On Tue, Oct 02, 2007 at 11:46:24AM -0600, Bob Beck wrote:
(though i have to confess, i haven't made a donation since i upgraded
my gateway to 4.1 ... i have an excuse !!! and it was only last week.
and i will)
And this is exactly the problem. Look, you guys can quibble all you
On Mon, Oct 01, 2007 at 09:43:37AM -0600, Bob Beck wrote:
Wouldn't it be win-win if people there could buy DVD (with more data on
it, i.e. needing less downloads) and an agreement could be made that XX
$ (enough to compensate for the not-sold CDs) for each DVD sold are paid
to OpenBSD?
On Sun, Sep 23, 2007 at 10:54:06PM +0100, Rui Miguel Silva Seabra wrote:
On Sat, Sep 22, 2007 at 06:47:46PM -0500, L. V. Lammert wrote:
OBSD is UNIX, .. SELinux is Linux. If you want a secure, efficient,
compact OS done by folks you can trust and actually talk to, use OBSD; if
you want
On Sat, Sep 22, 2007 at 08:38:17PM +0300, Ihar Hrachyshka wrote:
The problem of Linux as a whole is that it tries to resolve security
problems not by auditing code but by implementing SELinux. But what
the problem would be if OpenBSD has SeBSD extension?
I think the nearest equivalent is
On Sun, Aug 26, 2007 at 12:48:06PM +0200, alwin wrote:
i have a webserver and i'm using ipv6 and ipv4 addresses. the apache
server in openbsd does not support ipv6 so i thought i will use pf to nat
the ipv6 address to the ipv4 address for port 80. but pf for some reason
does not support this.
On Mon, Aug 27, 2007 at 04:36:06PM +0200, alwin wrote:
the faithd daemon also looks quite cool, although it maps the other way
around, it will be useful when you have an ipv6 only network.
When faithd receives TCPv6 traffic, faithd will relay the TCPv6 traffic
to TCPv4.
Hmm, sounds
On Sun, Aug 19, 2007 at 12:25:43PM +1000, Chris wrote:
fetchmail was complaining that procmail cannot create /var/mail/me
while fetching mail. The permission on /var/mail/ directory was set to
-
drwxr-xr-x 2 root wheel 512 Aug 19 12:16 /var/mail/
I changed it to -
drwxrwxr-x 2 root
On Wed, Aug 15, 2007 at 12:03:37PM +0100, David Given wrote:
Jacob Yocom-Piatt wrote:
[...]
i ask this because i've bought cheapo 4-port switches in the past and
had them seize-up on occasion. seize-ups are totally unacceptable to me
for this application so suggestions on which brand or
On Thu, Aug 09, 2007 at 06:07:08PM +1000, Chris wrote:
I'm trying to buy (from ebay) a cisco switch, router and pix firewall
for learning purposes. All these will be connected to a Linksys ADSL
modem which also has wireless capability. The OSs will be OpenBSD4.1,
Windows XP and Linux distros.
On Sun, Aug 12, 2007 at 09:39:04AM +0100, Brian Candler wrote:
Could anyone recommend anything that would be great for leaning
purposes
Sorry, my mistake - I thought you said for *learning* purposes. For
*leaning* purposes, an empty 72xx chassis is probably heavy enough :-)
On Mon, Aug 06, 2007 at 01:41:17AM +0200, [EMAIL PROTECTED] wrote:
I would like to get a OpenBSD installed on a box where a FreeBSD 6.2 is
currently installed.
I thought about using Yaifo like I did many times before.
I just have to face a problem with FreeBSD.:
My HDD is ad4s1 and I
On Tue, Jul 31, 2007 at 09:59:23PM +0100, poncenby wrote:
Grateful if anyone could recommend a mail retrieval program which does
not require a local SMTP service like fetchmail does.
From 'man fetchmail':
-m command | --mda command
(Keyword: mda) You can force mail
On Mon, Jul 30, 2007 at 05:46:34AM -0700, Juhani wrote:
As far as I understood from the kernel source glimpse the - and - in
pfctl -ss mean PF_IN and PF_OUT. So although you have not limited the rules
to a specific interface there happens something similar to tcp src and
dst ports get turned
On Mon, Jul 09, 2007 at 11:02:46PM +0100, Brian Candler wrote:
My home desktop system is an
Epia M-1 in a fanless case. I've not measured its power consumption, but
I think it's pretty low.
