Count the 1s Test (byte)              Good
   -d 10    Diehard Parking Lot Test                      Good
   -d 11    Diehard Minimum Distance (2d Circle) Test     Good
   -d 12    Diehard 3d Sphere (Minimum Distance) Test     Good
   -d 13    Diehard Squeeze Test                          Good
   -d 14    Diehard Sums Test                             Do Not Use
   -d 15    Diehard Runs Test                             Good
   -d 16    Diehard Craps Test                            Good
   -d 17    Marsaglia and Tsang GCD Test                  Good
   -d 100   STS Monobit Test                              Good
   -d 101   STS Runs Test                                 Good
   -d 102   STS Serial Test (Generalized)                 Good
   -d 200   RGB Bit Distribution Test                     Good
   -d 201   RGB Generalized Minimum Distance Test         Good
   -d 202   RGB Permutations Test                         Good
   -d 203   RGB Lagged Sum Test                           Good
   -d 204   RGB Kolmogorov-Smirnov Test Test              Good


Interesting. Looks like ent with more tests. You should submit a port.



Re: Linux or OpenBSD

2010-09-27 Thread Brad Tilley
Martin Schröder wrote:
 2010/9/27 Brad Tilley b...@16systems.com:
 How many privilege escalation attacks (normal user getting a root shell)
 has OpenBSD had during the last five years? There have been several of
 
 The absence of reports doesn't prove that the flaws don't exist (and
 no, I'm not sitting on a 0day for OpenBSD :).
 
 Best
 Martin

I agree. I only meant that history shows Linux has these and OpenBSD has
not (or very few in comparison). That does not mean OpenBSD is perfect
and will never have a user to root escalation attack. Humans make
mistakes in everything, to include the writing of software.

Brad



Re: Linux or OpenBSD

2010-09-26 Thread Brad Tilley
On 09/26/2010 04:54 PM, Kevin Chadwick wrote:

 It's occured to me that I think what Theo suggested was actually about
 using more than one architecture, which may be a better method over
 Linux.

How many privilege escalation attacks (normal user getting a root shell)
has OpenBSD had during the last five years? There have been several of
these in the Linux kernel (one just this month). We tested the latest
one and it worked against a fully-patched RHEL box that had the SELinux
restrictive policy in place.

I don't mean this as bashing Linux, just pointing out facts. I think
history shows that OpenBSD has a better track record here (if that means
anything to anyone).

Brad



Re: Linux or OpenBSD

2010-09-22 Thread Brad Tilley
Rikky Taylor wrote:
 I was after some general advice. I need to setup a routing firewall with 3
 interfaces, moderate traffic and a fair amount of NAT'ing in the rules.
 
 
 
 Given identical modern server hardware would I expect a performance difference
 between an OpenBSD/PF setup and a Linux/IPTables one?
 
 
 
 Rikky


Either will work fine so long as you purchase good NICs and avoid
cutting-edge (untested) hardware. The only things Linux does noticeably
better are:

* Dealing with SMP
* Dealing with lots and lots of RAM
* Dealing with huge file-systems

None of those things are needed for simple firewalls.

Brad



Re: pf and !

2010-06-10 Thread Brad Tilley
Peter Fraser wrote:
 man pf.conf never describes what ! does. The ! is used in some examples
 and a lot of the time it is obvious what will happen. The pf faq has
 somewhat more of an explanation of ! with multiple addresses, but its
 explanation only refers to the use of ! in tables. There is never any
 statement of what !addr.


I've always thought it was the logical not.


 I expect that the description given in the pf faq covers the behavior of !
 in any place that ip addresses are given.
 
 I tripped over this when I wanted to block 2 ip addresses from accessing a
 service.
 
 I (and I realize I was wrong) always considered that
 
 pass quick from { addr1, addr2 }
 
 could be written as
 
 pass quick from addr1
 pass quick from addr2
 
 but if ! is used this obviously should not be true:
 
 pass quick from { !addr1, !addr2 }
 
 cannot be the same as (at least I hope, since I haven't built the system to
 test it)
 
 pass quick from !addr1
 pass quick from !addr2
 
 Furthermore the descriptions that do exist do not cover the boundary cases,
 such as 192.168.0.1-192.168.0.30 !192.168.0.20-192.168.0.40
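An added example, not from the thread, to settle the question above: pf expands a braced list into one rule per item, so `pass quick from { !addr1, !addr2 }` really is the pair of separate rules the poster hoped it was not, and it passes everything (the first rule passes addr2, the second passes addr1). The pf FAQ's answer is a table, which is negated as a whole. The script below is a small shell model of that expansion and of first-match quick evaluation, written for this page and not pf itself; the addresses are RFC 5737 documentation addresses, and the table is simulated by a shell variable. On a real box the authoritative check is `pfctl -nvf /etc/pf.conf`, which prints the ruleset after expansion.

```shell
#!/bin/sh
# Added example (not from the thread): a small model of how pf expands a braced
# address list into one rule per item and then evaluates rules first-match with
# "quick". It is a simulation for illustration; the authoritative check is
#     pfctl -nvf /etc/pf.conf
# which prints the ruleset after expansion. Addresses are RFC 5737 examples.

# expand_rule RULE: prints one rule per list item, e.g.
#   pass quick from { !192.0.2.1, !192.0.2.2 }
# becomes "pass quick from !192.0.2.1" and "pass quick from !192.0.2.2".
expand_rule() {
    case $1 in
        *'{'*'}'*)
            prefix=${1%%\{*}                  # text before the list
            suffix=${1##*\}}                  # text after the list
            list=${1#*\{}; list=${list%%\}*}  # the items themselves
            echo "$list" | tr ',' '\n' | while read -r item; do
                if [ -n "$item" ]; then
                    printf '%s%s%s\n' "$prefix" "$item" "$suffix"
                fi
            done ;;
        *)  printf '%s\n' "$1" ;;
    esac
}

# addr_matches ADDR SPEC: SPEC is "any", an address, a table reference <name>,
# or any of those prefixed with "!". Tables are simulated by shell variables
# named table_<name> holding a space-separated member list.
addr_matches() {
    addr=$1; spec=$2; negate=0; hit=1
    case $spec in '!'*) negate=1; spec=${spec#!} ;; esac
    case $spec in
        any) hit=0 ;;
        '<'*'>')
            name=${spec#<}; name=${name%>}
            eval "members=\$table_$name"      # simulated table lookup
            for m in $members; do
                if [ "$m" = "$addr" ]; then hit=0; fi
            done ;;
        *)  if [ "$spec" = "$addr" ]; then hit=0; fi ;;
    esac
    if [ "$negate" -eq 1 ]; then hit=$((1 - hit)); fi
    return "$hit"
}

# evaluate RULESET ADDR: RULESET is newline-separated rules of the form
# "pass|block quick from SPEC". Prints the verdict for ADDR; the first rule
# that matches decides, and nothing matching means the default (block here).
evaluate() {
    ruleset=$1; target=$2; verdict=block; decided=0
    expanded=$(printf '%s\n' "$ruleset" | while read -r line; do expand_rule "$line"; done)
    oldifs=$IFS; IFS='
'
    for rule in $expanded; do
        IFS=$oldifs
        action=${rule%% *}       # pass or block
        spec=${rule##* }         # last word: the "from" address spec
        if [ "$decided" -eq 0 ] && addr_matches "$target" "$spec"; then
            verdict=$action; decided=1
        fi
    done
    IFS=$oldifs
    printf '%s\n' "$verdict"
}

# The poster's list form next to the table form the pf FAQ recommends.
table_bad="192.0.2.1 192.0.2.2"        # stands in for: table <bad> { 192.0.2.1, 192.0.2.2 }
list_form='pass quick from { !192.0.2.1, !192.0.2.2 }'
table_form='pass quick from !<bad>'
for a in 192.0.2.1 192.0.2.2 198.51.100.7; do
    printf '%-15s list form: %-5s  table form: %s\n' "$a" \
        "$(evaluate "$list_form" "$a")" "$(evaluate "$table_form" "$a")"
done
```

The loop at the end prints `pass` for all three addresses under the list form, and `block`, `block`, `pass` under the table form: the two listed addresses are each passed by the rule that negates the other one, while `!<bad>` only matches addresses outside the table.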



Re: Processeur Atom

2010-06-10 Thread Brad Tilley
E.T wrote:
 Hi,
 
 In this text, I have an athlon1 available. But it takes a lot of room, is
 very hot, makes a lot of noise, and consumes a lot of electricity. I tried
 disconnecting the fan to see, but the CPU temperature went up to 105 °C in
 5 minutes. Otherwise, OpenBSD runs perfectly on it; I installed all the
 packages, X Window perfect. No problemo.
 
 They gave me an Atom 510mo for 15 minutes. I did an install with all the
 packages, X Window crash, crash T_T.
 
 Atom 230, 330 is the first generation of the processor. 410, 510 is the
 second generation. This is not stated on the website of OpenBSD.
 
 My main question, therefore, is: does OpenBSD support the Atom D510 100%?
 The X server is configured with more time. But will there be no more bugs
 or conflicts later, more severe and troublesome?
 
 Nobody has tested this platform.
 
 Thank you for the assistance

My newest atom is this:

OpenBSD 4.6-current (RAMDISK_CD) #149: Mon Sep 14 04:31:59 MDT 2009
t...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/RAMDISK_CD
cpu0: Intel(R) Atom(TM) CPU N270 @ 1.60GHz (GenuineIntel 686-class)
1.60 GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,TM2,xTPR
real mem  = 1064595456 (1015MB)
avail mem = 1024802816 (977MB)

I have not used anything newer than that in the atom family. But what I
have used works fine.

Brad



Re: Processeur Atom

2010-06-10 Thread Brad Tilley
E.T wrote:
 very, very small processor. N270 best performance? Firewall or desktop?
 
 
 OpenBSD 4.6-current (RAMDISK_CD) #149: Mon Sep 14 04:31:59 MDT 2009
 t...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/RAMDISK_CD
 cpu0: Intel(R) Atom(TM) CPU N270 @ 1.60GHz (GenuineIntel 686-class)
 1.60 GHz
 cpu0:


Maybe, but it beats the pants off the old Asus eeePC I had. It's a
netbook. I use it for portable productivity, coding, testing and web
surfing... not as an Internet gateway/FW.



Re: Processeur Atom ?

2010-06-10 Thread Brad Tilley
FRLinux wrote:
 On Thu, Jun 10, 2010 at 7:32 PM, Joachim Schipper
 joac...@joachimschipper.nl wrote:
 I would like to make a firewall / router running OpenBSD.
 Okay, but what is your question?
 
 
 I guess he is asking if all Atom processors are compatible with
 OpenBSD, which i guess is pretty much a given :)

I use it on several atom based netbooks. Works fine. Has for a long time.

 My question (sorry for hijacking this thread) is : is there any people
 on this list who switched from soekris (geode) to atom, and are they
 happy with speed and everything? Reason I mention that is i'd love to
 move my setup to atom/ssd eventually but haven't seen much on the list
 about it.
 
 Cheers,
 Steph



Re: It is 2010. Still no 3GB support by default?

2010-06-07 Thread Brad Tilley
Dexter Tomisson wrote:
 I'd really, really like to know what's the matter with larger memory
 support?
 
 Why is 'bigmem' still not default? What faults/bugs does it still have?
 
 What do you need to make it ok? Do you need a hardware donation to make
 that better, do you need a few bucks, do you need a good coder to improve
 that, or again some license problems perhaps? What's the problem? Share
 with us please, I'd really like to help with everything I can.
 
 I hope, maybe someday, our beloved Puffy will catch up to the 21st century.

Your multicore, mega-memory box with its 12 jabillionbyte hard disk
would probably be happier some place else.

 Regards.
 
 deX 



Re: Installer bug? - Upgrade 4.6 to 4.7 failed to upgrade base47, on i386 and amd64

2010-06-05 Thread Brad Tilley

Theo de Raadt wrote:


  If [you] don't know what you are doing, install a new snapshot.


We do this frequently. Works very well. bsd.rd makes it easy to move to 
a new snapshot. We buy -release CDs too, but seldom open them.


Brad



Re: GNU/Linux user wanting to make the switch to OpenBSD for ADSL2+ Router.

2010-05-27 Thread Brad Tilley
Jon Scruggs wrote:

 How reliable is the
 Wireless N with that chipset here?

To my knowledge, there is no 802.11N support in OpenBSD. Read the last
paragraph:

http://www.openbsd.org/cgi-bin/man.cgi?query=athn&sektion=4&apropos=0&manpath=OpenBSD+Current&arch=i386

Brad



Re: Help contacting Richard Stallman

2010-05-26 Thread Brad Tilley
Julian Acosta wrote:

 Really we need to contact with Richard Stallman, just for give us his
 opinion and answer us some questions about free software,
 How can I contact him?
 What's his real email?

Just talk a lot about open source and the Linux operating system. He'll
show up.



Re: Consideration before installling on SSD hard drive

2010-05-22 Thread Brad Tilley

On 5/22/2010 12:21 PM, Marco Peereboom wrote:

Yeah; ignore dos and don'ts. The SSD, if of any quality, will do fine.


That has been my experience with SSDs on OpenBSD and Linux. I've been 
using an inexpensive Kingston SSD for about six months now, it works 
great. Here is an older dmesg from it:


http://16systems.com/OpenBSD/celeron_ssd.txt



On May 22, 2010, at 10:03 AM, jean-francois jfsimon1...@gmail.com wrote:


Good afternoon gents,

I am building up a server with basically a solid state drive for the OS
and a 1 TB hard drive for the data.

In order to maximize the life time of the SSD, I will avoid mounting
slices that sustain continuous or sparse write access.

Could you briefly let me know the do's and don'ts?

Thanks.

Jean-François




Re: State of multiprocessing and multithreading in OpenBSD

2010-05-05 Thread Brad Tilley
Tony Abernethy wrote:
 Peter N. M. Hansteen wrote:
 pe...@bsdly.net (Peter N. M. Hansteen) writes:

 I would think that would be a fair question to ask the person who
 told
 you PF is garbage because it is multithreaded:
 eh, because it is *not* multithreaded:

 Now watch when application programmers use multithreaded stuff because
 they think it will somehow solve all their problems.

I only find threads useful in GUI programming when there's a need to
make the GUI seem responsive while other stuff is going on. That's about
all the use I have ever gotten from threads although I'm sure some apps
(video encoding, etc.) make heavy use of them since now everyone has
6-way cores, etc.

Brad

 If you ***CAN*** ***EVER*** make such a typo, do you really think
 that they even stand a chance?
 
 Couple this with wrong-way branches on equal comparisons (edges), and
 you do not even need to get into error-recovery stuff to find a mess.



Re: openbsd not blob free?

2010-05-05 Thread Brad Tilley
Kent Watsen wrote:
 There is a discussion on the osol-discuss mailing list this morning where
 it's pointed out that OpenBSD source tree has a blob in it:
 
 http://osdir.com/ml/opensolaris-discuss/2010-05/msg00095.html
 
 The location of the blob in the tree is here:
 
 http://www.openbsd.org/cgi-bin/cvsweb/src/sys/dev/microcode/afb/microcode.h?rev=1.1;content-type=text%2Fplain
 
 A posting from Alan Coopersmith from last December:
 
 http://lists.freedesktop.org/archives/x-packagers/2009-December/91.html
 
 The only official OpenBSD position statement I could find is on the 3.9
 lyrics page:
 
 http://www.openbsd.org/lyrics.html#39
 
 Where it says  OpenBSD remains blob-free  - not true?

I believe these are device specific (firmware, etc). Here's another:

http://www.openbsd.org/cgi-bin/cvsweb/src/sys/dev/microcode/atmel/atmel_intersil_fw.h?rev=1.2;content-type=text%2Fplain



Re: confused about updating -current

2010-04-28 Thread Brad Tilley
On Wed, 28 Apr 2010 08:37 -0500, Ahlsen-Girard, Edward F CTR USAF AFSOC
AFSOC/A6OK edward.ahlsen-girard@hurlburt.af.mil wrote:
 On 2010-04-27 23:01:30 Alastair Johnson wrote:
 
  if i install a system from install47.iso taken from the snapshots
  folder on a mirror i end up with a -current system eg:
  
  OpenBSD 4.7-current (GENERIC) #636:
  
  the docs state that you can't go from -current to -stable so my
  question is - what happens if i do update it?
  surely that's exactly what will happen once 4.7 is released.
  
  ie, if i do this:
  
  cd /usr ; cvs -qd anon...@anoncvs.server-somewhere:/cvs get -rOPENBSD_4_7 -P src
  
  and then follow the instructions for rebuilding the kernel and
  binaries.
  
  http://www.openbsd.org/stable.html
  
  
  will i just end up with a mess or a slightly more uptodate -current
  
  what happens to my 4.7-current system after 4.7 is released. can i
  still update it with bug fixes and security patches etc? surely it
  will become a -stable system?
  
  many thanks
  
  alastair johnson
 
 If you want a stable system right away, do a completely fresh install of
 4.6, and follow the instructions for tracking stable.
 
 If you don't mind waiting a few days, do a completely fresh install of
 the 4.7 release (which, as Theo pointed out, is NOT -current) and track
 stable from there.
 
 If for whatever reason you cannot tolerate a fresh install, you *might*
 be able to safely wait (wait means, run the system exactly as it is
 today, don't try to update anything at all) until the 4.8 release comes
 out (around November) and upgrade to that.  But I'm in no position to
 say that that is safe.


Nor am I, but I do that often with base installs and have not had any
major issues. There would be security concerns (especially with ports if
you're using a full blown desktop). You can follow -current if you have
the time and ability to keep-up or just occasionally install snapshots
and update them periodically.

Brad

 
 The short answer is start again and install a release this time.
 
 --
 Ed Ahlsen-Girard, Contractor (EITC)
 AFSOC/A6OK
 email: edward.ahlsen-girard@hurlburt.af.mil
 850-884-2414
 DSN: 579-2414



Re: confused about updating -current

2010-04-28 Thread Brad Tilley
On Wed, 28 Apr 2010 08:08 -0600, Ted Roby ted.r...@gmail.com wrote:
 On Wed, Apr 28, 2010 at 7:53 AM, Brad Tilley b...@16systems.com wrote:
 
 
  Nor am I, but I do that often with base installs and have not had any
  major issues. There would be security concerns (especially with ports if
  you're using a full blown desktop). You can follow -current if you have
  the time and ability to keep-up or just occasionally install snapshots
  and update them periodically.
 
 
 OpenBSD-current is unique with respect to all other -current or DEVEL
 or UNSTABLE projects. As Theo said, this is a forward-moving project,
 and Secure by Default. It is not a model where security and bugfixes
 get handled later. Unique to OpenBSD is the fact that you can listen
 in on just a few mailing lists (ports-changes, src-changes, etc) and
 you will end up with explanations on what is being updated, and maybe
 even why it was changed. The most interesting part is when a Developer
 makes a change indicating many larger changes to come down the road.
 
 See, these guys do their homework and prepare the way.
 
 In my opinion the best way to operate OpenBSD is to run -current, and
 keep a fresh eye on changes. To me, stable is nothing more than a
 snapshot in time for those who don't have time to investigate the
 past and future of the project. You can take any given CD set and it'll
 just work with plenty of accurate documentation. The newer the
 release the more likely your newer hardware will be supported...
 
 So, why do you want stable?

I did not say anything about -stable. Occasionally installing snapshots
has nothing to do with -stable. Not sure why you bring it up?

Brad



Re: confused about updating -current

2010-04-28 Thread Brad Tilley
On Wed, 28 Apr 2010 17:05 -0500, Chris Bennett
ch...@bennettconstruction.biz wrote:
 A while back on some thread, someone said that they ran -current 
 versions for a long while, updating ports tree for that snapshot and 
 could run with that particular -current as long as they liked by 
 adding packages as needed by building with that ports snapshot, rather 
 than using a later ports tree or packages.
 
 This seems like it could be a good way to jump forward but not need to 
 constantly update even if a new package is needed, since ports tree 
 holds proper builds for that snapshot at that time.
 
 Do I understand this correctly that this will work just fine?

That is how I sometimes use -snapshots. I'll download today's i386
snapshot and the snapshot ports.tar.gz. I'll then install and run such a
system for a year or so, sometimes less. I've not had issues with this
approach. In these instances, I do not update the base install or the
ports tree. I just use what I downloaded at that date and time.

Brad



Re: scp speed ffs/fat

2010-04-28 Thread Brad Tilley
On Thu, 29 Apr 2010 07:09 +0800, shweg...@gmail.com wrote:
 Transferring a file using scp into my home directory gives me this speed 
 (home network): 658.8KB/s
 while copying it directly onto a usb stick (fat32) gives me this: 1.5MB/s
 
 is it normal?

scp is encrypted and traveling across your network. Those things will
impact transfer speeds.

 This is the fstab entry of home:
 /dev/sd0h /home ffs rw,nodev,nosuid,softdep 1 2
 
 tks
 Still on 4.6, I'm a lazy -release user...



Re: reporting a bug in ports/net/flow-tools?

2010-04-27 Thread Brad Tilley
On Tue, 27 Apr 2010 17:41 +0300, Stas Miasnikou m...@gurtam.com
wrote:
 Michael W. Lucas:
  Sendbug doesn't seem to have a ports option, and my bug report
  doesn't have a single recommend solution in any case, so I'm asking
  here.
  
  The flow-log2rrd, flow-rpt2rrd, and flow-rptfmt programs in flow-tools
  each start with the line:
  
  #!/bin/env python
  
  This won't work on OpenBSD.  OpenBSD's env is in /usr/bin, and python
  is installed (at least on my system) as /usr/local/bin/python2.5.
  There is no generic python command.  These programs will run under
  any of the 3 python ports.
 
 The python packages tell you to make symbolic links when you install 
 them.  Not sure about ports though.

ports are the same, and after the install pkg_info will tell you again
see the Install Notice:

$ pkg_info python
Information for inst:python-2.5.4p2

Comment:
interpreted object-oriented programming language

Required by:
libxslt-1.1.26
py-libxml-2.7.6

Description:
Python is an interpreted, interactive, object-oriented
programming language that combines remarkable power with
very clear syntax. For an introduction to programming in
Python you are referred to the Python Tutorial. The Python
Library Reference documents built-in and standard types,
constants, functions and modules. Finally, the Python
Reference Manual describes the syntax and semantics of the
core language in (perhaps too) much detail.

Python's basic power can be extended with your own modules
written in C or C++.  On most systems such modules may be
dynamically loaded. Python is also adaptable as an
extension language for existing applications. See the
internal documentation for hints.


Maintainer: Damien Miller d...@openbsd.org

WWW: http://www.python.org/

Install notice:
If you want to use this package as your default system python, as root
create symbolic links like so (overwriting any previous default):
 ln -sf /usr/local/bin/python2.5 /usr/local/bin/python
 ln -sf /usr/local/bin/python2.5-config /usr/local/bin/python-config
 ln -sf /usr/local/bin/pydoc2.5  /usr/local/bin/pydoc



Re: confused about updating -current

2010-04-27 Thread Brad Tilley
On Wed, 28 Apr 2010 00:01 +0100, Alastair Johnson
att...@googlemail.com wrote:
 if i install a system from install47.iso taken from the snapshots folder
 on a mirror i end up with a -current system eg:
 
 OpenBSD 4.7-current (GENERIC) #636:
 
 the docs state that you can't go from -current to -stable so my question
 is - what happens if i do update it?

You'll be following -current.

 surely thats exactly what will happen once 4.7 is released.

Right now, your -current system is likely newer than 4.7-release. See
the commits as to when 4.7-release was.

 ie, if i do this:
 
 cd /usr ; cvs -qd anon...@anoncvs.server-somewhere:/cvs get -rOPENBSD_4_7 -P src
 
 and then follow the instructions for rebuilding the kernel and binaries.
 
 http://www.openbsd.org/stable.html
 
 
 will i just end up with a mess or a slightly more uptodate -current

No mess, but your -current system will be more current. 

 what happens to my 4.7-current system after 4.7 is released. can i still
 update it with bug fixes and security patches etc? surely it will become
 a -stable system?
 
 many thanks
 
 alastair johnson



Re: Is this a case of paranoia?

2010-04-25 Thread Brad Tilley
On Sun, 25 Apr 2010 17:48 +0200, Danny dannydeb...@gmail.com wrote:
 Shane,
 
 What I have found with our company's installation of Webmarshall is that
 you can, for example, go to linux.box.sk and surf around for about 5 mins,
 then all of a sudden it gets blocked.

95% of what these devices trigger on are false-positives. Anyone who has
ever dealt with them for any length of time should know that. The trick
is tuning them and white-listing stuff to make them more useful. Bottom
line... there is nothing malicious about openbsd.org websites. Your
network security device has yet another false-positive. 

Most people I know don't put these things in block mode precisely for
these reasons. 

Brad
 
 I don't think that Webmarshall is THAT clever to figure out that you are on
 a site that contains unauthorized content. I think that there is an
 overpaid, underworked MCSE on the Webmarshall server looking for something
 he can use as proof that they still need his expertise ...
 
 Danny
 
  I hope it is just your employer blocking OpenBSD and Marshal has not
  added it to their list!



Re: Multibooting (was : OpenBSD culture)

2010-04-19 Thread Brad Tilley
On Mon, 19 Apr 2010 11:07 +0100, Peter Kay (Syllopsium)
syllops...@syllopsium.com wrote:
 OpenBSD does not require a primary partition, nor does NetBSD. Solaris does
 for the moment, although code to fix that has been committed.
 
 I have a Windows 7 x64, OpenBSD, Solaris, NetBSD multiboot. It's not that
 difficult to arrange.
 
 I did most of the partitioning in Windows, setting up a primary partition
 for Solaris, then logical partitions for OpenBSD and NetBSD.
 
 Either the NetBSD or OpenBSD media can then be used to edit the partition
 types to the recognised ones. Install as normal, then use EasyBCD to edit
 the Vista/Windows 7 boot menu - modify as appropriate if you're using grub
 etc or XP..

Another option. Assuming an i386 or amd64 PC:

1. Put another hard drive into the computer.
2. Go into the BIOS and make the new hard drive have higher priority.
3. Boot the computer and install OpenBSD onto the new hard drive (Run
dmesg to be sure you're doing the right thing)
4. When you want to go back into the other OS, change the drive priority
in the BIOS and reboot.

Not pretty, but it works and keeps drives separate and no fooling with
grub, partitions, Windows boot loader, etc. 

Brad



Re: OpenBSD culture?

2010-04-15 Thread Brad Tilley
On Sat, 17 Apr 2010 05:20 -0300, VICTOR TARABOLA CORTIANO
vt...@c3sl.ufpr.br wrote:

 Saying that ISC is more free than GPL makes no sense

Saying "Do not remove our text" does not restrict your freedom. That's
all the ISC asks of you. Leave the copyright notice and the permission
to use alone.

Brad



Re: OpenBSD culture?

2010-04-14 Thread Brad Tilley
On Wed, 14 Apr 2010 07:17 -0400, Steve Shockley
steve.shock...@shockley.net wrote:
 On 4/14/2010 5:11 AM, Zachary Uram wrote:
  smacks of superiority and even condescension at times. Is this a fair
 
 I don't think they're superior and condescending... I think they're 
 superior and busy.
 
 

Busy? There are more people who work on some small sections of the Linux
kernel than who work on all of OpenBSD. Read the commits. You'll see
that a few people are doing a lot of high-quality work. This is probably
as much of a resource issue as it is a culture issue.

Brad



Re: Trying to boot OpenBSD on Juniper Networks J2320.

2010-04-13 Thread Brad Tilley
On Tue, 13 Apr 2010 19:29 -0400, bofh goodb...@gmail.com wrote:
 Now I'm curious - in what way would a decent juniper hardware be
 better than some off the shelf stuff? 

MTBF is greater. If you don't care about that, there's probably not much
difference... unless you need routers in space. Not sure a home-built
newegg box would pass the tests, but you never know:

http://www.networkworld.com/community/node/48399



Re: Soekris net5501 locks up with Ralink 2860 miniPCI

2010-04-07 Thread Brad Tilley
On Wed, 07 Apr 2010 07:18 -0600, Daniel Melameth dan...@melameth.com
wrote:
 On Wed, Apr 7, 2010 at 7:04 AM, Stuart Henderson s...@spacehopper.org
 wrote:
  The newest ones that I've had personal experience of being problem-
  free in AP mode are the old PRISM cards (when running suitable firmware
  on them) and one specific model of ath(4) (the one IBM used to use in
  some Thinkpads)...
 
 The only AP that ever worked reliably for me was the venerable 11b
 wi(4).
 
  I've had reasonable success with RT2860 ral(4) and acx(4) but there
  have been some problems. RF performance of the 2.4GHz RT2860 has been
  really good for me, but there are still problems, I have to ifconfig
  down+up from cron to avoid the worst of the hangs on some AP dealing
  with a wider range of clients (probably the same as you see e.g.
  client associates but doesn't get working network access).. acx(4)
  are near impossible to obtain without ripping them from a commercial
  AP (and there they aren't widely used any more) and RF performance
  isn't so good but they were working a bit more reliably for me.
  So with heavy heart I had to resort to commercial boxes in some places...
 
 I concur with this completely.  I have used over a half dozen
 different pieces of hardware in an attempt to find a stable AP
 solution on OpenBSD--and have worked with a couple developers to track
 down and fix various bugs--but I was never able to achieve this.  If
 you want a stable AP, that'll work with varied clients, you will
 likely not find it in OpenBSD at this time.

Me too. Went to the Penguin! Felt bad about it, but now have a stable
AP.



Re: feature request: fallback boot image

2010-04-02 Thread Brad Tilley
On Fri, 02 Apr 2010 17:08 +0200, Paul de Weerd we...@weirdnet.nl
wrote:

 Your timeout idea is interesting. The bootloader loads the kernel
 image and then starts executing it. After this, the bootloader is no
 longer active, who will do this timing out ? The kernel (or the
 garbage that was loaded in its place) is the only code running at
 this point.

Probably naive of me to think that the bootloader could get some sort of
return code (0 = OK). Maybe it's too late for it to do anything at that
point. I don't know the process well enough to talk intelligently about
it, just curious.

snip

 You seem to have a valid issue, but a proper solution does not appear
 to be obvious to me. I take it you don't have two machines under your
 control in these remote locations so you could exchange serial console
 between the two ? (a USB to serial adapter on one machine connected to
 the serial port of the other and vice versa)

I've done this a lot. Usually it works very well. Old, low-power
hardware can be used that no longer has much purpose.

Brad



Re: Anomali on /var available space

2010-03-27 Thread Brad Tilley
On Sat, 27 Mar 2010 13:09 +0100, Peter N. M. Hansteen
pe...@bsdly.net wrote:
 Kabayan kab4...@yahoo.com writes:
 
  Problem solved after I restarted pflogd.
  New problem is: why does the pflogd process use almost 100% of the capacity of my /var?
 
 My guess would be that your pf.conf logs traffic with log (all) on at
 least one rule that matches a lot of traffic, and possibly your
 newsyslog.conf does not implement a very aggressive log rotation
 schedule.

 Logging all packets is not all that useful unless you're deep in
 debugging something. 

I occasionally log packets that pf blocks (just to see who is poking
around). Normally, that's about 100K per hour and only 4 old logs are
kept so a small /var is OK most of the time.  Then one day, some new
network gear was installed that messed-up the layer 2 bridging and
introduced a loop and STP stopped working. From that came a huge
broadcast storm. pf logs filled up a 4GB /var in 3 minutes. I've never
seen that many packets in that short amount of time. I still log pf
blocks and 99% of the time, it's OK.

Brad



Re: gnu grep -o flag

2010-03-24 Thread Brad Tilley
No.

i...@iso2:~/Desktop$ grep import IDS_targets.py 
import MySQLdb
import socket
import getpass
import datetime

i...@iso2:~/Desktop$ grep import -o IDS_targets.py 
import
import
import
import


On Wed, 24 Mar 2010 13:33 -0500, Marco Peereboom sl...@peereboom.us
wrote:
 huh?
 
 didn't you just grep for that?
 
 On Wed, Mar 24, 2010 at 07:00:06PM +0200, Gregory Edigarov wrote:
  Hello Everybody,
  
  Just wonder how could one implement what gnu grep -o flag does using
  our toolchain? 
  
  from ggrep(1):
  
   -o, --only-matching
Show  only the part of a matching line that matches
PATTERN.
  
  
  -- 
  With best regards,
  Gregory Edigarov
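An added example, not part of the thread: the original question was how to get GNU grep -o behaviour out of base tools. awk(1) in base can do it with match(), RSTART and RLENGTH. The function below prints every non-overlapping match of an extended regular expression, one per line, including several matches on one input line (which is what GNU grep -o does); the sample input at the bottom is constructed here and is not the poster's file.

```shell
#!/bin/sh
# Added example: a stand-in for GNU grep -o using only awk(1), which OpenBSD
# ships in base. Prints every non-overlapping match of an ERE, one per line,
# including several per input line; a line with no match prints nothing.
only_matching() {
    # The pattern is passed through the environment rather than awk -v so
    # that awk does not process backslash escapes in it (e.g. "\." stays "\.").
    RE="$1" awk '
        BEGIN { re = ENVIRON["RE"] }
        {
            s = $0
            while (s != "" && match(s, re)) {
                if (RLENGTH == 0) {             # empty match: step one char on
                    s = substr(s, 2)
                    continue
                }
                print substr(s, RSTART, RLENGTH)
                s = substr(s, RSTART + RLENGTH)  # resume after the match
            }
        }'
}

# Constructed sample input (not the poster's file) with two matches on one line.
printf 'import MySQLdb\nimport socket, getpass; import datetime\nx = 1\n' \
    | only_matching 'import'
```

The sample prints `import` three times: once for the first line, twice for the second, and nothing for the third. Any ERE works, so `only_matching '[0-9]+'` pulls every run of digits out of a line, which is the case where a sed substitution that keeps only the first match falls short.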



Re: 4.6 patch support

2010-03-22 Thread Brad Tilley
On Mon, 22 Mar 2010 14:45 +0100, Marc Espie es...@nerim.net wrote:
 On Mon, Mar 22, 2010 at 08:11:53AM -0400, Woodchuck wrote:
  Ports/packages are sort of hit-or-miss.
  
  This is a very Spartan situation, and comes from a shortage of
  resources.
 
 Partly.
 
 Being able to drop old shit fairly quickly is also very important in
 terms
 of quality, since we don't have to read through a maze of old code
 ifdefs.
 
 If you prefer, sure it's a shortage of resources. We want to maximize
 quality with limited resources, and so we err on the side of aggressive
 removal of dying features.
 
 It would take a *massive* influx of resources to change that situation.

This is a great point in general about OpenBSD. Look at the commits of
the Linux kernel or FreeBSD versus the commits of OpenBSD... the
difference is huge. Not only in terms of number of commits, but also
number of developers making the commits. OpenBSD does a lot with what
little they have when compared to other projects... just my opinion.

Brad

 Even with more resources, we will still prefer quality over long-term
 support.  With lots and lots of resources, we could possibly reengineer
 long-term support without sacrificing quality.
 
 Think about it. What do you prefer ? half-baked support and badly broken
 features, or good support over a limited period of time, and the best
 features we can create ?



Re: recent hardware with older OpenBSD versions

2010-03-21 Thread Brad Tilley
On Sun, 21 Mar 2010 11:36 +0100, T. Valent tmp...@4ss.de wrote:

 In the end it seems like I have to give up the idea of keeping all
 installations on the same level; it seems like I have to create a complete
 new platform (new motherboard type and new OpenBSD version) for all new
 customers, just because I cannot find any compatible motherboard anymore.

Some manufacturers, such as ASUS, produce boards that are guaranteed to
be available for X months with the same chipsets. They call it ASUS
Corporate Stable. Check out their website.



Re: script to update dyndns IP

2010-03-19 Thread Brad Tilley
On Fri, 19 Mar 2010 00:20 -0700, Aaron Stellman z...@x96.org wrote:
 On Thu, Mar 18, 2010 at 09:52:28PM -0400, Brad Tilley wrote:
  There are ports that do this with more features, but I thought others
  might like to do it in base with no added software. I've been using this
  script since 4.2 and it works OK:
 
 since when is net/curl in base?

It's not. My mistake. Thanks to some suggestions off-list on using lynx
rather than curl, this seems to work OK:


#!/bin/ksh

# Cron this script to run every X minutes. Written for OpenBSD base.
# set FORCE_SSL_PROMPT:yes in /etc/lynx.cfg

user=test
pass=test
host=test.dyndns.org

# Get current IP
lynx -dump http://checkip.dyndns.org:8245/ | awk '{print $4}' | sed '/^$/d' > ip_new.txt

# Compare new with old.
diff ip_new.txt ip_old.txt

# If different, send update.
if [ $? -ne 0 ]
then
  ip=$(cat ip_new.txt)
  # Following two lines are optional. Log date of change and IP history.
  date >> ip_date.txt
  cat ip_old.txt >> ip_history.txt
  lynx -dump -auth="${user}:${pass}" \
    "https://members.dyndns.org/nic/update?hostname=${host}&myip=${ip}"
fi

# Whether a change has occurred or not, overwrite old with new
cp -f ip_new.txt ip_old.txt
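An added example, not the poster's script, showing the same check-then-update logic with the three changes a reviewer would ask for: the credentials are read by curl from a mode 0600 ~/.netrc instead of being passed on the command line (both `lynx -auth=user:pass` and `user:pass@` inside a URL are visible to every local user in ps(1)); the address scraped from the checkip page is validated as a dotted quad before it is put into the update URL; and state lives in a fixed directory rather than cron's working directory, with TLS verification left on. As the thread notes, curl comes from ports (net/curl), not base. The hostname, the state directory and the `run` argument are placeholders chosen for this example; the `fetch_url` function is the only part that touches the network, so everything else can be exercised offline.

```shell
#!/bin/sh
# Added example, not the poster's script: check-then-update with credentials
# kept out of the process list, the scraped address validated before use, a
# fixed state directory, and TLS verification left on (no --insecure).
# curl is from ports (net/curl), not base. Hostname and paths are placeholders.
set -u

state_dir=${STATE_DIR:-/var/db/dyndns}     # assumed location, must be writable
host=${DYNDNS_HOST:-test.dyndns.org}       # placeholder host from the post
checkip_url='http://checkip.dyndns.org:8245/'
update_url='https://members.dyndns.org/nic/update'

# fetch_url URL: print the response body. curl --netrc reads the login and
# password for the host from ~/.netrc, so they never appear in ps(1) output.
# The offline test replaces this function.
fetch_url() {
    curl -sS --fail --netrc "$1"
}

# extract_ip: read the checkip page on stdin and print the first valid IPv4
# address found, or nothing. Only this output is ever interpolated into a URL.
extract_ip() {
    tr -c '0-9.\n' '\n' | awk '
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            split($0, o, ".")
            if (o[1]+0 <= 255 && o[2]+0 <= 255 && o[3]+0 <= 255 && o[4]+0 <= 255) {
                print; exit
            }
        }'
}

# check_netrc: refuse to run if the credential file is readable by others.
check_netrc() {
    f=$HOME/.netrc
    if [ ! -f "$f" ]; then echo "dyndns: $f missing" >&2; return 1; fi
    case $(ls -l "$f" | cut -c5-10) in        # group and other permission bits
        ------) return 0 ;;
        *) echo "dyndns: $f must be mode 0600" >&2; return 1 ;;
    esac
}

# ip_changed NEW: true when NEW differs from the last recorded address.
ip_changed() {
    old=$(cat "$state_dir/ip_old.txt" 2>/dev/null || true)
    [ "$1" != "$old" ]
}

# record_ip NEW: keep the date and history the original script kept, then
# overwrite the current record.
record_ip() {
    date >> "$state_dir/ip_date.txt"
    printf '%s\n' "$1" >> "$state_dir/ip_history.txt"
    printf '%s\n' "$1" > "$state_dir/ip_old.txt"
}

# update_if_needed: the cron entry point. Returns 1 when no valid address
# could be obtained, 0 otherwise (whether or not an update was sent).
update_if_needed() {
    mkdir -p "$state_dir"
    ip=$(fetch_url "$checkip_url" | extract_ip)
    if [ -z "$ip" ]; then
        echo "dyndns: no valid public IPv4 address in checkip response" >&2
        return 1
    fi
    if ip_changed "$ip"; then
        fetch_url "${update_url}?hostname=${host}&myip=${ip}" >/dev/null
        record_ip "$ip"
    fi
    return 0
}

# Run from cron as:  */10 * * * * /usr/local/sbin/dyndns.sh run
case ${1:-} in
    run) check_netrc && update_if_needed ;;
esac
```

The ~/.netrc line it expects is `machine members.dyndns.org login USER password PASS`, owned by the cron user and chmod 600; check_netrc refuses to run otherwise. Because the update is only sent when the validated address differs from the stored one, a checkip page that returns garbage (or a captive portal's HTML) results in a logged error rather than an update request carrying arbitrary text.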



script to update dyndns IP

2010-03-18 Thread Brad Tilley
There are ports that do this with more features, but I thought others
might like to do it in base with no added software. I've been using this
script since 4.2 and it works OK:

#!/bin/ksh

# Cron this script to run every X minutes. Written for OpenBSD.

# Get current IP
lynx -dump http://checkip.dyndns.org:8245/ | awk '{print $4}' | sed '/^$/d' > ip_new.txt

# compare new with old
diff ip_new.txt ip_old.txt

# if different, send update
if [ $? -ne 0 ]
then
  #echo The IP has changed
  ip=$(cat ip_new.txt)
  # Following two lines are optional. Log date of change and IP history.
  date >> ip_date.txt
  cat ip_old.txt >> ip_history.txt
  curl --insecure \
    "https://user:p...@members.dyndns.org/nic/update?hostname=host.xxx&myip=$ip&wildcard=NOCHG&mx=NOCHG&backmx=NOCHG"
fi

# Whether a change has occurred or not, overwrite old with new
cp ip_new.txt ip_old.txt



Re: script to update dyndns IP

2010-03-18 Thread Brad Tilley
On Thu, 18 Mar 2010 21:52 -0400, Brad Tilley b...@16systems.com
wrote:
 There are ports that do this with more features, but I thought others
 might like to do it in base with no added software. I've been using this
 script since 4.2 and it works OK:
 
 #!/bin/ksh
 
 # Cron this script to run every X minutes. Written for OpenBSD.
 
 # Get Current IP
  lynx -dump http://checkip.dyndns.org:8245/ | awk '{print $4}' | sed '/^$/d' > ip_new.txt
 
 # compare new with old
 diff ip_new.txt ip_old.txt
 
 # if different, send update
 if [ $? -ne 0 ]
 then
   #echo The IP has changed
   ip=$(cat ip_new.txt)
   # Following two lines are optional. Log date of change and IP history.
    date >> ip_date.txt
    cat ip_old.txt >> ip_history.txt
    curl --insecure \
      "https://user:p...@members.dyndns.org/nic/update?hostname=host.xxx&myip=$ip&wildcard=NOCHG&mx=NOCHG&backmx=NOCHG"
 fi
 
 # Whether a change has occurred or not, overwrite old with new
 cp ip_new.txt ip_old.txt


I was under the impression that curl was in base. My mistake. It must
have pulled in as a dependency somewhere as I don't recall explicitly
installing it. I understand that lynx can be used to replace curl.

Brad



Re: kde4 dead?

2010-03-15 Thread Brad Tilley
On Mon, 15 Mar 2010 15:27 +0100, Antoine Jacoutot
ajacou...@bsdfrog.org wrote:
 On Mon, 15 Mar 2010, Tobias Ulmer wrote:
 
  On Mon, Mar 15, 2010 at 04:33:03AM -0500, Donald Cooley wrote:
   openports shows that the openbsd version of kde4 is nearly two years
   old.  are there any future plans to update kde4?
   
   Regards,
   Donald Cooley
  
  http://lists.kde.org/?l=kde-develw=2r=1s=openbsdq=b
  KDE doesn't give a fuck about OpenBSD, so why should we?
 
 Actually, KDE only cares about Linux.

The isfinite() issue? That's C99 and POSIX stuff, right? Or are you guys
talking about something else? OpenBSD does have a log2() (unlike FreeBSD
7.x) even though you can get there by doing log()/log(2). 

Brad

 -- 
 Antoine



Re: kde4 dead?

2010-03-15 Thread Brad Tilley
On Mon, 15 Mar 2010 10:56 -0400, Brad Tilley b...@16systems.com
wrote:
 On Mon, 15 Mar 2010 15:27 +0100, Antoine Jacoutot
 ajacou...@bsdfrog.org wrote:
  On Mon, 15 Mar 2010, Tobias Ulmer wrote:
  
   On Mon, Mar 15, 2010 at 04:33:03AM -0500, Donald Cooley wrote:
openports shows that the openbsd version of kde4 is nearly two years
old.  are there any future plans to update kde4?

Regards,
Donald Cooley
   
   http://lists.kde.org/?l=kde-develw=2r=1s=openbsdq=b
   KDE doesn't give a fuck about OpenBSD, so why should we?
  
  Actually, KDE only cares about Linux.
 
 The isfinite() issue? That's C99 and POSIX stuff, right? Or are you guys
 talking about something else? OpenBSD does have a log2() (unlike FreeBSD
 7.x) even though you can get there by doing log()/log(2). 
 
 Brad

Never mind. I did not realize that list was a result of a search for
OpenBSD. Duh.



Re: A small research paper - Thoughts about Cisco.

2010-03-11 Thread Brad Tilley
On Thu, 11 Mar 2010 15:43 +, TS Lura tsl...@gmail.com wrote:
 I'm sorry.
 
 My intent was not to be inflammatory.
 
 My experience with Cisco as a company is limited, so I'm therefore trying
 to
 find out more. In that process I may be asking a controversial question.
 Which for some is quite obvious.
 
 Thanks for the replies so far.
 
 .tsl

Do they donate to OpenSSH? They use it a lot, but they are not listed
here:

http://openbsd.org/donations.html

Maybe they donate privately.

Brad



Intel Gigabit ET NIC Quad Port

2010-03-10 Thread Brad Tilley
We're considering this card for an OpenBSD Snort box. I think em
supports it well. It uses the 82576EB controller. Has anyone used the
card much? If so, are you satisfied with it? 

http://ark.intel.com/Product.aspx?id=36796

Thanks,

Brad



Re: OT: multiple web servers on OpenBSD (WAS: OT: vmware blah blah)

2010-03-08 Thread Brad Tilley
On Mon, 08 Mar 2010 10:18 -0700, Ted Roby ted.r...@gmail.com wrote:

 I can think of one good reason I need a vm machine:
 So I can put OpenBSD on the Xserves, and run OSX in the vm for mac-only
 apps the client requires.

Another good reason:

Reverting compromised Windows machines back to a point in time when they
were probably clean (or at least not obviously infected). The malware
served-up in some of the ads on the Intertubes is horrible. Even ads on
main stream websites can cause severe infestations. 

Brad



Re: -current or -stable [was: Not another Browser Question]

2010-03-04 Thread Brad Tilley
On Thu, 04 Mar 2010 11:44 -0500, nixlists nixmli...@gmail.com wrote:
 On Thu, Mar 4, 2010 at 11:35 AM, Chris Bennett
 ch...@bennettconstruction.biz wrote:
  You are talking about two separate issues.
 
  Stability is not related to security directly.
  The two are intricately combined but not the same.
 
 But both are related to downtime and data loss. I understand stability
 bugs are likely to pop-up more often with current, and this has been
 my experience. Weird freezes without panic that I did not have with
 release/stable

I've had good experience with -current with no major stability problems.
Of course, this is usage scenario 1) where I install a snapshot and use
it for a few years before updating again before updating to -current
again.

Brad



Re: -current or -stable [was: Not another Browser Question]

2010-03-04 Thread Brad Tilley
On Thu, 04 Mar 2010 15:12 -0500, nixlists nixmli...@gmail.com wrote:

 It seems the opinion on running current in production ranges from
 being overly optimistic to being very cautious. If running -current in
 production is only recommended for people who are intimately familiar
 with the internals, doesn't that exclude many if not most users?

You don't have to be an expert to run -current. If you can read and
follow instructions, you can do it. The process is well-documented. It's
like following a grand recipe while preparing a gourmet dish... most
people (who can cook) can do it if they really want.

Brad



Re: -current or -stable [was: Not another Browser Question]

2010-03-03 Thread Brad Tilley
On Wed, 03 Mar 2010 09:02 -0500, Scott McEachern sc...@erratic.ca
wrote:
 Manuel Giraud wrote:
  I wasn't clear enough: by new package, I meant a package not
  installed on my system yet and not the bleeding edge version of one
  package.
 

 Ah ok, sorry, I misunderstood.
  Maybe I'll stick to -current too. But I'd like to give try staying
  -stable for a while and I could still play with the new toys every 6
  month anyway. I wonder why does the FAQ recommend -stable over -current?
 

  From the FAQ:
 
 Put bluntly, the best version of OpenBSD is /-current/.
 
 Please read the FAQ.  It is explained why there are situations where 
 -stable is more _suitable_ for some people, -current for others.

If -stable does not work for you, there are at least two ways (in my
mind) to use -current.

1. Download today's snapshot, which is -current, along with the
ports.tar.gz that comes with it and then install and use that for months
without actively following -current. Basically, you don't try to keep up
and are only -current for a short while. I do that sometimes and have
never had an issue. At times you may end up with a funky system that is
not -stable or -current but it works just fine and has appropriate
documentation.

2. Download today's snapshot, which is -current, and then actively keep
up with the source tree. Most people probably use -current in this
fashion and this is probably the way the developers intend for it to be
used.

As a user, I can only speak for myself, but having used -current in both
ways, I can say that either approach works.

Brad



Re: fsck UNEXPECTED INCONSISTENCY

2010-03-02 Thread Brad Tilley
On Tue, 02 Mar 2010 07:50 -0800, J.C. Roberts
list-...@designtools.org wrote:
 And I thought I was expected to be inconsistent. ;)
 
 Anyhow, I was upgrading from the Feb 2, to the most recent snapshot, and
 fsck is coming up with a problem on one of my partitions. I can probably
 get it working (fix is such a strong word) with `fsck -fy` but my real
 concern is if the drive is failing?
 
 atactl tells me everything is just fine?
 
 I have a nearly identical system, with the same type of disk, which
 reports similar atactl attributes... but then again, I don't really trust
 SATA/PATA drives very much or their supposedly smart monitoring.
 
 The data on the system is not only backed up, but it's also easily
 replaced since the machine is only used for src and ports builds. I think
 I might lose a total of a few newly downloaded distfiles since the last
 backup.
 
 What I really want to do here is understand *why* some portion of the
 disk has become unreadable?


cd /bad_partition && dd if=/dev/zero of=big_file.zero bs=512 conv=sync,noerror

Let it run until it finishes. That won't explain why the sectors are
bad, but it may give a good indication of the problem area and answer
the failing drive question. If dd reports IO issues, you may want to
replace the drive.

Brad

 
 All of the below were done in single user mode over serial.
 (sorry about the width)
 
 
 # atactl wd0 smartenable
 # atactl wd0 readattr
 Attributes table revision: 16
 ID   Attribute name                    Threshold  Value  Raw
   3  Spin Up Time                             63    180  0x46f2
   4  Start/Stop Count                          0    253  0x00d2
   5  Reallocated Sector Count                 63    253  0x0007
   6  Read Channel Margin                     100    253  0x
   7  Seek Error Rate                           0    253  0x
   8  Seek Time Performance                   187    253  0x9edb
   9  Power-On Hours Count                      0    235  0xee5c
  10  Spin Retry Count                        157    253  0x
  11  Calibration Retry Count                 223    253  0x
  12  Device Power Cycle Count                  0    253  0x00f0
 192  Power-Off Retract Count                   0    253  0x
 193  Load Cycle Count                          0    253  0x
 194  Temperature                               0    253  0x000f
 195  Hardware ECC Recovered                    0    253  0x170d
 196  Reallocation Event Count                  0    253  0x
 197  Current Pending Sector Count              0    253  0x0001
 198  Off-Line Scan Uncorrectable Sect          0    253  0x
 199  Ultra DMA CRC Error Count                 0    199  0x
 200  Write Error Rate                          0    253  0x
 201  Soft Read Error Rate                      0    253  0x
 202  Data Address Mark Errors                  0    253  0x
 203  Run Out Cancel                          180    253  0x0001
 204  Soft ECC Correction                       0    253  0x
 205  Thermal Asperity Check                    0    253  0x
 207  Spin High Current                         0    253  0x
 208  Spin Buzz                                 0    253  0x
 209  Offline Seek Performance                  0    253  0x
  99  Unknown                                   0    253  0x
 100  Unknown                                   0    253  0x
 101  Unknown                                   0    253  0x
 #
 
 
 # atactl wd0 smartstatus
 No SMART threshold exceeded
 # 
 
 
 # atactl wd0 identify
 Model:6Y250L6, Rev: YAR41BW0, Serial #: 
 Device type: ATA, fixed
 Cylinders: 16383, heads: 16, sec/track: 63, total sectors: 490234752
 Device capabilities:
 ATA standby timer values
 IORDY operation
 IORDY disabling
 Device supports the following standards:
 ATA-1 ATA-2 ATA-3 ATA-4 ATA-5 ATA-6 ATA-7 
 Device supports the following command sets:
 NOP command
 READ BUFFER command
 WRITE BUFFER command
 Host Protected Area feature set
 Read look-ahead
 Write cache
 Power Management feature set
 SMART feature set
 Flush Cache Ext command
 Flush Cache command
 Device Configuration Overlay feature set
 48bit address feature set
 Automatic Acoustic Management feature set
 Set Max security extension commands
 Advanced Power Management feature set
 DOWNLOAD MICROCODE command
 SMART self-test
 SMART error logging
 Device has enabled the following command 

Re: Advice requested on modem WiFi for old notebook

2010-03-01 Thread Brad Tilley
On Mon, 01 Mar 2010 20:41 -0500, Dave Anderson d...@daveanderson.com
wrote:
 I've inherited an old notebook (Sony Vaio PCG-FX120) and installed
 4.6-release on it; while I haven't yet done extensive testing, most
 things (except the LoseModem, of course) seem to work (full dmesg
 below, and sent to dm...@openbsd.org).
 
 Now I want to add WiFi and a working modem to it and, based on looking
 through the dmesg and the man pages for 802.11 device drivers, there are
 a couple of issues I'd like to understand better before buying anything.
 I'd appreciate either direct answers or pointers to places which discuss
 this that I haven't found.  (I've done some searching of the mailing
 list archives, but my search-fu is not strong.)  Any general comments on
 using pcmcia vs cardbus vs USB for WiFi or a modem are also welcome.
 After I've narrowed the list of possible devices I plan to do more
 specific searching of the mailing-list archives.


USB 802.11 devices work well and are inexpensive. The man pages provide
specific brands with model numbers. apropos wireless and then man the
drivers to find one you like. I've had good experience with rum and run
based devices.

Brad


 The system has two pcmcia/cardbus slots and 2 USB ports.  What seem to
 me to be the relevant dmseg lines and the questions they raise are:
 
 pcmcia
 
   pcic0 at isa0 port 0x3e0/2 iomem 0xd/16384
   pcic0 controller 0: Intel 82365SL rev 1 has sockets A and B
   pcmcia0 at pcic0 controller 0 socket 0
   pcmcia1 at pcic0 controller 0 socket 1
   pcic0: irq 3, polling enabled
 
   This appears to be fully functional.
 
 cardbus
 
   cbb0 at pci1 dev 2 function 0 Ricoh 5C476 CardBus rev 0x80: couldn't
   map interrupt
   cbb1 at pci1 dev 2 function 1 Ricoh 5C476 CardBus rev 0x80: couldn't
   map interrupt
 
   Since I didn't see any not configured messages for cbb*, my guess is
   that this is at least partly functional; is that correct?  What
   limitations does the couldn't map interrupt message imply for WiFi
   or modem use?  (There don't seem to be any BIOS options which affect
   this.)
 
 USB
 
   uhci0 at pci0 dev 31 function 2 Intel 82801BA USB rev 0x03: irq 9
   uhci1 at pci0 dev 31 function 4 Intel 82801BA USB rev 0x03: irq 11
   usb0 at uhci0: USB revision 1.0
   uhub0 at usb0 Intel UHCI root hub rev 1.00/1.00 addr 1
   usb1 at uhci1: USB revision 1.0
   uhub1 at usb1 Intel UHCI root hub rev 1.00/1.00 addr 1
 
   Most of the man pages for USB 802.11 drivers mention USB 2.0; at least
   one specifically states that USB 1.0 is not supported.  Other than
   actually trying each one, how can I tell which of them will work with
   USB 1.0?
 
 Thanks for any help.
 
   Dave
 
 OpenBSD 4.6 (GENERIC) #58: Thu Jul  9 21:24:42 MDT 2009
 dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
 cpu0: Intel Pentium III (GenuineIntel 686-class) 696 MHz
 cpu0:
 FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,SER,MMX,FXSR,SSE
 real mem  = 333475840 (318MB)
 avail mem = 313233408 (298MB)
 mainbus0 at root
 bios0 at mainbus0: AT/286+ BIOS, date 03/13/01, BIOS32 rev. 0 @ 0xfd878,
 SMBIOS rev. 2.31 @ 0xd8010 (38 entries)
 bios0: vendor Phoenix Technologies LTD version R0211U0 date 03/13/01
 bios0: Sony Corporation PCG-FX120(UC)
 apm0 at bios0: Power Management spec V1.2
 apm0: AC on, battery charge unknown
 acpi at bios0 function 0x0 not configured
 pcibios0 at bios0: rev 2.1 @ 0xfd860/0x7a0
 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf30/176 (9 entries)
 pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82371FB ISA rev 0x00)
 pcibios0: PCI bus #3 is the last bus
 bios0: ROM list: 0xc/0xc000 0xd8000/0x4000! 0xdc000/0x4000!
 cpu0 at mainbus0: (uniprocessor)
 pci0 at mainbus0 bus 0: configuration mode 1 (bios)
 pchb0 at pci0 dev 0 function 0 Intel 82815 Host rev 0x11
 vga1 at pci0 dev 2 function 0 Intel 82815 Video rev 0x11
 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
 wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
 intagp0 at vga1
 agp0 at intagp0: aperture at 0xf800, size 0x400
 ppb0 at pci0 dev 30 function 0 Intel 82801BAM Hub-to-PCI rev 0x03
 pci1 at ppb0 bus 1
 mem address conflict 0x13f0/0x1000
 mem address conflict 0x13f01000/0x1000
 TI TSB43AA22 FireWire rev 0x02 at pci1 dev 0 function 0 not configured
 cbb0 at pci1 dev 2 function 0 Ricoh 5C476 CardBus rev 0x80: couldn't
 map interrupt
 cbb1 at pci1 dev 2 function 1 Ricoh 5C476 CardBus rev 0x80: couldn't
 map interrupt
 fxp0 at pci1 dev 8 function 0 Intel 82562 rev 0x03, i82562: irq 9,
 address 08:00:46:14:eb:5a
 inphy0 at fxp0 phy 1: i82562ET 10/100 PHY, rev. 0
 ichpcib0 at pci0 dev 31 function 0 Intel 82801BAM LPC rev 0x03: 24-bit
 timer at 3579545Hz
 pciide0 at pci0 dev 31 function 1 Intel 82801BAM IDE rev 0x03: DMA,
 channel 0 wired to compatibility, channel 1 wired to compatibility
 wd0 at pciide0 channel 0 drive 0: HITACHI_DK23BA-10
 wd0: 16-sector PIO, LBA, 9590MB, 19640880 sectors
 wd0(pciide0:0:0): using 

OT: Cloud Computing Security

2010-02-25 Thread Brad Tilley
Is it too early for Friday humor? If not, here are some clowns worth
watching:

http://www.youtube.com/watch?v=VjfaCoA2sQk



Re: OpenBSD insecure OS?

2010-02-24 Thread Brad Tilley
On Wed, 24 Feb 2010 19:36 +, carlos albino garcia grijalba
genesi...@hotmail.com wrote:
 Folks i dont mean obsd is insecure i love obsd, ive been using it for 5
 years
 i just want the community to read the history
 sorry.


OpenBSD doesn't have the rubber stamps. That's what confuses people.
However, it has been certified for use by circus clowns (under certain
conditions and restrictions):

http://marc.info/?l=openbsd-misc&m=126596870506480&w=2

 
  Date: Wed, 24 Feb 2010 12:20:03 -0700
  From: dwchand...@stilyagin.com
  To: genesi...@hotmail.com
  CC: misc@openbsd.org
  Subject: Re: OpenBSD insecure OS?
 
  On Wed, Feb 24, 2010 at 07:02:15PM +, carlos albino garcia grijalba
 wrote:
   I foud this:
   http://allthatiswrong.wordpress.com/2010/01/20/the-insecurity-of-openbsd/
  
   so ?
 
  http://marc.info/?t=12641295802&r=1&w=2
 
  So.
 
  --
  Darrin Chandler|  Phoenix BSD User Group  |  MetaBUG
  dwchand...@stilyagin.com   |  http://phxbug.org/  |
 http://metabug.org/
  http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG
 Federation
 



Re: OpenBSD Volunteer needed today in Los Angeles - Solved!

2010-02-21 Thread Brad Tilley
On Sun, 21 Feb 2010 15:35 -0800, Michael Dexter dex...@bsdfund.org
wrote:
 Thank you Seth and Brooke for materializing and putting on a great
 OpenBSD booth at SCaLE in Los Angeles.
 
 Overheard question of the day: Could you please get EAL level 4
 certification so I can use you in the US Air Force? (Milaero country...)

Glad the booth was manned... however, with time, money and the right
scenario, anyone can get a rubber stamp: 

http://web.archive.org/web/20060527063317/http://eros.cs.jhu.edu/~shap/NT-EAL4.html

 Michael



Re: OT: opinions on IDS / IPS solutions

2010-02-18 Thread Brad Tilley
On Wed, 17 Feb 2010 22:59 -0500, Jason Beaudoin
jasonbeaud...@gmail.com wrote:
 Hi There,
 
 As I often have greater respect for a much larger portion of this list
 than the rest of the internet, I am curious what is thought about
 current IDS/IPS hardware from vendors like Trustwave, Checkpoint,
 Alert Logic, mod_security, even snort.. etc, and in particular, the
 sensibility and effectiveness of using them in high-security
 environments.

I use Snort in IDS mode on OpenBSD and am very satisfied with it. It's
hard to justify spending 10's or 100's of thousands of dollars for
commercial solutions that have the same issues as Snort (false
positives, requires tuning and constant monitoring). I have used large
IBM/ISS Proventia systems in the past. Some of the commercial offerings
will not even give you a terminal so you can use tcpdump... can you
believe that? You have the perfect spot on the network and the perfect
hardware, but you can only use it in a very limited fashion. Very
frustrating.

General purpose OpenBSD boxes with big beefy network interfaces cost a
lot less and does more. I use FreeBSD to run BASE as the analysis
frontend. The OpenBSD Snort sensors ship their alerts to it. I would use
OpenBSD for the frontend as well, but BASE is not currently in ports and
I have not had time to work on porting it and prefer not to go outside
of ports.

Also, I would stay away from IPS mode. There are enough network problems
as is without something randomly deciding to drop packets. There's no
better way to make a network engineer mad than to send them on a wild
goose chase trying to figure out why packets are not getting delivered
only to find out that the IPS is dropping them because certain SSL
traffic looks like a buffer overflow or something. 

That has been my experience.

Brad

 From a compliance perspective, I don't have much choice. From the
 costs, infrastructure, and administrative perspectives, I am currently
 evaluating whether or not I should be leaning towards and IDS or IPS
 solution, and of course which system/vendor. My understanding is that
 something like snort requires a fair bit of maintenance and
 IT-attention, the trade-off being cost, so I am leaning away from
 this. Between detection and prevention, preventing break-ins seems a
 bit sillier than trying to actively monitor what's going on and to
 then look for threats, so this pushes me more towards IDS over IPS.
 
 Thoughts, suggestions, flames, are all welcome.
 
 Thanks.
 
 ~Jason



Re: Security feed

2010-02-17 Thread Brad Tilley
On Wed, 17 Feb 2010 20:05 +0100, Jean-Francois jfsimon1...@gmail.com
wrote:
 Hello All,
 
 I am a little bit out of subject but please allow me to ask you about
 feeds of 
 security issues.
 
 Thank you

I read this page and the links off of it:

http://www.openbsd.org/errata.html 



Re: routing and pf at 10Gbps

2010-02-12 Thread Brad Tilley
On Fri, 12 Feb 2010 14:59 +0100, Bret Lambert bret.lamb...@gmail.com
wrote:
 On Fri, Feb 12, 2010 at 2:52 PM, Diana Eichert deich...@wrench.com
 wrote:
  On Thu, 11 Feb 2010, Claudio Jeker wrote:
 
  Henning, I told you, we should not talk about unfinished projects.
  We planned to announce this in exactly 7 weeks. Anyway, too late, the cat
  is out of the bag.
  So Henning and Oga are working at offloading pf into the graphic card
  cores by using the DRI interface. The shader will evaluate the ruleset
  and packets in parallel and use the graphic memory for the state table.
  Additionally if the speed of one card is not enough you can use SLI or
  crossfire to use multiple cards in parallel.
 
  --
  :wq Claudio
 
  okay, now you have piqued my interest
 
  I will sit back and wait for more info
 
 I, too, hope to get news of this shortly after March is over.

The rumor is that they are using CUDA on Nvidia graphics cards with
advanced object oriented C++ and it is so fast that several developers
are considering switching from C to C++ even for the kernel, after
migrating to ZFS and replacing Perl in base with Java. Good times for
OpenBSD indeed. Glad to see they are finally making some much needed
improvements.

OK... enough Friday humor.
 
 
  thanks
 
  diana 



Re: Read_Write buffers for dd WAS: little cp diff

2010-02-08 Thread Brad Tilley
On Mon, 08 Feb 2010 09:06 -0500, Sean Kennedy woodentu...@hotmail.com wrote:
 Moving this to m...@...
 
 Would part of this discussion usefully relate to such issues as using
 'dd'
 for diskwipes/copies/reformatting and slow data movement speeds?
 
 There are times when I am wiping (for reuse) hard disks using 'dd' and I
 set
 the BlockSize to > 512 (like 1M or so sometimes)


In my experience, a bs of 64k is about as big and fast as you'll get. Setting 
bs larger than that may make dd a tad faster, but not much.  Also, when IO 
errors occur with a larger bs you'll drop more data than you would have using a 
512 byte block. Some modified dd's, such as ddrescue, set larger blocksizes 
initially in an effort to increase speed, but revert to 512 bytes upon IO 
errors.

Brad


 and the transfer speeds are quite a lot slower than for using 'dd' on
 some
 other Operating systems. (Linux or Windows)
 
 Mind you, for a lot of this, I am using oBSD RamDISK, so I am not
 anticipating
 a full-fledged OS support for the ATA or SCSI or USB2 platforms. But for
 those
 systems where I am using -stable or -current,  the speeds are still
 comparably
 slow.
 
 I concur with Theo's point on portability and making a sysctl for kernel
 is
 hazardous, but what am I seeing in the above for 'dd' that would be
 causing
 the poor performance?
 (* BTW, I am using  if=/dev/zero for the baseline, other if=/...'es may
 have
 lower performance as an input for compare*)
 
 
 Just my 2 cents.
 
 -sean
 
  Subject: Re: little cp diff
  2010/2/8 Theo de Raadt dera...@cvs.openbsd.org:
   For those of you who asked why cp needs to be portable, come on.
   You've got it all wrong.  If cp isn't written in a portable fashion,
   then what is the point of doing anything else in a portable fashion.
  This is good and reasonable answer. So I think we should stop discussion.
  antonvm



Re: Is OpenBSD + PF accredited or certified in any way ?

2010-02-02 Thread Brad Tilley
On Tue, 02 Feb 2010 18:09 +, Bayard Bell 
buffer.g.overf...@googlemail.com wrote:
 Formal evaluation just means that the features judged relevant to the  
 evaluation can be minimally verified. On the flip side, there's David  
 Litchfield's observation in the introduction to The Oracle Hacker's  
 Handbook: "The Oracle RDBMS was evaluated under Common Criteria to  
 EAL4... However, the first few versions of Oracle that gained EAL4 had  
 a buffer overflow in the authentication mechanism." He goes on to say that  
 standards are necessary to some extent but not fully indicative.  
 You'll find summary arguments and starting links off the Common  
 Criteria's Wikipedia entry. Given such limitations, perhaps you might  
 propose a more open evaluation and make code access for audit,  
 including by escrow access for an established third-party authority,  
 as a major criteria?

Common Criteria - http://www.iso15408.net - has largely replaced ITSEC and 
others. Like some other ISO standards, you may have to purchase a copy. I would 
say that CC makes some people feel good, but does little in the way of real 
Security. Microsoft Windows XP is EAL4 certified when configured certain ways. 
I think the certification process can be very narrowly focused on a few parts 
of the system so the vendor can say, "Look at this component of our OS, but not 
those" or "Certify our OS when configured a certain way." 

It's a costly process too and takes awhile to complete. I'm not sure any open 
source OS is certified. For-profit, vendor-backed Linux distributions (RHEL) may 
be as they have the time and money to waste on it and TrustedBSD makes 
reference to CC, but I don't think it's certified.

Brad
 
 Am 1 Feb 2010 um 23:06 schrieb Keith:
 
  I've used OpenBSD & PF for a number of years without issue and am  
  now in the position that I want to create a dmz between the Internet  
  and my organisation's WAN. Our security people are asking if the  
  firewall that we use is accredited by ITSEC and I am pretty sure  
  it isn't but it turns out that our security people will be happy if  
  the firewall is accredited for use by another government !
 
  I am very happy with my PF firewalls and their reliability and don't  
  want to be forced into purchasing some cisco / forenet commercial  
  firewall that I've never used before so am desperate to find some  
  details of any foreign governments that are using OpenBSD / PF as a  
  firewall or any details of any certification of the PF firewall.
 
  Can anyone help me out ?
 
  Thanks
  Keith
 
 



Re: PowerEdge 850 for a small office firewall

2010-01-27 Thread Brad Tilley
On Wed, 27 Jan 2010 07:54 -0500, Chris Dukes pak...@pr.neotoma.org wrote:
 On Tue, Jan 26, 2010 at 04:38:08PM -0800, mehma sarja wrote:
  I am running an embedded 533 MHz with 256 MB memory and it is woefully
  inadequate for an office setting. Even for a home setting which wants stuff
  like snort running as well. I would WAG at least a 2 GB memory and the Atoms
  max out at that...? If the firewall will be doing other stuff like snort,
  vpn, dns, dhcp, nat, (I am talking pfSense here), then 2 GB is rather short
  and I'd like to see a beefier CPU as well. So, the question really is what
  all are you going to be doing with it?
 
 Is it still woefully inadequate if snort, vpn, and DNS are moved
 off the firewall?

On a busy interface, Snort can use a good deal of CPU consistently:

load averages:  0.50,  0.31,  0.24 08:09:25
33 processes:  31 idle, 2 on processor
CPU0 states:  4.4% user,  0.0% nice,  0.2% system,  8.8% interrupt, 86.6% idle
CPU1 states:  0.0% user,  0.0% nice,  0.0% system,  0.0% interrupt,  100% idle
CPU2 states:  0.0% user,  0.0% nice,  0.0% system,  0.0% interrupt,  100% idle
CPU3 states: 11.8% user,  0.0% nice,  0.0% system,  0.0% interrupt, 88.2% idle
Memory: Real: 180M/542M act/tot  Free: 2819M  Swap: 0K/518M used/tot

  PID USERNAME PRI NICE  SIZE   RES STATE     WAIT      TIME    CPU COMMAND
16499 _snort    31    0  171M  158M onproc/1  -        24.9H 16.89% snort
 5502 root       2    0 1116K 2080K sleep/1   select    0:51  0.00% sendmail
16446 _pflogd    4    0  636K  444K sleep/0   bpf       0:06  0.00% pflogd


 I ask because running DNS on the firewall has given me the heebie jeebies
 for years.  And I have dim memories of a few security exploits for snort.
  
 
 -- 
 Chris Dukes 



Re: fsck segfault on a big partition, 4.6

2010-01-27 Thread Brad Tilley
On Wed, 27 Jan 2010 20:43 +, Rob Sheldon r...@associatedtechs.com wrote:

[snip]

 softraid0 at root
 root on sd1a swap on sd1b dump on sd1b
 
 ...that's odd, it's showing swap (and dump) on sd1b, but there's no such
 thing:
 
 $ sudo df /dev/sd1b
 df: /dev/sd1b: Device not configured

 ...maybe it really doesn't like running without swap?

It's there. disklabel -vh sd1 and you'll see b is swap. Try swapctl as well... 
also dmesg | grep swap:

root on sd1a swap on sd1b dump on sd1b
 

 Oh wait, it's showing only 3G of memory installed. I just physically
 checked the machine, and it has 4 full banks of 2G each. amd64 should be
 able to address that, right?

I think you would need a bigmem enabled kernel.
 
 That could certainly explain why fsck is unhappy.
 
 Thanks,
 
 - R.
 
 -- 
 [__ Robert Sheldon
 [__ Founder, No Problem
 [__ Information technology support and services
 [__ Software and web design and development
 [__ (530) 575-0278
 [__ You must be the change you wish to see in the world. -- Mahatma
 Gandhi



Re: fsck segfault on a big partition, 4.6

2010-01-27 Thread Brad Tilley
Whoops... re-reading, I see that I missed your disklabel output... sorry.


On Wed, 27 Jan 2010 17:25 -0500, Brad Tilley b...@16systems.com wrote:
 On Wed, 27 Jan 2010 20:43 +, Rob Sheldon r...@associatedtechs.com
 wrote:
 
 [snip]
 
  softraid0 at root
  root on sd1a swap on sd1b dump on sd1b
  
  ...that's odd, it's showing swap (and dump) on sd1b, but there's no such
  thing:
  
  $ sudo df /dev/sd1b
  df: /dev/sd1b: Device not configured
 
  ...maybe it really doesn't like running without swap?
 
 It's there. disklabel -vh sd1 and you'll see b is swap. Try swapctl as
 well... also dmesg | grep swap:
 
 root on sd1a swap on sd1b dump on sd1b
  
 
  Oh wait, it's showing only 3G of memory installed. I just physically
  checked the machine, and it has 4 full banks of 2G each. amd64 should be
  able to address that, right?
 
 I think you would need a bigmem enabled kernel.
  
  That could certainly explain why fsck is unhappy.
  
  Thanks,
  
  - R.
  
  -- 
  [__ Robert Sheldon
  [__ Founder, No Problem
  [__ Information technology support and services
  [__ Software and web design and development
  [__ (530) 575-0278
  [__ You must be the change you wish to see in the world. -- Mahatma
  Gandhi



Re: rename(2) man page (was: Re: OpenSMTPd actual development and integration)

2010-01-25 Thread Brad Tilley
On Mon, 25 Jan 2010 12:32 -0800, Ben Calvert b...@flyingwalrus.net wrote:

 Tracing this discussion back to its origins earlier this month, I see
 the
 problem as arising from a statement made by a Mathematician (DJB) about
 the
 infallibility of his software when used with certain filesystems.
 
 It is understandable for someone from a theoretical field (math) to
 assume
 that there exists such a thing as certainty in real life... but
 unacceptable
 in a software engineer.

Not sure it is correct to say that DJB is only theoretical. He wrote the SHA1 
code that won the Engineyard SHA1 contest. His code is 12 times faster than 
OpenSSL's SHA1. DJB has also written a lot of Unix utilities, some of which are 
controversial, nevertheless, he can write code.

http://www.win.tue.nl//sha-1-challenge.html

Brad



Re: The insecurity of OpenBSD

2010-01-22 Thread Brad Tilley
On Fri, 22 Jan 2010 07:22 -0600, Marco Peereboom sl...@peereboom.us wrote:
 It doesn't and I'll argue all day that it won't help you a bit.
 
 Here is an example:
 1. running system with OMGACL
 2. pkg_add -ui
 3. couple of days later at 3am bz got come to the datacenter because
the app bombed
 4. oh, the acl terminated it; adjust
 5. repeat 3 - 4 until it works
 6. repeat 2 - 5 in perpetuity
 
 - or -
 
 1. Disable ACL.

[snip]

I saw a group of sys admins go through those very steps several years ago while 
attempting to deploy SELinux. After 3 months of trying to make it work, they 
disabled it. It could have been done, but they would have had to triple the 
support staff to make it work.



Re: Books on reverse engineering?

2010-01-21 Thread Brad Tilley
On Wed, 20 Jan 2010 17:52 -0800, James Hozier guitars...@yahoo.com wrote:
 With every single laptop I've bought/been given over the years, I
 was able to run OpenBSD on them almost flawlessly save a few
 quick/simple hacks to make anything that didn't work, work.
 
 The one main issue I've had with ALL of them was the wireless
 card...maybe I was just unlucky to have gotten ones with crappy
 chipsets 

Purchase a few 802.11 USB sticks. You can find devices that have very 
well-documented chipsets on newegg for less than 15 dollars (USD). These 
devices are 100% supported in OpenBSD. The man pages list these devices and are 
very accurate. For example, man run and see the HARDWARE section.

You might also consider installing OpenBSD -current to a USB stick and try 
booting the laptop from that before purchasing. That way, you'd know exactly 
what hardware you were getting.

Brad

[snip]



Re: the root is on

2010-01-16 Thread Brad Tilley
On Sat, 16 Jan 2010 14:37 +0100, Manuel Giraud manuel.gir...@univ-nantes.fr 
wrote:
 Otto Moerbeek o...@drijf.net writes:
 
  Here's a probably stupid question: since the kernel can detect the root
  on sd0a why is there still a need for fstab entry for it?
 
  Because you might want to specify mount options, or an alternate root.
 
 In fact, I was wondering because I have installed OpenBSD on a USB
 flash drive.
 
 I use softraid and have a script to decrypt the RAID partition and setup
 a custom fstab with the correct 'sd?' for decrypted devices, it works
 alright. But if root is not sd0a, I have to 'boot bsd.rd' and 'ed
 /etc/fstab' before. Does anybody do this and have a better solution?

Not sure I understand, but I have similar softraid crypto setups and there's no 
need to boot bsd.rd to edit /etc/fstab. When you boot bsd or bsd.mp and are 
dumped to sh to run bioctl, use ed to correct /etc/fstab there.

Also, in my experience, this is not an issue unless you are adding and removing 
sd devices. For example, the physical volume may be wd0 and the softraid volume 
may be sd0 at the moment, but when you insert a USB stick and reboot, then that 
USB stick will become sd0 and the softraid volume will become sd1. In that case 
/etc/fstab must be edited. I think Marco is working on a general fix for this.

Brad

 
 -- 
 Manuel Giraud
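The edit both posts describe, done at the single-user sh prompt, has one constraint worth making explicit: /usr is not mounted yet, so sed, awk and the like are unavailable and only /bin and /sbin tools (sh, ed, mv) can be used. The function below, an added example that is not from the thread (function names and the sample fstab are mine), renames the disk part of the device field (sd0a to sd1a, sd0b to sd1b) with nothing but sh builtins and mv, and leaves comments, mount options and other disks (wd0a) untouched; the equivalent interactive ed commands are in the comment.

```shell
#!/bin/sh
# Rename the disk part of the device field in an fstab, e.g. sd0a -> sd1a,
# sd0b -> sd1b, leaving mount options, comments and other disks (wd0a) alone.
# Uses only sh builtins plus mv, so it works at the single-user sh prompt
# where /usr (and so sed, awk, perl) is not mounted yet. Added example; the
# function names and the sample fstab below are constructed, not from the thread.
#
# usage: rename_fstab_dev /etc/fstab sd0 sd1
rename_fstab_dev() {
    fstab=$1 old=$2 new=$3
    tmp=$fstab.new
    tab=$(printf '\t')
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            # first field is /dev/<old><partition letter> followed by a blank
            "/dev/$old"[a-p]" "*|"/dev/$old"[a-p]"$tab"*)
                line="/dev/$new${line#/dev/$old}" ;;
        esac
        printf '%s\n' "$line"
    done < "$fstab" > "$tmp" && mv "$tmp" "$fstab"
}

# The same edit typed interactively in ed(1), which also lives in /bin,
# for a softraid volume that moved from sd0 to sd1:
#   ed /etc/fstab
#   ,s/^\/dev\/sd0/\/dev\/sd1/
#   w
#   q

# write_sample_fstab FILE: a constructed fstab for trying the function out
write_sample_fstab() {
    printf '%s\n' \
        '# constructed sample, not a real system' \
        '/dev/sd0a / ffs rw 1 1' \
        '/dev/sd0b none swap sw' \
        '/dev/sd0d /usr ffs rw,nodev 1 2' \
        '/dev/wd0a /mnt/other ffs rw,noauto 0 0' > "$1"
}

# Stand-alone demo on the constructed sample
demo=$(mktemp) && write_sample_fstab "$demo" && rename_fstab_dev "$demo" sd0 sd1 \
    && cat "$demo" && rm -f "$demo"
```

The match is deliberately anchored on the first field and on a single partition letter, so a line whose mount point or options happen to contain "sd0" is not rewritten, and the old file is only replaced once the whole new copy has been written.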



Re: thinkpad x200 wireless 5100 old issue

2010-01-12 Thread Brad Tilley
  If this machine isn't production, then no harm could come from trying
  a snapshot.  It would give the developers a much better idea as to
  where your system's at.  Use a USB thumb drive if you're that worried
  about trashing your data.
 
  -- 
  Aaron Mason - Programmer, open source addict
  I've taken my software vows - for beta or for worse
 
 
 ok, you've convinced me, I'll give it a try on a usb thumb for a start.
 tks

It's the easiest bootable OS on a USB stick install you'll ever do. Just 
install like you normally would except rather than using the internal hard 
drive, select the USB drive.

Brad 



scsi output similar to atactl identify

2010-01-04 Thread Brad Tilley
Is there a way to get scsi output data similar to 'atactl device identify' 
output? 

# atactl /dev/rwd0c identify
Model: Kingston SSDNow V Series 64GB, Rev: B090522a, Serial #: 06J990030232
Device type: ATA, fixed
Cylinders: 16383, heads: 16, sec/track: 63, total sectors: 125045424
Device capabilities:
ATA standby timer values
IORDY operation
IORDY disabling
Device supports the following standards:
ATA-4 ATA-5 ATA-6 ATA-7 
Master password revision code 0xfffe
Device supports the following command sets:
READ BUFFER command
WRITE BUFFER command
Write cache
Power Management feature set
Security Mode feature set
SMART feature set
Flush Cache command
Device has enabled the following command sets/features:
READ BUFFER command
WRITE BUFFER command
Write cache
Power Management feature set
SMART feature set
Flush Cache command


Reading the scsi manpage, the inquiry command:

# scsi -f /dev/rsd2c -c 12 0 0 0 64 0 -i 0x64 s8 z8 z16 z4

outputs the name of the controller (DELL PERC 5/i 1.03) but no info about the 
drives connected to it.

Brad
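The scsi(8) invocation above sends a raw INQUIRY to the logical unit that the controller presents as sd2, so the reply identifies the PERC's virtual disk, not the physical drives behind it; that is why only the controller's name comes back. As an added example, not from the thread, the shell functions below (names and the sample response are constructed, not captured from a device) decode the standard INQUIRY response the same way the "s8 z8 z16 z4" format does, and also report the peripheral device type in byte 0, which the format string skips.

```shell
#!/bin/sh
# Decode a SCSI INQUIRY (opcode 0x12) standard response held in a file of raw
# bytes, which is what "-c 12 0 0 0 64 0 -i 0x64" asks for: opcode 0x12,
# EVPD=0, page 0, allocation length 0x64 bytes, control 0, then read 0x64
# bytes back. The "s8 z8 z16 z4" format skips 8 bytes and prints three
# space-padded strings, because the standard response (SPC) lays out:
#   byte 0     peripheral qualifier (bits 7-5) and device type (bits 4-0)
#   byte 1     bit 7 = removable medium
#   byte 2     ANSI/SPC version
#   bytes 8-15 T10 vendor id, 16-31 product id, 32-35 product revision
# Added example with constructed function names; the sample response
# written by make_sample_inquiry is constructed, not real device data.

# inq_byte FILE OFFSET: one byte as a decimal number
inq_byte() {
    od -An -tu1 -j "$2" -N 1 "$1" | tr -d ' \n'
}

# inq_str FILE OFFSET LEN: an ASCII field with NULs and trailing spaces removed
inq_str() {
    s=$(dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | tr -d '\000')
    while [ "${s% }" != "$s" ]; do s=${s% }; done
    printf '%s' "$s"
}

# inq_devtype FILE: name of the peripheral device type in byte 0 bits 4-0
inq_devtype() {
    case $(( $(inq_byte "$1" 0) & 31 )) in
        0)  echo "direct access (disk)" ;;
        1)  echo "sequential access (tape)" ;;
        5)  echo "CD/DVD" ;;
        12) echo "RAID controller" ;;
        13) echo "enclosure services" ;;
        31) echo "unknown or no device" ;;
        *)  echo "other" ;;
    esac
}

# inq_summary FILE: "VENDOR PRODUCT REV [type]"
inq_summary() {
    printf '%s %s %s [%s]\n' "$(inq_str "$1" 8 8)" "$(inq_str "$1" 16 16)" \
        "$(inq_str "$1" 32 4)" "$(inq_devtype "$1")"
}

# make_sample_inquiry FILE [TYPE]: write a constructed 36-byte response with
# the controller name from the thread; TYPE is byte 0 in octal (default 014,
# i.e. 0x0c RAID controller; 000 would be a plain disk). Byte 4 (037) is the
# additional length, 36 - 5 = 31.
make_sample_inquiry() {
    t=${2:-014}
    printf "\\${t}\\000\\005\\002\\037\\000\\000\\000DELL    PERC 5/i        1.03" > "$1"
}

# Stand-alone demo on the constructed sample
sample=$(mktemp) && make_sample_inquiry "$sample" && inq_summary "$sample" \
    && rm -f "$sample"
```

To decode a real response, capture it with scsi -f /dev/rsd2c -c 12 0 0 0 64 0 -i 0x64 into a file (redirecting its output, or adjusting the format string to dump raw bytes) and pass that file to inq_summary; per-drive identity behind a RAID controller still has to come from the controller's own interface, as the bioctl reply in this thread notes.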



Re: scsi output similar to atactl identify

2010-01-04 Thread Brad Tilley
On Tue, 05 Jan 2010 01:46 +1100, Jonathan Gray j...@goblin.cx wrote:
 For raid controllers like your mfi, you can use bioctl(8) to list some
 information about the individual drives.

Not quite as informative as atactl... adding a -q breaks it:

# bioctl -ihv sd0 
Volume  Status   Size Device  
 mfi0 0 Online  67.8G sd0 RAID1
  0 Online  68.4G 1:0.0   noencl FUJITSU MAY2073RC   D108
 'unknown serial'
  1 Online  68.4G 1:1.0   noencl FUJITSU MAY2073RC   D108
 'unknown serial'

# bioctl -ihvq sd0
bioctl: DIOCINQ: Invalid argument


From the bioctl man page:

-q  Show vendor, product, revision, and serial number for the given disk.



Re: 802.11n cards for AP?

2010-01-01 Thread Brad Tilley
On Fri, 01 Jan 2010 19:16 -0500, Steven M. Caesare scaes...@caesare.com 
wrote:
 So... back in the 3.6ish days, I had a Prism-based 802.11b card that I
 used in my OpenBSD FW for a wireless access point. Worked like a charm
 until I relocated my FW, and could no longer get good RF coverage. Went
 with a consumer-based 802.11g AP configured as a bridge.
 
 That unit just died.
 
 I've found some cable/antenna assemblies that might allow me to remote
 an antenna to a good spot in the house for coverage, and I'm thus
 re-considering going with a FW based AP setup once again.
 
 According to the OpenBSD site, the following 802.11n devices are
 supported:
 
 athn
 iwn
 ral
 run

As of 4.6-release, 802.11n is not yet implemented. The devices you list work, 
but not in n. From the run man page:

CAVEATS
 The run driver does not support any of the 802.11n capabilities offered
 by the RT2800 and RT3000 chipsets.  Additional work is required in
 ieee80211(9) before those features can be supported.



Re: testing a drive with dd -- odd results

2009-12-31 Thread Brad Tilley
On Thu, 31 Dec 2009 09:03 -0500, Scott McEachern sc...@erratic.ca wrote:
 I've been using dd to test some of my hard drives and just ran into the 
 oddest of coincidences.
 
 I used this command (or variation without the time command)
 
 # time dd if=/dev/rwd0c of=/dev/null
 
 on three machines with three HDD's of sizes 40GB SATA, 40GB IDE and 30GB 
 IDE, one of those 40GB (SATA) drives was in my workstation.  The result 
 is basically the same: x number of bytes transferred, etc. with no 
 problems.  They are all a few years old.  I bought a brand-new Seagate 
 Barracuda SATA/1.5TB/7200/32MB, installed it into my workstation and ran 
 the same test to get this:
 
 # dd if=/dev/rwd0c of=/dev/null
 dd: /dev/rwd0c: Input/output error
 268435455+0 records in
 268435455+0 records out
 137438952960 bytes transferred in 23763.827 secs (5783536 bytes/sec)
 
 What got me doing that in the first place was my workstation locking up 
 hard 3 times in the past few weeks.  I have no idea why, nothing in the 
 system logs, etc, and the only change was the HDD.  I figured the drive 
 was defective, ran the above test, and returned it for a replacement.  
 While there, I also picked up a WD 500GB SATA drive and installed that 
 in my workstation (to be pre-built and installed in another PC), which 
 gave this result:
 
 # time dd if=/dev/rwd0c of=/dev/null
 976773168+0 records in
 976773168+0 records out
 500107862016 bytes transferred in 93283.067 secs (5361186 bytes/sec)
  1554m43.06s real (etc)
 
 No I/O error, so it should be good.  That's 2 drives ok (40 and 500 GB) 
 and 1 drive bad in the same PC, now for the 2nd new 1.5TB drive:
 
 dd: /dev/rwd0c: Input/output error
 268435455+0 records in
 268435455+0 records out
 137438952960 bytes transferred in 23740.766 secs (5789154 bytes/sec)
  395m40.76s real (etc)
 
 Oh, another crappy drive, I guess I have bad luck.  Probably from a bad 
 batch or something.  But wait...
 
 Look at the amounts transferred.  Exactly the same for both of the 1.5TB 
 drives, and I assure you it's not accidentally the same drive, just the 
 exact same make / model.  The cables / connections are good on known 
 good hardware, plus two other different drives were fine.  It can't be 
 some odd variable limit (or similar thing) because the 500GB values went 
 well beyond where the 1.5TB drives crapped out.
 
 I don't believe it's the hardware (other than the drive), nor the 
 software, but seeing those numbers being identical down to the byte is 
 either incredibly coincidental or .. ?  I'm going to run the test again, 
 but as you can see from the time it won't be done for another 6.5 
 hours.  Betcha it'll be the same.
 
 Can anyone think of a plausible explanation for this, other than maybe a 
 bad batch where the drives are all equally defective at the exact same 
 spot?  While I'm here, can anyone recommend another tool than dd for 
 testing drives?  Seems to me with those numbers, to finish a 1.5TB drive 
 it'll take around 76 hours.  I don't mind the time, I need 
 thoroughness.  It's better than having a workstation (or server) 
 mysteriously lock up after the 30-day return/exchange is over.

You can speed dd up considerably by setting bs to a larger size; by default 
it's 512 bytes, although this may interfere with the accuracy of your testing. 
Here's an example:

# time dd if=/dev/rsd1c of=/dev/null
494079+0 records in
494079+0 records out
252968448 bytes transferred in 371.001 secs (681852 bytes/sec)
6m11.00s real 0m0.11s user 0m6.36s system

# time dd if=/dev/rsd1c of=/dev/null bs=4m
60+1 records in
60+1 records out
252968448 bytes transferred in 23.160 secs (10922468 bytes/sec)
0m23.16s real 0m0.00s user 0m0.00s system
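Two bits of arithmetic make these numbers easier to read. First, dd reports records as "full+partial", so the bs=4m run shows 60+1 because 252968448 bytes is 60 whole 4 MiB blocks plus a remainder. Second, the count at which both 1.5 TB drives stopped, 268435455, is 2^28 - 1: the reads died at exactly the last sector reachable with 28-bit LBA addressing (137438952960 bytes), which is consistent with a controller, BIOS or driver addressing limit rather than two drives defective at the same byte, and is worth ruling out before returning hardware. The shell functions below are an added example, not part of the thread (names are constructed), and do both checks on the values quoted above.

```shell
#!/bin/sh
# Sanity arithmetic for dd(1) results. Added example; function names are
# constructed, not from the thread. Shell arithmetic is 64-bit in sh/bash,
# so byte counts in the hundreds of GB are fine.

# dd_records BYTES BS: what dd prints as "records in" for BYTES read with BS
dd_records() {
    printf '%s+%s\n' $(( $1 / $2 )) $(( $1 % $2 > 0 ))
}

# dd_bytes RECORDS BS: the "bytes transferred" figure for RECORDS full blocks
dd_bytes() {
    echo $(( $1 * $2 ))
}

# lba_boundary RECORDS BS: print k if RECORDS*BS/512 equals 2^k - 1 sectors,
# i.e. the read stopped exactly at a k-bit addressing limit (k=28 is the
# 28-bit ATA LBA limit, 128 GiB; k=32 is 2 TiB), otherwise print "none".
lba_boundary() {
    sectors=$(( $1 * $2 / 512 ))
    next=$(( sectors + 1 ))
    # a power of two has exactly one bit set
    if [ "$(( next & (next - 1) ))" -ne 0 ]; then
        echo none
        return 0
    fi
    k=0
    while [ "$(( next >> k ))" -gt 1 ]; do k=$(( k + 1 )); done
    echo "$k"
}

# Values quoted in this thread: the bs=4m run, the two 1.5 TB drives that
# failed, and the 500 GB drive that read to the end.
dd_records 252968448 4194304      # 60+1
dd_records 252968448 512          # 494079+0
dd_bytes 268435455 512            # 137438952960
lba_boundary 268435455 512        # 28
lba_boundary 976773168 512        # none
```

A "none" result means the failure offset is not a round addressing boundary and a media or cabling fault becomes the more likely explanation; a hit at 28 or 32 says to check firmware, controller and driver support for large drives before blaming the disk.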


