Re: Intercepting web proxy on different host from firewall
Thanks, Craig, guess that's my fallback. I've got some non-desktop clients
on the network so I'll have to see if some of the mobile and game platform
browsers support proxy auto-configuration.

I tried to set this up with the 2-system design discussed in the document
from pkg-readmes/ and in the end was defeated. A little more complexity
than I really wanted.

On Wed, Jul 15, 2015 at 5:23 AM, Craig Skinner wrote:
> Hi Darren,
>
> On 2015-07-14 Tue 17:47 PM |, Darren Spruell wrote:
>> Shamefully realized I missed the documentation from
>> /usr/local/share/doc/pkg-readmes/ that covers this.
>>
>
> I use Squid in basic non-transparent mode & http publish a proxy.pac
> file (& symlinked wpad.dat), which browsers load once at start up.
>
> Easy enough to do with base daemons, & saves all that redirect traffic.
>
> http://wiki.wlug.org.nz/WPAD
> http://wiki.squid-cache.org/SquidFaq/ConfiguringBrowsers#Fully_Automatic_Configuration
> "All major browsers out now implementing WPAD. I think WPAD is an
> excellent feature that will return several hours of life per month."
> http://findproxyforurl.com/example-pac-file/
> Option 5 of http://nscsysop.hypermart.net/setproxy.html
> http://nscsysop.hypermart.net/proxypac.html
> http://www.deckle.co.uk/squid-users-guide/browser-configuration.html
>
>
> Unix hosts also have this in /etc/profile:
> [[ -n ${http_proxy} ]] || . /etc/proxy.env
>
> # -- /etc/proxy.env ---
> http_proxy='http://proxy.internal:3128' # < must be a port number, not
>                                         #   an /etc/services name
> https_proxy=${http_proxy}
> ftp_proxy=${http_proxy}
> gopher_proxy=${http_proxy}
> wais_proxy=${http_proxy}
> export http_proxy https_proxy ftp_proxy gopher_proxy wais_proxy
> # -- /etc/proxy.env ---
>
> This works for ftp(1), curl, dillo, xombrero, claws-mail, etc
>
> The DHCP method doesn't work, even with Windows boxes running IE,
> as the Squid wiki page says.
>
>
> There's also this index.html in the same directory as the proxy.pac file:
>
>     Browser Setup - WPAD setup help
>
>     Direct Access Forbidden!
>     WWW access is via a proxy.
>
>     For your safety and security, configure your browser to auto-detect proxy
>     settings for this network.
>
>     | For help, contact webmaster |

--
Darren Spruell
phatbuck...@gmail.com
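An added example of the proxy.pac Craig describes, written for the network in this thread. This is not Craig's file or anything from the Squid project. PAC files are JavaScript, so the example is too. It assumes the proxy at proxy.internal:3128 (from the /etc/proxy.env above), the LAN 10.0.7.0/24 (from the topology), and an internal DNS suffix ".internal" (an assumption). isPlainHostName, dnsDomainIs and isInNet are supplied by the browser's PAC runtime; the fallbacks below exist only so the file also runs under Node for offline testing. One caveat on the auto-detect advice: a browser set to auto-detect finds this file through DHCP option 252 or a DNS lookup for wpad.<search domain>, so whoever can answer that name on a given network can hand every client a PAC of their choosing. Where the platform allows it, configure the explicit PAC URL rather than relying on discovery.

```javascript
// proxy.pac -- added example, not the original poster's or Craig's file.
// Assumed: Squid on proxy.internal:3128, LAN 10.0.7.0/24, internal
// DNS suffix ".internal".

var PROXY  = "PROXY proxy.internal:3128";
var DIRECT = "DIRECT";

// Declared so the shims below are legal in strict mode; a browser PAC
// runtime already defines these and the bare declaration leaves its
// definitions untouched.
var isPlainHostName, dnsDomainIs, isInNet;

if (typeof isPlainHostName === "undefined") {
  isPlainHostName = function (host) { return host.indexOf(".") === -1; };
}
if (typeof dnsDomainIs === "undefined") {
  dnsDomainIs = function (host, domain) {
    return host.length >= domain.length &&
           host.slice(-domain.length).toLowerCase() === domain.toLowerCase();
  };
}
if (typeof isInNet === "undefined") {
  // Literal IPv4 only; the browser's isInNet also resolves host names.
  isInNet = function (host, pattern, mask) {
    var toInt = function (a) {
      var p = a.split(".");
      if (p.length !== 4) return null;
      var n = 0;
      for (var i = 0; i < 4; i++) {
        if (!/^\d+$/.test(p[i]) || Number(p[i]) > 255) return null;
        n = n * 256 + Number(p[i]);
      }
      return n;
    };
    var h = toInt(host), pat = toInt(pattern), m = toInt(mask);
    if (h === null || pat === null || m === null) return false;
    // ">>> 0" keeps the comparison unsigned for addresses above 127/8.
    return ((h & m) >>> 0) === ((pat & m) >>> 0);
  };
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Unqualified names and the internal zone never leave the LAN.
  if (isPlainHostName(host) || dnsDomainIs(host, ".internal")) return DIRECT;

  // Loopback and hosts on the LAN segment itself.
  if (host === "localhost" ||
      isInNet(host, "127.0.0.0", "255.0.0.0") ||
      isInNet(host, "10.0.7.0", "255.255.255.0")) return DIRECT;

  // Everything else goes through Squid. No "; DIRECT" fallback: the
  // firewall forbids direct access anyway (see the index.html above),
  // and a silent fallback would hide a dead proxy where it does not.
  return PROXY;
}
```

Serve it as both proxy.pac and wpad.dat with the MIME type application/x-ns-proxy-autoconfig; the same file can be checked offline with node before it is published.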
Re: Intercepting web proxy on different host from firewall
Shamefully realized I missed the documentation from
/usr/local/share/doc/pkg-readmes/ that covers this. Bad luser. Will RTFM.

On Tue, Jul 14, 2015 at 4:46 PM, Darren Spruell wrote:
>            [Internet]
>                |
>                |
>             re1|
>            +=======+ re2 (10.0.8.0/30)
>            |  FW   |=------+
>            +=======+       |fxp0
>             re0|       +---=---+
>                |       | proxy |
>                |       +---=---+
>                |           |xl0
>            ----+-----------+----
>               /|\  (10.0.7.0/24)
>              [LAN]
>
>
> Is it possible to configure the indicated setup above for
> transparent/intercepting proxy using OpenBSD 5.6 router/firewall and
> OpenBSD 5.4 proxy with Squid 3.3.8?
>
> LAN clients have the FW as the default gateway. I planned on
> intercepting WWW traffic at the firewall and redirecting to the proxy
> out re2 (over the 10.0.8.0/30 net). The proxy has an intercept
> listener on fxp0:
>
> http_port 10.0.8.2:3129 intercept
>
> I see from Squid documentation [1] that this should be done with
> divert-to and divert-reply in PF.
>
> Is this configuration only possible if Squid runs on the same host as
> the PF firewall because of a divert socket having to point locally?
> With the following rule active in PF, no traffic is seen on re2 at FW.
>
> @51 pass in log quick inet proto tcp from 10.0.7.32 to any port = 80
> flags S/SA divert-to 10.0.8.2 port 3129
>
> The following log is seen when attempting connection from client
> 10.0.1.32 to WWW:
>
> Jul 14 16:35:18.081709 rule 51/(match) pass in on vlan103:
> 10.0.7.32.63958 > 209.68.27.16.80: S 1842850855:1842850855(0) win
> 65535 (DF)
>
> Is there any way to successfully configure this or similar sort of
> design with interception in Squid so that the proxy can reside on a
> different host than the firewall?
>
> [1] http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf
>
> --
> Darren Spruell
> phatbuck...@gmail.com

--
Darren Spruell
phatbuck...@gmail.com
Intercepting web proxy on different host from firewall
           [Internet]
               |
               |
            re1|
           +=======+ re2 (10.0.8.0/30)
           |  FW   |=------+
           +=======+       |fxp0
            re0|       +---=---+
               |       | proxy |
               |       +---=---+
               |           |xl0
           ----+-----------+----
              /|\  (10.0.7.0/24)
             [LAN]


Is it possible to configure the indicated setup above for
transparent/intercepting proxy using OpenBSD 5.6 router/firewall and
OpenBSD 5.4 proxy with Squid 3.3.8?

LAN clients have the FW as the default gateway. I planned on
intercepting WWW traffic at the firewall and redirecting to the proxy
out re2 (over the 10.0.8.0/30 net). The proxy has an intercept
listener on fxp0:

http_port 10.0.8.2:3129 intercept

I see from Squid documentation [1] that this should be done with
divert-to and divert-reply in PF.

Is this configuration only possible if Squid runs on the same host as
the PF firewall because of a divert socket having to point locally?
With the following rule active in PF, no traffic is seen on re2 at FW.

@51 pass in log quick inet proto tcp from 10.0.7.32 to any port = 80
flags S/SA divert-to 10.0.8.2 port 3129

The following log is seen when attempting connection from client
10.0.1.32 to WWW:

Jul 14 16:35:18.081709 rule 51/(match) pass in on vlan103:
10.0.7.32.63958 > 209.68.27.16.80: S 1842850855:1842850855(0) win
65535 (DF)

Is there any way to successfully configure this or similar sort of
design with interception in Squid so that the proxy can reside on a
different host than the firewall?

[1] http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf

--
Darren Spruell
phatbuck...@gmail.com
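An added outline, not taken from the thread or from the squid pkg-readme, of the pf.conf rules the two-host layout in the diagram needs. It assumes the interface names and addresses from the post, Squid listening on 10.0.8.2:3129 in intercept mode, and the route-to syntax of OpenBSD 5.x. The point it illustrates is the one behind the question: pf.conf(5) defines divert-to as a redirect to a socket on the host running PF, so a divert-to naming 10.0.8.2 on the FW creates a state and logs the match but hands the packet to nothing, which is consistent with nothing ever appearing on re2. The firewall has to route-to the proxy host instead, leaving the destination address alone, and the divert-to rule has to live in the proxy host's own pf.conf.

```pf
# --- pf.conf on the firewall (FW) --- added example, addresses assumed
lan_if   = "re0"
proxy_if = "re2"
lan_net  = "10.0.7.0/24"
proxy    = "10.0.8.2"

# Hand LAN web traffic to the proxy host instead of the default route.
# The destination stays 209.68.27.16:80 (or whatever the client asked
# for); only the next hop changes.  Matching on $lan_if alone keeps the
# proxy's own outbound fetches, which arrive on $proxy_if, from being
# sent back to the proxy in a loop.
pass in quick on $lan_if inet proto tcp from $lan_net to any port 80 \
    route-to ($proxy_if $proxy)

# --- pf.conf on the proxy host --- added example
fw_if = "fxp0"

# divert-to only works for a socket on this host, which here is Squid's
# "http_port 10.0.8.2:3129 intercept" listener.  The packet is not
# rewritten, so Squid sees the original destination.
pass in quick on $fw_if inet proto tcp to any port 80 \
    divert-to 10.0.8.2 port 3129
```

Two things to check after loading this: `pfctl -ss` on the FW should show states for the client flows with re2's address as the route-to target, and `tcpdump -ni fxp0 port 80` on the proxy should now see the SYNs that were missing from re2 before. Note also that with xl0 sitting on the LAN, Squid's replies to 10.0.7.x go straight out xl0 and never cross the FW; that works, but the FW only ever sees the client's half of each intercepted connection, so do not expect its state table to show them as established.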
Re: OT:Password strength
On Sun, Nov 30, 2014 at 7:00 PM, wrote:
> On Sun, November 30, 2014 8:09 pm, Eric Furman wrote:
> > On Sun, Nov 30, 2014, at 12:48 AM, Nick Holland wrote:
> >
> >> Then there is the system where it is stored. If you are working on a
> >> stock Solaris 9 or AIX system with the default settings, only the first
> >> eight chars are used, so the random string is much better than
> >> "mylittle", and if you, like most people, reuse passwords or don't know
> >> that the target system only uses the first eight characters, you can end
> >> up using a trivial pw that you thought was really good.
> >
> > Yes, part of the reason for asking this question was that I am aware
> > that some authentication schemes only use the first 8 characters.
> > Is there any way of knowing if they do ignore any characters after
> > the first eight?
>
> sure. after setting your password to more than eight characters, try
> logging in by entering just the first eight characters.
>
> > Are authentication schemes that don't recognize more than eight
> > characters still common?
>
> try it and see.
>
> > One of my banking sites won't accept certain special characters.
> > Like $, %, ?
> > Which messes up my best short passwords that I actually remember.
>
> i too find it annoying when the set of valid password characters is
> not listed somewhere easy for the user to find.
>
> -wes
>

--
Darren Spruell
phatbuck...@gmail.com
Re: dhcpd(8) support for option domain-search
On Tue, Dec 24, 2013 at 8:22 AM, Kenneth R Westerback wrote:
> On Mon, Dec 23, 2013 at 12:03:13AM -0700, Darren Spruell wrote:
>> Wanted to verify my understanding that the included dhcpd(8) in base
>> does not currently support the domain-search option:
>>
>> """
>> option domain-search domain-list; The domain-search option specifies a
>> 'search list' of Domain Names to be used by the client to locate
>> not-fully-qualified domain names. The difference between this option
>> and historic use of the domain-name option for the same ends is that
>> this option is encoded in RFC1035 compressed labels on the wire. For
>> example:
>>
>> option domain-search "example.com", "sales.example.com",
>> "eng.example.com";
>> """
>>
>> dhcpd.conf(5) and dhcp-options(5) don't mention the option.
>
> option 119 (domain search, specified in rfc 3397) is not supported
> in the base version of dhcpd.
>
> One *could* provide it with the syntax
>
> option-119 nn:nn:nn:nn:nn...
>
> where you provide the appropriate hex digits to specify the contents
> of the option. Not a nice solution. :-)
>
>
>>
>> I can currently override the search domains on clients, and it seems
>> like it might be supported in isc-dhcp-server package. Anything likely
>> to make it into base? Simply a matter of patch not having been
>> submitted, or anything deeper than that?
>
> Nothing deeper than that, as far as I know. Is option 119 in wide use as
> far as you know?

"As far as I know" for me doesn't extend very far at all. I can cite a few
corporate environments where a list of search domains is given out because
in typical disorganized hellhole fashion they want clients to resolve hosts
in their several disjointed domains that have been cobbled together over
the decades of poorly done mergers and acquisitions and technology
upgrades. So I've seen it frequently in this regard.

--
Darren Spruell
phatbuck...@gmail.com
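Ken's `option-119 nn:nn:...` workaround means hand-encoding RFC 3397 data, which is RFC 1035 labels with compression pointers whose offsets count from the first byte of the option data. The following is an added example, not code from the thread or from dhcpd, that does that encoding for a search list and decodes the result again so the hex can be checked before it goes into dhcpd.conf. It takes the three names from the quoted dhcp-options text as its input; JavaScript is used only to match the other example on this page, the algorithm is the same in any language. The decoder deliberately rejects forward pointers, which is also the check a DHCP client should make on option 119 data it receives, since a pointer that lands on itself or ahead of itself is how a malformed option sends a naive decoder into a loop.

```javascript
// Added example: RFC 3397 (DHCP option 119) encoder/decoder.  Not part of
// the thread or of dhcpd(8); the only input from the page is the
// three-name search list quoted above.

var MAX_LABEL = 63;   // RFC 1035 label length limit
var MAX_NAME  = 255;  // RFC 1035 limit on one encoded name

// Encode a search list into RFC 1035 wire format, sharing common suffixes
// through compression pointers.  Offsets are relative to the start of
// the option data, as RFC 3397 requires.
function encodeDomainSearch(names) {
  var out = [];
  var seen = {};   // lower-cased suffix ("example.com") -> offset of its first label
  names.forEach(function (name) {
    var labels = name.replace(/\.$/, "").split(".");
    var start = out.length;
    var emittedPointer = false;
    for (var i = 0; i < labels.length; i++) {
      var suffix = labels.slice(i).join(".").toLowerCase();
      if (seen.hasOwnProperty(suffix)) {
        var off = seen[suffix];
        out.push(0xC0 | (off >> 8), off & 0xFF);   // 2-byte pointer, top bits 11
        emittedPointer = true;
        break;
      }
      var label = labels[i];
      if (label.length === 0 || label.length > MAX_LABEL)
        throw new Error("bad label in " + name);
      if (out.length <= 0x3FFF) seen[suffix] = out.length;  // pointers are 14 bits
      out.push(label.length);
      for (var j = 0; j < label.length; j++) {
        var c = label.charCodeAt(j);
        if (c > 0x7F) throw new Error("non-ASCII label in " + name);
        out.push(c);
      }
    }
    if (!emittedPointer) out.push(0);   // root label ends an uncompressed name
    if (out.length - start > MAX_NAME) throw new Error("name too long: " + name);
  });
  return out;
}

// Colon-separated hex, the value form Ken's "option-119 nn:nn:..." expects.
function toHex(bytes) {
  return bytes.map(function (b) {
    return (b < 16 ? "0" : "") + b.toString(16);
  }).join(":");
}

// Decode option data back into names.  Only backward pointers are
// accepted, so a malformed option cannot loop the decoder.
function decodeDomainSearch(bytes) {
  var names = [];
  var pos = 0;                       // start of the next name in the data
  while (pos < bytes.length) {
    var labels = [];
    var p = pos;
    var jumped = false;
    for (;;) {
      if (p >= bytes.length) throw new Error("truncated option data");
      var len = bytes[p];
      if ((len & 0xC0) === 0xC0) {   // compression pointer
        if (p + 1 >= bytes.length) throw new Error("truncated pointer");
        var target = ((len & 0x3F) << 8) | bytes[p + 1];
        if (target >= p) throw new Error("forward or self-referencing pointer");
        if (!jumped) { pos = p + 2; jumped = true; }   // name occupies 2 bytes here
        p = target;
        continue;
      }
      if (len & 0xC0) throw new Error("reserved label type");   // 01 / 10 prefixes
      if (len === 0) { if (!jumped) pos = p + 1; break; }       // root label
      if (p + 1 + len > bytes.length) throw new Error("truncated label");
      labels.push(String.fromCharCode.apply(null, bytes.slice(p + 1, p + 1 + len)));
      p += 1 + len;
    }
    names.push(labels.join("."));
  }
  return names;
}
```

For the quoted list the encoder produces 27 bytes: "example.com" in full, then "sales" and "eng" each followed by the two-byte pointer c0:00 back to offset 0. Paste `toHex(...)`'s output into the `option-119` value and round-trip it with `decodeDomainSearch` before restarting dhcpd; a client that shows a wrong search list after that is decoding it differently, not receiving bad data.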
dhcpd(8) support for option domain-search
Wanted to verify my understanding that the included dhcpd(8) in base
does not currently support the domain-search option:

"""
option domain-search domain-list; The domain-search option specifies a
'search list' of Domain Names to be used by the client to locate
not-fully-qualified domain names. The difference between this option
and historic use of the domain-name option for the same ends is that
this option is encoded in RFC1035 compressed labels on the wire. For
example:

option domain-search "example.com", "sales.example.com",
"eng.example.com";
"""

dhcpd.conf(5) and dhcp-options(5) don't mention the option.

I can currently override the search domains on clients, and it seems
like it might be supported in isc-dhcp-server package. Anything likely
to make it into base? Simply a matter of patch not having been
submitted, or anything deeper than that?

--
Darren Spruell
phatbuck...@gmail.com
pgrep(1) not matching process pattern from rc script
wd1: 16-sector PIO, LBA, 19092MB, 39102336 sectors
wd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 4
wd1(pciide0:1:1): using PIO mode 4, Ultra-DMA mode 4
uhci0 at pci0 dev 7 function 2 "VIA VT83C572 USB" rev 0x10: irq 11
uhci1 at pci0 dev 7 function 3 "VIA VT83C572 USB" rev 0x10: irq 11
viapm0 at pci0 dev 7 function 4 "VIA VT82C686 SMBus" rev 0x30: SMI
iic0 at viapm0
spdmem0 at iic0 addr 0x50: 512MB SDRAM non-parity PC133CL3
spdmem1 at iic0 addr 0x51: 128MB SDRAM non-parity PC133CL3
spdmem2 at iic0 addr 0x52: 128MB SDRAM non-parity PC133CL3
viapm0: 24-bit timer at 3579545Hz
auvia0 at pci0 dev 7 function 5 "VIA VT82C686 AC97" rev 0x20: irq 10
ac97: codec id 0x49434511 (ICEnsemble ICE1232)
ac97: codec features headphone, 18 bit DAC, 18 bit ADC, KS Waves 3D
audio0 at auvia0
xl0 at pci0 dev 9 function 0 "3Com 3c905C 100Base-TX" rev 0x78: irq 12, address 00:01:03:d4:3f:c6
exphy0 at xl0 phy 24: 3Com internal media interface
fxp0 at pci0 dev 10 function 0 "Intel 8255x" rev 0x05, i82558: irq 10, address 00:08:c7:b2:8b:8f
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 0
fxp1 at pci0 dev 11 function 0 "Intel 8255x" rev 0x05, i82558: irq 11, address 00:08:c7:ba:6f:95
inphy1 at fxp1 phy 1: i82555 10/100 PHY, rev. 0
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: density unknown
fd1 at fdc0 drive 1: density unknown
usb0 at uhci0: USB revision 1.0
uhub0 at usb0 "VIA UHCI root hub" rev 1.00/1.00 addr 1
usb1 at uhci1: USB revision 1.0
uhub1 at usb1 "VIA UHCI root hub" rev 1.00/1.00 addr 1
mtrr: Pentium Pro MTRR support
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
root on wd0a (f79e8f05439765a0.a) swap on wd0b dump on wd0b

--
Darren Spruell
phatbuck...@gmail.com
SSDs in RAID and bio(4)
I don't have a great deal of experience with SSD disks but was spec'ing some systems to use them. We'd be doing RAID on the hosts and I'd prefer to have something supported by bio(4) for volume management. Do SSDs have any impact on ability to do this? Or can one use the same HW RAID controllers for volume management and bio(4) doesn't have to deal with any differences? Or do SSDs typically require special RAID controllers? Looking at Dell R420s and hoping the PERC controller + SSD combination will work under bio(4) (although knowing precisely the driver/controller would be necessary, I realize). -- DS
Re: Best OpenBSD cloud hosting?
On Thu, Oct 10, 2013 at 12:55 AM, wrote:
> On 10. oktober 2013 at 7:15 AM, "InterNetX - Robert Garrett" wrote:
>>
>> I just want to know what a cloud is.
>
> Not really satisfied with the definition at
> http://en.wikipedia.org/wiki/Cloud_computing, here's my own attempt at one:
>
> A cloud is a bunch of machines connected into a distributed network, acting
> like a single virtual machine but with unlimited speed, memory and bandwidth,
> with the possibility of downtime completely eliminated, and where one only
> has to pay for the speed, memory and bandwidth one uses.
>
> Please correct me if I'm wrong.

Virtue: knowing when to put the pitcher of kool-aid down.

How many times have I heard the brazen promises of cloud, only to see it
not deliver. There have been a few that delivered, but it's just technology
and is therefore capable of not living up to marketing hype and to being
implemented poorly by adopters. I see lots of both.

Trends and hype haven't really been as strong in OpenBSD as other OSes, so
for cloud I'd probably not be looking at OpenBSD.

DS
Re: Best OpenBSD cloud hosting?
On Tue, Oct 8, 2013 at 6:16 PM, wrote:
> Hi,
>
> Can anyone recommend a decent OpenBSD cloud hosting provider?

No experience with their cloud services, but M5 Hosting proudly offers
OpenBSD options. Maybe worth checking out:

http://www.m5cloud.com/

--
Darren Spruell
phatbuck...@gmail.com
Re: Interface input errors incrementing
On Tue, Sep 24, 2013 at 5:18 AM, Stuart Henderson wrote:
> On 2013-09-24, Darren Spruell wrote:
>> On Fri, Sep 20, 2013 at 12:13 PM, Alexey E. Suslikov wrote:
>>>> Any idea what the issue could be?
>>>
>>> could you provide netstat -s output after "several hours"?
>>
>> To circle back, errors started building again and below is netstat -s.
>> As Chris suggested I'll try a snapshot and see if issue surfaces
>> again.
>
> Are you certain your cabling and switch are OK?

No. I've got to swap them out to see but wanted to first check out the
firewall due to fact that rebooting it clears the issue for a few days.

> What do you mean by "ethernet tap"?

One of these units:
http://auctionimages.s3.amazonaws.com/1936/20572/14577108.jpg

It sends a copy of network traffic from link between firewall and LAN
switch to an IDS sensor. I'll also need to verify it along with the switch
(it's a layer 1 device and passes through link negotiation but could still
introduce errors I believe).

+-------------+    +----------+    +-----+    +--------+
| cable modem |----| firewall |----| tap |----| switch |
+-------------+    +----------+    +-----+    +--------+
                                      |
                                      |    +--------+
                                      \____| sensor |
                                           +--------+

--
Darren Spruell
phatbuck...@gmail.com
Re: Interface input errors incrementing
0 stale states 0 failed state lookup/inserts 0 packets sent (IPv4) 0 packets sent (IPv6) 0 send failed due to mbuf memory error 0 send error divert: 0 total packets received 0 dropped due to no socket 0 dropped due to full socket buffers 0 packets output 0 errors pflow: 187455 flows sent 9319 packets sent 0 send failed due to mbuf memory error 0 send error ip6: 20 total packets received 0 with size smaller than minimum 0 with data size < data length 0 with bad options 0 with incorrect version number 0 fragments received 0 fragments dropped (duplicates or out of space) 0 fragments dropped after timeout 0 fragments that exceeded limit 0 packets reassembled ok 0 packets for this host 0 packets forwarded 0 packets not forwardable 0 redirects sent 19 packets sent from this host 0 packets sent with fabricated ip header 0 output packets dropped due to no bufs, etc. 0 output packets discarded due to no route 0 output datagrams fragmented 0 fragments created 0 datagrams that can't be fragmented 0 packets that violated scope rules 0 multicast packets which we don't join Input packet histogram: ICMP6: 20 Mbuf statistics: 0 one mbufs 20 one ext mbufs 0 two or more ext mbufs 0 tunneling packets that can't find gif 0 packets discarded due to too many headers 0 failures of source address selection 0 forward cache hit 0 forward cache miss divert6: 0 total packets received 0 dropped due to no socket 0 dropped due to full socket buffers 0 packets output 0 errors icmp6: 0 calls to icmp6_error 0 errors not generated because old message was icmp6 or so 0 errors not generated because of rate limitation Output packet histogram: multicast listener report: 16 neighbor solicitation: 3 0 messages with bad code fields 0 messages < minimum length 0 bad checksums 0 messages with bad length Input packet histogram: neighbor advertisement: 20 Histogram of error messages to be generated: 0 no route 0 administratively prohibited 0 beyond scope 0 address unreachable 0 port unreachable 0 packet too 
big 0 time exceed transit 0 time exceed reassembly 0 erroneous header field 0 unrecognized next header 0 unrecognized option 0 redirect 0 unknown 0 message responses generated 0 messages with too many ND options 0 messages with bad ND options 0 bad neighbor solicitation messages 0 bad neighbor advertisement messages 0 bad router solicitation messages 0 bad router advertisement messages 0 bad redirect messages 0 path MTU changes pim6: 0 messages received 0 messages received with too few bytes 0 messages received with bad checksum 0 messages received with bad version 0 registers received 0 bad registers received 0 registers sent rip6: 0 messages received 0 checksum calculations on inbound 0 messages with bad checksum 0 messages dropped due to no socket 0 multicast messages dropped due to no socket 0 messages dropped due to full socket buffers 0 delivered 0 datagrams output -- Darren Spruell phatbuck...@gmail.com
Interface input errors incrementing
rface Stats for sis1 IPv4 IPv6 Bytes In 17094712650 Bytes Out 57081488 64 Packets In Passed 12376810 Blocked 93170 Packets Out Passed 6499551 Blocked 00 State Table Total Rate current entries 43 searches 3869540 22.7/s inserts972410.6/s removals 971980.6/s Counters match 1131870.7/s bad-offset 00.0/s fragment 00.0/s short 20.0/s normalize 00.0/s memory 00.0/s bad-timestamp 00.0/s congestion 00.0/s ip-option 00.0/s proto-cksum00.0/s state-mismatch 4510.0/s state-insert 00.0/s state-limit00.0/s src-limit 00.0/s synproxy 00.0/s OpenBSD 5.3 (GENERIC) #50: Tue Mar 12 18:35:23 MDT 2013 dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC cpu0: AMD Am5x86 W/B 133/160 ("AuthenticAMD" 486-class) cpu0: FPU real mem = 66646016 (63MB) avail mem = 54611968 (52MB) mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 20/40/19, BIOS32 rev. 0 @ 0xf7840 pcibios0 at bios0: rev 2.0 @ 0xf/0x1 pcibios0: pcibios_get_intr_routing - function not supported pcibios0: PCI IRQ Routing information unavailable. pcibios0: PCI bus #2 is the last bus bios0: ROM list: 0xc8000/0x9000 cpu0 at mainbus0: (uniprocessor) pci0 at mainbus0 bus 0: configuration mode 1 (bios) elansc0 at pci0 dev 0 function 0 "AMD ElanSC520 PCI" rev 0x00: product 0 stepping 1.1, CPU clock 133MHz, reset 40 gpio0 at elansc0: 32 pins ral0 at pci0 dev 16 function 0 "Ralink RT2860" rev 0x00: irq 10, address 00:0e:8e:1d:a6:b1 ral0: MAC/BBP RT2860 (rev 0x0101), RF RT2820 (MIMO 2T3R) cbb0 at pci0 dev 17 function 0 "TI PCI1420 CardBus" rev 0x00: irq 11 cbb1 at pci0 dev 17 function 1 "TI PCI1420 CardBus" rev 0x00: irq 11 sis0 at pci0 dev 18 function 0 "NS DP83815 10/100" rev 0x00, DP83815D: irq 5, address 00:00:24:c1:7d:80 nsphyter0 at sis0 phy 0: DP83815 10/100 PHY, rev. 1 sis1 at pci0 dev 19 function 0 "NS DP83815 10/100" rev 0x00, DP83815D: irq 9, address 00:00:24:c1:7d:81 nsphyter1 at sis1 phy 0: DP83815 10/100 PHY, rev. 
1 cardslot0 at cbb0 slot 0 flags 0 cardbus0 at cardslot0: bus 1 device 0 cacheline 0x10, lattimer 0x3f pcmcia0 at cardslot0 cardslot1 at cbb1 slot 1 flags 0 cardbus1 at cardslot1: bus 2 device 0 cacheline 0x10, lattimer 0x3f pcmcia1 at cardslot1 isa0 at mainbus0 isadma0 at isa0 com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo com0: console com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0: console keyboard wdc0 at isa0 port 0x1f0/8 irq 14 wd0 at wdc0 channel 0 drive 0: wd0: 1-sector PIO, LBA48, 3815MB, 7813120 sectors wd0(wdc0:0:0): using BIOS timings pcppi0 at isa0 port 0x61 spkr0 at pcppi0 npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16 vscsi0 at root scsibus0 at vscsi0: 256 targets softraid0 at root scsibus1 at softraid0: 256 targets root on wd0a (b68774c473e1555e.a) swap on wd0b dump on wd0b -- Darren Spruell phatbuck...@gmail.com
Re: error while adding amavisd....
On Dec 30, 2007 11:00 AM, badeguruji <[EMAIL PROTECTED]> wrote:
> root:84# pkg_add amavisd-new-2.3.2p0.tgz
> arc-5.21op0: complete
> Error from ftp://ftp.openbsd.org/pub/OpenBSD/4.2/packages/i386/:
> 550 Failed to open file.
> Error from ftp://ftp.openbsd.org/pub/OpenBSD/4.2/packages/i386/:
> 550 Failed to open file.
> Error from ftp://ftp.openbsd.org/pub/OpenBSD/4.2/packages/i386/:
> 550 Failed to open file.
> Error from ftp://ftp.openbsd.org/pub/OpenBSD/4.2/packages/i386/:
> 550 Failed to open file.
> Can't find freeze-2.5
> /usr/sbin/pkg_add: freeze-2.5:Fatal error

Notice the license(?) on archivers/freeze prohibits FTP distribution:

# None
PERMIT_PACKAGE_CDROM=   No
PERMIT_PACKAGE_FTP=     No
PERMIT_DISTFILES_CDROM= No
PERMIT_DISTFILES_FTP=   No

> what can i do to correct this? i didnt find this file at the specified
> location. i am looking for pre-compiled pkgs only.

Build and install the archivers/freeze package from ports.

DS
Re: Ethernet jumbo frames?
On Dec 29, 2007 11:41 PM, Girish Venkatachalam <[EMAIL PROTECTED]> wrote:
> What on earth is this?
>
> http://www.cyberciti.biz/faq/rhel-centos-debian-ubuntu-jumbo-frames-configuration/
>
> I was under the impression that Ethernet frames can never be more than
> 1500 bytes.
>
> Or is it some kind of stupid linux hack? Or does it have any meaning?

No, yes.

> Is there real value in this?

Can be.

http://www.psc.edu/~rreddy/networking/mtu.html

> I don't get it.

http://sd.wareonearth.com/~phil/net/jumbo/
http://en.wikipedia.org/wiki/Jumbo_frames

DS
Re: backup firewall connectivity
On Dec 29, 2007 4:41 PM, Aaron <[EMAIL PROTECTED]> wrote:
> I also added in my aliases on the external interface (two less aliases
> now), with the prescribed 255.255.255.255 netmask. All of my aliases now
> have only their address as the broadcast address. I realize this is right
> using a /32 netmask, but will this affect the workings of the network?

Nope, network functions will be fine. Those that rely on these settings do
so from the primary IP settings on the interface, not the interface aliases.

Note, as in hostname.if(5), that the broadcast address is typically
optional; a setting of NONE will result in computation from the network
mask, and for aliases it can be left off entirely with no ill effects.
Examples given:

inet 10.0.1.12 255.255.255.0 10.0.1.255 media 100baseTX description Uplink
inet alias 10.0.1.13 255.255.255.255 10.0.1.13
inet alias 10.0.1.14 255.255.255.255 NONE
inet alias 10.0.1.15 255.255.255.255
inet alias 10.0.1.16 0x

DS
Re: backup firewall connectivity
On Dec 29, 2007 2:59 PM, Aaron <[EMAIL PROTECTED]> wrote:
> Otto Moerbeek wrote:
> > I think your problem will be solved if you assign an alias in the
> > 192.168.3.0 net to fxp0 and an alias in the 192.168.247.0 net to fxp3.
> > Just like Henning already suggested.
>
> Henning wrote:
> > that depends whether your "external" carp interface has numbered or
> > unnumbered parents.
> > if the parents ("carpdev") are unnumbered (no ip assigned), it is quite
> > normal. otherwise you have sth wrong.
>
> I guess I'm missing something or I didn't understand what he means by
> (no ip assigned).
> All carp parents are numbered by the inverse of the definition he gave
> for unnumbered, because there are ip's assigned to all of the carpdev
> interfaces, just not with the same network as the carp interfaces. Is it
> required for the carp parents' ip addresses to be in the same network as
> the carp interfaces? I didn't see that anywhere as a requirement.

The typical configuration is that the CARP interfaces will be assigned
addresses on the same IP subnet as the parent interfaces. I don't believe
that this is a requirement, per se, but it is hinted at in ifconfig(8):

     carpdev iface
             If the driver is a carp(4) pseudo-device, attach it to iface.
             If not specified, the kernel will attempt to select an
             interface with a subnet matching that of the carp interface.

This configuration is the only way that makes sense to me; you don't have
to overlap subnets on the same Ethernet segment, you don't have to fiddle
with interface aliases, and if you need to reach the "natural" IP addresses
for the real (parent) interfaces, they're routed and reachable the same as
the CARP addresses.

Again, not knowing if this impacts your problem, but may be worth testing.

DS
Re: backup firewall connectivity
On Dec 28, 2007 7:13 AM, Aaron <[EMAIL PROTECTED]> wrote:
> main firewall Carp0:
> inet 192.168.3.65 255.255.255.224 192.168.3.95 vhid 1 carpdev fxp0 pass
> tester1
> inet alias 192.168.3.66 255.255.255.224
> inet alias 192.168.3.67 255.255.255.224

Not to solve your problem, but the "correct" netmask for interface aliases
is 255.255.255.255. Refer to archives and hostname.if(5).

DS
Re: sendmail: smarthost help
On Dec 24, 2007 2:18 PM, Martin Schröder <[EMAIL PROTECTED]> wrote:
> Hi,
> this is probably a stupid error, but I'm stuck. :-(
>
> I'm trying to set up my sendmail to use a smarthost. If I now do
> -
>
> sudo sendmail -bv [EMAIL PROTECTED]
> [EMAIL PROTECTED] deliverable: mailer relay, host
> gwyn.kn-bremen.de, user [EMAIL PROTECTED]
> -
> But sendmail still uses the mx for oneiros.de for mails to
> [EMAIL PROTECTED]:

If you have a mailertable entry (/etc/mail/mailertable) for oneiros.de,
that would override delivery via the smarthost in the way you observe.
Other maps may have this effect as well.

DS
Re: BIND and logging channels in 4.2-current
On Dec 17, 2007 5:49 AM, J.D. Carlson <[EMAIL PROTECTED]> wrote:
> I am having trouble with BIND logging in my OpenBSD 4.2-current DNS server.
>
> I run it normally with this line in /etc/rc.conf.local:
>
> named_flags="" # for normal use: ""
>
> My /var/named/etc/named.conf has these sections:
>
> options {
>         version "";
>         listen-on port 53 { any; };
>         directory "/data";
>         allow-recursion { clients; };
>         recursive-clients 2000;
>         statistics-file "/var/stats.log";
> };
>
> logging {
>         channel mmsuite_log { file "/data/mmsuite.log";
>                 severity info; print-category yes;
>                 print-severity yes; print-time yes; };
>         channel mmsuite_syslog { syslog user; severity error; };
>         category lame-servers { null; };
> };
>
>
> and I created the file mmsuite.log via touch, changing its ownership to named:
>
> $ls -l /var/named/data
> total 6
> drwxr-xr-x  3 named  named  512 Dec 15 12:54 conf/
> drwxr-xr-x  4 named  named  512 Dec 15 12:54 hosts/
> drwxr-xr-x  2 named  named  512 Dec 15 13:01 mmsuite/
> -rw-r--r--  1 named  named    0 Dec 15 12:55 mmsuite.log
>
>
> But nothing gets logged to the file. I see entries in /var/log/daemon when I
> do a rndc querylog and I see entries in /var/log/messages.

Doesn't seem to me that you're actually sending any log messages to that
channel. Maybe a missing 'category' stanza?

From my config:

// Logging options
logging {
        channel simple_log {
                file "/log/named.log" versions 3 size 5m;
                severity info;
                print-time yes;
                print-severity yes;
                print-category yes;
        };
        category default { simple_log; };
        category lame-servers { null; };
};

My 'category default' stanza looks to be the kind of thing missing in your
config.

DS
Re: BIND reverse lookup
On Dec 16, 2007 8:33 AM, mufurcz <[EMAIL PROTECTED]> wrote:
> Greetings,
>
> New DNS server setup, suppose to be authoritative for the
> `transylvania.org.au` zone
> but reverse lookup is not working - as it suppose to work.
> # dig transylvania.org.au
> -
> ; <<>> DiG 9.3.4 <<>> transylvania.org.au
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5537
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

That query failed to return an answer; your forward lookup zone doesn't
appear to be functioning correctly either.

> # dig 192.168.1.199 (selena.transylvania.org.au is the DNS server)

That's not the way you use dig to query for a reverse DNS record on an IP
address. Read the dig(1) manual page, or use one of two possible syntaxes:

$ dig -x a.b.c.d
$ dig ptr d.c.b.a.in-addr.arpa

> ;; QUESTION SECTION:
> ;192.168.1.199.                 IN      A

And here's why - you're trying to look up the A record for the IP address,
rather than the PTR record.

> So, what I am doing wrong?

I'd say at first glance you don't have your zone files and/or named.conf
configured correctly. The example configs provided under /var/named/ should
get you started quickly. You may want to refer to the BIND administrator's
manual at http://www.isc.org/index.pl?/sw/bind/index.php. Refer later to
http://www.cymru.com/Documents/secure-bind-template.html for tips on
securing your BIND configuration to help the rest of us out.

--
Darren Spruell
[EMAIL PROTECTED]
Re: i386: fxp & re: both not 1000baseT by default
On Dec 15, 2007 8:22 PM, vladas <[EMAIL PROTECTED]> wrote:
> Hi,
>
> Should not both - fxp0 and re0 - autoselect 1000baseT by
> default by the dhclient? Both are connected to the same 1000M switch,
> no other tweaks in GENERIC's setup:
> re0: flags=8843 mtu 1500
>         lladdr 00:16:01:3d:7f:a6
>         media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)

Verify the settings on your switch port that re0 connects to and verify
you've got nothing but autonegotiation selected. If you've got an
unmanaged/unmanageable switch, that should certainly be the case. If it's
manageable, at least see if you can determine the negotiated state on the
switch port. Although my understanding of the specs re: GigE was that a
mismatch would result in no link, not a mismatch.

You running current switch firmware?

DS
Re: Play Nice - Real men don't attack straw men (Theo)
On Dec 15, 2007 10:36 AM, Theo de Raadt <[EMAIL PROTECTED]> wrote:
> > Richard is the face that launched a thousand Gnus. You as well as anyone
> > here know what he did for the concept of giving away source code. He
> > inspired a whole generation of free software writers.
>
> I was not inspired by him, but by Chris Torek, Keith Bostic, and Mike
> Karels, who chose to not play politics.

Some context:

http://www.smh.com.au/articles/2004/10/07/1097089476287.html

Although I'm sure it's convenient for most of the world to think that free
software and open source originated solely in the Linux and GNU projects...

DS
Re: Getting envolved
On Dec 13, 2007 7:39 PM, Jeremy Huiskamp <[EMAIL PROTECTED]> wrote:
> > Users who cannot invest the effort to learn enough to use a simple
> > interface do not deserve a reliable operating system. They deserve
> > windows, and they deserve pop up buttons in their browsers that they
> > click ok blindly for everything.
> >
> > -Bob
> >
>
> When I read that, it sounded a lot to me like saying "if you're not a
> skilled medical practitioner, you don't deserve decent health care."

No, you misconstrued.

If you aren't a skilled medical practitioner, and you can't take basic
precautions in choosing reputable professionals to diagnose and treat your
ailments, then you are at least somewhat liable for the disaster that can
happen as a result. You need to be able to take some personal stock in the
diagnosis that is given you and act responsibly in getting second opinions
if you need to. Good hospitals and good doctors endorse this "patient takes
stock" mentality in treatment. Bad ones let users remain clueless and shoot
themselves in proverbial foot.

Or,

If you aren't yourself an auto mechanic, you need to *at least* nail down
basic auto maintenance skills - changing your oil, keeping coolant up,
getting new tires when threadbare etc. You *shouldn't* complain if you've
run your car into the ground at 30,000 miles because you weren't aware you
needed to maintain it yourself or at least get it in regularly. And you
shouldn't complain too loudly when the auto mechanic recognizes you as a
complete idiot and gouges you on the price. Educate yourself a little bit
more about that item you dropped $40,000 dollars on and protect yourself a
little bit more.

These are parallels and don't work perfectly, really, but the point is that
computers cannot keep getting dumber because the users are. Remember back
in the day when it required some amount of skill to be a computer operator?
See the state the Internet is in now that every moron on Earth is being
connected to it, not wanting to have to use, maintain, or secure their
computers responsibly?

DS
Re: : no 4.2-stable package updates??
On Dec 12, 2007 1:11 PM, knitti <[EMAIL PROTECTED]> wrote: > On 12/12/07, Darren Spruell <[EMAIL PROTECTED]> wrote: > > > > Why -current? I thought what had fallen behind from lack of resources > > was binary packages. Surely OPENBSD_4_2 (stable branch of ports tree) > > still has updated ports. > > > > Just build -stable packages from ports (like you did in the olden days.) > > to quote from the original mail from Nikolay Sturm (thanks to him for doing > this or much of it over some years) to misc: > "as you might have noticed, -stable ports have not been properly updated > in the last few months. Due to lack of resources, especially a > responsible maintainer, you cannot expect any updates to -stable for the > foreseeable future. Although some updates might happen, -stable should > be considered unmaintained." Gah, I'll crawl back under my rock. Misremembered. DS
Re: : no 4.2-stable package updates??
On Dec 12, 2007 11:41 AM, knitti <[EMAIL PROTECTED]> wrote: > On 12/12/07, Raimo Niskanen <[EMAIL PROTECTED]> wrote: > > On Wed, Dec 12, 2007 at 08:35:50AM +0100, Antoine Jacoutot wrote: > > > On Tue, 11 Dec 2007, Joe wrote: > > > >So if there are security bugs in a package or port shipped with OpenBSD > > > >4.2, there will be no updated package or updated port available? > > > > > > That is correct. > > > > > > > Now, this will prevent me from upgrading to 4.2. > > > > It isn't so that any pre-4.2-stable will be updated, so you lose nothing > by upgrading. very often you can backport from -current ports without > any change. Why -current? I thought what had fallen behind from lack of resources was binary packages. Surely OPENBSD_4_2 (stable branch of ports tree) still has updated ports. Just build -stable packages from ports (like you did in the olden days.) DS
Re: Can I specify the bios time offset utc?
On Dec 10, 2007 10:58 PM, Dongsheng Song <[EMAIL PROTECTED]> wrote:
> > On Dec 10, 2007 9:58 PM, Dongsheng Song <[EMAIL PROTECTED]> wrote:
> > > OpenBSD assume bios time is utc, but it's PRC, can I tell OpenBSD the
> > > bios time zone?
> >
> > http://marc.info/?l=openbsd-misc&m=111956694726618&w=2
> Thanks, but I can NOT open the page, could you excerpt for me ?

--
On 6/24/05, Hanspeter Roth <[EMAIL PROTECTED]> wrote:
> how can one set the time offset of the bios clock different from UTC?

You obviously haven't searched the archives. Please do so before posting; it'll save you from getting flamed. Your question is rather old (so you'll get an old RTFA, dating back to 2001).

http://marc.theaimsgroup.com/?l=openbsd-misc&m=100897442502411&w=2

--
Subject: Re: system clock set to local time
From: Dimitry Andric
Date: 2001-12-21 22:32:33

On 2001-12-21 at 09:59:35 Matt Wilbur wrote:
MW> I have a laptop running 3.0 and dual booting to Lose2k.
MW> I'd *really* like to set the system clock to localtime rather than UTC,
MW> but I haven't been able to get OpenBSD to like this setup.

Read config(8), and search for the "timezone" command. In short (assuming here that you are -480 minutes off):

[EMAIL PROTECTED]:~$ sudo /usr/sbin/config -e /bsd
OpenBSD 3.0-current (DARTHMAUL) #0: Fri Nov 2 23:40:38 CET 2001
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/DARTHMAUL
Enter 'help' for information
ukc> timezone -480
timezone = -480, dst = 0
ukc> quit
Saving modified kernel.

And you should be set... :)

But a warning is in order: Windows likes to actually MODIFY the hardware clock when DST changes (insanity, really!), so then your OpenBSD time will be off 1 hour again. So maybe it's better to uncheck "Automatically adjust clock for daylight saving changes" in the Win2k Date/Time control panel.
--

DS
Re: Can I specify the bios time offset utc?
On Dec 10, 2007 9:58 PM, Dongsheng Song <[EMAIL PROTECTED]> wrote: > OpenBSD assume bios time is utc, but it's PRC, can I tell OpenBSD the > bios time zone? http://marc.info/?l=openbsd-misc&m=111956694726618&w=2 DS
Re: removing sendmail
On Dec 2, 2007 2:21 PM, Douglas A. Tutty <[EMAIL PROTECTED]> wrote: > On Sun, Dec 02, 2007 at 12:56:11PM -0700, Anthony Roberts wrote: > > > I have seen several installations of Postfix go catatonic due to spam > > > overload, large messages, mailing list expansions, and other undiagnosed > > > problems. These were run by Postfix lovers, so I have always assumed > > > that the installation was correct. In the one case I saw tested > > > replacing Postfix with Sendmail resulted in no further problems. > > > > I have seen equally catastrophic failures of Qmail. > > > > Trying to do mail right for everyone in base is an exercise in futility. > > > > Does base require an MTA? If so, is there a tiny-drive-footprint > local-only no-config MTA that could be in base? Everything else as a > pre-compiled package or in alternate install sets? Why is everyone trying to come up with a solution to a problem that doesn't exist? DS
Re: OpenBSD for routing & firewalling a 100Mbit/s connection
On Dec 1, 2007 11:12 AM, Iñigo Tejedor Arrondo <[EMAIL PROTECTED]> wrote:
> On Sat, 01-12-2007 at 17:55 +0100, Henning Brauer wrote:
> > * Carl Roberso <[EMAIL PROTECTED]> [2007-12-01 17:32]:
> > > I don't have any CPU problem, but an impressive (vmstat -i) amount of
> > > interrupts (something like 6000/s on external interfaces), and sometimes the
> > > system drops packets, even when way less than 100Mbit/s of bandwidth and
> > > trying on ISP hosts.
> >
> > 6000 irq/s is not much.
> > increase sysctl net.inet.ip.ifq.maxlen.
>
> And check 6.6.1 and 6.6.4:
> http://www.openbsd.org/faq/faq6.html#Tuning

If I'm not mistaken, these FAQs refer to settings applicable to TCP endpoints and will not likely affect OP's role as an intermediary router. DS
Re: Best way to automate administration of multiple servers
> On 14/11/2007, Mikel Lindsaar <[EMAIL PROTECTED]> wrote: > Hello all, > I want to automate handling them as much as possible and would like > some list suggestions on reading materials, software, or web howtos. http://tentakel.biskalar.de/ http://www.garbled.net/clusterit.html http://fermitools.fnal.gov/abstracts/rgang/abstract.html http://www.netfort.gr.jp/~dancer/software/dsh.html.en http://sourceforge.net/projects/dcmd/ http://www.cfengine.org/ http://puppet.reductivelabs.com/ http://www.lcfg.org/ http://quattor.web.cern.ch/quattor/ http://www.hpl.hp.com/research/smartfrog/ ...probably several more. DS
Re: Compromising a host with pf enabled?
On Nov 19, 2007 10:53 PM, Clint Pachl <[EMAIL PROTECTED]> wrote:
> In my DMZ research, some sources state that all services need to be
> replicated in each DMZ. Following that advice, I would have to set up
> Kerberos, ntp, backup, and DNS in each DMZ and the LAN; that sounds like
> a lot of work. What do you guys think?

A company I know just moved to this architecture. They have something on the scope of 5 DMZs consisting of about 10 different segments/tiers. This was the result of security architecture design for "the most secure" setup to provide segmentation. I think it sucks. While the amount of segmentation they have is probably A Good Thing, the way it is implemented imposes this necessary duplication of infrastructure services in each of the segments. So instead of a pair of DNS servers, they've got a pair of DNS servers *per segment.* Ditto for LDAP, DHCP, monitoring, backup and administration jump servers. Maybe more.

It significantly increased the number of systems that need to be maintained in the organization. Introducing jump servers increased the number of administrative accounts that were needed by everyone. It increased the complexity of the design and processes for administration. It increased the amount of replication of services and data transfer on the networks for that. It significantly increased the cost to implement. We have suspicions that it's now too difficult for administrators to effectively maintain the hosts in these segments and some may be slipping on patches, backups, or other necessary administration tasks.

Moral: only do this crap if you can balance it out with the ability to reasonably manage the outcome and not incur disproportionate cost to the benefit it provides. DS
Re: [OT] making Firefox respect telnet:// URLs
On Nov 12, 2007 7:21 PM, Linus Swdlas <[EMAIL PROTECTED]> wrote: > On Mon, 12 Nov 2007 18:25:57 +0100, William Boshuck > <[EMAIL PROTECTED]> wrote: > > > On Mon, Nov 12, 2007 at 02:02:32AM +0100, Linus Swdlas wrote: > >> On Mon, 12 Nov 2007 00:25:29 +0100, ropers <[EMAIL PROTECTED]> wrote: > > >> feel free to correct me. =) > > > > This kind of parameter substitution is in the POSIX 1 specification > > for sh. See the parameters section of the man page for sh(1). > I stand corrected. ;) > > > >> But I wouldn't, I'd let bash do it: > > > > Probably better to use sh, or ksh, since they > > are in OpenBSD by default, and are more than > > up to the task. > > OpenBSD's ksh is great, I've never bothered to check if it's > available for Solaris for example. I've just assumed that it's > not, and bash is. And I use Linux too, so, I personally prefer > bash. =) > Though in this case I agree with you, at least if he doesn't > already have bash installed. =) These may be of interest: http://www.wormhole.hu/~ice/ksh/ http://www.mirbsd.org/?mksh DS
Re: Security Comparisons
On Nov 9, 2007 10:53 AM, new_guy <[EMAIL PROTECTED]> wrote:
> If this is off-topic, I apologize. Just tell me and I'll go away ;)
>
> I'm having discussions with coworkers about moving to OpenBSD for
> Apache/PHP web hosting. Right now, we use various Linux distros. I have no
> problem with that. Linux is cool... but it takes more time to secure and
> manage. I like the Suhosin (Hardened PHP patch in OpenBSD's PHP package) and
> the fact that Apache is chrooted by default. We even uploaded some php
> exploit code onto a test OpenBSD box (r57shell) to see how well it contained
> the exploit. It worked well. All of these demos and discussions are
> informal. So here's the question: Are there any formal/corporate comparisons
> that demonstrate the enhanced security of OpenBSD when compared to other
> solutions in this space that we can provide to upper management?

Sadly, justifying the obvious through these means is often a requirement. Here's an approach you might consider. Take a best practice / standards guide such as from NIST:

http://www.itl.nist.gov/lab/bulletns/bltndec02.htm
http://csrc.nist.gov/publications/drafts/800-44-Version2/Draft-SP800-44v2.pdf

And for the points your organization feels are important (like what you've listed above), map how OpenBSD's implementation and OS approach addresses those points. You'll find this is a pretty good indicator and should be well accepted by the folks that matter. DS
Re: OpenBSD kernel janitors
On Nov 3, 2007 4:29 AM, Karel Kulhavy <[EMAIL PROTECTED]> wrote:
> > They write code, then they submit it, it does not suck too much and they
> > take the suggestions of the current project leads. Then they resubmit
> > better code.
> >
> > The rest of us should simply buy CD's, ask and answer the occasional
>
> Buy CD's until you get into the situation I got into with Wim Vandeputte
> - ordered a hoodie as a xmas present, he said he can ship it until xmas,
> and the first reply was after xmas.
>
> Take this, add the name calling and unfriendly atmosphere on the mailing list
> and you have an explanation why OpenBSD isn't more popular than it is
> - because there are factors that motivate people away from OpenBSD.
>
> More popular OpenBSD means more people sending donations.

Your first problem is that you think this is some kind of popularity contest. It isn't. No one cares as much that openbsd adoption increases as they do about it being a good system. No one ever has. That's why no one will be sad when I call you a tool. Tool.

You are the latest (again and again) in a long string of whiners. If you can't tell from the general tones of the responses you've gotten, your drivel bores people. Your whining doesn't contribute to anything useful, so you're not going to get anywhere with it. You're really just a bona fide troll. DS
Re: mutt + reply-to
On Nov 2, 2007 4:48 PM, Sean Darby <[EMAIL PROTECTED]> wrote: > Hi Stuart, > > Thank you very much for the info! I appreciate it a lot. > > I've now updated my /etc/mail/trusted-users file with my "[EMAIL PROTECTED]" > address (which is what I currently have in my "from:" field in my muttrc). er, no. /usr/share/sendmail/README: names of users that will be ``trusted'', that is, able to set their envelope from address using -f without generating a warning message. In other words, you list your local Unix user in the file, not an email address. DS
Re: carp(4) and pfsync(4) port numbers and types?
On 10/27/07, ropers <[EMAIL PROTECTED]> wrote: > I understand from http://www.openbsd.org/lyrics.html#35 > that carp uses "IP protocol 112". Does that mean CARP's port is 112? > Does CARP use a TCP or UDP port, or both? See also protocols(5) for information. DS
Re: max number of groups
On 10/26/07, Douglas A. Tutty <[EMAIL PROTECTED]> wrote: > On Fri, Oct 26, 2007 at 09:55:13AM -0700, Ted Unangst wrote: > > On 10/25/07, Douglas A. Tutty <[EMAIL PROTECTED]> wrote: > > > On Thu, Oct 25, 2007 at 10:19:19AM -0600, Theo de Raadt wrote: > > > > Well, there is no solution. 16 was chosen a lot of years ago as a > > > > reasonable amount of state to carry around, and that's the standard > > > > and we're probably going to stick with it. > > > > > > What, then, is the correct way to separate the project files of more > > > than 16 projects, where some users will need access to all of the > > > groups? > > > > read again: there is no solution. > > > > There has to be _some_ solution but it doesn't have to revolve around > groups. Here's a long shot - it's crazy enough it might just work. How about a real project management application? DS
Re: About Xen: maybe a reiterative question but ..
On 10/24/07, Henning Brauer <[EMAIL PROTECTED]> wrote:
> * Darren Spruell <[EMAIL PROTECTED]> [2007-10-24 21:48]:
> > Remember back 10-ish years ago when VLANs were being touted as the
> > ultimate network segmentation technology by marketers of managed
> > switches? And now everyone hopefully realizes that while VLANs
> > technically do offer network segmentation, it's really rudimentary and
> > cannot be relied on for truly reliable security due to various layer 2
> > attacks that subvert them?
>
> err, that is a very bad comparison. I am not aware of any "layer2
> attacks" (you probably mean vlan hopping things) that work against any
> half reasonable configured switch from the last 10 years.
> heck, these days even everybody except cisco has sane defaults.
> (well, I dunno about those cheap switches, admittedly)

I agree, the key is the reasonably configured part. Vlan hopping, STP attacks, etc. and Cisco particularly. Even if Cisco is (now) one of the few to not have sane defaults, they're common enough for it to be a concern. And consider all the devices (even from good vendors) that are behind on firmware (where the defaults weren't yet sane). If this wasn't the case, Yersinia wouldn't be nearly as interesting as it is.

> this comparison is wrong on another basis: vlans are dead simple, just
> a tiny and simple header before the ethernet segment. virtualization is
> certainly not.

Yeah, I was commenting mainly on the flawed "silver bullet" mentality that some LAN admins have with the "if I have VLANs, my hosts are automatically perfectly segmented" mindset rather than the implementation/design itself. Sadly, the average LAN admin these days, at least in the states, isn't smart enough to understand the nuances. DS
Re: About Xen: maybe a reiterative question but ..
On 10/24/07, L. V. Lammert <[EMAIL PROTECTED]> wrote: > At 12:03 PM 10/24/2007 -0600, Theo de Raadt wrote: > > > > Anything we can do to increase security, *including* setting up VMs (of > > any > > > flavor) is an improvement [that also increased hardware utilization]. > > > >This last sentence is such a lie. > > That depends on your viewpoint. There certainly may be some issues at the > OS level (which have been mentioned previously), however the majority of VM > applications benefit from security *isolation*, which has nothing to do > with security issues of the underlying OS, and that was the viewpoint I was > communicating. > > For example, say you have three departments within a company: Marketing, > Development, Production. Allowing each department to maintain their own > server instance allows each department to have their own users, home > directory configuration, samba (possibly) network config & authorization, > separate file/print sharing domain, etc. This is called a "tangent." It has nothing to do with the reliable security aspects of segmentation via virtualization. The point you may try making here is that by segmenting your servers into individual instances for each department, rather than having all departments on a shared server, an attack against one department's server doesn't affect the other. _In theory_, that's true. _In reality_, this is only a surface assumption as without strong segmentation at the network level to separate a compromised department from another department, the attacker can compromise the other departments' servers from the first one and have the same result. Remember back 10-ish years ago when VLANs were being touted as the ultimate network segmentation technology by marketers of managed switches? And now everyone hopefully realizes that while VLANs technically do offer network segmentation, it's really rudimentary and cannot be relied on for truly reliable security due to various layer 2 attacks that subvert them? 
Or that if there are any communication conduits that allow one to talk to the other, that can simply be leveraged to subvert security? That simply segmenting networks with VLANs can't be considered to fully isolate them? That when people want solid assurance of isolating hosts they often still air gap them? That is the point that VM-based segmentation is at right now. This isn't supposed to be a remedial lesson on network architectures; you're supposed to pick up the parallels to separation of systems/applications via VM technology. VM based segmentation or isolation (whichever buzzword you prefer ATM) is fine on the surface level, but please stop acting as if it is a security measure. People much smarter than $you are blowing that idea out of the water right now.

http://www.intelguardians.com/ndss.pdf
http://www.pauldotcom.com/2007/08/27/pauldotcom_security_weekly_int_1.html
http://www.cutawaysecurity.com/blog/archives/170 (read Ed Skoudis' comment on this post)

DS
Re: BIND
On 10/22/07, Regie H. Saberon <[EMAIL PROTECTED]> wrote:
> Thanks for quick response, I want to set-up a Primary Domain Name
> Server, so that I host my own domain. Is there any good wiki that I can
> follow?

You have a few options.

- http://www.isc.org/index.pl?/sw/bind/index.php - look at the Administrator Reference Manual.
- Have a look at the default configuration under /var/named/etc/ and /var/named/master/; the configuration is essentially already in place (all you need to do is add your zone data) and you've got a functioning DNS server which is authoritative for your zone(s).
- Pick up the book DNS and BIND (http://www.amazon.com/DNS-BIND-5th-Cricket-Liu/dp/0596100574) which is a nearly necessary reference for BIND administrators.
- Follow relevant advice from http://www.cymru.com/Documents/secure-bind-template.html if you want additional hardening instructions / best practice for your server.

DS
Re: Wireless WAP encryption question
On 10/19/07, Luca Corti <[EMAIL PROTECTED]> wrote: > AFAIK noone is working on it. > ... > Sure I am not following source changes regularly, I don't believe this > is a requirement to just use the system. It *is* a requirement to comment intelligently on what is or is not being worked on. DS
Re: hardening BSD (was systrace/stsh policies)
On 10/14/07, Aaron <[EMAIL PROTECTED]> wrote:
[snip]
> I guess with all the hoopla about 'hardening'/trusted this and
> that/fuzzy knobs (i.e. SE Linux) i got a little overzealous looking for
> ways to tweak things (which i know can end up either making things less
> secure (especially with false sense of security) or just plain breaking
> them), but if there is/are acceptable ways, I'd at least like to be
> aware of them and the scope of their use from the people that know
> OpenBSD best.

You're asking the right questions. Some of the answers, unfortunately, aren't as cut and dry as one might hope at first, and this stems from the fact that some security measures are sometimes subjective. What one person might see as a good hardening measure might be considered completely useless to another person. Ultimately it comes down to whether you feel a hardening measure makes sense for the gap you're trying to cover in your circumstance.

OpenBSD goes a very long way toward providing a very hardened Unix system out of the box, without you having to flip a set of switches to turn them on. You can see them everywhere. Run a web server using the included httpd and you'll have the benefit of chroot'd operation. Run the in-tree BIND as a nameserver and you'll find that it employs a number of security improvements out of the box which make it a safer system. This kind of stuff exists everywhere in the system and they are examples of real, practical, and effective things which a.) do improve security of a system against known threats, and b.) don't require complicated decisions by the admin to kludge them into place (a la some of the policy wrappers that exist out there.)

Figure out your threat profile for your anticipated use, figure out from that how those threats will impact the services you intend to run, and address those with controls you feel you can put in place that can mitigate those threats.
External controls might help, like firewall or IDS/IPS, and don't forget you can use PF locally. See if you think a file integrity checker makes sense. Don't run things as root that don't need to. See if you can help things out with policy and technical enforcement to back it up (like if you have shell users, and you're afraid they'll choose weak passwords, configure SSH to only support key-based authentication and make that your authentication policy.) ...and so on. DS
Re: Thank you developers... 4.2 arrived in the mail today
On 10/5/07, Chad M Stewart <[EMAIL PROTECTED]> wrote: > On Oct 5, 2007, at 2:53 PM, Karsten McMinn wrote: > > > On 10/5/07, Chad M Stewart <[EMAIL PROTECTED]> wrote: > >> My 4.2 CDs and t-shirt arrived in the mail today (near Buffalo, NY) > > > > drat, I was hoping for first the first post. you forgot the pic. > > Okay, well fresh from an install on my Sun X2100M2 my daughter wanted > to check it out > > http://balius.com/openbsd.4.2.jpg Looks like she's getting ready to moisturize Puffy. Take care of the fish and it'll take care of you. ;) DS
Packets with IP options passed
I've noticed a few of these PF log entries that were logging traffic passed and containing IP options:

Sep 30 22:52:12.586548 rule 32/(ip-option) [uid 0, pid 9872] pass in on sis1: 10.0.1.23.1031 > x.x.13.31.1: [udp sum ok] udp 68 (ttl 255, id 5, len 100, optlen=4 IPOPT-148{4})
4600 0064 0005 ff11 4709 0a00 0117 0d1f 9404 0407 2710 004c 0c4a b38e b558 0002 60a9 3aea 66c6 929b 9f98 00bb cdac ef28 9b28 c96d 970b 0b81 c834 1336 a7bb 6e8c 5cb5 1a57 93f4 51ec 3ae5 f0b2 e17c 9ac8 b13a 06c8 5bd1 59a9 9292 8fc5
Sep 30 22:52:13.478540 rule 32/(ip-option) [uid 0, pid 9872] pass in on sis1: 10.0.1.23.1031 > x.x.13.31.1: [udp sum ok] udp 68 (ttl 255, id 23, len 100, optlen=4 IPOPT-148{4})
4600 0064 0017 ff11 46f7 0a00 0117 0d1f 9404 0407 2710 004c ee73 b38e b558 0014 5d3f 9355 fec2 166e abd4 dd96 419a 70f0 4b44 ef4b 4ef3 5a7a 35bd 3cc1 0f02 c857 29ce 2d23 6a22 7694 ecf0 6afe a634 92e0 82fa 332b 2f84 70d3 b743 5759

The rule that this matched is as follows:

@32 pass in on sis1 inet from any to ! 10.0.1.1 flags S/SA keep state
  [ Evaluations: 84252     Packets: 5119148   Bytes: 2733671124  States: 29    ]
  [ Inserted: uid 0 pid 9872 ]

I was under the belief that packets with IP options were dropped but this appears to be passed and logged. Is it because this is an explicit pass rule and packets with IP options are only dropped if the default pass rule is matched? I figured from pf.conf(5) that the packets would be dropped unless allow-opts was specified:

allow-opts
    By default, packets which contain IP options are blocked. When allow-opts is specified for a pass rule, packets that pass the filter based on that rule (last matching) do so even if they contain IP options. For packets that match state, the rule that initially created the state is used. The implicit pass rule that is used when a packet does not match any rules does not allow IP options.

This host is running OpenBSD 4.0/i386. DS
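As an added example (mine, not part of the post above and not pf or tcpdump code), here is a small Python IPv4 header walker that does on the wire what the pflog lines describe: the first header byte 0x46 gives IHL 6, so the header is 24 bytes and optlen=4, and IPOPT-148{4} is a single option of type 148 (Router Alert, RFC 2113) with length 4. The packets it works on are constructed inline to that shape: the log's destination is redacted, so the documentation address 192.0.2.31 stands in, and the UDP payload is a zero-filled 76-byte blob so the total length comes out at the same 100. The helper names, the addresses and the extra loose-source-route and malformed samples are assumptions made for illustration, not anything taken from the post.

```python
"""
IPv4 header walker: report the IP options a packet carries, in the
IPOPT-<type>{<len>} style pflog uses. Added example; not part of the
original post, not pf or tcpdump code. All packets below are constructed.
"""
import struct
from ipaddress import IPv4Address

IPOPT_EOL = 0     # end of option list, single byte
IPOPT_NOP = 1     # no-op padding, single byte
IPOPT_LSRR = 131  # loose source route (RFC 791)
IPOPT_SSRR = 137  # strict source route (RFC 791)
IPOPT_RA = 148    # router alert (RFC 2113); what the pflog lines show


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement sum; returns 0 over a header whose checksum verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes, options: bytes = b"",
               proto: int = 17, ttl: int = 255, ident: int = 5) -> bytes:
    """Construct an IPv4 packet; options are EOL-padded to a 4-byte boundary."""
    options += b"\x00" * ((-len(options)) % 4)
    ihl_words = 5 + len(options) // 4
    total_len = ihl_words * 4 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl_words, 0, total_len, ident, 0,
                         ttl, proto, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed) + options
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4_options(packet: bytes):
    """Return (header_len, [(type, raw_option_bytes), ...]).

    Raises ValueError on a malformed header: short packet, wrong version,
    IHL outside 20..len(packet), or an option whose length byte would run
    past the option area into the payload.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4:
        raise ValueError("not IPv4 (version %d)" % version)
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL %d" % ihl)
    area = packet[20:ihl]
    found, i = [], 0
    while i < len(area):
        kind = area[i]
        if kind == IPOPT_EOL:            # one byte, terminates the list
            found.append((kind, area[i:i + 1]))
            break
        if kind == IPOPT_NOP:            # one byte, keep walking
            found.append((kind, area[i:i + 1]))
            i += 1
            continue
        if i + 1 >= len(area):
            raise ValueError("option type %d without length byte" % kind)
        length = area[i + 1]
        if length < 2 or i + length > len(area):
            raise ValueError("bad length %d for option type %d" % (length, kind))
        found.append((kind, area[i:i + length]))
        i += length
    return ihl, found


def has_ip_options(packet: bytes) -> bool:
    return parse_ipv4_options(packet)[0] > 20


def has_source_route(packet: bytes) -> bool:
    """LSRR/SSRR are the classic reason filters drop optioned packets by default."""
    return any(k in (IPOPT_LSRR, IPOPT_SSRR) for k, _ in parse_ipv4_options(packet)[1])


def is_well_formed(packet: bytes) -> bool:
    try:
        parse_ipv4_options(packet)
        return True
    except ValueError:
        return False


def verify_checksum(packet: bytes) -> bool:
    return ipv4_checksum(packet[:(packet[0] & 0x0F) * 4]) == 0


def summarize(packet: bytes) -> str:
    """'optlen=4 IPOPT-148{4}' for the packet shape in the pflog lines."""
    ihl, found = parse_ipv4_options(packet)
    if ihl == 20:
        return "no options"
    return "optlen=%d " % (ihl - 20) + " ".join("IPOPT-%d{%d}" % (k, len(r)) for k, r in found)


# Constructed samples. 76-byte payload = 8-byte UDP header + 68 data, so the
# router-alert packet is len 100 like the logged ones. Destination is a stand-in.
PAYLOAD = bytes(76)
PKT_PLAIN = build_ipv4("10.0.1.23", "192.0.2.31", PAYLOAD)
PKT_ROUTER_ALERT = build_ipv4("10.0.1.23", "192.0.2.31", PAYLOAD,
                              options=bytes([IPOPT_RA, 4, 0, 0]))
PKT_LSRR = build_ipv4("10.0.1.23", "192.0.2.31", PAYLOAD,
                      options=bytes([IPOPT_LSRR, 7, 4]) + IPv4Address("192.0.2.1").packed)
PKT_BAD_LEN = build_ipv4("10.0.1.23", "192.0.2.31", PAYLOAD,
                         options=bytes([IPOPT_RA, 8, 0, 0]))  # claims 8 bytes, 4 present

if __name__ == "__main__":
    for name, pkt in (("plain", PKT_PLAIN), ("router-alert", PKT_ROUTER_ALERT), ("lsrr", PKT_LSRR)):
        print(name, summarize(pkt), "(source-routed)" if has_source_route(pkt) else "")
    print("bad-len well formed:", is_well_formed(PKT_BAD_LEN))
```

The walker refuses an option length that runs past the option area rather than reading on into the payload, which is the kind of input a packet filter has to survive. On the firewall itself, tcpdump -n -e -ttt -r /var/log/pflog shows the logged packets; with -x it prints the raw header the parser above consumes.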
Re: digitally signed distribution (was: OBSD's perspective on SELinux)
> > > Sure it does, just pull from CVS over SSH and compile your own. Only
> >
> > Where do I get the ssh fingerprints of the CVS servers?

http://www.openbsd.org/anoncvs.html#CVSROOT, of course. Not all are listed, but one can either use one that needs to be verified or contact the maintainer for a correct fingerprint. DS
Re: OBSD's perspective on SELinux
On 9/24/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: > On 24.09-11:49, Can E. Acar wrote: > [ ... ] > > > The guy can be some stupid binary software with an "if(uid!=root) bail();" > > > > People running arbitrary binary software requiring root on their systems > > deserve what they get. You can not work around this stupidity by ANY policy. > > that is not the case and is, in fact, the entire point of defining > policy. to define what the applications on the system can and > cannot do, irrespective of how "stupid" they (or their programmer), > or how malicious they (or their programmer) is / was. Oh, that sounds like a recipe for success. - Run _arbitrary_ _binary_ application on system. Intend to use policy wrapper to restrict to allowed operations. - Can't figure out how to get a working policy (made harder because you can't debug the damn blob well anyway). (made harder because the ppl who sold you that application aren't going to be able to help you when you ask them "why is this app doing X Y and Z?" when X Y and Z are system calls they've never heard of.) - So, disable policy stuff or just "allow all" just to get it working. Face it; the fact that you're running the dumb binary app in the first place is because its so critical you can't do without it. Given the choice between having a mission critical app (that you probably paid good money for) crippled by the policy layer or not having to deal with it, what are people going to do? The intentions are great and look good on paper. The reality is a bit different, as others have pointed out. DS
Re: lock(1) to lock all virtual terminals?
On 9/23/07, Todd Alan Smith <[EMAIL PROTECTED]> wrote: > On 9/23/07, Douglas A. Tutty <[EMAIL PROTECTED]> wrote: > > On Sun, Sep 23, 2007 at 05:23:37PM -0600, Chris Kuethe wrote: > > > On 9/23/07, Todd Alan Smith <[EMAIL PROTECTED]> wrote: > > > > Does "lock -nv" not work? I just read about this in "BSD Hacks" last > > > > night, oddly enough. > > > > > > # lock -nv > > > lock: unknown option -- v > > > usage: lock [-np] [-a style] [-t timeout] > > > > > > -np will at least lock the terminal with your password and no timeout > > > > > > > Right, but I want it to prevent me from changing to another virtual > > terminal. > > Referring back to the "BSD Hacks" book (page 22) by Dru Lavigne, I see > now that the lock command to which she refers comes with FreeBSD, > although she states that it's available for NetBSD and OpenBSD. > > I'm an OpenBSD newbie, so I'd enjoy learning why a different version > of lock is employed in OpenBSD. If anyone in the know wants to > elaborate, that'd be great. It's not necessarily a different version; all BSDs document in the lock(1) manual page that the implementation came from the 3.0BSD release. Indeed, all of them implement similar options with slight variance in the additional command line switches: FreeBSD adds a -v option to prevent switching virtual terminals during a lock. It notes that only syscons(4) terminals are supported here. (Note it's not saying that all other terminals are locked, just that you can't switch to them. So under OpenBSD you might workaround for similar behavior by logging into a single terminal session and running screen(1) or similar to load others, then locking one in essence locks them all.) http://www.freebsd.org/cgi/man.cgi?query=lock&apropos=0&sektion=0&manpath=FreeBSD+6.2-RELEASE&format=html OpenBSD doesn't support -v, but it doesn't use syscons either so that's not really a consideration. 
But it does add a -a option to extend authentication using the BSD auth subsystem, giving you additional flexibility. http://www.openbsd.org/cgi-bin/man.cgi?query=lock&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html NetBSD is the least featureful of the implementations as it has neither a -v nor a -a option. http://netbsd.gw.com/cgi-bin/man-cgi?lock++NetBSD-3.0 DS
Re: OpenBSD firewalls as virtual machine ?
On 9/20/07, Nick Holland <[EMAIL PROTECTED]> wrote: > Read this: > http://advosys.ca/viewpoints/2007/04/fuzzing-virtual-machines/ > Read the paper linked there as well. Always good to go back to original > source material. > > Anyone who told you VM technology and security had anything to do with > each other was full of doo-doo. Ironically, today's ISC handler's diary entry talks to this as well. http://isc.sans.org/diary.html?storyid=3411&rss DS
Re: OpenBSD firewalls as virtual machine ?
On 9/21/07, Scott Wells <[EMAIL PROTECTED]> wrote:
> However, I don't fully agree with the sentiment that running a firewall
> in a virtual machine (let's be specific, VMWare ESX) guest environment.
> I'm running my firewall on a ESX 3.0.2 guest, and it works perfectly
> fine. That being said, you have to be aware of the VM configuration.
> The majority of vulnerabilities in VMWare are patchable (so yes, someone
> needs to do maintenance), but are also issues that affect the VMKernel
> or service console, and with careful planning, the vulnerabilities can
> largely be prevented from being used as exploits on external interfaces.

(I'd hoped you would have prefaced that with a statement like "these are my stock options talking, but...")

This is the kind of bad advice that virtualization companies (and naive users of those technologies) need to stop spreading. This security model is flawed, and people should not rely on these virtual machine environments to provide firewall services. Here's an entirely realistic scenario at this point:

- Administrator pays loads of money for VMware ESX; for better ROI, he intends to replace several systems on the network with one big system running a number of VMs. Maybe there is a full DMZ (say, 10 hosts) on this box. One virtual machine is configured as a firewall, intended to provide packet filtering and other network security services for the other DMZ VMs.
- A vulnerability is discovered that allows an attacker who has presence in one VM to execute arbitrary code on the host OS, or transfer files between guest and host. (Both of these have happened already. In fact, VMware Tools seems to be the perfect bit of flawed gateway software to make this even easier.) Virtualized segmentation is compromised at this point.
- Attacker now has presence on host OS and can fully control all 10 of the VMs running on the host. VM segmentation was supposed to prevent this, remember? This includes the firewall which he can now play fun games with such as overwriting the ruleset. He can sniff network traffic for all the VM hosts since he has direct access to the host interface.

In one short subversion, 10 (11) systems have been compromised through one flawed security model. A weakness in one VM becomes the thing that makes compromising all the others dramatically easier. Why subject your firewall to that? At least in a traditional non-virtualized firewall model, the attacker would have to pull out real exploits and attack real (secured) services to compromise the firewall, and it wouldn't fall at the same time as the other hosts.

Yes, these kinds of flaws have (so far) been able to be patched, but
a. They're becoming more frequent as more research goes into breaking out of VMs
b. The impact of these flaws can be so high it doesn't justify risking the integrity of an entire network of machines at the same time when you get bit by it.

Feel free to lump all of your IIS webservers onto a VM environment and let that get owned up and down. At least have the good sense to physically separate your firewall (and other network security devices) out of that. DS
Re: OpenBSD firewalls as virtual machine ?
On 9/20/07, Nick Holland <[EMAIL PROTECTED]> wrote: > > Can someone please inform me if this is a really bad idea or not, > > ideally with some nice reasoning? > > > > > > Cheers, > > Josh > > Read this: > http://advosys.ca/viewpoints/2007/04/fuzzing-virtual-machines/ > Read the paper linked there as well. Always good to go back to original > source material. > > Anyone who told you VM technology and security had anything to do with > each other was full of doo-doo. I'll echo Nick's statements here. Virtualization does not provide reliable enough segmentation to rely on for security assurance. Do not buy into the market smack the vendors are putting out about it. As far as that goes, the more time goes on, the weaker the assumption of virtualized segmentation becomes. Research from IntelGuardians and other groups appears to be coming closer to completely unraveling virtualization security, at least in terms of how it's implemented in VMware for example. See also CVE-2007-0061, CVE-2007-0062, CVE-2007-0063, and CVE-2007-4496. DS
Re: Is AMD64 page out of date about W^X?
On 9/20/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: > According to: > http://www.openbsd.org/amd64.html > W^X will not work on Intel's 64 bit chips. I for one chose to go with i386 on > my Core 2 because of this fact alone. Intel produces 2 families of 64-bit processors; the EM64T and an AMD64 family chip. You're probably misinterpreting what is meant to indicate the former. http://en.wikipedia.org/wiki/64-bit#Current_64-bit_microprocessor_architectures http://www.xbitlabs.com/news/cpu/display/20040310223922.html DS
Re: Microsoft gets the Most Secure Operating Systems award
On 9/20/07, The One <[EMAIL PROTECTED]> wrote: > > Don't bother following up, I won't be listening. Or maybe I will, and > > I might even venture out from under my rock again before 4.4 ships. > > If anyone can solve security, whether it is with "Leopard" or in the > future, Apple definitely can. > > In my opinion, Apple performs 100% in the software field, and 90% in > the hardware field, which is due to, as I explained in my previous > messages, depending off of factories in third-world countries that are > not even Apple operated! > > But Apple has done so much with software, it is obvious that, in the > end, Apple will reach the goal. Even when personal computers are > replaced with a different technology, Apple will be on top. You're either incredibly naive, have been drinking too much aqua-colored koolaid, or are just joking. Good one. DS
Re: OpenBSD Install Goal
On 9/18/07, Douglas A. Tutty <[EMAIL PROTECTED]> wrote: > > You are given a brand new machine; you bring your install CD; and after > > four minutes of using the standard tools (disklabel, fdisk, ifconfig, > > ...) you are already very familiar with, you have a fully working box, > > modulo afterboot. > > The only issue I've seen is that if you are new to OBSD, even if used to > the command line in Linux (not clicky-pointy-lindows) fdisk and > disklabel are new. On linux, the standard non-GUI partitioner is cfdisk > (curses fdisk) while there is no such thing as disklabel). fdisk isn't new; any operating system that has had to partition an i386 system carries along with it the same fdisk-ish paradigm. whether you call it fdisk, or cfdisk, or anaconda disk partitioning, or windows setup, people have been doing the same damn thing for years and shouldn't find differences in implementation intimidating. disklabels aren't a strictly unique thing either; several systems have them. even Linux has to deal with disklabels on non-x86 platforms (e.g. Sun boxen) e.g. http://www.gentoo.org/doc/en/handbook/handbook-sparc.xml?part=1&chap=4. > To my mind, even a curses interface to cfdisk and disklabel is not > necessary, but a little more help, e.g. a mini-menu along the bottom, > would go a long way. Blech. http://www.openbsd.org/faq/faq4.html http://www.openbsd.org/faq/faq14.html ftp://ftp.openbsd.org/pub/OpenBSD/4.1/i386/INSTALL.i386 There are resources a-plenty; anyone who finds it confusing is either trying to install without having read docs, or is not familiar with computers in the first place (and thus needs to read the docs.) Computer users need to get smarter, instead of technology getting dumber for them. DS
Re: Bug in the wireless wpi driver ?
On 9/16/07, Catalin Stoian <[EMAIL PROTECTED]> wrote: > I did a fresh install of OpenBSD-CURRENT on my new laptop, an Acer > Aspire 5610 that comes with an Intel 3945 wireless adapter. But it > seems I can't use the adapter with OpenBSD.Following the wpi manpage, > I installed the wpi-firmware-2.14.1.5.tgz file with pkg_add, and it > seemed to install fine. > > # cat /var/db/pkg > wpi-firmware-2.14.1.5.tgz ??? /var/db/pkg/ is a directory... $ ls -ld /var/db/pkg drwxr-xr-x 101 root wheel 3072 Sep 9 22:09 /var/db/pkg ...and the contents of that directory would be other directories, package names, without the .tgz suffix. Don't know about your device problems, but that stuff (above) is weird. DS
Re: FW: Problem with ftp-proxy -- additional info
On 9/14/07, Jason <[EMAIL PROTECTED]> wrote: > Hello all, > > Ok, here is a sample. I tried a connection from my workstation 10.0.0.103 > to ftp.openbsd.org. > > > Firewall's pf.conf > ---BEGIN > if_loopback="lo0" # loopback > if_public="em1" # connected to public network > if_int="bnx1" # connected to internal network (10.0.0.0/24) > > ip_public="66.181.246.130" > set skip on $if_loopback > #scrub in > #begin NAT Rules > nat on $if_public from $if_int:network to any -> $ip_public > #Handle FTP Clients behind firewall > nat-anchor "ftp-proxy/*" > rdr-anchor "ftp-proxy/*" > rdr pass on $if_int proto tcp from any to any port 21 -> 127.0.0.1 port 8021 > #END NAT Rules > > #BEGIN Filter Rules > #block all incoming > block drop in on $if_public > #ftp > anchor "ftp-proxy/*" > > #allow all outbound > pass out quick on $if_public keep state > > #END Filter Rules > -- END pf.conf Strange that you don't have any firewall rules allowing traffic in/out of your internal interface, short of the rdr pass for your FTP -> proxy traffic. Is that the only stuff that should be going out? 
[snip] > 3 0.001961 10.0.0.103 129.128.5.191 TCP > 4096 > ftp [ACK] Seq=1 Ack=1 Win=65535 [TCP CHECKSUM INCORRECT] Len=0 > > Frame 3 (54 bytes on wire, 54 bytes captured) > Ethernet II, Src: AsustekC_64:cd:e6 (00:1b:fc:64:cd:e6), Dst: Dell_ca:4d:de > (00:19:b9:ca:4d:de) > Internet Protocol, Src: 10.0.0.103 (10.0.0.103), Dst: 129.128.5.191 > (129.128.5.191) > Transmission Control Protocol, Src Port: 4096 (4096), Dst Port: ftp (21), > Seq: 1, Ack: 1, Len: 0 > Source port: 4096 (4096) > Destination port: ftp (21) > Sequence number: 1 (relative sequence number) > Acknowledgement number: 1 (relative ack number) > Header length: 20 bytes > Flags: 0x10 (ACK) > Window size: 65535 > Checksum: 0x91c0 [incorrect, should be 0x9335 (maybe caused by "TCP > checksum offload"?)] You said originally that the packet from the server / firewall (ftp-proxy) contained the invalid checksum, but in this capture the syn-ack from your client at the end of the handshake is the first one reported with an incorrect checksum. It's also the one that ungraciously tears down the connection below. > 8 60.001675 10.0.0.103 129.128.5.191 TCP > 4096 > ftp [RST, ACK] Seq=1 Ack=1 Win=0 Len=0 > > Frame 8 (54 bytes on wire, 54 bytes captured) > Ethernet II, Src: AsustekC_64:cd:e6 (00:1b:fc:64:cd:e6), Dst: Dell_ca:4d:de > (00:19:b9:ca:4d:de) > Internet Protocol, Src: 10.0.0.103 (10.0.0.103), Dst: 129.128.5.191 > (129.128.5.191) > Transmission Control Protocol, Src Port: 4096 (4096), Dst Port: ftp (21), > Seq: 1, Ack: 1, Len: 0 > Source port: 4096 (4096) > Destination port: ftp (21) > Sequence number: 1 (relative sequence number) > Acknowledgement number: 1 (relative ack number) > Header length: 20 bytes > Flags: 0x14 (RST, ACK) > Window size: 0 > Checksum: 0x9331 [correct] A few ideas: - test using same internal host, but different FTP client. - test using different internal host, same FTP client and different FTP client. (Preferably one with a different NIC model; e.g. 
certain hardware checksum offloading features have been known to cause frame corruption. Maybe you've got something like that? - any really good reason you can't use passive mode FTP? - enable debugging in PF to see if you can get any errors that might be occurring. I wouldn't imagine any, but: # pfctl -x loud ...and look for debug output in /var/log/messages. When you're done: # pfctl -x urgent DS
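The capture above flags frame 3 as "Checksum: 0x91c0 [incorrect, should be 0x9335]". As an added example (mine, not from the thread), here is a Python checker for the TCP checksum over the IPv4 pseudo-header, fed a constructed 20-byte ACK header that uses the capture's addresses and ports (10.0.0.103:4096 -> 129.128.5.191:21, window 65535) but made-up sequence and ack numbers, so its full checksum is not 0x9335. One thing it does reproduce exactly: the partial sum over the pseudo-header alone (src, dst, protocol 6, TCP length 20) comes out to 0x91c0, the very value Wireshark flagged. That is what a stack doing transmit checksum offload leaves in the field for the NIC to finish, and since the sniffer was running on the client itself, it supports the "TCP checksum offload" hint in the capture: the frames on the wire may be fine and the capture is seeing them before the NIC touched them.

```python
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum of data; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, seg_len: int) -> bytes:
    """IPv4 pseudo-header the TCP checksum covers: src, dst, zero, proto 6, TCP length."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))


def pseudo_header_sum(src_ip: str, dst_ip: str, seg_len: int) -> int:
    """Partial sum over the pseudo-header only. A stack doing TX checksum offload
    writes this into the checksum field and lets the NIC add the rest."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, seg_len))


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """RFC 793 checksum: one's complement of the sum over pseudo-header + segment,
    with the segment's own checksum field (header bytes 16..17) treated as zero."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + zeroed)
    return (~total) & 0xFFFF


def verify_tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """True when the stored checksum matches a recomputation (what Wireshark checks)."""
    stored = struct.unpack("!H", segment[16:18])[0]
    return stored == tcp_checksum(src_ip, dst_ip, segment)


def build_tcp_header(sport, dport, seq, ack, flags, window, checksum=0) -> bytes:
    """Minimal 20-byte TCP header: data offset 5, no options, urgent pointer 0."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (5 << 12) | flags, window, checksum, 0)


# Constructed sample modelled on frame 3 above: 10.0.0.103:4096 -> 129.128.5.191:21,
# bare ACK, window 65535, 20-byte header (54 bytes on wire = 14 Ethernet + 20 IP + 20 TCP).
# The absolute sequence/ack numbers are made up, so the final checksum is not the capture's.
SRC, DST = "10.0.0.103", "129.128.5.191"
FLAG_ACK = 0x10
SEQ, ACK = 0x11223344, 0x55667788

unfilled = build_tcp_header(4096, 21, SEQ, ACK, FLAG_ACK, 65535)            # field left at 0
offloaded = build_tcp_header(4096, 21, SEQ, ACK, FLAG_ACK, 65535,
                             checksum=pseudo_header_sum(SRC, DST, 20))     # NIC never finished it
complete = build_tcp_header(4096, 21, SEQ, ACK, FLAG_ACK, 65535,
                            checksum=tcp_checksum(SRC, DST, unfilled))     # what should hit the wire


def check_all() -> dict:
    """Verify the three variants the way a capture-side checker would."""
    return {
        "unfilled": verify_tcp_checksum(SRC, DST, unfilled),    # False
        "offloaded": verify_tcp_checksum(SRC, DST, offloaded),  # False: holds 0x91c0
        "complete": verify_tcp_checksum(SRC, DST, complete),    # True
    }


if __name__ == "__main__":
    print(hex(pseudo_header_sum(SRC, DST, 20)), check_all())
```

To use it on real frames, slice the TCP segment out of each packet and pass the addresses from the outer IP header. To rule offload in or out for good, capture on a third host (span port, hub or the firewall itself) rather than on either endpoint; a bad checksum seen there is a real one.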
Re: Problem with ftp-proxy
On 9/14/07, Jason Calhoun <[EMAIL PROTECTED]> wrote: > Hi, > > I have an OpenBSD 4.1 system running as a NAT firewall for our office and > unfortunately I have to support a couple of active > FTP clients on the inside of the firewall, so I've set up ftp-proxy. I've > never used ftp-proxy before and I've run into a problem with it. > > I've set up ftp-proxy and pf as described in the PF FAQ. When the client > application tries to connect, it behaves as if it never > gets a response from the server. The connection hangs and eventually the > client ftp application reports a time out. > > What's actually happening is not as much fun. I ran a packet sniffer on the > client computer while trying to establish the ftp connection. > Things happen as follows: > > The client (inside the firewall) initiates a connection to an FTP server on > a public IP. > The TCP handshake completes. > The FTP server sends its first FTP protocol packet containing the usual > welcome/banner string - This packet does make its way back > through the firewall to the client system. However, (according to Wireshark > on the client) the checksum on the packet is incorrect. > The client ftp application then seems to just ignore the packet from the > server, presumably because the checksum in the packet > does not match the calculated checksum. Strictly speaking, if your FTP transaction is being proxied correctly, the way you think it is, the packet sent by the remote FTP server never makes it to the client. It is part of a connection terminating at the PF box. The client never sees packets from the remote server. Source and destination IP addresses will confirm which packets from whom you are talking about. It's typically easier to troubleshoot if we see the information you have rather than hearing about your interpretation second-hand. DS
serial port usage
For the scenario where you have two openbsd hosts, one connected to the second with a serial null modem cable, what is the right device to use when connecting using tip(1) from the first to a console on the second? These suggest that cua is the right device to use: http://www.openbsd.org/faq/faq8.html#TTY http://marc.info/?l=openbsd-misc&m=115868967631296&w=2 http://marc.info/?l=openbsd-misc&m=118764543712174&w=2 But for me, using cua00 fails with "missing phone number" message while tty00 works: molodetz$ tip -19200 tty00 can't open log file /var/log/aculog. connected OpenBSD/i386 (sinoptik.sancho2k.net) (tty00) login: ~ [EOT] molodetz$ tip -19200 cua00 can't open log file /var/log/aculog. missing phone number [EOT] If cua00 is the right device to use when connecting out, why the missing phone number error? DS
Re: SMP
On 9/13/07, Darren Spruell <[EMAIL PROTECTED]> wrote: > On 9/13/07, Cyrus <[EMAIL PROTECTED]> wrote: > > Im currently running openbsd 4.1 on my server, Proliant 8500. This server > > is SMP with 4x 700MHz PIII proc. Im just wondering, is it using all four > > cpu's? or do I have to configure the system to utilize SMP? > > SMP is the kernel that supports multiple CPUs. If you're not running > SMP, you aren't multiprocessing. Horrible mistake - bsd.mp is what you're after for SMP support. Sorry for the misguidance. DS
Re: SMP
On 9/13/07, Cyrus <[EMAIL PROTECTED]> wrote: > Im currently running openbsd 4.1 on my server, Proliant 8500. This server > is SMP with 4x 700MHz PIII proc. Im just wondering, is it using all four > cpu's? or do I have to configure the system to utilize SMP? SMP is the kernel that supports multiple CPUs. If you're not running SMP, you aren't multiprocessing. Useful ways to diagnose your CPU configuration; what does your kernel say it found? # dmesg |grep ^cpu # sysctl hw.ncpu DS
Re: OpenBSD Install Goal
On 9/13/07, Steve Shockley <[EMAIL PROTECTED]> wrote: > Bob Beck wrote: > >> As OpenBSD grows there simply is no reason, or logic to keeping > >> around such an archaic method of installation it now uses. > > > I await your diffs! Please feel free to write one that works, and > > fits on the install media for 10 architectures. > > I assume you're only encouraging this because it's likely impossible. > Frankly, I find the FreeBSD installer somewhat confusing. About the > only thing that would maybe make the OpenBSD installer simpler for new > (or impatient) users would be a "default" disk layout with sane > partition sizes for /, /tmp, /var, /usr, etc. Of course I rarely > install OpenBSD on non-x86 boxes but I'm sure sane defaults for x86 are > quite different than mac68k or hppa. I've found times where a default layout would have been useful, but on the other hand I've been bitten more than once by a default layout (from the sysinstall [A]utomatic partitioner) that didn't set up a big enough /tmp for my needs. The result was spending extra time reinstalling to do it right the second time around. In almost all cases I think it's worth just being forced to think about my needs a bit more up front rather than trusting technology to do it for me. _Especially_ in cases where an autopartition scheme is involved (several OSes come to mind...) DS
Re: The Atheros story in much fewer words
On 9/13/07, Shawn K. Quinn <[EMAIL PROTECTED]> wrote: > On Thu, 2007-09-13 at 07:09 -0400, Nick Holland wrote: > > GNUspeak: > > These are definitely not the views of the GNU project. They *might* be > views of the self-styled "Linux nerds" that think they are "k00l" and > "eleet" because they read Slashdot, but to imply the GNU project > espouses these views is, quite frankly, slanderous. > > > "Give back to the community!" (which really means, "I'm the community, > > gimme, gimme, gimme!") > > There may be some in the free software movement that think like this, > but this is far from a majority view. > > > "Free as in Freedom!" (but "Free as in no monetary charge" beats > > the hell out of taking a stand) > > Again, Richard Stallman's famous speech makes it clear monetary charge > is not the reason for the free software movement. > > > Free software: It's all about the price. > > The rest of the talk about "freedom", etc. is just trying to keep > > them from looking like cheap, greedy bastards. > > At least for an awful lot of 'em. > > You know, it's fine if you hate the GPL. But I'll be damned if I just > sit here and let you spread outright Goddamned *lies* about the free > software movement and the people that represent it. > > I'm not cheap. I'm not greedy. All I am after, is the freedom to use my > computer the way I want to without Microsoft, Apple, Google, AOL, Adobe, > Real, or other large companies being able to step in and say "no you > can't do that, it's not in our (financial) best interests to let you". > For me, it's always been about freedom. I would think for most of the > free software movement that truly knows what's going on, it *is* about > freedom. Before you embark on your storm in a teacup, re-read (and re-read again if you still don't get it) Nick's message. It's clear you missed/misunderstood half of the points he was making. DS
Re: The Atheros story in much fewer words
On 9/13/07, Claudio Jeker <[EMAIL PROTECTED]> wrote: > > The FSF should take a deep breath and apologize to Reyk, apologize to > > Theo, apologize to OpenBSD and apologize to the open source community at > > large. > > > > While reading this I got a mail that OpenSolaris released the adapted > version of our malo(4) driver. > > http://www.opensolaris.org/os/community/laptop/wireless/malo/ > > Second sentence on the page is: > This driver is based on the source code from OpenBSD, and is provided > under the same BSD-type License. Bravo. DS
Re: unix on lenovos
On 9/13/07, Julian Leyh <[EMAIL PROTECTED]> wrote: > On 20:52 Wed 12 Sep , Pau Amaro-Seoane wrote: > > You'll notice that Mark Kohut (Lenovo's worldwide analyst) cannot tell > > the difference between linux and BSD (both freebsd and openbsd fall in > > the category of "linux") but, in any case, maybe you feel like > > clicking the OpenBSD entry... I did > > Well, only FreeBSD was in the initial set of answers. OpenBSD was added > by somebody else, as you can see from the footnote. > > BTW, I voted for OpenBSD, too. But I think, Ubuntu already has too much > to catch up. Why is it about catching up? I don't understand the community at large's (the free software community's, that is) flawed mindset that one or a couple of distributions or flavors of operating systems have to be supported, or that one has to be ahead of the other. It's obvious that people don't get the big picture when you see users of different Linux distributions arguing about which _distributions_ should be supported; don't they get that they share a common kernel, and they can *all* be supported? Likewise for the idiots that say "support FreeBSD" or "support OpenBSD". Open up and release specs and documentation, and suddenly EveryBSD is supported. The userbase should be communicating with the vendor in a way that makes it clear that everyone can win if they produce documents and specs, or choose components for their products that are well supported already in the open source community. Arguing back and forth about which flavor you have a religious preference for only sends a signal to Lenovo that supporting open source is complicated, takes too much work, and makes them want to forget about it. DS
Re: What "Linux" distribution would you most like to see supported on a ThinkPad?
On 9/12/07, Sunnz <[EMAIL PROTECTED]> wrote: > http://lenovoblogs.com/insidethebox/?p=98 > > Interestingly both FreeBSD and OpenBSD are listed as a choice of > "Linux distro"; as well as "anyone that refuses to carry binary-only > drivers, so that all others will also benefit, as it will require > documented hardware". Everyone gets that the poll is set up so that you can put arbitrary answers on there and pick them? Someone added them. That's all. DS
Re: OpenBSD 4.2 Question
On 9/6/07, Sam Fourman Jr. <[EMAIL PROTECTED]> wrote: > hello misc@ > from the page http://www.openbsd.org/42.html , one of the changes made > to OpenBSD 4.2 is > > A change in the way the kernel random pool is stirred greatly > increases performance with network interface cards that support > interrupt mitigation, especially on architectures where reading the > clock is expensive (such as amd64). > > What would be some Examples of Network Cards that Support "interrupt > mitigation" > > I guess on this Subject I need educated because I am not all together > sure what interrupt mitigation is and why I want it. I'm not the right person to try to explain it, but I have generally been interested in seeing where it crops up and what it's associated with. The various /plusXY.html pages often have notes indicating drivers for which interrupt mitigation has been enabled/enhanced, and you can see what generally has it. For example, from plus38.html: "Add microcode to support interrupt mitigation on fxp(4) 82551 F stepping chipset. Big performance boost." plus39.html: "Fix for the nfe(4) interrupt mitigation code." ...or a CVS commit about enabling it in a National Semiconductor chip: http://marc.info/?l=openbsd-cvs&m=118037514315592&w=2 ...after which Soekris boxen with the DP83816 chips could experience better throughput at lower interrupt rates, good since the poor thing's CPU is a limiting factor. It's fun to look for this kind of stuff in the CVS commit logs, e.g. http://marc.info/?l=openbsd-cvs&w=2&r=1&s=%22interrupt+mitigation%22&q=b http://marc.info/?l=openbsd-cvs&w=2&r=1&s=%22interrupt+holdoff%22&q=b http://marc.info/?l=openbsd-cvs&w=2&r=1&s=interrupt+coalesce&q=b and other places: http://www.openbsd.org/papers/cuug2007/mgp00016.txt DS
Re: filesystems?
On 9/6/07, Jona Joachim <[EMAIL PROTECTED]> wrote: > On Thu, 6 Sep 2007 07:11:47 -0700 > "J.C. Roberts" <[EMAIL PROTECTED]> wrote: > > > On Tuesday 04 September 2007, Jona Joachim wrote: > > > On Mon, 3 Sep 2007 18:17:44 +0200 > > > > > > "Martin SchrC6der" <[EMAIL PROTECTED]> wrote: > > > > 2007/9/3, The One <[EMAIL PROTECTED]>: > > > > > FAT32. > > > > > > > > And everyone can be compiled to read NTFS; Linux can even write to > > > > it. > > > > > > FreeBSD can also write NTFS using the ntfs-3g driver together with > > > fusefs. > > > > > > > > > Jona > > > > Actually, this is tentative at best. Though some have had success both > > reading from and writing to various NTFS versions, it's not really a > > safe thing to do. It's still an undocumented file system, and many > > typical operations fail disastrously. This week I wasted two > > different XP installations by attempting to resize the NTFS partition > > (shrink) with two different open source tools (PartitionLogic and > > GParted). > > I never really used it, I think I just tested it once. > On their site they say: "The driver is in STABLE status since February > 2007, after twelve years of development" so I thought it was ok. > I had some terrible crashes with sshfs on FreeBSD. I think the FreeBSD > fuse kernel module is a bit flaky. I never tried it on Linux. How stable a driver is doesn't indicate the actual level of success writing {safely,properly,sanely} to a problematic filesystem like NTFS. It may successfully corrupt data without crashing or throwing errors at all. DS
Re: That whole "Linux stealing our code" thing
On 9/1/07, David H. Lynch Jr. <[EMAIL PROTECTED]> wrote: > Constantine A. Murenin wrote: > > That is entirely false. > Why ? The ISC seems to me to say you can do anything you wish - > except remove the copyright. > > ... but I do not see anything in the license that > requires preserving the license. > In essence the license says you can do almost any short of remove > the copyright. Your reading comprehension seems to be suffering. I would *love* to know how you read this statement: "Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies." THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. ...and then come to the conclusion that the only restriction it names on copying, modification, and distribution is that the copyright alone must remain. The statement "provided that the above copyright notice *and this permission notice* appear in all copies" seems to speak pretty clearly, does it not? A = copyright notice B = permission notice A != A+B DS
Re: That whole "Linux stealing our code" thing
On 9/1/07, Siju George <[EMAIL PROTECTED]> wrote: > On 9/1/07, Marco Peereboom <[EMAIL PROTECTED]> wrote: > > > > Try to run strings on windows command line utilities. You'll see that > > they preserved the copyrights as required. > > > > Could somebody please explain about "Running Strings"? strings(1) - print the strings of printable characters in files Pull down many of the Windows command line utilities to your Unix host (particularly those that share similar names with the Unix commands) and run strings against them. Pay attention to the strings referencing the University, CSRG, etc. Also: http://www.undeadly.org/cgi?action=article&sid=20030927090008 DS
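The check suggested above is easy to automate. As an added example (mine, not from the thread), here is a Python equivalent of strings(1) that scans a binary for runs of printable ASCII (default minimum of four, as strings(1) uses) and filters them for BSD-style attribution text; it also scans for UTF-16LE strings, because Windows binaries commonly store text that way and a byte-wise strings(1) shows those as single characters and misses them. The two sample "binaries" and the notice text in them are constructed for the example, and the regular expression is my own guess at the words worth looking for.

```python
import re


def extract_strings(data: bytes, min_len: int = 4):
    """Yield runs of at least min_len printable ASCII bytes (0x20..0x7e), as strings(1) does."""
    run = bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            yield run.decode("ascii")
        run = bytearray()
    if len(run) >= min_len:
        yield run.decode("ascii")


def extract_utf16le_strings(data: bytes, min_len: int = 4):
    """Same idea for UTF-16LE text: a printable ASCII byte followed by a zero byte.
    Advances one byte on a mismatch so runs at odd offsets are still found."""
    run = []
    i = 0
    while i + 1 < len(data):
        lo, hi = data[i], data[i + 1]
        if hi == 0 and 0x20 <= lo < 0x7F:
            run.append(chr(lo))
            i += 2
            continue
        if len(run) >= min_len:
            yield "".join(run)
        run = []
        i += 1
    if len(run) >= min_len:
        yield "".join(run)


# Words that usually appear in a preserved BSD attribution (assumption, extend as needed).
NOTICE_RE = re.compile(r"copyright|regents|university of california|csrg|berkeley", re.I)


def find_license_notices(data: bytes, min_len: int = 4) -> list:
    """Every extracted string (ASCII or UTF-16LE) that looks like a copyright/attribution notice."""
    found = list(extract_strings(data, min_len)) + list(extract_utf16le_strings(data, min_len))
    return [s for s in found if NOTICE_RE.search(s)]


# Constructed stand-in for a Unix-style binary: opaque bytes around an sccsid-style notice.
SAMPLE_ASCII = (b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
                + b"@(#) Copyright (c) 1989 The Regents of the University of California.\x00"
                + b"\x90\x90\xcc\xcc"
                + b"All rights reserved.\x00"
                + b"ab\x00\x01\x02usage: ftp [-46AadEgimnpv] host\x00")

# Constructed stand-in for a Windows binary whose notice is stored as UTF-16LE.
SAMPLE_W = b"MZ\x90\x00\x01" + "Copyright (c) Microsoft".encode("utf-16-le") + b"\x00\x00"


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        for notice in find_license_notices(f.read()):
            print(notice)
```

Run it with a path to any executable; if a notice only turns up in the UTF-16LE pass, that is why a plain strings(1) on the same file came back empty.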
Re: More on the Atheros driver situation
On 9/1/07, Steven <[EMAIL PROTECTED]> wrote: > If code is released under copyright. be it BSD, or GPL, and someone > other than the author(s) changes the license, can the person(s) > who(m) made the changes seriously expect that somebody else cannot > take that code under the terms of the original license, or some > other license _they_ prefer and do the same? Someone other than the authors _cannot_ change the license. Neither of these licenses grants anyone rights to change or remove licenses of the distributed code. In fact, they explicitly state that the license (and copyright) must stay intact. (New material can have a new license clause appended to it, but that is completely different than what you're talking about.) This whole escapade would be a lot simpler if people would stop relying on guesswork and assumptions for matters they do not understand. For most matters like these in the real world, the preferred behavior is to clam up until you study and understand it, and then engage in commentary. Read Theo's earlier email on the matter. He explains it quite well. http://marc.info/?l=openbsd-misc&m=118861134304239&w=2 DS
Re: OpenBSd or HP-UX?
On 8/29/07, Jussi Peltola <[EMAIL PROTECTED]> wrote: > On Tue, Aug 28, 2007 at 09:17:11PM +0200, Joachim Schipper wrote: > > P.S. One more issue: you *do* realize that getting OpenBSD to > > authenticate against LDAP is not entirely trivial, right? This might be > > a serious problem if the LDAP system is to handle network-wide logins... > This doesn't stop you from using OpenBSD as the server other machines > authenticate against, or does it? I think it's only good that users > can't login to the LDAP server itself. No, he's just pointing out that if you're using this to provide centralized authentication for all the servers in your environment as well, OpenBSD won't take advantage of it well. > I'm only checking to be sure, since I'll need to set up a new LDAP server > for the unofficial *nix users group we have at school, and since we have > nobody except a bunch of busy and lazy students to administer the boxes > OpenBSD would be a painless choice... LDAP is a fantastic choice. OpenBSD can do what you need. Why in the world are you even tossing HP-UX around for this purpose? ;) DS
Re: OpenBSd or HP-UX?
On 8/27/07, Alvaro Mantilla Gimenez <[EMAIL PROTECTED]> wrote: > Travers Buda wrote: > > > *snip* > > > > Just tell him that OpenBSD in the stead of HP-UX will be cheaper, faster to > > setup, and easier to maintain (because of your experience with Open.) Both > > OpenBSD and HP-UX can do LDAP, yes, but it's yourself that makes the > > difference here. > > > > Oh, and you have much more freedom in picking out your hardware (back to > > the cheap tangent.) > > > > -- > > Travers Buda > > It would be wonderful to convince my boss with that argument, but the > next question he will ask is: "What if you die tomorrow?? Who can > maintain the system??... Easy. Let him know that any person who has a grasp of the written language can easily pick a system up and administer it by reading the available documentation. I'm not kidding - this is an easy win. Docs are a strong point and an unappreciated one. How hard is it to find good docs for commercial Unix variants? It works out for me that even if you find the docs, it's incredibly hard to find the specifics you're looking for in all the fluff. Between the excellent manual pages and online docs (e.g. http://www.openbsd.org/faq/), coupled with the amassed years of other users' experience and developer input found in the misc@ archives, it is not difficult for anyone with some Unix familiarity to pick OpenBSD up and run with it. DS
Re: Backport drivers from 4.1 to 4.0
On 8/27/07, Kevin Cheng <[EMAIL PROTECTED]> wrote: > Artur, > > Thanks, > > Upgrading code based on a release of obsd is easy, but it would be a big job to > maintain early releases of products based on previous versions of obsd. For > example, we would maintain 8 versions of products from 3.3 to 4.0 if code > is upgraded every half year. Why would you maintain support for products going back to vastly unsupported versions of OpenBSD? If I had a product based on OpenBSD, I wouldn't give customers an excuse to keep themselves on older and unsupported releases. Do you want customers running 3.3 right now? They haven't been able to get patches for years now. In my experience at least part of the reason system designers choose OpenBSD as a basis for their solution is the security focus. You go that far out of date, you lose that advantage. Yes, the project has a release schedule. No, that doesn't make it easy to maintain the 5 year life cycle that other platforms like to advertise. It also doesn't mean that their schedule is superior or is even a good idea (or accurate). Some vendors are maintaining "support" for NT4 still; customer demand is driving that. It's stupid, and those that play that game are either really stupid or really good at getting risk acceptance documents signed off on. Or both. DS
Re: openbsd instead of cisco vpn client
On 8/27/07, Paolo Supino <[EMAIL PROTECTED]> wrote: > Hi > > I came across the following situation: there's a network where several > employees have access to a client of theirs using Cisco VPN clients. > To centralize and ease administration I want to put in place an OpenBSD > box that will create a single VPN. > The client is so bureaucratic that by the time their paperwork for > setting up a site to site VPN is done the need for this VPN will be gone. > So is it possible to mimic a Cisco VPN client connection with OpenBSD > IPSEC? It completely depends on the configuration of the Cisco IPsec device, but in most cases the answer is no. Common configurations for client VPN will use Cisco extensions that are not supported outside of their implementation. DS
Re: Compiling Release Patches
On 8/25/07, Clint Pachl <[EMAIL PROTECTED]> wrote: > >> The reason for this is that I can use a single build machine running the > >> current release, and two source trees, current and previous. > > [1] Well, it usually does, but it can break in interesting ways that are > > difficult to fix. > > Joachim, your footnote is what I was expecting to hear. After running a > few tests, I have been able to compile 4.0 patches on a 4.1 system, but > I'm sure I will run into edge cases that crap out sooner or later. I > guess I will mark this up as an unreliable operation. > > Thanks for your suggestions. I think a dual-boot machine will be the way > I'll go. Are you talking about many 4.0 systems? In your place, I might simply opt to push for upgrades to 4.1 as it would be about as simple and easy as dual boot to build patches. This crazy guy (http://erdelynet.com/tech/openbsd/quick-upgrade-process/) clocks 20 minutes start to finish. In a couple of months your 4.0 will no longer be supported anyways. DS
Re: Securing syslog in insecure mode (syslog -u )
On 8/24/07, Lars Noodin <[EMAIL PROTECTED]> wrote: > Is there a recommended best practice for securing a remote log server? > > Is it worth it to try to tunnel between the machines? Would be good to know what is meant by "securing", as in "what exact sense of security are you trying to address?" DS
Re: bind 9 cache poisoning
On 7/25/07, Allen <[EMAIL PROTECTED]> wrote: > Richard Storm wrote: > > Is openbsd bind vulnerable to attacks on binds PRNG described here: > > http://www.securiteam.com/securitynews/5VP0L0UM0A.html > > A glance at the README.OpenBSD file for 4.1 in /usr/src/usr.sbin/bind > shows (among other things): > > - add LCG (Linear Congruential Generator) implementation to libisc > - use LCG instead of LFSR for ID generation until LFSR is proven reliable > - strlcpy/strlcat/snprintf fixes > > Without digging into things deeper, it looks like this is unlikely to > be an issue since the OBSD version doesn't rely on LFSR. One would think that with 16 bits for the query ID and 16 bits for the source port on DNS requests that the source port would be considered as important in terms of cache poisoning / response spoofing resiliency. named(8) uses a static source port for every query from the time of server startup; is there a good reason the authors don't pass source port allocation off to the OS where it can be randomized? DS
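The arithmetic behind the source-port point is worth seeing in code. As an added example (mine, not from the thread), here is a Python model of blind response spoofing: with a fixed source port, an attacker who has seen one query already knows the port and only has to cover the 16-bit query ID; with a randomized port the unknown space is 2^32. The fixed port 1053, the burst of 4096 forged replies per query and the 500 trials are assumptions; the model also ignores the race against the genuine reply and caching, and only measures the size of the guess space.

```python
import random

TXID_BITS = 16   # DNS transaction ID
PORT_BITS = 16   # UDP source port


def spoof_success_probability(guesses: int, entropy_bits: int) -> float:
    """Chance that `guesses` distinct forged replies, all arriving before the real
    answer, include the one (txid[, port]) value the resolver is waiting for."""
    space = 1 << entropy_bits
    return min(guesses, space) / space


def simulate(trials: int, guesses: int, randomize_port: bool, rng: random.Random) -> int:
    """Monte Carlo version. Static-port case: the attacker learned the resolver's
    fixed source port from an earlier query and only guesses the 16-bit ID.
    Randomized case: both fields must be guessed. Returns the number of hits."""
    static_port = 1053  # hypothetical fixed port; any fixed value behaves the same
    hits = 0
    for _ in range(trials):
        txid = rng.getrandbits(TXID_BITS)
        port = rng.getrandbits(PORT_BITS) if randomize_port else static_port
        target = (txid << PORT_BITS) | port
        if randomize_port:
            forged = set(rng.sample(range(1 << (TXID_BITS + PORT_BITS)), guesses))
        else:
            forged = {(t << PORT_BITS) | static_port
                      for t in rng.sample(range(1 << TXID_BITS), guesses)}
        hits += target in forged
    return hits


def compare(trials: int = 500, guesses: int = 4096, seed: int = 1) -> dict:
    """Analytic probability per query and simulated hit counts for both designs."""
    rng = random.Random(seed)
    return {
        "static_port_p": spoof_success_probability(guesses, TXID_BITS),               # 1/16
        "random_port_p": spoof_success_probability(guesses, TXID_BITS + PORT_BITS),   # 1/2^20
        "static_port_hits": simulate(trials, guesses, False, rng),                    # ~31 of 500
        "random_port_hits": simulate(trials, guesses, True, rng),                     # ~0 of 500
    }


if __name__ == "__main__":
    print(compare())
```

With the fixed port, one burst of 4096 forged replies succeeds on about one query in sixteen; the attacker just repeats until it lands. With the port randomized the same burst succeeds on about one query in a million, which is the difference a 16-bit ID alone cannot make up.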
Re: route command
On 8/18/07, steve szmidt <[EMAIL PROTECTED]> wrote:
> On Saturday 18 August 2007 22:19, steve wrote:
>
> Hmm, I had added the route commands to rc.local and with each edit executed
> sh netstart which of course does not read rc.local.

See hostname.if(5), and particularly the description for '!command-line' in
that manual.

DS
Re: route command
On 8/18/07, steve <[EMAIL PROTECTED]> wrote:
> It must have been too long ago since I built routers under BSD. I got three
> subnets in a series below the internet connection and cannot add a proper
> route between subnet 1 and 3.
> I've tried numerous route commands but it never results in routing it down to
> 198.168.0. My last routing commands look like this:
>
> route add 192.168.0 192.168.1.253
> route add 192.168.0.254 192.168.1.253
>
> What is the route command supposed to look like to route down to 192.168.0?

One way is with an explicit CIDR mask on the network:

# route add 192.168.0.0/24 10.0.1.1
add net 192.168.0.0/24: gateway 10.0.1.1
# route -n show | grep ^192
192.168.0/24       10.0.1.1           UGS     0    0     -   fxp0

DS
Re: howto set global environment variable (e.g. PATH, JAVA_HOME)
On 8/8/07, Lars Hansson <[EMAIL PROTECTED]> wrote:
> On 8/9/07, Clint Pachl <[EMAIL PROTECTED]> wrote:
> > Or you could programmatically change each user's .profile.
>
> Uhm, why? Markus is correct that both /etc/profile and $HOME/.profile
> are sourced when you log in so to set up global variables you set them
> in /etc/profile.

~/.profile overrides /etc/profile.

$ echo 'var1=a' >> /etc/profile
$ echo 'var1=b' >> ~/.profile
$ /bin/ksh -l
$ echo $var1
b

In this case, users' dot files will have to be updated.

DS
Re: spamd - 250 return text
On 8/3/07, Tom Bombadil <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> Short of recompiling spamd, is there any undocumented way of changing
> the 250 responses from spamd?
>
> - 250 Hello, spam sender. Pleased to be wasting your time.
> - 250 You are about to try to deliver spam. Your time will be spent, for
> nothing.
>
> "man spamd" and a quick search in the ML archives weren't very successful.
>
> We've had a pretty hard time from a client saying how "rude" this
> default message is. Even though their tech people didn't care, the
> people higher up got really offended... Quite understandably I'd say,
> since these "greetings" aren't really what we can call friendly... hehe
>
> Sorry to bug you guys with this lame "problem" but in the financial
> world, people can be very touchy :D

This *has* been discussed in the past, and should be in the archives, and
ultimately was dropped as a pointless subject. No, there's no magic "hugs and
rainbows" knob.

Why are people in positions of financial impact seeing this SMTP dialog in the
first place? Give them a software client with a wysiwyg interface and a send
button and this is all moot.

DS
Source port allocation and named(8)
Has named(8) on OpenBSD ever used randomized source ports for DNS queries? I
thought for some reason it had and noticed today that this probably was not
right:

10.0.1.2.34140 > 192.35.51.30.53: 64395% [1au] ? sec1.apnic.net. (43)
10.0.1.2.34140 > 192.0.34.126.53: 50119% [1au] ? blackhole-1.iana.org. (49)
10.0.1.2.34140 > 192.0.34.126.53: 42816% [1au] A? blackhole-2.iana.org. (49)
10.0.1.2.34140 > 192.0.34.126.53: 50486% [1au] ? blackhole-2.iana.org. (49)
10.0.1.2.34140 > 139.91.1.10.53: 51546% [1au] ? a.iana-servers.net. (47)
10.0.1.2.34140 > 139.91.1.10.53: 59001% [1au] ? c.iana-servers.net. (47)
10.0.1.2.34140 > 202.12.29.59.53: 58965% [1au] ? sec1.apnic.net. (43)
10.0.1.2.34140 > 192.0.34.126.53: 51376 A? blackhole-1.iana.org. (38)
10.0.1.2.34140 > 192.0.34.126.53: 44588 ? blackhole-1.iana.org. (38)
10.0.1.2.34140 > 192.0.34.126.53: 57558 A? blackhole-2.iana.org. (38)
10.0.1.2.34140 > 192.0.34.126.53: 48825 ? blackhole-2.iana.org. (38)
10.0.1.2.34140 > 192.175.48.42.53: 48486 [1au] PTR? 6.2.0.10.in-addr.arpa. (50)
10.0.1.2.34140 > 192.5.6.30.53: 44602 [1au] A? www.tacobell.com. (45)
10.0.1.2.34140 > 144.135.8.182.53: 58126 [1au] A? www.tacobell.com. (45)
10.0.1.2.34140 > 144.135.8.182.53: 37108% [1au] A? usc1.akam.net. (42)
10.0.1.2.34140 > 144.135.8.182.53: 36869% [1au] ? usc1.akam.net. (42)
10.0.1.2.34140 > 144.135.8.182.53: 41857% [1au] A? ns1-95.akam.net. (44)

Given the recent buzz around predictable query IDs in BIND 9 (exempting the
in-tree implementation), I started wondering why ephemeral ports wouldn't also
be randomized for DNS queries as they are for many other services. I assume
this is somehow related to named simply choosing the port at startup and may
have some (small, if any) performance implications, but why not simply allow
the OS to provide the source port for you?

DS
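The point made in this post and in the earlier "bind 9 cache poisoning" reply (a resolver that keeps one source port for every query leaves an off-path spoofer only the 16-bit transaction ID to guess) can be checked directly against a tcpdump(8) capture. The script below is an added example, not code from either post: it parses summary lines in the shape of the trace above, then reports how many distinct source ports and transaction IDs the resolver used and how many bits a spoofer would have to guess. The two embedded traces are constructed for the example (the second one is what the same queries would look like with OS-chosen ephemeral ports); the function and variable names are this example's own.

```python
"""Check whether a resolver reuses one source port for all its DNS queries.

Added example, not code from the original posts. Parses tcpdump(8)-style
summary lines ("src.port > dst.port: txid ...") and reports how much of the
32-bit (source port, transaction ID) space the resolver actually uses.
"""
import re
from collections import Counter

# Constructed sample in the shape of the trace quoted above: every query
# leaves from the same source port.
SAMPLE_STATIC_TRACE = """\
10.0.1.2.34140 > 192.35.51.30.53: 64395% [1au] A? sec1.apnic.net. (43)
10.0.1.2.34140 > 192.0.34.126.53: 50119% [1au] A? blackhole-1.iana.org. (49)
10.0.1.2.34140 > 139.91.1.10.53: 51546% [1au] A? a.iana-servers.net. (47)
10.0.1.2.34140 > 192.5.6.30.53: 44602 [1au] A? www.tacobell.com. (45)
10.0.1.2.34140 > 144.135.8.182.53: 58126 [1au] A? www.tacobell.com. (45)
"""

# Constructed contrast case: the same queries from a resolver that lets the
# OS pick an ephemeral port per query.
SAMPLE_RANDOM_TRACE = """\
10.0.1.2.51823 > 192.35.51.30.53: 64395% [1au] A? sec1.apnic.net. (43)
10.0.1.2.40017 > 192.0.34.126.53: 50119% [1au] A? blackhole-1.iana.org. (49)
10.0.1.2.63390 > 139.91.1.10.53: 51546% [1au] A? a.iana-servers.net. (47)
10.0.1.2.58561 > 192.5.6.30.53: 44602 [1au] A? www.tacobell.com. (45)
10.0.1.2.49042 > 144.135.8.182.53: 58126 [1au] A? www.tacobell.com. (45)
"""

# "src.sport > dst.dport: txid"; tcpdump may append flag characters such as
# "%" or "+" to the id, which the regex simply leaves unmatched.
QUERY_RE = re.compile(
    r"^(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<txid>\d+)"
)


def parse_queries(trace):
    """Return (src, sport, dst, txid) tuples for every line that looks like
    a DNS query; anything else (other traffic, truncated lines) is skipped."""
    queries = []
    for line in trace.splitlines():
        m = QUERY_RE.match(line.strip())
        if not m:
            continue
        queries.append((m["src"], int(m["sport"]), m["dst"], int(m["txid"])))
    return queries


def source_port_report(queries):
    """Summarise port and transaction-ID dispersion across the queries."""
    ports = Counter(q[1] for q in queries)
    txids = Counter(q[3] for q in queries)
    static = len(queries) > 1 and len(ports) == 1
    # Bits an off-path spoofer must guess per query: 16 for the txid alone,
    # plus up to 16 more only if the resolver actually varies its port (an
    # upper bound; a narrow ephemeral port range gives fewer).
    guess_bits = 16 if static else 32
    return {
        "queries": len(queries),
        "distinct_ports": len(ports),
        "distinct_txids": len(txids),
        "static_port": static,
        "guess_bits": guess_bits,
    }


if __name__ == "__main__":
    # Feed a real capture with e.g.
    #   tcpdump -n -i fxp0 udp dst port 53 | python3 this_script.py
    # after replacing the sample traces with sys.stdin.read().
    for name, trace in (("static", SAMPLE_STATIC_TRACE),
                        ("random", SAMPLE_RANDOM_TRACE)):
        print(name, source_port_report(parse_queries(trace)))
```

Run it against a capture of the resolver's outbound port-53 traffic; a report with `distinct_ports == 1` over many queries is the symptom the post describes, and the `guess_bits` figure is the difference between a 2^16 and a 2^32 search for a spoofed answer.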
Re: how to clear dmesg output
On 7/6/07, Jose H. <[EMAIL PROTECTED]> wrote:
> Kernel messages since a certain time and hide the hardware specs from users
> will be achieved the same way, suppose you have a parameter for dmesg that
> prints the current buffer and then clears it. I don't think it is a silly
> knob, in fact it may be the only knob you can have, dmesg holds
> messages/texts, you can print it, and you can clear it, other than that may
> be a silly knob.

I'm failing to understand why anyone feels the hardware specs are sensitive
enough to hide from anyone. Honestly. There's security that matters, and then
there's make-believe not-worth-an-ounce-of-effort-to-obfuscate stuff that isn't
important at all. I classify this in the latter.

DS
Re: can not install binaries with pkg_add
On 7/1/07, Alden Pierre <[EMAIL PROTECTED]> wrote:
> Hello All,
>
> I'm having a hard time trying to install packages on my machine.
>
> 1. PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/4.1/packages/i386/
> 2. pkg_add -i screen
>
> gives me the following:
>
> sh: cannot create /var/tmp/pkgout.V6ybCkITOgB: File exists
> No packages available in the PKG_PATH
> Can't resolve screen

You probably didn't export PKG_PATH into your environment:

$ env - ksh
$ env
_=/usr/bin/env
PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/X11R6/bin:/usr/local/bin
$ PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/4.1/packages/i386/
$ env
_=/usr/bin/env
PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/X11R6/bin:/usr/local/bin
$ sudo pkg_add -i screen
Password:
No packages available in the PKG_PATH
Can't resolve screen
$ export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/4.1/packages/i386/
$ sudo pkg_add -i screen
Ambiguous: choose package for screen
 0:
 1: screen-4.0.3p0
 2: screen-4.0.3p0-shm
 3: screen-4.0.3p0-static
Your choice:

DS
Re: Setting up a virtual hosting machine w. SSH/SFTP accounts - pitfalls/experiences?
On 6/29/07, Matt <[EMAIL PROTECTED]> wrote:
> In their homedir there is a `ln -s` to their /var/www/home/username
> webspace. That webspace is chowned username:www and chmodded 770 so httpd
> can access/write to their dir as well. Is that advisable / workable? Other
> ideas?

You don't want the www user being able to write to your web space. Think
about it.

DS
Re: http://openbsd.rt.fm/faq/faq10.html#httpdchroot
On 6/17/07, Darrel <[EMAIL PROTECTED]> wrote:
> http://openbsd.rt.fm/faq/faq10.html#httpdchroot
>
> Per the heading 'What is a chroot?', I plan to change the owner of all the
> files in the /var/www directory as read-only by User www. Should the group
> of directories and files be changed to www as well? At the moment, all of
> the files are owned by root and the groups are either bin or daemon in
> /var/www.

You misunderstand what you've read. The FAQ is telling you that under the
existing ownership and permissions, the www user _currently_ has read-only
access to the files in the chroot. You should not alter the ownership or
permissions.

> I plan to implement cgi.

The only modification you'll need is to 'chmod +x' whatever CGI
scripts/programs you place in cgi-bin directories.

DS
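Both this reply and the earlier one about username:www 770 webspace come down to the same check: nothing under the httpd chroot should be writable by the www user, and anything dropped into cgi-bin has to be executable by it. The script below is an added example, not code from either thread or from OpenBSD. It evaluates ownership and mode bits the way the kernel does (owner bits if www owns the file, else group bits if the file's group is www, else the other bits) and can walk a real /var/www with `scan_docroot`. The uid/gid 67 for www is the stock OpenBSD value (verify against /etc/passwd); the sample entries, their uids and gids, and all function names are constructed for this example.

```python
"""Audit a web root for files the www user can write, and CGI scripts it
cannot execute.

Added example, not code from the original threads. Permission evaluation
follows the usual Unix rule: owner bits apply if the uid matches, otherwise
group bits if the gid matches, otherwise the "other" bits.
"""
import os
import stat

WWW_UID = 67  # www on a stock OpenBSD install (assumption; check /etc/passwd)
WWW_GID = 67

# Constructed entries: (path relative to the docroot, uid, gid, mode).
# Mirrors the two situations discussed: root:bin read-only files as shipped,
# a username:www 770 user webspace, a forgotten chmod +x, a 777 directory.
SAMPLE_ENTRIES = [
    ("htdocs/index.html",      0,    7,  stat.S_IFREG | 0o644),  # root:bin
    ("cgi-bin/printenv",       0,    7,  stat.S_IFREG | 0o755),  # executable
    ("cgi-bin/hello.cgi",      0,    7,  stat.S_IFREG | 0o644),  # no +x
    ("home/matt",              1001, 67, stat.S_IFDIR | 0o770),  # user:www
    ("home/matt/index.html",   1001, 67, stat.S_IFREG | 0o660),
    ("htdocs/uploads",         0,    0,  stat.S_IFDIR | 0o777),  # world rw
]


def _www_has(uid, gid, mode, ubit, gbit, obit, www_uid, www_gid):
    """Apply the one permission class that governs access for www."""
    if uid == www_uid:
        return bool(mode & ubit)
    if gid == www_gid:
        return bool(mode & gbit)
    return bool(mode & obit)


def www_can_write(uid, gid, mode, www_uid=WWW_UID, www_gid=WWW_GID):
    return _www_has(uid, gid, mode, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH,
                    www_uid, www_gid)


def www_can_exec(uid, gid, mode, www_uid=WWW_UID, www_gid=WWW_GID):
    return _www_has(uid, gid, mode, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH,
                    www_uid, www_gid)


def audit_entries(entries, cgi_dirs=("cgi-bin",),
                  www_uid=WWW_UID, www_gid=WWW_GID):
    """Return paths www can write (files and directories; a writable
    directory lets www create or remove entries in it) and CGI files www
    cannot execute."""
    findings = {"www_writable": [], "cgi_not_executable": []}
    for relpath, uid, gid, mode in entries:
        if www_can_write(uid, gid, mode, www_uid, www_gid):
            findings["www_writable"].append(relpath)
        top = relpath.split("/", 1)[0]
        if (top in cgi_dirs and not stat.S_ISDIR(mode)
                and not www_can_exec(uid, gid, mode, www_uid, www_gid)):
            findings["cgi_not_executable"].append(relpath)
    return findings


def scan_docroot(root):
    """Yield (relpath, uid, gid, mode) for everything under root, so a real
    tree such as /var/www can be fed to audit_entries()."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            yield os.path.relpath(full, root), st.st_uid, st.st_gid, st.st_mode


if __name__ == "__main__":
    import sys
    entries = scan_docroot(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ENTRIES
    for kind, paths in audit_entries(entries).items():
        print(kind)
        for p in paths:
            print("   ", p)
```

Running it as `python3 audit.py /var/www` on a stock install should report nothing; the constructed sample flags the user:www 770 tree and the 777 directory as writable, and hello.cgi as needing chmod +x.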
Re: [OT] Open Source OSS for OpenBSD?
On 6/16/07, Aaron Hsu <[EMAIL PROTECTED]> wrote:
> [snip]
> Is this the correct interpretation or not?

So far off base, it seems like you haven't even read it.

DS
Re: Looking for other ideas to encrypt a wifi connection
On 6/14/07, Steve B <[EMAIL PROTECTED]> wrote:
> Recently I acquired an old Belkin wireless nic that has an RTL8180D chipset
> on it. It supports Host AP and is working nicely. Thanks to all those who
> helped breathe life into that card/chipset! Dmesg reports it as:
>
> rtw0 at pci0 dev 10 function 0 "Belkin F5D6001" rev 0x20: irq 7
> rtw0: ver RTL8180D, radio SA2400A, amp SA2411, address 00:30:bd:4c:8e:5c
>
> Currently its functioning as an unencrypted connection secured with authpf.
> I'd like to encrypt the traffic so as to prevent prying eyes from gathering
> something they should not. However it seems like my only choices are WEP, an
> SSH tunnel, OpenVPN or PoPToP. WEP is out since it is not very secure and
> I've tried PoPToP but it does not seem to like being used for this purpose.
> Before I embark on setting up OpenVPN I was wondering if there were any
> other methods to encrypt my traffic that I had not thought of?

ipsec(4) is still a fairly popular choice for securing WLANs.

DS
Re: [OT] Open Source OSS for OpenBSD?
On 6/13/07, Edd Barrett <[EMAIL PROTECTED]> wrote:
> Hi guys,
>
> I have been reading a thread on opensolaris.org regarding the open-sourcing
> of 4front's OSS. After explaining why CDDL licensing is unsuitable for
> OpenBSD, some of the developers have expressed an interest to contact Theo
> regarding licensing and OpenBSD.
>
> I do not know much about licensing, nor do I feel that I should email Theo
> personally as he may not appreciate it. Just thought I would point out the
> thread here.
>
> http://www.opensolaris.org/jive/thread.jspa?threadID=32401&tstart=0
>
> Is OpenBSD even interested in multi threaded OSS? I wouldn't mind it.

"...After much deliberation - we're going with CDDL for BSD. I don't know why
OpenBSD can't work with CDDL since FreeBSD and NetBSD can."
- http://www.opensolaris.org/jive/thread.jspa?threadID=32401&tstart=0

It appears that the question might be whether anyone over in their camp is
concerned with releasing code under a license even permissive enough to be
included. They don't seem to care that OpenBSD as a project seems to have more
stringent goals and policies than others.

DS
Re: Spamd variation
On 6/12/07, Soner Tari <[EMAIL PROTECTED]> wrote:
> Probably a simple shell script could do the job, which would look at
> SpamAssassin logs to find out the spam score and IP address, and insert
> into spamd blacklists as necessary. The only caveat is that threshold spam
> score for blacklisting should be kept very high to prevent inserting false
> positives into spamd blacklist.
>
> In my experience spamd is very successful, but SpamAssassin catches some
> spam e-mails that spamd misses occasionally. (After all, OpenBSD maillists
> also use both, see http://www.openbsd.org/mail.html).
>
> Please correct me if I am wrong, but I believe the OP's point was missed in
> the other replies. I also would like to know what people at misc@ think
> about such a scheme.

I think you summed it up; no modifications to spamd are necessary, your
post-spamd filters can modify blacklists directly with a little ingenuity and
some script-fu. Remember, it's unix. Modular. Pieces. Simplicity.

DS
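The "script-fu" step looks roughly like the following. This is an added example, not code from the thread or from OpenBSD's spamd: it reads per-message records of SpamAssassin score and sending relay, and emits only relays that scored above a deliberately high threshold on more than one message, never anything in RFC 1918 or loopback space (so a misattributed local relay cannot end up blacklisted). The log format is constructed for the example: SpamAssassin's own daemon log records the client that connected to it, not the sending relay, so it assumes a local delivery hook that writes the score together with the address from the last Received header. The output, one address per line, is what a `method=file` entry in spamd.conf(5) can consume before spamd-setup(8) loads it into the spamd table; that wiring is assumed, not shown.

```python
"""Turn high SpamAssassin scores into spamd blacklist candidates.

Added example, not code from the thread. Input line format is constructed:
    <timestamp> score=<n> relay=<ip>
as a local delivery hook might write after reading X-Spam-Status and the
sending relay's address. Output is one address per line, suitable for a
spamd.conf "method=file" blacklist source.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample log (documentation address ranges).
SAMPLE_LOG = """\
2007-06-12T10:01:03 score=22.4 relay=198.51.100.17
2007-06-12T10:02:11 score=4.1 relay=192.0.2.8
2007-06-12T10:03:45 score=17.9 relay=198.51.100.17
2007-06-12T10:05:20 score=31.0 relay=203.0.113.9
2007-06-12T10:06:02 score=16.2 relay=192.0.2.8
2007-06-12T10:07:33 score=3.0 relay=203.0.113.9
2007-06-12T10:08:10 score=19.5 relay=10.0.0.5
this line is garbage and must be skipped
"""

LINE_RE = re.compile(r"score=(?P<score>-?\d+(?:\.\d+)?) relay=(?P<relay>\S+)")

# Never blacklist these, whatever the score: a relay inside your own network
# that got misidentified as the sender would otherwise cut off real mail.
LOCAL_NETS = tuple(ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"))


def parse_scores(log):
    """Return (relay_address, score) pairs; unparsable lines and invalid
    addresses are skipped rather than aborting the run."""
    records = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            relay = ipaddress.ip_address(m["relay"])
        except ValueError:
            continue
        records.append((relay, float(m["score"])))
    return records


def blacklist_candidates(records, threshold=15.0, min_hits=2, never=LOCAL_NETS):
    """Relays that scored >= threshold on at least min_hits messages.

    The threshold is intentionally far above SpamAssassin's usual 5.0
    cut-off, and min_hits > 1 means one odd message cannot blacklist
    a relay on its own. Returns addresses as strings in address order.
    """
    hits = Counter()
    for relay, score in records:
        if score < threshold:
            continue
        if any(relay in net for net in never):
            continue
        hits[relay] += 1
    return [str(ip) for ip in sorted(ip for ip, n in hits.items() if n >= min_hits)]


if __name__ == "__main__":
    # Real use: replace SAMPLE_LOG with open("/var/log/spamscore").read()
    # and redirect stdout to the file named in spamd.conf's method=file entry.
    for ip in blacklist_candidates(parse_scores(SAMPLE_LOG)):
        print(ip)
```

Keep the output file separate from any list spamd-setup fetches remotely, and expire entries after a while (rerun over a rolling window of the log rather than appending forever); a relay that was compromised last month may well be clean now.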
Re: T1 pci card
On 6/10/07, Lawrence Horvath <[EMAIL PROTECTED]> wrote:
> I am looking for a Data T1 card to put in an OBSD firewall/router looking
> for suggestions on a quality card for under 1000 that OBSD supports
> reasonably well. digium offers the Wildcard TE120P for about 600 but i was
> unsure of support where could i find out if such a card is supported
> without asking the list?

You could ask the vendor as well. Sangoma also offers many of these types of
products, and they directly list OpenBSD support on their list of supported
OSes. Not quite sure, but I think "supported" means a proprietary binary blob
from Sangoma.

http://www.sangoma.com/main/products/hardware/cards

DS
Re: WWW to go public, if pf would let me
On 6/9/07, Bryan Vyhmeister <[EMAIL PROTECTED]> wrote:
> On Jun 9, 2007, at 9:28 PM, Darren Spruell wrote:
> > So, not sure about the connections failing. As for your aliases, check
> > hostname.if(5) and you'll see that IPv4 interface aliases typically
> > have full /32 subnet masks.
>
> Sorry! I spoke too soon. I find that it works either with the /32 or the
> actual netmask. According to hostname.if(5) it is not clear except that
> the example given shows /32 as the netmask for aliases. Are there any
> problems with using the actual netmask?

Nowadays, I don't know. It used to be back in the days of /etc/ifaliases that
you'd have problems getting the alias in the routing table correctly unless
you gave the alias a full 255.255.255.255 netmask. Nowadays I don't know if it
really matters, but I stick with it because that's what all the references
say. e.g.:

http://marc.info/?l=openbsd-misc&m=95202862819912&w=2

DS
Re: WWW to go public, if pf would let me
On 6/9/07, Bray Mailloux <[EMAIL PROTECTED]> wrote:
> Hello Everyone;
>
> # ifconfig -A
> rl0: flags=8843 mtu 1500
>         lladdr 00:50:bf:3a:2e:66
>         groups: egress
>         media: Ethernet autoselect (100baseTX full-duplex)
>         status: active
>         inet6 fe80::250:bfff:fe3a:2e66%rl0 prefixlen 64 scopeid 0x1
>         inet 64.142.102.8 netmask 0xff00 broadcast 64.142.102.255
>         inet 64.142.102.9 netmask 0xff00 broadcast 64.142.102.255
>         inet 64.142.102.10 netmask 0xff00 broadcast 64.142.102.255
>         inet 64.142.102.11 netmask 0xff00 broadcast 64.142.102.255
> rl1: flags=8843 mtu 1500
>         lladdr 00:13:46:30:0b:b2
>         media: Ethernet autoselect (100baseTX full-duplex)
>         status: active
>         inet6 fe80::213:46ff:fe30:bb2%rl1 prefixlen 64 scopeid 0x2
>         inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255
> vr0: flags=8843 mtu 1500
>         lladdr 00:19:5b:3d:12:12
>         media: Ethernet autoselect (100baseTX full-duplex)
>         status: active
>         inet6 fe80::219:5bff:fe3d:1212%vr0 prefixlen 64 scopeid 0x3
>         inet 192.168.0.1 netmask 0xff00 broadcast 192.168.0.255
>
> # cat /etc/pf.conf
> # $OpenBSD: pf.conf,v 1.31 2006/01/30 12:20:31 camield Exp $
> # See pf.conf(5) and /usr/share/pf for syntax and examples.
> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>
> #Macros
> # 192.168.0.1 subnet
> ext_ip="64.142.102.8"
> int_ip="192.168.0.1"
> int_block="192.168.0.0/24"
> #DMZ subnet
> #Interface
> dmz_ip="192.168.1.1"
> dmz_block="192.168.1.0/24"
> #DNS 1
> scarlett="192.168.1.2"
> pub_scarlett="64.142.102.9"
> #DNS 2
> shelly="192.168.1.3"
> pub_shelly="64.142.102.10"
> #WWW 1
> www_ip="192.168.1.4"
> pub_www="64.142.102.11"
> #DMZ Services
> services="{ domain, www, smtp, }"
>
> #Normalizing
> scrub in all 64.142.102.11
>
> #NAT and Binat
> nat on rl0 from $int_block to any -> $ext_ip
> binat on rl0 from $scarlett to any -> $pub_scarlett
> binat on rl0 from $shelly to any -> $pub_shelly
> binat on rl0 from $www_ip to any -> $pub_www
>
> #Redirection
> rdr on rl1 proto tcp from any to 64.142.102.11 port 80 -> $www_ip port 8000
> rdr on rl1 proto udp from any to any port domain -> $shelly
> rdr on rl1 proto udp from any to any port domain -> $scarlett
>
> #Default block policy
> block all
>
> #Anti-spoofing
> block in quick from urpf-failed
>
> #vr0 traffic
> pass in on vr0 proto tcp from $int_block to any port 6112
> pass in on vr0 proto tcp from $int_block to any port 80
> pass in on vr0 proto tcp from $int_block to 207.212.58.16 port 25
> pass in on vr0 proto { udp, icmp } from $int_block to any
>
> #rl1 traffic
> pass in log on rl1 proto tcp from $dmz_block to $www_ip port 80
> pass in log on rl1 proto udp from $dmz_block to $shelly port domain
> pass in log on rl1 proto udp from $dmz_block to $scarlett port domain
> pass out on rl1 proto tcp from $www_ip to any port 80
> pass out on rl1 proto udp from $shelly to any port domain
> pass out on rl1 proto udp from $scarlett to any port domain
>
> So, I'm trying to get my WWW server, public: 64.142.102.11; private:
> 192.168.1.4, to answer requests from the internet. Each time I try to access
> the public address, via firefox, the browser claims it does not exist.

"Does not exist" is a vague error description. What happens when you attempt a
simple socket connection (with telnet or nc, etc.) to the IP/port it uses?
There are many variables (DNS, etc.) in testing with a browser; simplify your
test to a focused tool. Also, you're testing this from the Internet, not from
your internal network, right?

Although by the time I've written this someone else has already solved your
problem, generally speaking, it helps to reduce your pf.conf to as simple a
configuration as you can to isolate the issues. You can load the trimmed down
ruleset from an alternate file and diagnose just the components you need to.
For me personally, following your use of macros and jumping up and down the
ruleset requires more time than I'm willing to commit. :)

So, not sure about the connections failing. As for your aliases, check
hostname.if(5) and you'll see that IPv4 interface aliases typically have full
/32 subnet masks.

DS
Re: About BSD Certification
On 6/8/07, Rico Secada <[EMAIL PROTECTED]> wrote:
> Hi
>
> What do you think of The BSD Certification Group at bsdcertification.org?
>
> Is this a good idea?
>
> From my perspective it looks like a smart marketing way. A way to make
> money from people who think this would help in some way.

Read up about the goals of the organization, and the intentions they have going
in. Then take a look at the names affiliated with the organization, and the
people that are putting effort into furthering a BSD certification track and
the reasons why. Many of the names you should recognize as contributors in our
community. Then have a look at the fully disclosed proceedings and progress of
what the group's accomplished so far.

Once you come to your conclusions, I hope you'll be more hesitant to drop this
kind of insulting and uninformed drivel.

DS
Re: Quad ethernet card
On 6/6/07, Ronnie Garcia <[EMAIL PROTECTED]> wrote:
> Henning Brauer wrote:
> > * nate <[EMAIL PROTECTED]> [2007-06-05 21:44]:
> >> I built 3 OpenBSD 3.6(?) servers in mid 2005 with these cards, and
> >> was able to get a peak throughput of about 520Mbps in bridged mode
> >> (pf disabled) measured using iperf.
> >
> > the single-stream tcp test iperf uses is pretty meaningless
> > (unless.. well, that's another story)
>
> What other tool would you recommend, then ? The idea is to simulate legit
> Internet traffic and/or DDoS traffic.

net/netrate (from FreeBSD) was just committed as a port. Might be useful.

http://www.undeadly.org/cgi?action=article&sid=20070603040549&mode=expanded
http://ports.openbsd.nu/net/netrate

DS
Re: alternatives to sendmail
On 6/4/07, Douglas Allan Tutty <[EMAIL PROTECTED]> wrote:
> On Mon, Jun 04, 2007 at 03:28:50PM +0200, Timo Schoeler wrote:
> > Thus [EMAIL PROTECTED] (Peter N. M. Hansteen) spake on Mon, 04 Jun 2007
> > 15:17:26 +0200:
> >
> > > Douglas Allan Tutty <[EMAIL PROTECTED]> writes:
> > >
> > > > However, sendmail is a very steep and tall learning curve. I'm
> > > > coming from Debian (which no longer installs with 32 MB ram) so
> > > > I'm used to exim. I know that exim is GPL. I'm wondering if there
> > > > are other BSD-licensed MTAs.
> > >
> > > exim is available as a package on OpenBSD as well, so if that's what
> > > you are used to, you should feel right at home.
> >
> > Exim is GPL, Postfix is 'IBM public license'. Neither is BSD
> > compatible.
> >
> > Honestly, Postfix' license (or my moral on BSD :) convinced me to
> > switch back to sendmail... :)
>
> I know that exim is in ports. However I wanted some perspective before I
> started on sendmail's learning curve. Where possible, I would like to
> honour OBSD's philosophy. Also, since sendmail comes with the base
> install, I'd have to figure out how to get any other MTA I install to play
> with the sendmail that is already there.

If you're after perspective then, I can share the cycle I went through. I
started out hating Sendmail because of the configuration. It's a beast at
first. I first ran qmail instead and then postfix, because both of them were
easier to get set up at first - I didn't have to go editing through the mc
file and the sendmail docs to get them configured.

Later I ended up moving back to sendmail on OpenBSD because the default config
works for most of my needs. The initial hatred for Sendmail in my case was a
little misplaced; while it's a featureful MTA with many complex configuration
choices, the majority of them are not needed in the majority of cases. For the
cases I do need to change something, it's easy to do and documented (although
in somewhat terse language) in the sample .mc files or the official docs (or
the bat book, or many other places.) My own ignorance was to blame; once I
invested some time into learning what I needed to know, it came together.

The other reason most people dislike Sendmail is because of the (in)security
history. I trust the OpenBSD implementation enough to believe that I'm not
extremely likely to get compromised (mine are not Internet-facing anyway) and
if there is an exposure I know there'll be a patch released quickly.

So in short, sticking with the in-base MTA made more sense to me. While it's
not difficult to replace it with another MTA using
mailer.conf(5)/mailwrapper(8) and such, I like the integration and the fact
that it's ready to go by default. YMMV.

DS
Re: Reclaim mounted space
On 6/3/07, Lawrence Horvath <[EMAIL PROTECTED]> wrote:
> Well my old set up was to have just one harddrive, so my old home is part of
> the root drive, and since my root drive is in use as root, how would i mount
> just that part of it?

When you added your new drive and mounted it as /home, did you do anything to
the old disk (repartition, reformat?) If not, then you've probably got your new
disk and its data mounted at /home. If you unmount /home, you should be able to
"uncover" your old /home on the old drive and clean it up. Then remount the new
drive on its /home mountpoint.

DS

> On 03/06/07, Darrin Chandler <[EMAIL PROTECTED]> wrote:
> > On Sun, Jun 03, 2007 at 09:10:34AM -0700, Lawrence Horvath wrote:
> > > I have just changed from 1 harddrive into having a root, and a home
> > > harddrive.
> > > its now working but i had several gigs in the old home that i would
> > > like to clear off, how can i clear the old home dir without
> > > unmounting the new home
> >
> > # mount /dev/ /mnt
> >
> > where is whatever your old home directory was. Perhaps wd0h. Then
> > it'll be available under /mnt/*
> >
> > --
> > Darrin Chandler            |  Phoenix BSD User Group  |  MetaBUG
> > [EMAIL PROTECTED]          |  http://phxbug.org/      |  http://metabug.org/
> > http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation
>
> --
> -Lawrence
> -Student ID 1028219
> -CCNA

--
Darren Spruell
[EMAIL PROTECTED]
Re: c2k7 hackathon is over
On 6/2/07, Theo de Raadt <[EMAIL PROTECTED]> wrote:
> The c2k7 hackathon is over, with roughly 50 developers attending the event
> for 10 days in Calgary.
>
> So many projects were started or finished, it is basically impossible for
> me to describe all the projects. I elect merdely to fill in all the holes
> on Undeadly. :)
>
> Hope you guys out there enjoy the changes that we've made.

I'm sure many will. I've enjoyed reading the commit messages, particularly in
areas of increased pf performance. Killer work. Thanks to everyone!

DS
Re: Packets Per Second Limit?
On 5/31/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> [...]
>
> by the way. I know where google is. I've been there and have even read some
> of the links that are posted in this very thread. However I am confused and
> there even seems to be some confusion/discrepancies within this thread... so
> I thought I would bounce the question off of people who might have a better
> grip on this than I, and already been through similar situations for
> feedback, something google cant offer(yet). I am not going to apologize for
> my ignorance but thank the people who are actually trying to help me
> understand this, without being a smartass about it.

First rule of Fight Club: don't talk about Fight Club.

Second rule of Fight Club: don't take public mailing lists so seriously.
People will be smartasses. You will get ridiculed for questions you ask, good
or bad. Oftentimes you'll actually deserve it. Thicken the skin and wear
flame-retardant apparel. Smell the roses. Enjoy the experience; it's not going
to change any time soon.

DS
Re: Packets Per Second Limit?
On 5/31/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Anyone know the maximum packets per second that can traverse a 100MB
> internet link. From what I've been able to gather its about 8300 or so? Is
> this number accurate? Do connections just start to timeout once I hit this
> limit? I'm a little worried about this because we are fast approaching this
> mark and am afraid we're gonna hit it before we max out our available
> bandwidth? Anyone ever run into this situation or am I just paranoid?

Packets per second are a capability limitation of the equipment interfaces
responsible for passing the traffic and don't directly relate to the link
speed. It's also highly dependent on the size of the packets being passed by
the interface. It's dependent on many factors, actually. You hit a pps limit
and you'll see packets drop; the interface simply can't keep up with the
throughput.

DS
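To put numbers on the packet-size dependence the reply points at: the wire itself bounds packets per second only through frame size, since Ethernet spends 8 bytes of preamble/SFD and a 12-byte minimum inter-frame gap around every frame. The following is an added example, not from the thread; it computes that bound for a link rate and frame size, and works the "8300" figure from the question backwards to the frame size it implies. The function names are this example's own.

```python
"""Ethernet packet-per-second bound as a function of frame size.

Added example, not code from the thread. On the wire each frame costs its
own length (including the 4-byte FCS) plus 8 bytes of preamble/SFD and a
12-byte inter-frame gap, so a 100 Mbit/s link moves far more 64-byte
frames per second than 1518-byte ones. Hardware (NIC, switch, firewall)
usually gives out well before these numbers.
"""
PREAMBLE_SFD_BYTES = 8
IFG_BYTES = 12
WIRE_OVERHEAD_BYTES = PREAMBLE_SFD_BYTES + IFG_BYTES  # 20 bytes per frame


def max_pps(link_bps, frame_bytes):
    """Most frames of frame_bytes a link of link_bps can carry per second
    (integer floor)."""
    wire_bits = (frame_bytes + WIRE_OVERHEAD_BYTES) * 8
    return link_bps // wire_bits


def pps_table(link_bps, sizes=(64, 128, 256, 512, 1024, 1518)):
    """Bound at each common frame size, for a quick look at the spread."""
    return {size: max_pps(link_bps, size) for size in sizes}


def frame_size_for_pps(link_bps, pps):
    """Largest frame size (bytes) at which the link still sustains pps;
    shows what packet size a quoted pps figure silently assumes."""
    return link_bps // (8 * pps) - WIRE_OVERHEAD_BYTES


if __name__ == "__main__":
    fast_ethernet = 100_000_000
    for size, pps in pps_table(fast_ethernet).items():
        print(f"{size:5d}-byte frames: {pps:7d} pps")
    print("8300 pps on 100 Mbit/s implies frames of about",
          frame_size_for_pps(fast_ethernet, 8300), "bytes")
```

The 8300 figure in the question is therefore the bound for near-MTU-sized frames only; a flood of minimum-size frames on the same link is roughly 148,000 pps, which is the number that matters when sizing a firewall against a DDoS rather than against bulk transfers.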