I just got an Electrisave. Its resolution is only 10W, but according to
that, this PC takes 20W
On Sat, Jul 14, 2007 at 02:38:14PM -0400, Douglas Allan Tutty wrote:
I'm familiar with apsfilter and actually just got it to work with this
printer on my debian box with debian's stock gs-gpl.
Part of my reason for asking on OBSD is that I'm exploring the larger
issue of licensing. I know
I'm trying to make a small router/firewall running with OpenBSD but before
setting up this I want to know its electric consumption.
I have recently discovered a linux software whose name is: powertop.
I don't think there's a powertop port for OpenBSD just yet, but for
the application
You don't want user 1's web applications to be able to access data in user
2's web application storage space.
I will only be using mod_php. In the past, without the user shell
accounts, this has worked rather well for me in combination with the
open_base_dir directive in the
In their homedir there is a `ln -s` to their /var/www/home/username
webspace. That webspace is chowned username:www and chmodded 770 so
httpd can access/write to their dir as well.
Is that advisable / workable? Other ideas?
You don't want the www user being able to write to your web space.
On Sat, Jun 30, 2007 at 05:51:22PM +0200, Matt wrote:
You don't want user 1's web applications to be able to access data in user
2's web application storage space.
I will only be using mod_php. In the past, without the user shell
accounts, this has worked rather well for me in combination
1- Check the hardware compatibility list to make sure the
lan card is supported.
2- Take a look and make sure the lan card is seated in its
slot properly. I have had this happen a few times with
smaller cards not seating all the way (it's probably
On Fri, Jun 29, 2007 at 03:16:36PM +0200, Stéphane Chausson wrote:
Brian Candler wrote, On 29/06/07 14:43:
Also, under Linux, lspci -v gives useful info about the PCI cards you
have installed. In theory, you should be able to do this with OpenBSD too:
http://mj.ucw.cz/pciutils.shtml
On Fri, Jun 29, 2007 at 12:40:56PM -0700, John Mendenhall wrote:
I booted an ultimate boot disk, with several small linux distros
on them. None of them found the card.
I'd personally go with a full-sized Linux distro, as it's more likely to
have a complete driver set, but it does seem more
i'm encountering a real performance problem since a recent update :
- previous snapshots dated around 22 may was working perfectly, launching my
session (xfce) took around 10-15sec. Launching firefox took around 5secs
- updated last week on 20 of june, launching my session takes around 1
Does anyone around have an working setup of MRTG, monitoring CPU and
disk utilization?
I have been digging for it on the internet, to OpenBSD, but was not
able to find anything worth.
save yourself the trouble and check out symon in ports.
I second henning on this point, symon
On Mon, Apr 09, 2007 at 03:42:50PM -0600, Philip Guenther wrote:
However, OpenBSD 4.0 doesn't actually comply with that: after
waitpid() there will be no SIGCHLD pending, even if there are
additional children to reap.
So, if you're going to have multiple children, you need to call
On Sat, Apr 07, 2007 at 11:09:55AM -0600, Philip Guenther wrote:
Instead of separating the obtaining of the pid from the actual
reaping, you can instead separate the blocking from the return of the
pid+reaping. That lets you lock the datastructure only when you know
wait() won't block. To
On Mon, Apr 09, 2007 at 01:40:06PM -0700, Darrin Chandler wrote:
On Mon, Apr 09, 2007 at 09:10:39PM +0100, Brian Candler wrote:
I'm not saying that anything is actually wrong with the code you've
provided; rather, that it's difficult for me to understand the subtleties
involved
I have a question about the semantics of wait()/waitpid().
My understanding is, as soon as wait() returns, the process is gone from the
process table, and therefore another fork() on the system could immediately
re-use the same PID. Is that correct?
Now let's suppose I have a program which forks
On Mon, Mar 05, 2007 at 04:24:15PM -0700, Jack J. Woehr wrote:
1. Every basic thing you need to know about setting up and maintaining an
OpenBSD-managed LAN is documented in the OpenBSD FAQ q.v.
2. The three basic things about a typical OpenBSD-managed LAN are:
a. IP setup of both
On Mon, Jan 29, 2007 at 04:09:41PM +, Jeroen Massar wrote:
There is *NO* demand from anyone for giving /48's to customers. It is
only a suggestion.
Talking again about RIPE policy, section 5.4.1 requires /48, or larger for
very large subscribers. Exceptions are made to allow /64
On Sun, Jan 28, 2007 at 03:17:14PM +, Jeroen Massar wrote:
And if you need to change ISP, and
therefore get a new address allocation, many people would rather just put in
some NAT at the border than take the pain of network renumbering (which IPv6
doesn't make any easier than IPv4)
On Sun, Jan 28, 2007 at 12:36:38AM -0800, Joe wrote:
whats sad is how many people will never let go of NAT after they migrate
to ipv6.
It's not sad; for many people it would be essential. How would you like your
48-bit MAC address to become a permanent cookie, following you about
whenever you
On Sun, Jan 28, 2007 at 12:29:21AM -0800, Joe wrote:
Why is the write performance of my RAID controller so slow?
...
(write test running bsd kernel)
# dd if=/dev/zero of=/data/testfile count=2 bs=128k
2+0 records in
2+0 records out
262144 bytes transferred in 113.978 secs
On Sun, Jan 28, 2007 at 11:28:27AM -0800, Joe wrote:
Some more tests:
# dd if=/dev/zero of=./testfile count=100
100+0 records in
100+0 records out
51200 bytes transferred in 16.354 secs (31306797 bytes/sec)
# dd if=./testfile of=/dev/null count=100
100+0
They are taking the position that it is upside down to require an
unprivileged source port. What are the issues?
The code is here in /usr/src/usr.sbin/inetd/inetd.c:
if (port < IPPORT_RESERVED || port == NFS_PORT)
goto bad;
The only reason I can think of is to avoid
On Wed, Jan 24, 2007 at 02:39:42PM -0600, Travers Buda wrote:
Last time I checked though, clients only talk with the web server on
port 80. So, the only reason you would want to keep state would be if
you have a ruleset like block out all (which is generally only useful
if you don't trust the
On Wed, Jan 24, 2007 at 09:11:18PM -0500, Umnada Tyrolla wrote:
When compiling code, most transfers will be small. A single hard drive
spinning at 7200rpm is in theory capable of 240 transfers per second
(assuming each transaction requires the platter to rotate on average by half a
On Tue, Jan 23, 2007 at 01:35:35PM +0100, Jonas Thambert wrote:
I'm using a Adaptec 2010S SCSI RAID card. I have tried
and tweaked the courier imap server the best I can
without any luck.
...
The sd1 disk has 140 t/s. CPU-load is nothing.
And sd1 is actually a RAID array of some sort, rather
On Tue, Jan 23, 2007 at 02:03:42PM +0100, Jonas Thambert wrote:
The problem is the t/s on the sd1 device where I have the
email-storage. Have less than 10 accounts and clients on a
Xeon 3.0 Ghz server with 1 Gb RAM. I have tried to see why I have so
many t/s on the disk but I can not figure it
On Mon, Jan 22, 2007 at 07:34:13PM -0500, stan wrote:
Well, It Works For Me [TM]. Actually, our office network is divided into
several subnets, and the Windows fileserver is on another subnet in a remote
data centre, several IP hops away, and it all still works.
Locating a machine by
Maybe I'm confused here. Let me explain what I am trying to do. I have two
locations: at location A I have a subnet of 192.168.1.0/24, at location B I
have a subnet of 192.168.20/24. Presently I am able to ping from
192.168.1.100 to 192.168.2.100, thus the IP layer is working.
In
On Sat, Jan 20, 2007 at 06:00:57PM +0800, Demuel I. Bendano, R.E.E wrote:
Has anyone done a successful implementation of L2TP+FreeRadius in OpenBSD?
Not that I know of.
If you look through the archives of this list, a few weeks ago I posted a
port of rp-l2tp. However, it doesn't work properly.
On Thu, Jan 18, 2007 at 12:03:05PM -0600, Vijay Sankar wrote:
if top shows ~20% system load, even when idle, try disabling iic and ichiic
in UKC. sth we have to do here with an ASUS server.
Thank you very much for your reply.
I did not notice the system load to be very high (it was 3.5%
On Wed, Jan 17, 2007 at 02:29:13PM +0100, Samuel Moñux wrote:
every state is a [src, dst, direction] tuple
which lets pass [src - dst, direction ] and [dst - src,
not(direction)], but not [ src- dst, not(direction) ] packets.
Very clear - I think that description should go into pf.conf(5)
On Tue, Jan 16, 2007 at 08:03:52PM +0100, Samuel Moñux wrote:
With this config, I can't access dmz hosts from lan or internet. The
state gets created:
all tcp $dmz_ip:25 - 192.168.1.161:19399 CLOSED:SYN_SENT
but the response is blocked:
Jan 16 19:32:59.627083 rule 0/(match) block
On Fri, Jan 12, 2007 at 05:48:57PM -0800, David Newman wrote:
I use VOIP behind NAT (Sipura and Grandstream phones talking to an
off-site Asterisk server) without any problems. I was using an OBSD PF
firewall. It's booted into Linux right now due to driver problems with
my ADSL NIC, but
On Wed, Jan 10, 2007 at 09:21:45AM +0900, Mathieu Sauve-Frankel wrote:
Could you guys please take this completely useless discussion off-list ?
It has absolutely zero value to anyone running or developing OpenBSD.
Well, maybe there is something useful that can be salvaged :-)
I think the issue
On Mon, Jan 08, 2007 at 10:14:12PM +0100, chefren wrote:
Firstly, it eliminates the choice that we currently have: say mysql versus
Oracle versus BerkeleyDB versus pgsql etc.
And why do you forget the single OpenBSD choice named: FFS?
Well, it's not the only one, although probably the best
On Sun, Jan 07, 2007 at 01:11:57AM +0100, Joachim Schipper wrote:
On Sat, Jan 06, 2007 at 11:37:32PM +0100, chefren wrote:
This problem has little to do with OpenBSD although I do hope with all
hate that's in me that once in the future OpenBSD will be the first
OS with a good database
On Mon, Jan 08, 2007 at 01:07:38PM +0100, chefren wrote:
(1) You won't see any benefit until *all* applications have been rewritten
to use these new semantics instead of traditional ones. That means new
versions of oracle, mysql etc.
Yes and no, the database filesystem should have an own SQL
On Fri, Dec 22, 2006 at 05:03:11AM +, [EMAIL PROTECTED] wrote:
I'm looking for peoples' experiences and advice for setting up a VPN
between OpenBSD (I will be using 4.0) and Windows XP/2000 systems. I have
tested the Greenbow client and it seems ok. What of the built-in VPN
client for
On Wed, Dec 20, 2006 at 08:53:41AM -0600, Will Maier wrote:
On Wed, Dec 20, 2006 at 02:31:09PM +, Brian Candler wrote:
That makes a lot of sense. But enforcing that policy might be
difficult. This is important if you're relying on your gold server
for disaster recovery purposes
On Tue, Dec 19, 2006 at 06:23:16AM -0700, Clint Pachl wrote:
A pull-only system assumes that the clients actually pull. What if
they don't? How do you know when their last successful pull was?
If you implement a push system, how do you know if something was
actually pushed? What if
On Mon, Dec 18, 2006 at 12:45:19PM -0800, Karl R. Balsmeier wrote:
Is there a specific way to set a name server so that clients are always
*forced* to use an authoritative name server?
What exactly do you mean? What are you trying to achieve?
The DNS architecture looks like this:
On Thu, Dec 14, 2006 at 09:22:47PM +0100, Erik Wikström wrote:
I have three NICs in the box, two rl(4) and one ath(4), rl1 is connected
to the Internet and rl0 and ath0 are the local networks. As I understand
things I need to bridge the two local NICs somehow to be able to access
computers
On Sun, Dec 10, 2006 at 11:00:01AM +0900, Mathieu Sauve-Frankel wrote:
So whereas Linux has both a Security Policy Database and a Security
Association Database in the kernel, I believe (and someone please correct me
if I'm wrong) that OpenBSD kernel has only an SAD. You put your policy into
I'm running OpenBSD 4.0. My external interface, fxp0, is a tagged trunk.
I've configured it as follows:
# head /etc/hostname.fxp* /etc/hostname.vlan*
== /etc/hostname.fxp0 ==
up
== /etc/hostname.vlan0 ==
dhcp vlan 853 vlandev fxp0
== /etc/hostname.vlan1 ==
inet 10.69.255.254 netmask
On Fri, Dec 08, 2006 at 10:06:23PM +0900, Mathieu Sauve-Frankel wrote:
So I was just wondering, is there something I've missed which is needed to
get them to self-configure at startup?
you could start by reading the man page.
pay attention to the examples in hostname.if(5), it should be
On Thu, Dec 07, 2006 at 11:08:40PM +0100, misc(at)openbsd.org wrote:
I want to replace my linux firewall/vpn-server with an openbsd 4.0
installation. My problem is, that the linux server is a vpn-endpoint
with two draytek vigor 2900. At the moment I'm looking for a
vpn-documentation (or a
who know is intimate with the
internals of pty(4) and ppp(4), knows enough about rp-l2tp to set up a test
rig, and would like to see the OpenBSD port working, I'd be very grateful
for your assistance.
Many thanks,
Brian Candler.
On Wed, Dec 06, 2006 at 11:35:00AM +, Brian Candler wrote:
Anyway, if there's anyone on this list who know is intimate with the
internals of pty(4) and ppp(4), knows enough about rp-l2tp to set up a test
rig, and would like to see the OpenBSD port working, I'd be very grateful
for your
On OpenBSD 4.0 release, I'm trying to get up ppp(8) to run over UDP. The
manpage isn't clear about how to set up the server side of this.
I've added to /etc/services:
ppp-in 6669/udp
ppp-in 6669/tcp
And to /etc/inetd.conf:
ppp-in dgram udp nowait root
On Wed, Nov 29, 2006 at 06:57:41AM -0500, Nick Holland wrote:
The MBR contains the FreeBSD bootloader. At startup, the machine displays
HA!
F1 FreeBSD
F2 BSD
But when I press F2 I just get a beep.
which proves conclusively that I was right, it isn't an OpenBSD problem,
as
I am in the process of trying to port rp-l2tp to openbsd.
I have a problem with dlopen(). rp-l2tp calls dlopen() to load its
sync-pppd.so module, and this in turn has callbacks to functions defined in
the main program. However under OpenBSD these callbacks fail to link.
Here's a simple test to
On Wed, Nov 29, 2006 at 09:16:54AM -0800, Pawel S. Veselov wrote:
the better way to do this is to put 'bar()' in another shared object, and
dlopen() it before the module with the RT_GLOBAL flag.
I put the modified stuff in http://manticore.2y.net/temp/callbacks
Thank you - although that
I've recently installed OpenBSD 4.0 on two machines in spare space at the
end of the disk.
It turns out that OpenBSD is unbootable if the root filesystem starts above
cylinder 1024. However, this isn't a problem for FreeBSD; I guess it makes
use of newer BIOS calls.
I can still boot OpenBSD on
I can think of several possibilities as to why some negotiations are taking
more than 60 seconds. For instance:
(1) The Cisco 7301 may be slow to respond. It does have a VAM2+ crypto
accelerator installed, but I don't know if it's used for isakmp exchanges,
or just for symmetric
the same.
Looking at this, it seems that the last entry in /etc/ipsec.conf has taken
precedence over the others.
Is there a way to achieve what I'm trying to do, either using ipsecctl, or
manually configuring isakmpd?
Thanks,
Brian Candler.
P.S. I can paste the IOS config if you like, but I'm
On Fri, Nov 24, 2006 at 09:45:45AM +, Brian Candler wrote:
Looking at this, it seems that the last entry in /etc/ipsec.conf has taken
precedence over the others.
Is there a way to achieve what I'm trying to do, either using ipsecctl, or
manually configuring isakmpd?
To answer my own
On Fri, Nov 24, 2006 at 10:22:26AM +, Brian Candler wrote:
To answer my own question: inspired by the output of ipsecctl, I wrote a
perl program (attached) to generate a suitable isakmpd.conf (also attached),
and this appears to work just fine.
And now I seem to have hit some sort
Hans-Joerg Hoexer wrote:
more correct diff:
Cool. It occurs to me that the protocol ought to be included as well though:
e.g.
[IPsec-10.1.1.6:1-10.1.1.1:1701-17]
That's because (in theory) you might have one SA for UDP and another SA for
TCP.
Other possibilities would be:
(Entity 5.420)
Date: Fri, 24 Nov 2006 06:10:45 -0700
From: [EMAIL PROTECTED]
To: Brian Candler [EMAIL PROTECTED]
Subject: Message rejected
X-Security: message sanitized on shear.ucar.edu See
http://www.impsec.org/email-tools/sanitizer-intro.html for details. $Revision:
1.147 $Date: 2004-10-02 11:16
On Fri, Nov 24, 2006 at 08:20:02AM -0700, Darrin Chandler wrote:
On Fri, Nov 24, 2006 at 02:52:23PM +, Brian Candler wrote:
I'm getting the following when posting to 'misc'. Is this known and/or
intentional?
I'm not bcc'ing to 'ports' - honest!
Something weird is going
On Fri, Nov 24, 2006 at 10:33:35AM -0500, Alden Pierre wrote:
This happens to me as well and unfortunately I don't know how to remedy
this problem.
OK, I actually read those headers this time, and I think I have a clue now.
Look:
Received: from wx-out-0506.google.com (wx-out-0506.google.com
On Fri, Nov 24, 2006 at 05:22:05PM +0100, Håkan Olsson wrote:
5. the selected SPI (or larval SA state) on the local system is
updated with the keying material, timeouts etc - i.e the real SA is
finalized
This continues until all negotiations are complete -- however there
is a limit on