Re: From the military propaganda department
Tim Nelson > Fantastic points, I'd love to hear more, from both sides.

I'll blink. This is a big deal ... but it's not specific to OpenBSD and further, this is not news.
http://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis

This discussion is pertinent on any forum. Hence here where the focus is tight and anecdotally anti-turbo-legal ... it's bound to be off topic. Still, it's about the fourth and perhaps the fifth but not the first and definitely not the second ...

While I don't have the protection afforded by the bill of rights (the US one not the English one), the fourth is understood where habeas corpus rules, i.e. those of us in "free societies". This is relevant but, ranting about the "amendments" to a global crowd, while allowed by the first, is hot air. I have no first nor second sir ... So, relevant but poorly phrased.

Anything else? Sure. Where we have the rule of law, the plan is to stand up for yourself, in law (i.e. the fourth if that's what you've got) and get some case law under your belt. You've got to stand up for yourself ... Everything else is hot air or text (i.e. hot air). The US is the light on the hill. Stand up for yourself. Use the law. The constitution if that's all you've got.

Talking about it is one thing. DHS told me I had to hand over my password and I did ... I'm angry they violated my rights. That's neither precedent nor threadworthy.
Re: From the military propaganda department
Hi.

If I understand correctly, this is off topic here, as much as generic hardware or networking issues or whatever. General cryptology and associated legal issues in this sense (again as I understand you) are not specific to OpenBSD being vendor neutral issues. That said I'm all for this discussion.

Not to pre-empt others (disregarding the initial negative responses), I think you should be aware there's a valid and consistent case to be made that this might be one of those cases where you'll get little traction. My advice, if this thread doesn't get the traction you like; go elsewhere. Insert quotes from Ben Franklin et al. ... choose your audience.

Regardless. While there's a lot of commonality between the US and some of the rest of us, we have constitutions of our own (except England of course). Please don't fall into the trap that any of this stuff is transferable. That's a point of law and it stands. I don't have "freedom of speech", the right to keep and bear arms and so on. FYI, I live in a democracy, not a republic. We're transitive. There's a real world difference.

Nevertheless, Aristotle nailed this.
http://en.wikipedia.org/wiki/Modes_of_persuasion

Those ideas are somewhat intertwined but you've failed.

You've failed on logos - the facts - give some context. Clear context. Why do I or anyone else here care about rights violations? Without that, prima facie this comes off as a rant without relevance ... uname(1) or tread lightly.

You've failed on your pathos - my sympathy or empathy - this is why this is definitely in the off topic "decisions to be made" grey area. I don't see a clear connection between LEO and OpenBSD here. See previous ... uname(1) or tread lightly.

You've failed to clarify your ethos - I don't believe you. Your constitution is enough authority but I'm not seeing it presented appropriately.

I admire your conjunction of munitions and the second. May I use that?

In this case though, open sauce, crypto, second, etcetera are an entirely different issue to the fourth amendment question - protection against unreasonable search and seizure. You've muddied the waters and failed to convince on either account. That's the big deal here.

The fourth ... "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated ..."
http://www.archives.gov/exhibits/charters/bill_of_rights_transcript.html#4

First? Sure. Publish, done. Matter of course. No infringements. Right?
Second? Sure. Sidebar. Again off topic but trivially interesting.

Rubber hose cryptanalysis, the browbeating or otherwise of citizens to gain passwords so DHS inter alia, i.e. Border Patrol, can look at your stuff is strictly a fourth amendment issue (obliquely a fifth). That's where you should be thinking. You live in a common law country with a written constitution - not something to be assumed. There's a trodden path. Stand your ground - "no officer ... unless you provide a warrant based on probable cause I won't be giving you my key". Go read the fourth ...

The key is standing your ground. Get arrested or worse or combinations of whatever and go from there. To paraphrase a founding father: "They that can give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety." Trees need iron. Blood serves fine. Ask Thomas Jefferson ...

Good on you for taking an hour out of your life. Give me something more than a hypothesis of how bad things are happening that might be violations and how people that I care about are affected on the ground ... Get arrested or GTFO ...

I'm not Armorican. I read your constitution and your bill of rights and study your law and your country. I've stood up to LEO here. Describe your experience. Light on the hill. Get the fuck up there.
Re: Route bad address
Something like:

    # cat hostname.pppoe0
    pppoedev vr0
    authproto chap
    authname 'u...@on.net'
    authkey 'pass'
    up
    inet 0.0.0.0 255.255.255.255
    dest 0.0.0.1
    !/sbin/route -v add -inet default -ifp pppoe0 0.0.0.1

See:
man -s 4 pppoe
http://www.openbsd.org/cgi-bin/man.cgi?query=pppoe&sektion=4
Re: LAN -> LAN via External IP
"James Chase"

If I fully understand your situation a lot of what you do depends on whether you intend to resolve names and whether you can use subnets.

In my situation I have a number of servers and internal clients on different subnets with one external public IP address. pf obviously becomes trivial. The obvious issue is resolving zones you are authoritative for to internal clients. I've chosen to pass resolving onto the ISP partly to overcome this.

If that's on the table as an option I recommend looking at this:
http://www.openbsd.org/faq/pf/rdr.html#sepnet

Once you do that, add a rule for your client subnet(s) that redirect any incoming on the corresponding internal_IF on your router to the appropriate server. That is:

    server = "192.168.250.1"
    vhosts = "58.108.203.117"

    pass in on pppoe0 inet proto tcp from any to (pppoe0) port www rdr-to $server
    pass out on xl0 inet proto tcp from any to $server port www
    pass in on dc0 inet proto tcp from dc0:network to $vhosts port www rdr-to $server
    pass in on rl0 inet proto tcp from rl0:network to $vhosts port www rdr-to $server

Note vhosts can be any number of domains. Again it depends on different subnets and as far as resolving goes, public IPs can be returned and pf will take care of that. No other consideration necessary.

As far as I understand it I was facing exactly the same decisions and made the sweeping decision to pass all resolving to the ISP. I have no overriding security or performance consideration there and it seemed like a great idea to miss the fun of splitting DNS or screwing around with hosts files.

Having a quick look at dhcpd.conf it might be possible to specify hosts from there. I expect it is but certainly doable by some other mechanism. I thought about chasing that down but in the end it didn't seem worth it.

Best wishes.
Re: Issue with U of A hosting site
James Woodward > Thank you, > James Thank you. While it's expected that universities will support the wider community it's probably entirely optional. Thank you for supporting us. In this case you happen to be supporting something very cool ...
Atheros driver.
Hi.

I'm trying to find a PCI wireless card and bought one of these:
http://www.tp-link.com/en/products/details/?categoryid=246&model=TL-WN350GD

dmesg shows:
vendor "Atheros", unknown product 0x001d (class network subclass ethernet, rev 0x01) at pci1 dev 1 function 0 not configured

Does this mean point blank this is an unsupported chipset or are there things to check, etcetera?

Best wishes.
Re: OpenSMTPD getting closer to stable ;-)
Gilles Chehade > We are getting closer to a stable version of OpenSMTPD

Which to my mind raises the question of how OpenSMTPD is to be implemented alongside Sendmail in the base system. Presumably, as per other items that are included in base but not the default, i.e. DNS services, etcetera, there will be a perhaps lengthy period where these systems co-exist and are both intended to be usable in their own right.

AFAIUI, currently base contains some specific OpenSMTPD items for use and documentation, smtpd and smtpd(8), smtpctl and smtpctl(8), smtpd.conf and smtpd.conf(5) ... These items exist in their own name space and are accessible. These man pages, and by extension these services, reference and depend on utilities and concomitant man pages which are taxonomically identical to similar items designed for Sendmail ... Being labelled identically there's only room for one of each and as Sendmail is the current default mail system the OpenSMTPD items are not installed. The OpenSMTPD man pages don't make this clear and other than OpenSMTPD not working when the Sendmail incumbents are used and referenced there's no indication that something is awry.

For instance, if I read smtpd.conf(5) I see references like this:

    map map source type source
            Maps are used to provide additional configuration information
            for smtpd(8). map may be named freely. type may be one of the
            following:

            db      Mappings are stored in a file created using makemap(8).
                    This is the default type if none is specified.

            plain   Mappings are stored in a plain text file using the same
                    format as used to generate makemap(8) mappings.

On any system from the last year or so, following the reference to makemap(8) takes me to the installed Sendmail items. As the OpenSMTPD makemap(8) man page puts it:

    The
    .Nm
    command first appeared in
    .Ox 4.6
    as a replacement for the equivalent command shipped with sendmail.

So I get some OpenSMTPD items, which depend on other items that are not installed, but still appear and do something, as identically named items that Sendmail relies on are installed instead.

I may be out of touch here, but certainly in the past this was my experience, using OpenSMTPD items in base and following documentation and assuming that the included items were correct and appropriate. Assumption might not be the best idea, but in this case the assumption was that the Sendmail utilities and documentation were functionally effective as if this was not the case that OpenSMTPD would have its own utilities that were included in base also and of necessity labelled originally.

Best wishes.
Re: Suspend stuff on TOSHIBA laptop.
Zé_Loff
> On my Tecra M5 (NVIDIA G72m GPU) I manage to turn off the backlight by hitting
> Fn+F5 (the 'switch displays' hotkey). I have to hit it a couple of times again
> to get it back on, because it cycles through all possible combinations, but it
> works... I have no idea what makes it switch, but I guess it has something to
> do with acpitoshiba(4). Check your dmesg for that, but I'm pretty sure it'll
> be there.

I've tried switching displays to no avail.

> I also have a really old Tecra 8000 whose DVD drive is also always blinking.
> Not sure if it always spins, but I keep it empty anyway, so it's not really a
> problem.

This drive otherwise seems okay. If it's usual for display blanking to kill the backlight maybe I should try another laptop.
Re: Suspend stuff on TOSHIBA laptop.
On 04/09/2012, patrick keshishian wrote:
> On Tue, Sep 4, 2012 at 12:36 AM, Ted Unangst wrote:
>> I've never seen a laptop that kept the light on when the lid was
>> closed. Is it really still on?

Yes. Whether or not the screen blanks I can see the backlight glow with the lid closed.

If I put it to sleep, apm -S, the backlight disappears. Obviously that doesn't help me as that shuts off network stuff but as an aside, I can't wake it up, using the keyboard starts one of the LEDs flashing and the DVD drive spins and flashes incessantly. :]
Suspend stuff on TOSHIBA laptop.
Hi.

I'm trying to deploy a slave nameserver on a laptop to sit at somebody's home. It runs NSD and other than slaving and serving queries it polls an NTP server and that's it. It doesn't run X11 ... Functionally it all works and I'm looking at keeping this thing quiet and dark so it's cheap and un-annoying.

I have apmd_flags="-C" which according to apm is doing its job. The fan kicks in every now and then for a second or so but it's not too bad.

I've set the options in wsconsctl.conf to blank the screen which also works but this thing has I think what's called "a backlight" which means the screen constantly glows. I'm planning to go set this thing up, let the screen blank and close the lid. I'd like to remove the backlight and the eerie glow.

I'm unfamiliar with laptops but I've tried zzz and apm -S; both kill the backlight which is great but network functions cease, yes I did not know that. I also can't seem to bring it back up from either state short of a power cycle but that's moot.

Is there a way to turn off the backlight? Is there anything else I can do to sedate this machine?

TIA

apm -Pv
Performance adjustment mode: cool running (192 MHz)

OpenBSD 5.1 (GENERIC) #160: Sun Feb 12 09:46:33 MST 2012
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Celeron(R) M processor 1.60GHz ("GenuineIntel" 686-class) 1.61 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,TM,SBF,NXE
real mem = 769912832 (734MB)
avail mem = 747220992 (712MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 06/05/06, BIOS32 rev. 0 @ 0xfd450, SMBIOS rev. 2.34 @ 0xdf810 (38 entries)
bios0: vendor TOSHIBA version "V1.20" date 06/05/2006
bios0: TOSHIBA Satellite L30
acpi0 at bios0: rev 0
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC MCFG SSDT SSDT
acpi0: wakeup devices PB2_(S4) OHC1(S3) OHC2(S3) EHCI(S3) P2P_(S5) LANC(S5) AUDO(S3) MODM(S3) AZLA(S4)
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 99MHz
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 21, 24 pins
acpimcfg0 at acpi0 addr 0xe000, bus 0-13
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (PB2_)
acpiprt2 at acpi0: bus -1 (PB3_)
acpiprt3 at acpi0: bus -1 (PB4_)
acpiprt4 at acpi0: bus 9 (P2P_)
acpiprt5 at acpi0: bus 1 (AGP_)
acpiec0 at acpi0
acpicpu0 at acpi0: C3, C2, C1
acpitz0 at acpi0: critical temperature is 110 degC
acpiac0 at acpi0: AC unit online
acpibat0 at acpi0: BAT1 not present
acpibtn0 at acpi0: LID_
acpibtn1 at acpi0: PWRB
bios0: ROM list: 0xc/0xd000 0xcd000/0x1000 0xdf800/0x800! 0xe/0x4000!
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "ATI RS400 Host" rev 0x01
ppb0 at pci0 dev 1 function 0 "ATI RS480 PCIE" rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 5 function 0 "ATI Radeon XPRESS 200M" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pciide0 at pci0 dev 18 function 0 "ATI SB400 SATA" rev 0x80: DMA
pciide0: using apic 1 int 22 for native-PCI interrupt
pciide0: port 0: device present, speed: 1.5Gb/s
wd0 at pciide0 channel 0 drive 0:
wd0: 16-sector PIO, LBA48, 57231MB, 117210240 sectors
wd0(pciide0:0:0): using BIOS timings, Ultra-DMA mode 5
ohci0 at pci0 dev 19 function 0 "ATI SB400 USB" rev 0x80: apic 1 int 19, version 1.0, legacy support
ohci1 at pci0 dev 19 function 1 "ATI SB400 USB" rev 0x80: apic 1 int 19, version 1.0, legacy support
ehci0 at pci0 dev 19 function 2 "ATI SB400 USB2" rev 0x80: apic 1 int 19
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "ATI EHCI root hub" rev 2.00/1.00 addr 1
piixpm0 at pci0 dev 20 function 0 "ATI SB400 SMBus" rev 0x81: SMI
iic0 at piixpm0
spdmem0 at iic0 addr 0x52: 256MB DDR2 SDRAM non-parity PC2-4200CL5 SO-DIMM
spdmem1 at iic0 addr 0x53: 512MB DDR2 SDRAM non-parity PC2-5300CL5 SO-DIMM
pciide1 at pci0 dev 20 function 1 "ATI SB400 IDE" rev 0x80: DMA, channel 0 wired to compatibility, channel 1 configured to compatibility
atapiscsi0 at pciide1 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: ATAPI 5/cdrom removable
cd0(pciide1:1:0): using PIO mode 4, DMA mode 2, Ultra-DMA mode 2
azalia0 at pci0 dev 20 function 2 "ATI SB450 HD Audio" rev 0x01: apic 1 int 16
azalia0: codecs: Realtek ALC861, AT&T/Lucent/0x1040, 0x/0x, using Realtek ALC861
audio0 at azalia0
pcib0 at pci0 dev 20 function 3 "ATI SB400 ISA" rev 0x80
ppb1 at pci0 dev 20 function 4 "ATI SB400 PCI" rev 0x80
pci2 at ppb1 bus 9
rl0 at pci2 dev 2 function 0 "Realtek 8139" rev 0x10: apic 1 int 21, address 00:16:36:54:f0:ec
rlphy0 at rl0 phy 0: RTL internal PHY
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 "ATI OHCI root hub" rev 1.00/1.00 addr 1
usb2 at ohci1: USB revision 1.0
uhub2 at usb2 "ATI OHCI root hub" rev 1.00/1.00 addr 1
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port
Re: My first macppc install not going well.
Now I get ...
MBR has invalid signature; not showing it.
... followed by everything working.

I've installed and successfully booted from HDD ...

Ken, you rock.

On 01/09/2012, Kenneth R Westerback wrote:
> When you try the install, choose (S)hell. At the prompt try
>
> dd if=/dev/zero of=/dev/rwd0c bs=1m count=1
>
> You may have some old HFS partition table fragments lying around.
>
> Ken
>
> On Sat, Sep 01, 2012 at 01:51:43PM +0930, David Walker wrote:
>> Hi.
>>
>> I got an iBook G4 and I'm having issues.
>>
>> I'm going for an MBR scheme using the whole disk but I'm not sure
>> fdisk is working according to the installation instructions but I
>> might have a borked disk ...
>> Here's what I see:
>>
>> Available disks are: wd0.
>> Which one is the root disk? (or 'done') [wd0] Enter
>> Use DUIDs rather than device names in fstab? [yes] n
>> Use HFS or MBR partition table? [HFS] MBR
>>
>> Here I get "read failed" repeated 8 times, "3 not HFS", a print out of
>> the HFS style partitions.
>> The "read failed" are obviously cause for concern but I don't know if
>> that's from trying to read some previous Apple stuff, something
>> incorrect that's correctable by proceeding with a write, something
>> that's stopping the rest of the install or whatever.
>>
>> Are you *sure* you want an MBR partition table on wd0? [no] y
>> Disk: wd0 geometry: 116280/16/63 [117210240 Sectors]
>> Offset: 0 Signature: 0xAA55
>>             Starting       Ending       LBA Info:
>>  #: id      C   H  S -     C   H  S [       start:      size ]
>> ---
>> *0: 06      0   0  2 -     2   0 33 [           1:      2048 ] DOS > 32MB
>>  1: 00      0   0  0 -     0   0  0 [           0:         0 ] unused
>>  2: 00      0   0  0 -     0   0  0 [           0:         0 ] unused
>>  3: A6      4   1  2 - 116279  15 63 [        4096: 117206144 ] OpenBSD
>> Use (W)hole disk, use the (O)penBSD area, or (E)dit the MBR? [OpenBSD]
>> w
>>
>> I guess the reason for the DOS and OpenBSD partitions is that I've
>> been through this a few times.
>> I've tried using the whole disk or the OpenBSD area with as far as I
>> can see the same result except using the whole disk re-creates the DOS
>> partition.
>>
>> Creating a 1MB DOS partition and an OpenBSD partition for the rest
>> of wd0...done.
>> /dev/rwd0i: 116720008 sectors in 15490001 FAT32 clusters (4096
>> bytes/cluster)
>> bps=512 spc=8 res=32 nft=2 mid=0xf8 spt=63 hds=16 hid=262208
>> bsec=116948016 bspf=113985 rdcl=2 infs=1 bkbs=2
>> The auto-allocated layout for wd0 is:
>> #             size           offset  fstype [fsize bsize  cpg]
>>   a:          128.0M               64  4.2BSD   2048 16384    1 # /
>>   c:        57231.6M                0  unused
>>   i:        57103.5M           262208  HFS
>> Use (A)uto layout, (E)dit auto layout, or create (C)ustom layout? [a] c
>>
>> Here I've tried A and C but I only seem to be able to use 128MB of disk
>> space.
>> For instance using A ...
>> /dev/rwd0a: 128.0MB in 262144 sectors of 512 bytes
>> 4 cylinder groups of 32.00MB, 2048 blocks, 4096 inodes each
>> /dev/wd0a on /mnt type ffs (rw, asynchronous, local)
>>
>> I've tried deleting i and adding b and so on but the a is using the
>> entire 128MB ...
>> If I delete a which as far as I can tell is not what I should be
>> doing, I can add 128MB at most ...
>>
>> There's not enough room to install bsd and etc so I've tried
>> installing bsd.rd only but when I try ...
>> boot hd:,ofwboot /bsd.rd
>> ... at the OF prompt I get:
>> Warning: sector size mismatch! can't OPEN: hd:,ofwboot
>> Cant open device or file
>>
>> Any advice appreciated.
>>
>> Best wishes.
My first macppc install not going well.
Hi.

I got an iBook G4 and I'm having issues.

I'm going for an MBR scheme using the whole disk but I'm not sure fdisk is working according to the installation instructions but I might have a borked disk ...
Here's what I see:

Available disks are: wd0.
Which one is the root disk? (or 'done') [wd0] Enter
Use DUIDs rather than device names in fstab? [yes] n
Use HFS or MBR partition table? [HFS] MBR

Here I get "read failed" repeated 8 times, "3 not HFS", a print out of the HFS style partitions.
The "read failed" are obviously cause for concern but I don't know if that's from trying to read some previous Apple stuff, something incorrect that's correctable by proceeding with a write, something that's stopping the rest of the install or whatever.

Are you *sure* you want an MBR partition table on wd0? [no] y
Disk: wd0 geometry: 116280/16/63 [117210240 Sectors]
Offset: 0 Signature: 0xAA55
            Starting       Ending       LBA Info:
 #: id      C   H  S -     C   H  S [       start:      size ]
---
*0: 06      0   0  2 -     2   0 33 [           1:      2048 ] DOS > 32MB
 1: 00      0   0  0 -     0   0  0 [           0:         0 ] unused
 2: 00      0   0  0 -     0   0  0 [           0:         0 ] unused
 3: A6      4   1  2 - 116279  15 63 [        4096: 117206144 ] OpenBSD
Use (W)hole disk, use the (O)penBSD area, or (E)dit the MBR? [OpenBSD] w

I guess the reason for the DOS and OpenBSD partitions is that I've been through this a few times.
I've tried using the whole disk or the OpenBSD area with as far as I can see the same result except using the whole disk re-creates the DOS partition.

Creating a 1MB DOS partition and an OpenBSD partition for the rest of wd0...done.
/dev/rwd0i: 116720008 sectors in 15490001 FAT32 clusters (4096 bytes/cluster)
bps=512 spc=8 res=32 nft=2 mid=0xf8 spt=63 hds=16 hid=262208 bsec=116948016 bspf=113985 rdcl=2 infs=1 bkbs=2
The auto-allocated layout for wd0 is:
#             size           offset  fstype [fsize bsize  cpg]
  a:          128.0M               64  4.2BSD   2048 16384    1 # /
  c:        57231.6M                0  unused
  i:        57103.5M           262208  HFS
Use (A)uto layout, (E)dit auto layout, or create (C)ustom layout? [a] c

Here I've tried A and C but I only seem to be able to use 128MB of disk space.
For instance using A ...
/dev/rwd0a: 128.0MB in 262144 sectors of 512 bytes
4 cylinder groups of 32.00MB, 2048 blocks, 4096 inodes each
/dev/wd0a on /mnt type ffs (rw, asynchronous, local)

I've tried deleting i and adding b and so on but the a is using the entire 128MB ...
If I delete a which as far as I can tell is not what I should be doing, I can add 128MB at most ...

There's not enough room to install bsd and etc so I've tried installing bsd.rd only but when I try ...
boot hd:,ofwboot /bsd.rd
... at the OF prompt I get:
Warning: sector size mismatch! can't OPEN: hd:,ofwboot
Cant open device or file

Any advice appreciated.

Best wishes.
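The fdisk table shown in this thread, and the "MBR has invalid signature; not showing it." message that appears once the first sector has been zeroed with dd, can be reproduced offline with a small MBR parser. This is an added example for the thread; it is not the installer's or fdisk's code. The sector bytes are constructed to match the table above, the 116280/16/63 geometry is the one fdisk printed, and the partition type labels are the ones fdisk uses for types 0x00, 0x06 and 0xA6.

```python
"""Parse a 512-byte MBR the way the OpenBSD installer's fdisk step looks at it.
Constructed example; not code from the installer, fdisk, or the thread."""
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # four 16-byte entries follow the boot code
SIGNATURE_OFFSET = 510
MBR_SIGNATURE = 0xAA55           # on disk as bytes 55 AA (little-endian)
TYPE_NAMES = {0x00: "unused", 0x06: "DOS > 32MB", 0xA6: "OpenBSD"}  # fdisk's labels


def has_valid_signature(sector):
    """False for an all-zero sector, e.g. after dd if=/dev/zero over the first 1MB."""
    return struct.unpack_from("<H", sector, SIGNATURE_OFFSET)[0] == MBR_SIGNATURE


def lba_to_chs(lba, heads, sectors):
    """fdisk displays C/H/S derived from the LBA and the disk geometry."""
    cyl, rem = divmod(lba, heads * sectors)
    head, sec = divmod(rem, sectors)
    return cyl, head, sec + 1        # sector numbers are 1-based


def parse_mbr(sector, heads=16, sectors=63):
    """Return the four partition entries, or None when the signature is missing
    (the installer then prints 'MBR has invalid signature; not showing it.')."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    if not has_valid_signature(sector):
        return None
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # status, 3 stored start-CHS bytes (ignored), type, 3 end-CHS bytes (ignored),
        # 32-bit LBA start, 32-bit size in sectors
        status, ptype, start, size = struct.unpack_from("<B3xB3xII", sector, off)
        if size:
            schs = lba_to_chs(start, heads, sectors)
            echs = lba_to_chs(start + size - 1, heads, sectors)
        else:
            schs = echs = (0, 0, 0)  # fdisk shows zeros for unused slots
        entries.append({
            "index": i, "active": status == 0x80, "type": ptype,
            "name": TYPE_NAMES.get(ptype, "unknown 0x%02x" % ptype),
            "start": start, "size": size, "start_chs": schs, "end_chs": echs,
        })
    return entries


def build_mbr(entries):
    """entries: (active, type, lba_start, size). The stored CHS bytes are left
    zero because the parser above derives CHS from the LBA, as fdisk's display does."""
    sector = bytearray(SECTOR_SIZE)
    for i, (active, ptype, start, size) in enumerate(entries):
        off = PART_TABLE_OFFSET + 16 * i
        struct.pack_into("<B3xB3xII", sector, off, 0x80 if active else 0, ptype, start, size)
    struct.pack_into("<H", sector, SIGNATURE_OFFSET, MBR_SIGNATURE)
    return bytes(sector)


# Constructed sector reproducing the table fdisk printed for wd0 (117210240 sectors).
IBOOK_MBR = build_mbr([
    (True,  0x06, 1,    2048),
    (False, 0x00, 0,    0),
    (False, 0x00, 0,    0),
    (False, 0xA6, 4096, 117206144),
])
ZEROED_MBR = bytes(SECTOR_SIZE)   # the first sector after the dd command in the reply


def format_table(entries):
    """Render entries in roughly fdisk's layout."""
    lines = [" #: id      C   H  S -     C   H  S [       start:      size ]"]
    for e in entries:
        sc, ec = e["start_chs"], e["end_chs"]
        lines.append("%s%d: %02X %6d %3d %2d - %5d %3d %2d [ %11d: %9d ] %s" % (
            "*" if e["active"] else " ", e["index"], e["type"],
            sc[0], sc[1], sc[2], ec[0], ec[1], ec[2], e["start"], e["size"], e["name"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(parse_mbr(IBOOK_MBR)))
    print("zeroed sector parses as:", parse_mbr(ZEROED_MBR))
```

The C/H/S columns are computed from the LBA with the 16/63 geometry rather than read from the three stored CHS bytes, which is why the parser reproduces 116279/15/63 for a partition end that no 10-bit cylinder field could hold; a zeroed sector has no 0xAA55 signature, so the installer ignores whatever the old HFS fragments left behind and writes a fresh table.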
Re: NSD vs BIND
Mikkel Bang > For authoritative nameservers Disregarding other reasons, easier documentation and simpler configuration are definite wins ...
Re: Suspect fragmented packets.
Daniel Melameth
> What have you tried?

MSS probably incorrectly. I had a 4.9 install I think with a lot of rules but I've started from scratch with 5.1 over the weekend and I think I've got it now.

> TCP negotiates MSS so a TCP session will never have an MSS higher than
> what one side can accept.

Thanks. That makes sense. Interestingly this is the exact setup that ran with the previous ISP so presumably they handled all that within their network and passed on packets somewhat smaller than 1500 to me. I never had to reassemble packets or scrub them or negotiate size.

> There is no default block of ICMP. As a matter of fact, unlike some
> other poor firewall implementations that break PMTU (and this might be
> what you are experiencing with some hosts), you cannot configure pf to
> block ICMP for an existing state.

Thanks. I was thinking of ICMP from internal clients which is obviously a different matter.

Best wishes.
Re: Suspect fragmented packets.
Remi Locherer
> The MSS field from your syn packages tells the other side what max package
> size you accept. I found this white paper helpful to understand MTU,
> PMTUD and MSS:

You are apparently correct.

This doesn't help:
match in all scrub (no-df)

This does help:
match in all scrub (no-df max-mss 1440)

Thanks for the link.

Best wishes.
Re: Suspect fragmented packets.
Daniel Melameth wrote:
> When using pppoe(4), MSS can be a problem. I recommend you read the
> MTU/MSS ISSUES section of the man page and see if that resolves your
> issue.

I have read and tried. As far as I can see there's an issue with incoming packets. AFAIUI, MSS will limit the size of outgoing. I'd like to know the relationship between that and path MTU and what I see as the apparent default block on ICMP in pf ...

Sending packets is one thing but if a distant host is unable to determine the MTU for the next hop (to me) via ICMP then there's a problem right? Does setting MSS on PPP and therefore MTU affect this? Do I need to explicitly allow ICMP to enable this behaviour?

Regardless, we're able to talk to the web in general and get good responses from almost everyone. I suspect some are sending ill-formed packets back which is the reason why pf has the no-df option. I haven't had to deal with it previously, my earlier ISP apparently scrubbed and waxed my packets for me. With Internode, I explicitly overturned the default 'set reassemble' to no and avoided MSS (and MTU) considerations and didn't worry about fragments and bad df bits ... Everything worked ... but that's Internode.

Best wishes.
Suspect fragmented packets.
Hi.

I've had a bridged modem and OpenBSD gateway setup for years on a particular Australian ISP. I've never re-assembled packets and worried over MTU or fragments. Everything just worked ...

Recently one of the companies I work for changed ISP. I swapped the relevant details on the gateway, hostname.pppoe0 and whatnot, and it seems that a significant portion of the web is inaccessible, most websites are accessible but many are not. DNS resolution seems fine for all domains and of the sites that won't work some of them will display a title in a browser on an internal client and that's it. Some of them will send all the html but ultimately not display. Most simply "time out" ...

I've tried re-assembling packets but it doesn't help. I suspect I'm being sent fragmented packets with don't fragment set. Does this sound right?

If this is right, could I achieve anything by explicitly allowing ICMP (datagram too large messages) expecting that the upstream hosts will set path MTU accordingly or is this a wasted effort.

Either way, should I start re-assembling packets and scrubbing incoming and ignoring the don't fragment bit with no-df ...
match in all scrub (no-df)

Best wishes.
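The relationship asked about in this thread, between the MSS advertised in a SYN, the path MTU of the PPPoE hop and whether ICMP "fragmentation needed" gets back to the remote sender, and the reason the `scrub (no-df max-mss 1440)` rule in the reply above fixes incoming transfers, can be shown with a small model. This is an added example, not pf code and not from the list. It assumes minimal 40-byte IPv4+TCP headers, an 8-byte PPPoE overhead on a 1500-byte Ethernet link, DF set on every segment, and a sender that only shrinks its segments when an ICMP too-big message actually reaches it; the byte counts and the three scenarios are constructed.

```python
"""Toy path-MTU-discovery model for a PPPoE gateway. Constructed example,
not pf code. Assumes IPv4 with 40-byte IP+TCP headers, 8 bytes of PPPoE
overhead, DF set on all segments, and a remote sender that reacts to
ICMP 'fragmentation needed' only when that ICMP reaches it."""
from dataclasses import dataclass

ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8       # 6-byte PPPoE header + 2-byte PPP protocol field
IP_TCP_HEADERS = 40      # 20-byte IPv4 header + 20-byte TCP header, no options


def pppoe_mtu(link_mtu=ETHERNET_MTU):
    """MTU of a PPPoE interface riding on an Ethernet link: 1492."""
    return link_mtu - PPPOE_OVERHEAD


def mss_for_mtu(mtu):
    """Largest TCP payload that fits in one packet of the given MTU."""
    return mtu - IP_TCP_HEADERS


def clamp_syn_mss(syn_mss, max_mss):
    """What pf's 'scrub (max-mss N)' does to the MSS option of a passing SYN."""
    return min(syn_mss, max_mss)


@dataclass
class Result:
    delivered: int = 0      # packets that fit through the PPPoE hop
    dropped: int = 0        # DF-set packets too big for the hop
    icmp_too_big: int = 0   # 'fragmentation needed' messages the sender saw
    stalled: bool = False   # transfer never completed: a PMTU black hole


def simulate_download(total_bytes, advertised_mss, link_mtu,
                      icmp_reaches_sender, max_rounds=20):
    """A remote server pushes total_bytes to us in DF-set packets sized to the
    MSS it learned from our SYN; the PPPoE hop carries at most link_mtu bytes
    per packet. One packet per round, so a sender that never learns the
    smaller MTU keeps retransmitting the same oversized packet until
    max_rounds is exhausted."""
    r = Result()
    sender_mss = advertised_mss
    remaining = total_bytes
    for _ in range(max_rounds):
        if remaining <= 0:
            return r
        payload = min(remaining, sender_mss)
        if payload + IP_TCP_HEADERS <= link_mtu:
            r.delivered += 1
            remaining -= payload
        else:
            r.dropped += 1
            if icmp_reaches_sender:
                r.icmp_too_big += 1
                sender_mss = mss_for_mtu(link_mtu)   # PMTUD: shrink to next-hop MTU
    r.stalled = remaining > 0
    return r


def scenarios(total_bytes=20000):
    """Three cases from the thread: ICMP works end to end, ICMP is black-holed
    somewhere upstream, and the gateway clamps the SYN's MSS so ICMP is never needed."""
    mtu = pppoe_mtu()                        # 1492
    lan_mss = mss_for_mtu(ETHERNET_MTU)      # 1460: a LAN client assumes a plain Ethernet path
    return {
        "icmp_ok": simulate_download(total_bytes, lan_mss, mtu, True),
        "icmp_blackholed": simulate_download(total_bytes, lan_mss, mtu, False),
        # the 'match in all scrub (no-df max-mss 1440)' rule from the reply above
        "clamped_1440": simulate_download(total_bytes, clamp_syn_mss(lan_mss, 1440), mtu, False),
    }


if __name__ == "__main__":
    print("PPPoE MTU %d, tightest MSS %d" % (pppoe_mtu(), mss_for_mtu(pppoe_mtu())))
    for name, res in scenarios().items():
        print(name, res)
```

The clamped case is the one the thread ends up with: once `max-mss` has rewritten the MSS option in the LAN clients' outgoing SYNs, the remote server never builds a packet the 1492-byte hop cannot carry, so incoming data no longer depends on an ICMP message finding its way back to that server. 1452 is the tightest MSS for a 1492-byte MTU; 1440 leaves a margin for TCP options and extra encapsulation.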
Re: OpenBSD forked
John > You may want to give this a try: > http://c.learncodethehardway.org/book/learn-c-the-hard-way.html Cheers. http://publications.gbdirect.co.uk/c_book/
Re: pgt firmware ...
Hi Stuart.

> do you know which device you have?

This is what I get on the console:
pgt0 at cardbus0 dev 0 function 0 "Intersil Prism GT/Duette" rev 0x01: irq 11

According to the meagre research I've done it's a 3880 chipset. The card is an SMC2835W ...

> In theory dmesg should be able to pick up the message buffer from that
> dump, see the options in dmesg(8).

Cheers. I think this is right:

cbb0: no bus space
panic: io alloc
Stopped at Debugger+0x4: popl %ebp
ddb>   PID   PPID   PGRP    UID  S       FLAGS  WAIT       COMMAND
      3832      1      1      0  3        0x80  nanosleep  init
        14      0      0      0  3    0x100200  aiodoned   aiodoned
        13      0      0      0  3    0x100200  syncer     update
        12      0      0      0  3    0x100200  cleaner    cleaner
        11      0      0      0  3    0x100200  reaper     reaper
        10      0      0      0  3    0x100200  pgdaemon   pagedaemon
         9      0      0      0  3    0x100200  bored      crypto
         8      0      0      0  3    0x100200  pftm       pfpurge
         7      0      0      0  3    0x100200  usbtsk     usbtask
         6      0      0      0  3    0x100200  usbatsk    usbatsk
         5      0      0      0  3    0x100200  apmev      apm0
        *4      0      0      0  7    0x100200             syswq
         3      0      0      0  3  0x40100200             idle0
         2      0      0      0  3    0x100200  kmalloc    kmthread
         1      0      1      0  3        0x80  wait       init
         0     -1      0      0  3       0x200  scheduler  swapper
ddb> Debugger(d08cee78,d94fcc88,d097fc1c,d94fcc88,1000) at Debugger+0x4
panic(d097fc1c,d1178ea0,38901270,10,) at panic+0x5d
cardbus_read_exrom(d1191c00,0,10,0,0) at cardbus_read_exrom
cardbus_read_tuples(d94fcd94,801,d11c6000,800,0) at cardbus_read_tuples+0x125
cardbus_attach_card(d1191c00,d560,d94fcf6c,d03ece07,d0a20ba0) at cardbus_attach_card+0x58d
cardslot_event(d1191c80,0,d02008c4,d09b3a60,d03e4e40) at cardslot_event+0x11a
workq_thread(d09b3a60) at workq_thread+0x36
Bad frame pointer: 0xd0b8ce38

OpenBSD 5.0 (GENERIC) #43: Wed Aug 17 10:10:52 MDT 2011
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium II ("GenuineIntel" 686-class, 512KB L2 cache) 266 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PSE36,MMX,FXSR
real mem = 301330432 (287MB)
avail mem = 286351360 (273MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 09/18/99, BIOS32 rev. 0 @ 0xfd820
apm0 at bios0: Power Management spec V1.2
pcibios0 at bios0: rev 2.1 @ 0xfd880/0x800
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf9e10/96 (4 entries)
pcibios0: PCI Exclusive IRQs: 11
pcibios0: PCI Interrupt Router at 000:07:0 ("Intel 82371AB PIIX4 ISA" rev 0x00)
pcibios0: PCI bus #4 is the last bus
bios0: ROM list: 0xc/0xa000
cpu0 at mainbus0: (uniprocessor)
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443BX" rev 0x02
cbb0 at pci0 dev 2 function 0 "TI PCI1250 CardBus" rev 0x02: irq 11
cbb1 at pci0 dev 2 function 1 "TI PCI1250 CardBus" rev 0x02: irq 11
vga1 at pci0 dev 3 function 0 "Neomagic Magicgraph NM2160" rev 0x01
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
piixpcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x01
pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0:
wd0: 16-sector PIO, LBA, 57231MB, 117210240 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: ATAPI 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
uhci0 at pci0 dev 7 function 2 "Intel 82371AB USB" rev 0x01: irq 11
piixpm0 at pci0 dev 7 function 3 "Intel 82371AB Power" rev 0x01: SMI
iic0 at piixpm0
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 1 device 0 cacheline 0x8, lattimer 0xb0
pcmcia0 at cardslot0
cardslot1 at cbb1 slot 1 flags 0
cardbus1 at cardslot1: bus 4 device 0 cacheline 0x8, lattimer 0xb0
pcmcia1 at cardslot1
isa0 at piixpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
sb0 at isa0 port 0x220/24 irq 5 drq 1: dsp v3.02
midi0 at sb0:
audio0 at sb0
opl at sb0 not configured
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
lpt2 at isa0 port 0x3bc/4: polled
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
usb0 at uhci0: USB revision 1.0
uhub0 at usb0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
mtrr: Pentium Pro MTRR support
vscsi0 at root
scsibus1 at vscsi0: 2
Re: pgt firmware ...
Hi Wesley.

On 28/02/2012, Wesley M. wrote:
> Why don't you try to install a snapshot version ?
> Just to see if the problem is resolved for the next release (5.1)...

I have some access to ADSL for the time being so I'll try to do that.

> And sorry for the wget advice :-)

Thank you for reminding me about fw_update in your initial reply.
Besides, I broke my system (rule number one) - it's all on me anyway.

> All the best,
>
> Wesley.
>
> On Tue, 28 Feb 2012 00:33:06 +1030, David Walker wrote:
>> Hi Magnus.
>>
>> That was the issue - that directory didn't exist.
>> It was my fault - playing with fstab ...
>>
>> Unfortunately it seems there's a bigger issue anyway.
>> When I plug the card in there's either no action (no ifconfig, no
>> LEDs, no console message) or I get a panic.
>> It happens invariably (I think) if the card's in at boot, here's one
>> (hand typed) ...
>>
>> cbb0: no bus space
>> panic: io alloc
>> Stopped at Debugger+0x4: popl %ebp
>>
>> ddb>
>>
>> I've done 'ps' and 'trace' but they're a bit long to transcribe right now.
>> I did 'boot dump' and can see the dump in /var/crash - when I get
>> some time I'll try and read some more man pages and see if I can
>> extract anything useful.
>> If anyone's interested and wants me to extract anything, please tell
>> me how, and I'll do it soonest. I'm not sure what I'm looking for.
>>
>> Regardless, I might re-install so I can guarantee any other changes
>> I've made are voided and try again. It's quite possible there's an
>> issue with the card also. I might try it on another OS to verify that.
>>
>> Best wishes.
>>
>> On 27/02/2012, Magnus wrote:
>>> Hello,
>>>
>>> check that you have the path /var/db/pkg
>>>
>>> Information about the package(s) is recorded in a central repository, by
>>> default located in /var/db/pkg/. This will, among other things, prevent
>>> the dependencies of a package from being deleted before the package
>>> itself has been deleted. This helps ensure that an application cannot be
>>> accidentally broken by a careless user
>>>
>>> f.i. mine looks like this:
>>>
>>> # ls -Fl /var/db/pkg
>>> total 76
>>> drwxr-xr-x  2 root  wheel  512 Oct 19 11:29 bacula-client-5.0.2p1/
>>> drwxr-xr-x  2 root  wheel  512 Sep 13 10:14 bash-4.1.9p0/
>>> drwxr-xr-x  2 root  wheel  512 Jun 15  2011 dnsmasq-2.55/
>>> drwxr-xr-x  2 root  wheel  512 Jun 15  2011 gd-2.0.35p0/
>>> drwxr-xr-x  2 root  wheel  512 Sep 13 10:14 gettext-0.18.1p0/
>>> drwxr-xr-x  2 root  wheel  512 Jun 15  2011 joe-3.7p0/
>>> drwxr-xr-x  2 root  wheel  512 Jun 15  2011 jpeg-8b/
>>> drwxr-xr-x  2 root  wheel  512 Jun 15  2011 libdnet-1.12p1/
>>> drwxr-xr-x  2 root  wheel  512 Sep 13 10:14 libiconv-1.13p2/
>>> drwxr-xr-x  2 root  wheel  512 Jun 15  2011 lua-5.1.4p1/
>>> drwxr-xr-x  2 root  wheel  512 Jun 15  2011 nano-2.2.6/
>>> drwxr-xr-x  2 root  wheel  512 Jun 15  2011 ngrep-1.45p1/
>>> drwxr-xr-x  2 root  wheel  512 Jun 15  2011 nmap-5.21p3/
>>> drwxr-xr-x  2 root  wheel  512 Jun 15  2011 ntop-1.1/
>>> drwxr-xr-x  2 root  wheel  512 Jun 15  2011 pcre-8.02p1/
>>> drwxr-xr-x  2 root  wheel  512 Jun 15  2011 pfstat-2.3p1/
>>> drwxr-xr-x  2 root  wheel  512 Jun 15  2011 png-1.2.44/
>>> drwxr-xr-x  2 root  wheel  512 Jun 15  2011 postfix-2.8.20110113/
>>> drwxr-xr-x  2 root  wheel  512 Sep 12 12:56 screen-4.0.3p2/
>>>
>>> // Magnus
>>>
>>> On 2012-02-27 12:58, David Walker wrote:
>>>> Thank you Peter.
>>>>
>>>> I still get the same error message (error line wrapped):
>>>>
>>>> pkg_add ./pgt-firmware-1.2p2.tgz
>>>> Bad pkg_db: No such file or directory at
>>>> /usr/libdata/perl5/OpenBSD/PackageInfo.pm line 63.
>>>>
>>>> Line 63:
>>>>
>>>> opendir(my $dir, $pkg_db) or die "Bad pkg_db: $!";
>>>>
>>>> Something's wrong with my environment but what ...
>>>>
>>>> On 27/02/2012, Peter Hessler wrote:
>>>>> NO!
>>>>>
>>>>> For the love of everything holy, don't fucking use wget.
>>>>>
>>>>> the built-in ftp(1) client can download from http servers.
>>>>>
>>>>> and, d
Re: pgt firmware ...
Hi Magnus.

That was the issue - that directory didn't exist.
It was my fault - playing with fstab ...

Unfortunately it seems there's a bigger issue anyway.
When I plug the card in there's either no action (no ifconfig, no LEDs, no console message) or I get a panic.
It happens invariably (I think) if the card's in at boot, here's one (hand typed) ...

cbb0: no bus space
panic: io alloc
Stopped at Debugger+0x4: popl %ebp

ddb>

I've done 'ps' and 'trace' but they're a bit long to transcribe right now.
I did 'boot dump' and can see the dump in /var/crash - when I get some time I'll try and read some more man pages and see if I can extract anything useful.
If anyone's interested and wants me to extract anything, please tell me how, and I'll do it soonest. I'm not sure what I'm looking for.

Regardless, I might re-install so I can guarantee any other changes I've made are voided and try again. It's quite possible there's an issue with the card also. I might try it on another OS to verify that.

Best wishes.

On 27/02/2012, Magnus wrote:
> Hello,
>
> check that you have the path /var/db/pkg
>
> Information about the package(s) is recorded in a central repository, by
> default located in /var/db/pkg/. This will, among other things, prevent
> the dependencies of a package from being deleted before the package
> itself has been deleted. This helps ensure that an application cannot be
> accidentally broken by a careless user
>
> f.i. mine looks like this:
>
> # ls -Fl /var/db/pkg
> total 76
> drwxr-xr-x  2 root  wheel  512 Oct 19 11:29 bacula-client-5.0.2p1/
> drwxr-xr-x  2 root  wheel  512 Sep 13 10:14 bash-4.1.9p0/
> drwxr-xr-x  2 root  wheel  512 Jun 15  2011 dnsmasq-2.55/
> drwxr-xr-x  2 root  wheel  512 Jun 15  2011 gd-2.0.35p0/
> drwxr-xr-x  2 root  wheel  512 Sep 13 10:14 gettext-0.18.1p0/
> drwxr-xr-x  2 root  wheel  512 Jun 15  2011 joe-3.7p0/
> drwxr-xr-x  2 root  wheel  512 Jun 15  2011 jpeg-8b/
> drwxr-xr-x  2 root  wheel  512 Jun 15  2011 libdnet-1.12p1/
> drwxr-xr-x  2 root  wheel  512 Sep 13 10:14 libiconv-1.13p2/
> drwxr-xr-x  2 root  wheel  512 Jun 15  2011 lua-5.1.4p1/
> drwxr-xr-x  2 root  wheel  512 Jun 15  2011 nano-2.2.6/
> drwxr-xr-x  2 root  wheel  512 Jun 15  2011 ngrep-1.45p1/
> drwxr-xr-x  2 root  wheel  512 Jun 15  2011 nmap-5.21p3/
> drwxr-xr-x  2 root  wheel  512 Jun 15  2011 ntop-1.1/
> drwxr-xr-x  2 root  wheel  512 Jun 15  2011 pcre-8.02p1/
> drwxr-xr-x  2 root  wheel  512 Jun 15  2011 pfstat-2.3p1/
> drwxr-xr-x  2 root  wheel  512 Jun 15  2011 png-1.2.44/
> drwxr-xr-x  2 root  wheel  512 Jun 15  2011 postfix-2.8.20110113/
> drwxr-xr-x  2 root  wheel  512 Sep 12 12:56 screen-4.0.3p2/
>
> // Magnus
>
> On 2012-02-27 12:58, David Walker wrote:
>> Thank you Peter.
>>
>> I still get the same error message (error line wrapped):
>>
>> pkg_add ./pgt-firmware-1.2p2.tgz
>> Bad pkg_db: No such file or directory at
>> /usr/libdata/perl5/OpenBSD/PackageInfo.pm line 63.
>>
>> Line 63:
>>
>> opendir(my $dir, $pkg_db) or die "Bad pkg_db: $!";
>>
>> Something's wrong with my environment but what ...
>>
>> On 27/02/2012, Peter Hessler wrote:
>>> NO!
>>>
>>> For the love of everything holy, don't fucking use wget.
>>>
>>> the built-in ftp(1) client can download from http servers.
>>>
>>> and, do NOT just extract the files. we have package tools for a reason.
>>>
>>> EITHER:
>>> a) pkg_add http://firmware.openbsd.org/firmware/5.0/pgt-firmware-1.2.tgz
>>>
>>> OR
>>>
>>> b) ftp http://firmware.openbsd.org/firmware/5.0/pgt-firmware-1.2.tgz &&
>>> pkg_add ./pgt-firmware-1.2.tgz
>>>
>>> Anything else is stupid.
>>>
>>> On 2012 Feb 26 (Sun) at 18:21:31 +0400 (+0400), Wesley M. wrote:
>>> :Try this :
>>> :add wget package using pkg_add -vi wget
>>> :wget http://firmware.openbsd.org/firmware/5.0/pgt-firmware-1.2p2.tgz
>>> :Then extract this in /etc/firmware.
>>> :Halt your machine, Remove your network card, and now plug the new card,
>>> :boot
>>> :
>>> :Hope that it will help.
>>> :
>>> :Wesley.
>>> :
>>> :On Mon, 27 Feb 2012 00:02:28 +1030, David Walker wrote:
>>> :> Thanks Wesley.
>>> :>
>>> :> I forgot about that.
>>> :> I was going from man pgt which says:
>>> :> FILES
>>> :>
>>> :> A prepackaged version of the firmware, designed to be used with
Re: pgt firmware ...
Thank you Peter.

I still get the same error message (error line wrapped):

pkg_add ./pgt-firmware-1.2p2.tgz
Bad pkg_db: No such file or directory at
/usr/libdata/perl5/OpenBSD/PackageInfo.pm line 63.

Line 63:

opendir(my $dir, $pkg_db) or die "Bad pkg_db: $!";

Something's wrong with my environment but what ...

On 27/02/2012, Peter Hessler wrote:
> NO!
>
> For the love of everything holy, don't fucking use wget.
>
> the built-in ftp(1) client can download from http servers.
>
> and, do NOT just extract the files. we have package tools for a reason.
>
> EITHER:
> a) pkg_add http://firmware.openbsd.org/firmware/5.0/pgt-firmware-1.2.tgz
>
> OR
>
> b) ftp http://firmware.openbsd.org/firmware/5.0/pgt-firmware-1.2.tgz &&
> pkg_add ./pgt-firmware-1.2.tgz
>
> Anything else is stupid.
>
> On 2012 Feb 26 (Sun) at 18:21:31 +0400 (+0400), Wesley M. wrote:
> :Try this :
> :add wget package using pkg_add -vi wget
> :wget http://firmware.openbsd.org/firmware/5.0/pgt-firmware-1.2p2.tgz
> :Then extract this in /etc/firmware.
> :Halt your machine, Remove your network card, and now plug the new card,
> :boot
> :
> :Hope that it will help.
> :
> :Wesley.
> :
> :On Mon, 27 Feb 2012 00:02:28 +1030, David Walker wrote:
> :> Thanks Wesley.
> :>
> :> I forgot about that.
> :> I was going from man pgt which says:
> :> FILES
> :>
> :> A prepackaged version of the firmware, designed to be used with
> :> pkg_add(1), can be found at:
> :>
> :> http://firmware.openbsd.org/firmware/pgt-firmware-1.2.tgz
> :>
> :> The problem I have is that fw_update doesn't accept arguments and I
> :> need the adjacent pcmcia slot for the ethernet card and they are both
> :> bulky cards.
> :> I need to remove the conexant card to insert the ethernet card to
> :> access the network and then fw_update reports there are no devices to
> :> update - the conexant card is no longer attached.
> :> :]
> :>
> :> If you can think of a way to run this locally it'd be great.
> :>
> :> On 26/02/2012, Wesley M. wrote:
> :>> try fw_update (provided in OpenBSD 5.0)
> :>>
> :>> Wesley.
> :>>
> :>> On Sun, 26 Feb 2012 17:51:03 +1030, David Walker wrote:
> :>>> Hi.
> :>>>
> :>>> I'm trying to do:
> :>>> pkg_add http://firmware.openbsd.olg/firmware/pgt-firmware-1.2.tgz
> :>>>
> :>>> I get this:
> :>>> parsing pgt-firmware-1.2.tgz
> :>>> Bad pkg_db: No such file or directory at
> :>>> /usr/libdata/perl5/OpenBSD/PackageInfo.
> :>>> pm line 63.
> :>>>
> :>>> Do I need to add perl manually?
> :>>>
> :>>> Best wishes.
> :
>
> --
> Cleaning your house while your kids are still growing is like
> shoveling the walk before it stops snowing.
> -- Phyllis Diller
Re: pgt firmware ...
Thanks Wesley.

I forgot about that.
I was going from man pgt which says:

FILES

     A prepackaged version of the firmware, designed to be used with
     pkg_add(1), can be found at:

     http://firmware.openbsd.org/firmware/pgt-firmware-1.2.tgz

The problem I have is that fw_update doesn't accept arguments and I need the adjacent pcmcia slot for the ethernet card and they are both bulky cards.
I need to remove the conexant card to insert the ethernet card to access the network and then fw_update reports there are no devices to update - the conexant card is no longer attached.
:]

If you can think of a way to run this locally it'd be great.

On 26/02/2012, Wesley M. wrote:
> try fw_update (provided in OpenBSD 5.0)
>
> Wesley.
>
> On Sun, 26 Feb 2012 17:51:03 +1030, David Walker wrote:
>> Hi.
>>
>> I'm trying to do:
>> pkg_add http://firmware.openbsd.olg/firmware/pgt-firmware-1.2.tgz
>>
>> I get this:
>> parsing pgt-firmware-1.2.tgz
>> Bad pkg_db: No such file or directory at
>> /usr/libdata/perl5/OpenBSD/PackageInfo.
>> pm line 63.
>>
>> Do I need to add perl manually?
>>
>> Best wishes.
pgt firmware ...
Hi.

I'm trying to do:
pkg_add http://firmware.openbsd.olg/firmware/pgt-firmware-1.2.tgz

I get this:
parsing pgt-firmware-1.2.tgz
Bad pkg_db: No such file or directory at
/usr/libdata/perl5/OpenBSD/PackageInfo.
pm line 63.

Do I need to add perl manually?

Best wishes.
Re: Backup Redundancy Etcetera
On 07/02/2012, Nico Kadel-Garcia wrote:
> On Mon, Feb 6, 2012 at 4:10 AM, David Walker wrote:
>>
>> Currently my backup regime is woeful.
>> I have years worth of work on a Windows machine and some stuff
>> scattered across OpenBSD machines.
>
> Uh-oh.

I know.
I do have "hard" copies of some stuff (drives on shelves, etcetera) but I need to "cloud" it a little more and in the process get more methodical (instead of me forgetting).
Fortunately I have no problem losing any of these machines and starting from scratch - I don't need drive images or anything, the data I care about is in a few specific areas.
For instance the web server, I mainly care about the web sites of which I have multiple copies. I also have a copy of the Apache *conf and I probably have a copy of the /etc changes (rc.conf.local, pf.conf, so on).
In a worst case I can re-install from scratch, adjust /etc and copy Apache *conf (or re-write them in half an hour) - all that's not practically rebuildable is the websites themselves.

Anonymous wrote:
> Solaris
> ZFS

I've heard of it (ZFS) but here's the thing, I struggle enough keeping up with Windows and OpenBSD, I don't want to put another system into the mix.

> Being able to push data to the server manually from Windows and other
> operating systems over the network. SSH or IPsec or similar is my idea
> here.
> Windows is a weak spot since it is so bad and has few standard tools.

Especially open and secure protocols.
You either accept and embrace Active Directory or install third party software or stay simple.
Fortunately the Windows machine is internal so insecure is okay.

> You could probably script Filezilla to SSH what you want to the file server.

Good idea.
I'll probably end up either installing the Microsoft NFS client and scripting that or use the bog standard ftp client and script that.

> You can script cron jobs to rsync from everywhere but on Windows.
> NFS is better for sharing in real time. For backups rsync is hard to beat
> but Windows is a weak point as mentioned by other posters.

I'm looking at that now.
Part of the reason I want to use base is so that the curve in getting a machine back up is easy.
It's kind of what I was looking for but the overhead probably isn't worth it in my situation.

Again thanks for all the replies (including off-list).
Again I only want to back up data (which is really limited to the Windows machine) and configuration information (which is easily quantifiable and changes infrequently) - simple is probably best.
The scenario is so simple that installing software is possibly creating more difficulty.
I'll try scripting NFS maybe in combination with dump on the OpenBSD machines and see how that goes.

Best wishes.
Re: Backup Redundancy Etcetera
Thanks for the replies.

I should have stated I'm after something I can understand at a block level.

There are only a few datapoints I care about:

* the /etc from a few internal and external OpenBSD machines.
* a few other *conf* areas like /var/named and so on from external machines.
* either /var/www/virtuals from an external machine or from the Windows machine they were built on.
* some personal data from the Windows machine.

All that stuff changes little (especially the OpenBSD machines).
If I lose a day or so from the Windows machine that's fine.
So simple is good.

I've read through the ideas and something like dump looks suitable.

dump - filesystem backup

     -f file   Write the backup to file; file may be ... ... an ordinary file ...

This suggests I can mount a remote partition via NFS and dump to a file there.
Is this correct?
Can I do this via SSH also?

The only other question mark is doing something similar for the internal Windows machine.
I could do this manually via ftp but I suspect that will result in it happening far too little.
As far as I understand it, Microsoft supply an NFS client via the resource kit and it looks easy to "at" and script as long as it's interoperable and Microsoft read the RFCs ...

Best wishes.
Backup Redundancy Etcetera
Hey.

Currently my backup regime is woeful.
I have years worth of work on a Windows machine and some stuff scattered across OpenBSD machines.

I'm thinking of building a machine (the file server) to provide some backup and central storage.
I'll probably try and get my head around softraid for redundancy on the file server and I'm looking at these ideas for data transfer ...

Being able to push data to the server manually from Windows and other operating systems over the network. SSH or IPsec or similar is my idea here.

Having some mechanism where I can pull onto the server from the clients at selected times or poll the machines for changes and update the server or something. I have no experience here and I'm thinking about acronyms like NFS, rsync, etcetera.

This is for a small number of machines and low rate data changes but if I can find something that's in base, scalable, robust, secure, simple, quick ...
:]

Please give me some recommended acronyms, man pages, etcetera.

Best wishes.
Re: ichiic
Hi Bryan.

On 21/01/2012, Brynet wrote:
>
> Just an idea, but the SMBus controller has the same interrupt mappings as
> this "Lite-On" Ethernet device, is that something you installed?

Yes. I put a couple of PCI NICs in.
I've removed both of them and the issue persists.

> * You can disable ichiic in UKC/config(8), losing admtmp(4).

I might do that.
Really it doesn't bother me that much. As long as it doesn't interfere with other hardware I'll put it on the todo list.

> * Force the driver to use polling (..check the source).

Okay but that's beyond me.
:]

> * Figure out why they won't share the interrupt (..source/datasheets).
> or..
> * Remove that Ethernet card.

It looks like something else, I've removed all the PCI cards and it persists.
Without the cards, the ichiic0 is the only device on that interrupt.

> -Bryan.

Best wishes.
ichiic
Hey.

I've installed onto an old machine (dmesg follows):

uname -rsv
OpenBSD 5.0 GENERIC#43

Every few minutes I see this on the console ...

ichiic0: abort failed, status 0x2

... followed a minute or so later by ...

ichiic0: abort failed, status 0x40

... rinse and repeat.

This is a bog standard peecee that had a few doodads hanging off it which I've gladly removed - a case switch and "some other item" which I've never seen before but which only interfaces with the PSU and appears to be an external rail or somesuch (it looks like a plugpack connection).

Is this normal?
Do I have a hardware issue?
Should I provide more information?

Best wishes.

OpenBSD 5.0 (GENERIC) #43: Wed Aug 17 10:10:52 MDT 2011
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Celeron(R) CPU 2.60GHz ("GenuineIntel" 686-class) 2.60 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID,xTPR
real mem = 266858496 (254MB)
avail mem = 252444672 (240MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 04/06/04, BIOS32 rev. 0 @ 0xfb8e0, SMBIOS rev. 2.3 @ 0xf0800 (42 entries)
bios0: vendor Phoenix Technologies, LTD version "6.00 PG" date 04/06/2004
bios0: Acer VERITON 5600G
acpi0 at bios0: rev 0
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC
acpi0: wakeup devices HUB0(S5) UAR1(S5) UAR2(S5) USB0(S3) USB1(S3) USB2(S3) USB3(S3) USBE(S3) MODM(S5) PCI0(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 99MHz
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (HUB0)
acpicpu0 at acpi0
acpitz0 at acpi0: critical temperature is 60 degC
acpibtn0 at acpi0: PWRB
bios0: ROM list: 0xc/0xa400 0xcc000/0x8000!
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82865G Host" rev 0x02
vga1 at pci0 dev 2 function 0 "Intel 82865G Video" rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
intagp0 at vga1
agp0 at intagp0: aperture at 0xe000, size 0x800
inteldrm0 at vga1: apic 2 int 16
drm0 at inteldrm0
uhci0 at pci0 dev 29 function 0 "Intel 82801EB/ER USB" rev 0x02: apic 2 int 16
uhci1 at pci0 dev 29 function 1 "Intel 82801EB/ER USB" rev 0x02: apic 2 int 19
uhci2 at pci0 dev 29 function 2 "Intel 82801EB/ER USB" rev 0x02: apic 2 int 18
uhci3 at pci0 dev 29 function 3 "Intel 82801EB/ER USB" rev 0x02: apic 2 int 16
ehci0 at pci0 dev 29 function 7 "Intel 82801EB/ER USB2" rev 0x02: apic 2 int 23
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb0 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xc2
pci1 at ppb0 bus 1
mem address conflict 0xf000/0x1000
dc0 at pci1 dev 1 function 0 "Lite-On PNIC" rev 0x21: apic 2 int 17, address 00:a0:cc:39:d5:7e
lxtphy0 at dc0 phy 1: LXT970 10/100 PHY, rev. 0
sis0 at pci1 dev 2 function 0 "NS DP83815 10/100" rev 0x00, srr 100: apic 2 int 18, address 00:0f:b5:fe:57:de
ukphy0 at sis0 phy 0: Generic IEEE 802.3u media interface, rev. 0: OUI 0x002080, model 0x0008
ifmedia_set: no match for 0x20/0x
bge0 at pci1 dev 13 function 0 "Broadcom BCM5705" rev 0x03, BCM5705 A3 (0x3003): apic 2 int 22, address 00:0c:76:9c:fe:32
brgphy0 at bge0 phy 1: BCM5705 10/100/1000baseT PHY, rev. 2
ichpcib0 at pci0 dev 31 function 0 "Intel 82801EB/ER LPC" rev 0x02
pciide0 at pci0 dev 31 function 1 "Intel 82801EB/ER IDE" rev 0x02: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0:
wd0: 16-sector PIO, LBA, 39205MB, 80293248 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 1
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: ATAPI 5/cdrom removable
cd0(pciide0:1:1): using PIO mode 4, Ultra-DMA mode 2
pciide1 at pci0 dev 31 function 2 "Intel 82801EB SATA" rev 0x02: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide1: using apic 2 int 18 for native-PCI interrupt
ichiic0 at pci0 dev 31 function 3 "Intel 82801EB/ER SMBus" rev 0x02: apic 2 int 17
iic0 at ichiic0
admtm0 at iic0 addr 0x2d: 47m192
iic0: addr 0x2f 04=00 06=06 07=00 0c=00 0d=07 0e=85 0f=00 10=c4 11=10 12=00 13=60 14=14 15=62 16=01 17=06 words 00= 01= 02= 03= 04=00ff 05= 06=06ff 07=00ff
"eeprom" at iic0 addr 0x50 not configured
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb4 at uhci3: USB revision 1.0
uhub4 at usb4 "Intel UHCI root hub" rev 1.00/1.00 addr 1
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pck
Re: ALIX 2 Hangs on boot at date/time
Hey.

On 10/12/2011, Dave Beckstrom wrote:
>
> David,
>
> Thanks for the suggestion. I'm 99% of the way there. Basically all I need
> to do is edit "/etc/ttys" to configure something like:
>
> tty00 "/usr/libexec/getty std.38400" vt220 on secure
>
> and I'll be all set.

One of the great things about PXE install (from memory) is that it will set this up for you ...
Certainly there's a question on install ...

Change the default console to com0? [no] Enter

http://www.openbsd.org/faq/faq4.html#InstQuestions

> I've discovered that I can boot into single user mode. That leaves me at
> the sh# shell. I remount root as read write and then mount -a. Here is
> where I run into trouble. Can't get an editor to run. It doesn't find vi.
> Apparently there is an mg editor but I haven't had time to read on how to
> run that.

So ... it's broken.
:]

> If I can't solve this I'll go the PXE route. Not quite ready to give up
> yet. If anything, it's a good learning process. :)

I admire your tenacity.
You could have installed OpenBSD onto an old machine, turned on DHCPD, TFTPD and installed onto the ALIX in about 15 minutes if you knew what you were doing.
Notwithstanding the fact you don't know what you're doing and have to read more stuff I suspect you could have easily done this in less time than your current process.
Which is more useful learning?
When your flashrd breaks ... you'll get no help.
I'm not commenting on that for good or bad. That's the way it is.

Here's the really good thing. If you install generic you'll get to do things like this:

     o   A colon, followed by a memory buffer size (in kilobytes), followed
         by another colon, followed by a buffer name. Selected messages are
         written to an in-memory buffer that may be read using syslogc(8).
         Memory buffered logging is useful to provide access to log data on
         devices that lack local storage (e.g. diskless workstations or
         routers). The largest allowed buffer size is 256kb.

http://www.openbsd.org/cgi-bin/man.cgi?query=syslog.conf

... by reading the manual ... and people will help you.

I ran an ALIX for a couple of years - it's next to me on the desk now.
I had that thing so RAMized and ROized ... Of course flash is pretty robust anyway ...
... but I learned more in those couple of years than I had before by doing it myself ... and I ran GENERIC ... and people answered my questions ...
I looked long and hard at the off the shelf somebody else's work installers and figured they were going to be a hard slog and even if GENERIC was a harder slog at least I'd be able to ask for help confidently and know where I stood vis-a-vis the man pages and FAQ and so on.
I also felt pretty confident every time it came round to installing a new release ...

> Thanks,
>
> Dave

Best wishes.

> -Original Message-
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
> David Walker
> Sent: Friday, December 09, 2011 3:07 PM
> To: misc@openbsd.org
> Subject: [SPAM]- Score (15)Re: ALIX 2 Hangs on boot at date/time
>
> Get an old PC or somesuch, run tftp and install directly onto the ALIX via
> ethernet.
> See here:
> http://www.openbsd.org/faq/faq6.html#PXE
>
> Problem(s) solved.
>
> Best wishes.
Re: ALIX 2 Hangs on boot at date/time
Get an old PC or somesuch, run tftp and install directly onto the ALIX via ethernet.
See here:
http://www.openbsd.org/faq/faq6.html#PXE

Problem(s) solved.

Best wishes.
Re: Newbie: mounting USB flash drive failure
Hi.

Neoklis Kyriazis wrote:
> For a hardware type question a dmesg is expected. Maybe usbdevs(8) also.

Also here (sysutils/usbutil):
http://marc.info/?l=openbsd-misc&m=131385903423582&w=2
http://marc.info/?l=openbsd-ports&m=120133490229421&w=2

I'm no expert.
I do know that one of my USB drives that used to work on OpenBSD fine has got flaky to the point where it doesn't any more.
Windows still deals with it fine.
If it's as simple as that get another one.

Best wishes.
Re: I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it
On 14/11/2011, Andres Perera wrote:
>
> i like your style :)

:]

I've been writing essays for this guy and fixing his 800 line PF but there's a limit.

How cool is this ...

To study and not think is a waste. To think and not study is dangerous.
Confucius.

Pwnage.

Teaching people to fish ... it's a little too cheery ...
Re: I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it
On 13/11/2011, Mostaf Faridi wrote:
> Can I optimize this pf.conf?
> Thanks in advance

I do not open up the truth to one who is not eager to get knowledge, nor help out any one who is not anxious to explain himself. When I have presented one corner of a subject to any one, and he cannot from it learn the other three, I do not repeat my lesson.

http://en.wikiquote.org/wiki/Confucius
http://blogs.nasa.gov/cm/wiki/?id=2738#gen6

Best wishes.
Re: I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it
Hey.

On 06/11/2011, Gholam Mostafa Faridi wrote:
>
> NAT1= "10.10.10.194"
>
> paltalk1= "{ 192.168.0.20, 192.168.0.21, 192.168.0.22 }"
>
> match out on egress inet from !(paltalk1) to any nat-to (NAT1)
>
> much different is in NAT rule , and other things is similar old pf.
>
> I have 27 valid IPs or static IPs , and I have to put many lines in my
> pf.conf
>
> I want three invalid IPs assigned to one Valid or static IP. for example
> if my valid IP is 10.10.10.1 , I need these IPs 192.168.0.1 ,
> 192.168.0.2 , 192.168.0.3 assigned to 10.10.10.1
>
> this is my network diagram
>
>            |
>            |
>            |
>            |
>     10.10.10.192/27
>        external
>
>   OpenBSD pf firewall
>
>        internal
>   192.168.168.0.1/24
>            |
>            |
>            |
>            |

http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&manpath=OpenBSD+5.0#EXAMPLES

Looking really quickly this is wrong:

> match out on egress inet from !(paltalk1) to any nat-to (NAT1)

! == NOT
$ == MACRO

match out on egress inet from ($paltalk1) to any nat-to ($NAT1)

BTW, they are public and private addresses, not valid and invalid.
Static is something different again (does not change in contrast to dynamic, i.e. DHCP).

> best wishes,
> mfaridi

Action learning is an educational process whereby the participant studies their own actions and experience in order to improve performance. Learners acquire knowledge through actual actions and repetitions, rather than through traditional instruction.

http://en.wikipedia.org/wiki/Action_learning

To study and not think is a waste. To think and not study is dangerous.

http://en.wikiquote.org/wiki/Confucius

Best wishes.
Re: I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it
Mostaf Faridi wrote:
> I want migrate from FreeBSD to OpenBSD , yesterday I install OpenBSD 5
> amd64 and run samba server with OpenBSD and it work good . In first step I
> run samba server with OpenBSD , and after this I want run NAT server with
> OpenBSD .

Great.

> And for start I want understand , is my PF.conf work in OpenBSD
> or no ?

No.

Next question ... What's the best way to get from there to OpenBSD 5.0 pf.conf?

Start from scratch.

If you can do all the other things (install, samba, etcetera) you can start writing a pf.conf from scratch. You should be writing one for the Samba server ... so you should look upon this as an essential skill. Besides, if somebody moves the network in the future (add a few machines maybe) what will you do?

Follow the dots.

Get the pf.conf man page ...

Work out your macros ...
Hint, that's all the stuff from the old pf.conf with an "=".
Another hint, this is the entire macro text as it applies to you:

     Macros can be defined that will later be expanded in context. Macro
     names must start with a letter, and may contain letters, digits and
     underscores. Macro names may not be reserved words (for example pass,
     in, out). Macros are not expanded inside quotes.

     For example:

           ext_if = "kue0"
           all_ifs = "{" $ext_if lo0 "}"
           pass out on $ext_if from any to any
           pass in on $ext_if proto tcp from any to any port 25

Next hint, the only difficult bit about that is "Macros are not expanded inside quotes." and the use of quotes inside the braces ... The $ should help you work that out.
Happy hint, that's half your work done in five minutes by copying and pasting from your old pf.conf ...
In this case it's okay if you follow the dots - read the man page, if it's the same syntax then it's the same syntax.

Work out your OPTIONS ...
Keep it really simple, for example in your old pf.conf you load fingerprints but don't appear to use them.
Hint, you probably don't need any options at all to start (i.e. default will be fine).
Do you understand your timeouts and limit? If not, don't use them.

Work out your TABLES ...
Or better yet don't use them until you have a working NAT system.
Hint, as near as I can tell ... you're not using any of the tables in your pf.conf ... Check that and then ... get rid of them.

Read the small section in the man page on "Translation" under PACKET FILTERING - it's a few pages down.
Look at the EXAMPLES for some ideas.

Write one NAT rule and one RDR rule, using your macros.

If you get stuck go here:
http://www.openbsd.org/faq/pf/nat.html#config
http://www.openbsd.org/faq/pf/rdr.html#filter

If you're still stuck go here:
http://www.openbsd.org/faq/pf/example1.html

Bear in mind that parts of the PF FAQ might be still in 4.9 and you want 5.0 ... Someone else should be able to answer that but ... the man page will give you an answer.

Once you've got that worked out ...
Do NAT and RDR for all your other macros ...
Test.
Then worry about all the other stuff.

If you can install and use OpenBSD you can learn pf or at least if you won't learn pf you shouldn't be installing and using OpenBSD at least not in a packet filtering role. :]

> I hate Windows OS , and want only run all of my servers with BSD, specially
> OpenBSD.

I only want my servers to run OpenBSD but I'm happy to use Windows on the desktop.

Best wishes.
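As an added example (not part of the thread, and not the poster's ruleset), here is what the post is asking for laid out in OpenBSD 5.0 syntax: a macro section first, no options and no tables, then one NAT rule and one RDR rule that use those macros. The interface names, the internal network and the web server address are assumptions; the `match ... nat-to` and `pass ... rdr-to` forms are the ones OpenBSD has used since the 4.7 pf rewrite, so a FreeBSD 8.2 `nat on`/`rdr on` file will not load unchanged.

```pf
# Added example, not from the thread: minimal NAT + RDR ruleset, OpenBSD 5.0 syntax.
# em0/em1, 192.168.1.0/24 and 192.168.1.10 are assumptions; replace with your own.

# Macros: the "=" lines from the old pf.conf go here.
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.1.0/24"
web_srv = "192.168.1.10"

# No options, no tables yet: get translation working first.
set skip on lo

# One NAT rule: rewrite the source address of LAN traffic leaving ext_if to
# ext_if's own address. The parentheses make pf follow the address if it changes.
match out on $ext_if from $int_net to any nat-to ($ext_if)

# Default stance on the outside interface; the pass rule below is more specific
# and, being later, wins for the traffic it matches.
block in on $ext_if

# One RDR rule: forward inbound TCP/80 on the external address to the web server.
pass in on $ext_if proto tcp from any to ($ext_if) port 80 rdr-to $web_srv

# Let the LAN out and let translated traffic leave; tighten once NAT/RDR are verified.
pass in  on $int_if from $int_net
pass out on $ext_if
```

Check it with `pfctl -nf /etc/pf.conf` before loading: `-n` parses without applying, so a syntax error from a leftover FreeBSD construct shows up before the firewall is touched.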
Re: I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it
Mostaf Faridi wrote:
> My problem is this I do not enough time to start from scratch and make new
> rule .

If you were moderately familiar with OpenBSD you could have, in the time between the start of this thread and now, read pf.conf for OpenBSD 5.0 and written on paper or wherever a complex ruleset.

If your boss won't allocate time for this and expects you to outsource it to the web and whatever then he's doing it wrong.

You don't have a good enough familiarity with OpenBSD (or FreeBSD) to know where to start. Right?

If you do plan to migrate then you should build a machine, install OpenBSD 5.0, write a ruleset and test it. In your workplace, testing may mean swapping the machines until everyone complains and you swap them back and try again but doing it the way you're doing it now (no experience, asking for copy and paste administration, no testing) is wrong.

> in my work place , my boss find another person can do internet
> sharing with Windows 2008 and ISA and this person say he can make best
> internet sharing server

So you want pf on OpenBSD and don't want to see a Windows machine ...
... but you're not interested in reading about pf on OpenBSD ...

Who's running the current FreeBSD machine? How come they can't understand it? Why not troubleshoot that? Etcetera ...

How will swapping to a new operating system be better than using the current one which almost works?

If you want to stay with FreeBSD you should at a minimum understand your current ruleset (removing any non-essential lines might be a good start) if you want to get help on it. Again though you're in the wrong place.

Can you explain what every line in the pf.conf you sent is for? If not, find out, if it does nothing, delete it, whatever. Describe your network, do you have issues with DNS, do you have a http proxy, what tests have you done from clients, etcetera ...

Have you looked here:
http://www.freebsd.org/cgi/man.cgi?query=pfctl&sektion=8&manpath=FreeBSD+8.2-RELEASE

So on and so forth.

Under those circumstances, maybe Windows is the better choice. Certainly without any relevant OpenBSD experience you're better off with FreeBSD right?

> I said before my pf.conf in FreeBSD work good , but sometimes some user
> lost internet and they can not browse web pages , but they can chat with
> paltalk , after reboot or disable or enable PF this problem solve .

Fine. You have choices.

Fix your current setup which should involve reading the FreeBSD pf.conf documentation and talking to people on the FreeBSD lists. Goodbye.

Build an OpenBSD machine, in which case, talk to you when you've got a machine running and you have some more appropriate questions. People will help you.

Either way you should be willing to invest time and if you won't do that on your own and your boss doesn't want you to do it in work time then let the Windows people worry about it. Good times.

Best wishes.
Re: I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it
Mostaf Faridi wrote:
> Thanks
> Your 3 way is good . I choose number 3 .

Please note carefully how number 3 works ...

*You* either have to track between FreeBSD then and OpenBSD now ... two different trees over however many years ...
... or track between FreeBSD then, whatever pf they imported from OpenBSD then and do method 2 over any number of OpenBSD releases ...

Note the asterisks - *You*

Please let me know how it goes.

... method 1 is far simpler and better suited to your circumstances. If you *try* method 1 (asterisks) you'll probably get pretty far on your own and get enough help after that to get it working. One rule at a time ...

Trying to do method 3 by yourself or asking others to help you or asking others to do it all for you ... is not as good as method 1 ...

> I have pf.conf from FreeBSD and it
> work good for me over 3 months. But sometimes it does not work good , I
> said my problem in first email .

I avoided that bit. It was the lack of paragraphs.

Yet you want to use it as a foundation for an OpenBSD pf.conf ... This is problematic ... maybe you could start again from scratch? See method 1 ...

> I want only understand : is this pf.conf work great in opnbsd or no ?

If it's designed for FreeBSD ... and doesn't work in FreeBSD ... it's not realistic to think it might somehow work in OpenBSD.

I'm not sure if your English is a problem for you but you're way off course.

Best wishes.
Re: I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it
Mostaf Faridi wrote:
> Thanks all guys
> Sorry for my bad English I , only understand is this pf.conf work in
> openbsd 5 or no .? Which part I must edit and change it
> Is this pf.conf is correct ?
> Thanks in advance

You're doing it wrong.

Three ways you could write a pf.conf for OpenBSD ...

1. ... start from scratch (start from nothing).

Read the documentation that comes with that release, in this case the pf.conf man page for OpenBSD 5.0 ...
http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&manpath=OpenBSD+5.0

Read a vendor supplied FAQ ... for additional help ... if it relates to that release. In this case:
http://www.openbsd.org/faq/pf/index.html

If you are careful and do your homework you might have the odd question and then you can search the archives, do a Google, post to misc@ and so on. See here:
http://www.openbsd.org/mail.html

Dumping an entire pf.conf isn't part of this process.

2. ... you go from one OpenBSD release to another OpenBSD release. For example OpenBSD 4.9 to OpenBSD 5.0 ... and use this:
http://www.openbsd.org/plus50.html

Everything to do with pf.conf (e.g. the first item on that page) should prompt you to examine your existing rules and see if they need modifying ... referring to the pf.conf man page, which is probably good practice anyway.

Note, that requires a working pf.conf from the same vendor (e.g. an existing ruleset from OpenBSD) and a willingness to follow the dots (i.e. the plus pages) ...

Dumping an entire pf.conf isn't part of this process either.

3. Use a pf.conf from a different release ... and a different operating system ...

You either have to track between FreeBSD then and OpenBSD now ... two different trees over however many years ...
... or track between FreeBSD then, whatever pf they imported from OpenBSD then and do method 2 over any number of OpenBSD releases ...

Sometimes starting from scratch is the way to go.

If you can get a new pf.conf from a FreeBSD one without too much confusion you should still understand it anyway to apply it to your real ruleset as opposed to your copy paste example ... see method 1.

Regardless, dumping a large conf and asking people to "fix" it for you without any evidence you've tried yourself won't fly around here. Copy and paste administration will only lead to misery or reading man pages anyway or both ...

Apart from the lack of paragraphs in your first mail your English is fine.

Best wishes.
Re: ThinkPad 600 screen size.
On 05/11/2011, David Riley wrote:
> whoever decided that the BIOS needed a "friendly" mouse-driven interface
> ought to be dragged out into the street and shot.

Agreed. Mouse BIOS really grates but the little bird is too much.

They've hidden everything useful but included a very extensive test suite. The boot and remote management options are hideously extensive. Other than that I can set the time ... and a password.

As near as I can tell, the expectation is that BIOS is managed through the operating system - there are downloadable utilities for this purpose.

It's in good nick and IBM (Lenovo) still have all the docs and files on the web. The "ThinkPad 600 Suppliment to the User's Guide" (sic) is 221 pages ... That's the supplement. :] It's all English too. One of the PDFs has 63 pages of assembly and C suggestions. :]

Ah, the good old days.

Best wishes.
Re: ThinkPad 600 screen size.
Hey.

Thanks everyone.

On 05/11/2011, Antti Harri wrote:
> If I understood your problem correctly the solution is to use the hotkey
> that
> stretches the screen to full size. Try FN+F8.

Thanks very much for that. It's persistent between reboots which is great.

The font looks a little weird - it's a little taller and thinner than what I'm used to but it's very sharp. I played with wsfontload for a while but this might be okay.

> --
> Antti Harri
>

Best wishes.
Re: ThinkPad 600 screen size.
Hey.

So I'm looking at wscons stuff and I see this:

wsconsctl -a | grep wsdisplay.emulations
display.emulations=vt100

In ttys, all the terminals I use are vt220 - the default. Does this make sense?

I've tried to change the screen type (e.g. 80x50) using wsconscfg and I can't see anything that budges the size.

Are there other things to try?

Best wishes.
Re: ThinkPad 600 screen size.
Thanks guys.

This BIOS is ... sad. It's mouse driven - the cursor is a bird that flaps its wings. :[

There is a video option but it only disables the external monitor - I tried it anyway.

The BIOS video test takes up the whole screen (gives mode numbers and resolutions) and the boot graphic does so as well.

I'll try vga(4) but I think you're right.

Best wishes.
ThinkPad 600 screen size.
Hi.

I got my hands on a ThinkPad 600 and only about 50% of the screen is utilized on ttys in the middle.

Can someone please tell me where to look for this, man page or whatever.

TIA

Best wishes.

OpenBSD 5.0 (GENERIC) #43: Wed Aug 17 10:10:52 MDT 2011
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium II ("GenuineIntel" 686-class, 512KB L2 cache) 266 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PSE36,MMX,FXSR
real mem = 301330432 (287MB)
avail mem = 286351360 (273MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 09/18/99, BIOS32 rev. 0 @ 0xfd820
apm0 at bios0: Power Management spec V1.2
pcibios0 at bios0: rev 2.1 @ 0xfd880/0x800
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf9e10/96 (4 entries)
pcibios0: PCI Exclusive IRQs: 11
pcibios0: PCI Interrupt Router at 000:07:0 ("Intel 82371AB PIIX4 ISA" rev 0x00)
pcibios0: PCI bus #4 is the last bus
bios0: ROM list: 0xc/0xa000
cpu0 at mainbus0: (uniprocessor)
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443BX" rev 0x02
cbb0 at pci0 dev 2 function 0 "TI PCI1250 CardBus" rev 0x02: irq 11
cbb1 at pci0 dev 2 function 1 "TI PCI1250 CardBus" rev 0x02: irq 11
vga1 at pci0 dev 3 function 0 "Neomagic Magicgraph NM2160" rev 0x01
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
piixpcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x01
pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0:
wd0: 16-sector PIO, LBA, 57231MB, 117210240 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: ATAPI 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
uhci0 at pci0 dev 7 function 2 "Intel 82371AB USB" rev 0x01: irq 11
piixpm0 at pci0 dev 7 function 3 "Intel 82371AB Power" rev 0x01: SMI
iic0 at piixpm0
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 1 device 0 cacheline 0x8, lattimer 0xb0
pcmcia0 at cardslot0
cardslot1 at cbb1 slot 1 flags 0
cardbus1 at cardslot1: bus 4 device 0 cacheline 0x8, lattimer 0xb0
pcmcia1 at cardslot1
isa0 at piixpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
sb0 at isa0 port 0x220/24 irq 5 drq 1: dsp v3.02
midi0 at sb0:
audio0 at sb0
opl at sb0 not configured
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
lpt2 at isa0 port 0x3bc/4: polled
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
usb0 at uhci0: USB revision 1.0
uhub0 at usb0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
mtrr: Pentium Pro MTRR support
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
scsibus2 at softraid0: 256 targets
root on wd0a (166b03162061edf6.a) swap on wd0b dump on wd0b
rl0 at cardbus0 dev 0 function 0 "Realtek 8139" rev 0x10: irq 11, address 00:e0:98:b9:3f:78
rlphy0 at rl0 phy 0: RTL internal PHY
Re: Couple of issues with man pages.
Hi Ingo.

On 13/10/2011, Ingo Schwarze wrote:
>
> Don't look too much at any kind of HTML generated from these
> languages. That's not standardized. ASCII terminal output
> is what counts.

Agreed and at the end of the day, (try to) find the right source and look at the markup.

I should know now when I'm looking at CVS and it doesn't agree with current I'm looking in the wrong place. I looked at those cvs man pages for a long time and tried to work out how the formatting could drop out whole bits ... Hehe.

>
> Yours,
> Ingo
>

Thanks again.

Best wishes.
Re: Couple of issues with man pages.
Hi Kristaps.

Kristaps Dzonsons wrote:
> Tip: you can usually tell straightaway whether a manual is in mdoc(7) or
> man(7) by looking at the header. If it has the nice volume name as the
> centre of three columns (e.g., "OpenBSD Reference Manuals"), then it's
> most likely in mdoc(7).

I wondered if there was a simple way to check. I'll probably develop a habit now ...

I also notice on cgi that man format has the third column (or second in that case) not fully justified to the right, whereas mdoc ... looks good.

Thank you.

Best wishes.
Re: Couple of issues with man pages.
Hi Ingo.

Thank you for answering all my questions.

Best wishes.

On 13/10/2011, Ingo Schwarze wrote:
Couple of issues with man pages.
Hey team.

I'm looking at cvs and man pages and stuff.

I notice that two cvs pages - cvs(1) and cvs(5) - don't have SEE ALSO hyperlinks appearing in cgi ...
http://www.openbsd.org/cgi-bin/man.cgi?query=cvs&sektion=1&manpath=OpenBSD+Current
http://www.openbsd.org/cgi-bin/man.cgi?query=cvs&sektion=5&manpath=OpenBSD+Current

... so I browse mdoc and see this:

     Xr     Link to another manual
     ...
     .Xr name section
     If section is followed by non-punctuation, an Ns is inserted into
     the token stream.

... and think I'm not used to seeing punctuation after the last link which the two offending man pages have (one has a punctuation which probably isn't good at any rate).

So I check against a 5.0 snapshot and the pages square with cgi, viz. the SEE ALSO is formatted differently on the operating system from what I'm used to. Take mdoc and afterboot as examples, they both have cgi hyperlinks and the OS pages are what I'm used to.

So I'd like to look at that and the place to start is src ...
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/cvs/cvs.1?rev=1.127
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/cvs/cvs.5?rev=1.8

... where I run into other issues. Those man pages are quite different to what I see on the OS and on the web. I readily accept there might be build processes I'm not looking at but is this correct?

One difference I'm particularly curious about is the presence of cvsintro.7 both as a file in http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/cvs/ and referred to in the previous cvs files but if I'm looking in the wrong place that would make a lot of sense.

Of minor note also is the "page demarcations" on the cgi and the OS, which looks like it's done by Dt, is in lowercase on cvs(5) which is a clear violation of the rules. :] As I apparently can't find the source, however, I can't think about fixing this.

I'd love to be clued in on how this works or the correct source for those pages ...

Regardless, in terms of formatting, there's an inconsistency between those two man pages and other man pages as they appear on a console which I guess is at least worth noting.

Best wishes.
Re: smtpd and virtuals
Here's a couple of manual diffs. smtpd.8 against revision 1.12 ... --- smtpd.8 Wed Oct 12 08:01:04 2011 +++ diffs/smtpd.8 Tue Oct 11 22:56:22 2011 @@ -126,3 +126,16 @@ The .Nm program first appeared in .Ox 4.6 . +.Sh CAVEATS +.Nm +may not be suitable for production use at the present time. +.Pp +It should be noted that while the requisite +.Nm +binaries are included in the default installation, +in cases where there is a corresponding Sendmail utility, +the OpenSMTPD manual page(s) should be fetched from CVS. +Currently this affects +.Xr makemap 8 +and +.Xr newaliases 8 . smtpd.conf.5 against revision 1.45 ... --- smtpd.conf.5Wed Oct 12 09:49:54 2011 +++ diffs/smtpd.conf.5 Tue Oct 11 23:07:18 2011 @@ -217,7 +217,7 @@ The rule matches only locally originating connections. This is the default, and may be omitted. .It Ic from Ar network -The rule matches if the connection is made from the specified +The rule matches if the connection is made from .Ar network , specified in CIDR notation. .El @@ -431,3 +431,16 @@ accept for all relay .Xr smtpd 8 first appeared in .Ox 4.6 . +.Sh CAVEATS +.Xr smtpd 8 +may not be suitable for production use at the present time. +.Pp +It should be noted that while the requisite +.Xr smtpd 8 +binaries are included in the default installation, +in cases where there is a corresponding Sendmail utility, +the OpenSMTPD manual page(s) should be fetched from CVS. +Currently this affects +.Xr makemap 8 +and +.Xr newaliases 8 . I took the liberty of changing the previous diff ... from network The rule matches if the connection is made from the spec- ified network, specified in CIDR notation. ... "specified network, specified in CIDR" is a little too repetitive for me and unnecessary. Best wishes.
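Review bot: in the smtpd.8 CAVEATS hunk, "the OpenSMTPD manual page(s) should be fetched from CVS" tells the reader to go to CVS without saying where to look; since the affected pages are listed in the next sentence, drop the "(s)" and name the location (the pages are under src/usr.sbin/smtpd/, as the cvsweb link earlier in this thread shows) so the caveat is actionable. "at the present time" and "Currently" will also read as stale the moment either situation changes; wording that does not need a follow-up edit would age better.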
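Review bot: the CAVEATS section added to smtpd.conf.5 is a word-for-word copy of the one added to smtpd.8 (with `.Nm` swapped for `.Xr smtpd 8`), so the two will drift the first time one is edited. Keep the text in smtpd.8 only and have smtpd.conf.5 point at it, e.g. `.Sh CAVEATS` followed by `See the CAVEATS section of` and `.Xr smtpd 8 .`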
Re: smtpd and virtuals
Hi Henri.

On 11/10/2011, Henri Kemppainen wrote:
>
> I agree this isn't ideal. On the other hand, having a system ship with
> two overlapping & incompatible alternatives is a rather exceptional case,
> and there's no way to automagically please everyone. One could suggest
> renaming the manuals (and binaries?) and installing them both, but that's
> nasty and ugly, and probably not worth it, if one of the daemons is to
> be axed anyway.
>
> There's surely a good reason smtpd isn't the default yet, and there's
> a good reason I kept hearing that smtpd isn't considered ready for
> production yet, back when I started using it. The message is rather
> clear to me: you may play with it, as long as you know what you're doing,
> and are okay with the possibility of problems. Finding the manual is a
> part of knowing what you're doing :-) I can see why one could get
> confused though, even if the title lines for these (installed) manuals
> contain "sendmail".

You are 100% correct about all of that. Including this ... "finding the manual is part of knowing what you're doing".

It seems to me though, that unless people are actively looking through src for makemap(8) it will easily go unnoticed even for the patch senders. I've been through there maybe a hundred times in the last few months and never noticed it. I go there to look for something specific, find it, move on. Whenever I want documentation I start at man smtpd and go from there.

Again though you are 100% correct and we've all been warned. This is why I've tried to understand the situation and tried to laugh about it. I've started drinking now which is helping somewhat ...

>> If not, what can be done about users who read the man pages and have
>> issues as a result?
>
> I don't know what can be done about users, but I know what the users can
> do: try figure out what is lacking or misleading, maybe contact the
> developer(s), and propose a change.
Something like this: > > Index: makemap.8 > === > RCS file: /cvs/src/usr.sbin/smtpd/makemap.8,v > retrieving revision 1.14 > diff -u -p -r1.14 makemap.8 > --- makemap.8 3 Sep 2010 11:22:36 - 1.14 > +++ makemap.8 10 Oct 2011 19:10:51 - 
> @@ -90,11 +90,14 @@ accept for domain map "primary" deliver > .Ed > .Sh VIRTUAL DOMAINS > Virtual domains are kept in maps. > -To create single virtual address, add > -.Dq u...@example.com user > +To create a virtual domain, add > +.Dq example.com kittens > to the virtual map. > -To handle all mail destined to any user at example.com, add > -.Dq @example.com user > +To create a virtual address for one user under that domain, add > +.Dq u...@example.com user > +to the virtual map. > +To catch all mail destined to the domain, add > +.Dq @example.com user > to the virtual map. > .Pp > In addition to adding an entry to the virtual map, I'll have a look at that in a minute, well maybe after a good sleep but I don't see any reason not to make some adjustment to smtpd.conf(5) ... That's where the smtpd man pages start to go to makemap(8) ... The next best and as far as I can see other deviation into the Sendmail man pages is from smtpd(8) into mailwrapper. Changing /etc/mailer.conf is discussed there and I don't see any reason not to make it obvious not to follow the breadcrumbs too blindly (i.e.caveats) or maybe a BUGS section. I would like to see smtpd.conf include some "warning" also and I think it's warranted there more than anywhere. As you say smtpd is known non-production, transitional, so on. Under these circumstances it seems reasonable to me that this information is clearly outlined in all the smtpd specific man pages which it currently isn't. not in any of them that I can see. You and I know this but there are others. Whether or not that happens I see no reason under the same circumstance to be careful when pointing to other man pages that are irrelevant and/or harmful. For instance if I see smtpd and smtpd.conf man pages included can I assume that other included man pages they point to and reference without warning are pointed to and referenced for a reason ... That's what I've assumed. Absent input from Gilles I'll get up tomorrow and do this. 
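Review bot: the new line `.Dq example.com kittens` introduces a domain entry whose second field ("kittens") is never explained, and the surrounding sentences use that second field as a user name for the other two entry types; since, as noted further down in this thread, a value is required for the domain key but does not appear to be used, the text should say what that value means (or that it is ignored), otherwise readers will take "kittens" for a user account. A trailing sentence such as "The value for a domain entry is currently unused." after `to the virtual map.` would settle it.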
It's 7am here ...

> The need to have a value for the domain key is a bit ugly. I noticed
> the stdio backend is happy with empty values, allowing for a pretty list
> under a colon terminated domain name:
>
> virtual.domain:
> user1@virtual.domain    user1
> user2@virtual.domain    user2
>
> another.domain:
> user3@another.domain    user3
> user4@another.domain    user4
> ..
>
> Makemap doesn't like it, though.
>

You're talking a very different language from me. These terms don't appear outside of makemap(8) and maybe newaliases(8) which again I notice is in src ...

I pulled makemap(8) from the web last night and had a couple of reads but I really need to take my time with it ...

... but your previous examples were exac
Re: smtpd and virtuals
Hi Gilles.

If my previous is hostile ... sorry.

Without the context of the makemap man page in src/usr.sbin/smtpd/ there's no correlation between your first and second mails which creates more confusion. With that man page, however, pennies start to drop ...

I spent 4= hours glued to my screen reading and drafting before I understood the full import of what was going on and found some hopefully constructive questions. I was angry about various things but that's down to me.

You've done work here. I haven't.

Best wishes.
Re: smtpd and virtuals
Hi.

In manXX.tgz (since 4.8) and also on web-cgi, the smtpd.conf(5) man page references makemap(8) more than once ...
... with explicit instructions to use that man page as a guide when making db maps and/or understanding the format of plain maps. The web-cgi page obviously hyperlinks to the other page.

The makemap(8) man page - again in manXX.tgz and also on web-cgi - contains the following ...

NAME
     makemap - create database maps for sendmail

... and references another associated man page - editmap ...

NAME
     editmap - query and edit records in database maps for sendmail

... both of which reference Sendmail ...
... both of which also reference the sendmail(8) man page ...

These breadcrumbs (implicitly and explicitly) eventually also lead to looking at the Sendmail README ...

This has been the case for over a year every single time I've looked at web-cgi and on multiple iterations of base ...
... and I've been trying very hard to exhaust myself there before coming here.

Suffice to say this is not optimum.

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/smtpd/makemap.8

- smtpd's db maps are incompatible with sendmail's and needs a distinct makemap utility, this is needed for virtual users support amongst other things. links to smtpd's aliases.c and only provides a frontent to parse map descriptions. contains code from pyr@, chl@ and I. Should have also been imported with smtpd.

Etcetera.

I feel ill.

It's somewhat obvious when you do the math between /etc/mailwrapper and /usr/share/man but not obvious enough apparently ...

On 10/10/2011, Gilles Chehade wrote:
> This behavior is not specific to OpenSMTPD, at least Postfix ...

That came as quite a surprise.

So I go read this ...
http://www.postfix.org/virtual.5.html

... and it's quite different from the OpenBSD man pages ... obviously ...
... but it answers a lot of questions ...
... such as why users who are probably much smarter than me (such as Henri) struggle to get this going ...
... and more importantly are apparently asking the wrong questions ...

If that's reminiscent of iRobot (Arthur C. Clarke) ... that's exactly how it feels. Asking the wrong questions ...

Is this known (AKA are developers installing from source and not seeing this)?

Should this be "fixed" for some definition of fixed?

If so, what's a good course of action?
- outline it for me, and if I can do it I will, help me get rid of some of the disappointment.

If not, what can be done about users who read the man pages and have issues as a result?
- presumably at some point, Sendmail will no longer be in base, man pages will get rotated, this will cease to be an issue.

In the interim ...

I've apparently wasted a lot of time and enthusiasm on this ...
... but perhaps more importantly I've wasted opportunities to ask questions about what's really going on and instead I've been asking about things that are irrelevant ...
... the "real" makemap man page is somewhat cryptic to me and I need to be asking about that.

Best wishes.
Re: smtpd and virtuals
Hi Henri.

On 08/10/2011, Henri Kemppainen wrote:
> though the code I'm running is no
> longer current (5.0-BETA, to be precise

Sorry. I should have said version. I don't have the machine here at the moment but it's a 5.0 BETA from about a month ago.

> I hope Gilles can tell whether this is a documentation bug or code bug. Or
> maybe I just missed something obvious (such as a sufficiently recent
> snapshot) :-).

I was looking through the archives for this earlier and you've prompted me with some search terms:
http://marc.info/?l=openbsd-misc&m=127412833020023&w=2

I had an issue with aliases a few months back and had a workaround that used domain names:
http://marc.info/?l=openbsd-misc&m=130506171602880&w=2

I thought I might get by and avoid the virtual map but smtpd won't allow relay with aliases. :]

I think there was another misc@ thread a month or so ago about this but I can't see it.

Best wishes.
smtpd and virtuals
Hi.

inet <-> hosting.com <-> mail.hosting.com

smtpd.conf ...

listen on ext
map "virtuals" { source plain "/etc/mail/virtuals.plain" }
accept from all for virtual virtuals relay

virtuals.plain ...

postmas...@hosted.com somewh...@gmail.com

I can send mail from external to local accounts on the box (and alias them) by various methods - using the ISP provided PTR name and explicitly accepting mail for that "domain", changing the hostname of the box, fiddling with DNS, so on.

I can send mail from the box to external addresses (including the gmail address) if I add the appropriate rule and so on.

So ... I think routing/filtering is fine - mail comes in and mail goes out.

Also, the mail machine is resolving (doing lookups) okay - I can do "host" commands from there.

If I send mail to the virtual domain I get "bounces" back to the originating server - recipient rejected.

If I check the default log (/var/log/maillog) on the mail machine I see the mail is getting that far and the same error is there - recipient rejected.

Sample from my ISP mail server:

Final-Recipient: rfc822;postmas...@hosted.com
Action: failed
Status: 5.0.0 (permanent failure)
Remote-MTA: dns; [w.x.y.z]
Diagnostic-Code: smtp; 5.1.0 - Unknown address error 530-'5.0.0 Recipient rejected: postmas...@hosted.com' (delivery attempts: 0)

That's a good facsimile of what's in the log on the mail machine and all the domain names and IP addresses are correct.

I've checked smtpctl show (run)queue and they're empty.

It seems that DNS records for both domains (the hosted and the hosting) are fine as mail sent to the hosted domain makes it to the hosting machine (AKA - it hits the logs).

One thing that concerns me is PTR resource records. I'm working through that at the moment but it's fair to say if I can send mail from that machine to the gmail address that's "good enough" for now right?

Before I go and set up smtpd logging next week, does this look in the ballpark?

I've spent a couple of days on this over the last month - walking to the shop and fiddling with the servers and walking home and sending email ... Every time I say "start logging smtpd" I say "it should work ... let me try this first" and the walking back and forth begins.

If it's not an obvious error I will be more rigorous.

Best wishes.
Re: smtpd.conf - network
Hi Gilles. On 03/10/2011, Gilles Chehade wrote: > Hi, > > Will commit it tomorrow evening when I'm home, > thansk ! Thanks, except it was lame ... ... made from the specified network specified in CIDR notation. . ^^ ^ . Number two ... --- smtpd.conf.5Mon Oct 3 16:30:08 2011 +++ diffs/smtpd.conf.5 Mon Oct 3 17:45:06 2011 @@ -217,8 +217,10 @@ The rule matches only locally originating connections. This is the default, and may be omitted. .It Ic from Ar network -The rule matches if the connection is made from the specified -.Ar network . +The rule matches if the connection is made from +.Ar network , +written in CIDR notation. +Additional netblocks may be defined, separated by whitespace. .El .Pp Next comes the selection based on the domain the message is sent to: Hopefully I understood this correctly: > accept from 192.168.0.0/16 [...] > Gilles Best wishes. > On Mon, Oct 03, 2011 at 06:31:13AM +1030, David Walker wrote: >> >> As always ... thanks. >> >> My first ever diff ... >> ... which was done manually ... >> ... involving cvsweb, a Windows machine, a USB stick, etcetera. >> If it's useless sorry for wasting your time. >> I'll go read cvs(1) sometime. >> >> --- smtpd.conf.5 Mon Oct 3 16:30:08 2011 >> +++ diffs/smtpd.conf.5 Mon Oct 3 05:55:06 2011 >> @@ -218,7 +218,8 @@ This is the default, >> and may be omitted. >> .It Ic from Ar network >> The rule matches if the connection is made from the specified >> -.Ar network . >> +.Ar network >> +specified in CIDR notation. >> .El >> .Pp >> Next comes the selection based on the domain the message is sent to: >> >> > >> > Gilles >> >> Best wishes. >> >> > -- >> > Gilles Chehade >> > >> > http://www.poolp.org/ http://u.poolp.org/~gilles/ >> > > -- > Gilles Chehade > > http://www.poolp.org/ http://u.poolp.org/~gilles/
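Review bot: in the "Number two" hunk, the added line "Additional netblocks may be defined, separated by whitespace." documents behaviour that nothing quoted in this thread confirms: the reply it is based on shows only a single `accept from 192.168.0.0/16 [...]`, and the covering text itself says "Hopefully I understood this correctly". Either verify against the smtpd.conf parser that one `from` clause accepts several networks (and show the accepted form in the .Ar line) or leave that sentence out; the first three lines of the hunk stand on their own.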
Re: smtpd.conf - network
Hi Gilles. On 01/10/2011, Gilles Chehade wrote: > Hi, > > The format for network is as follow: > > accept from 192.168.0.0/16 [...] As always ... thanks. My first ever diff ... ... which was done manually ... ... involving cvsweb, a Windows machine, a USB stick, etcetera. If it's useless sorry for wasting your time. I'll go read cvs(1) sometime. --- smtpd.conf.5Mon Oct 3 16:30:08 2011 +++ diffs/smtpd.conf.5 Mon Oct 3 05:55:06 2011 @@ -218,7 +218,8 @@ This is the default, and may be omitted. .It Ic from Ar network The rule matches if the connection is made from the specified -.Ar network . +.Ar network +specified in CIDR notation. .El .Pp Next comes the selection based on the domain the message is sent to: > > Gilles Best wishes. > -- > Gilles Chehade > > http://www.poolp.org/ http://u.poolp.org/~gilles/
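Review bot: in the @@ -218,7 +218,8 @@ hunk the added line "+specified in CIDR notation." follows the unchanged context line "The rule matches if the connection is made from the specified", so the rendered sentence reads "made from the specified network specified in CIDR notation". Either turn that context line into a -/+ pair that drops "the specified", or reword the addition so the word is not repeated.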
smtpd.conf - network
Hi. In smtpd.conf(5) ... accept | reject from network The rule matches if the connection is made from the specified network. What is the format for network? From /etc/networks? From DNS? Other? Best wishes.
Re: no home no shell accounts
Hi Stefan. On 28/09/2011, Stefan Johnson wrote: > Please disregard my last... gmail sent the email before I was finished > composing it. I figured as much. > Using false for your shell is okay for ftp. It is not for ssh/sftp. I kind of expect that SSH (the shell) either passes commands directly to the sftp-server or the sftp-server is enough of a shell to take over (in the same way that ftpd has enough vocabulary) ... In that sense it wouldn't seem useful to have another shell in play. I'm not saying you're wrong but unless I get something definitive (e.g. a man page) I'll test it anyway. > Match User sftpuser >X11Forwarding no >AllowTcpForwarding no >ForceCommand internal-sftp >ChrootDirectory /home/sftpuser > > Where the user is named sftpuser and the home directory for the user is > /home/sftpuser. Yeah I got that bit worked out and I've got the forwarding commands globally. >> >> Hope this helped. > Stefan Johnson > Absolutely. Best wishes.
no home no shell accounts
Hi. I have some accounts that don't require home directories or shells. In the past I used ftpd for web uploading and would do the shell==false thing and chroot them and set the login directory via the passwd file. Bye bye ftpd, hello sshd. So I'm looking at this again, using the sshd's internal sftp and chroot directives on a per user basis. For now I'm looking at using password authentication. Here's the nervous administrator talking but is this correct ... If these users connect via ssh, sshd will authenticate them via their password entry and once that's achieved, the "home" directory will be according to sshd_config and the "shell" will be whatever interface sftp provides. In other words, for that purpose the home and shell directives in master.passwd will never come into play. If that is correct, should I care about what the entries are in master.passwd? Is blank okay? Presumably I could set up shell==false but is a blank entry as good here? I notice that there are a couple of items in master.passwd that seem to fit the bill for this - UID 32767 ("nobody") has directory set to /nonexistent and it and many others have shell set to /sbin/nologin ... I think I get the purpose of nologin and it can be used to disable accounts as needed. If users are connecting via sshd for sftp purposes only will setting /sbin/nologin or any other shell affect them at all? Is nonexistent a key word? I've been stumbling through source but I'm very out of my depth. Is it merely a good English word that points to any non-existent directory? A hundred other questions ... TIA Best wishes.
Re: Security over wireless.
Hey. On 21/09/2011, Rod Whitworth wrote: > It need not be spoofed. > If you use authpf whilst you are on a LAN that is NATted (very common) > everyone on that LAN will be able to access your remote host. Nice one. On 21/09/2011, ropers wrote: > The way I understood David's concern (please correct me if wrong) was > that he was simply mindful of the security limitations of using *only* > authpf (and not then also an ipsec tunnel as you're suggesting). It is > true (or at least it's my understanding) that for some purposes, > sometimes people use only authpf. In such a scenario, David's concerns > might be justified ... Exactly. I assume authpf accomplishes what is described in the man page - no more no less ... It loads rules to PF on a per-session basis for a user that authenticates via SSH and SSH takes no further part in the transaction other than to signal termination of the session ... There's no implicit authentication (or encryption) on any other session traffic. Spoofing or tailgating is probable (thank you Peter). Protecting other traffic in that session is up to the user and requires other mechanisms (IPsec). A couple of posters seemed ... conflicted about that. > > Well, unless I'm completely confused too. > > regards, > --ropers > For the purposes of that other discussion ... ... exeunt == exit ... Best wishes.
Re: Starting popa3d ...
Hey. On 14/09/2011, samt wrote: > Not all binaries that can be run as services have rc.d(8) control > scripts. I moved past that quickly. From the 4.9 release announcement: - New rc.d(8) for starting, stopping and reconfiguring package daemons: o Only a handful of packages have migrated for now. http://marc.info/?l=openbsd-misc&m=130425995218202&w=2 It's to be expected migrating packages takes time and migrating base takes time. Considering that rc and company have been in release for some time ... ... and it is documented (for the most part) that base services are controlled by rc ... ... and they have concomitant flags in rc.conf ... ... and in my experience every base service behaves this way ... ... perhaps the absence of popa3d is an oversight and worth reporting. That may be known and there is nothing to see here. I fully expect it may be a case of only the usual suspects are in rc and rc.conf but I don't know. > I'm not sure what the process is, but if you post an rc.d(8) popa3d > control script suggestion > then at least it will be in the mail archives and if found 'acceptable' > might be included in future > releases. I read rc.d and rc.subr and then I copied smtpd and changed the names. :] Nevertheless, there you have it, that's what I did. > As the popa3d(8) manpage suggests, you have two options for running popa3d: > >* directly, benefit of lower overhead (useful for busy servers) or >* through inetd(8) > > Many people use popa3d (which I guess means that many of us do not have > a resource issue) > running it that way. If your use case requires running it directly then > you now need > to launch it at host startup (as you've documented in your OP) I don't have a requirement either way. The OpenBSD www site is offline at the moment but the man pages essentially say ... Essentially, inetd allows running one daemon to invoke several others, reducing load on the system. http://www.freebsd.org/cgi/man.cgi?query=inetd Standalone server mode. 
This has lower overhead than starting popa3d from an inetd equivalent ... and is thus useful on busy servers to reduce load. http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/popa3d/popa3d/popa3d.8?rev=1.5;content-type=text%2Fplain My understanding is that inetd mode reduces load in the sense of less memory footprint (not all services run all the time but as needed) and standalone mode reduces load in the sense of less work done by disk and probably a few other items. I have plenty of room to manoeuvre here. Rooms full of hardware and very few network services. When I have the choice of not running inetd and simplifying things (albeit perhaps trivially) I'm happier to avoid it. Standalone server mode. In this mode popa3d also does quite a few checks to significantly reduce the impact of connection flood attacks. http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/popa3d/popa3d/popa3d.8?rev=1.5;content-type=text%2Fplain As I understand the only other pertinent issue is using tcpd but I haven't gone to the bottom of that. However if that is relevant and indeed anything less than heartache (how do I implement hostname control when my clients might be using connections that don't care for reverse lookups) I'm all ears but at some point is that any more pertinent than any other concerns (weakness in inetd, weakness in tcpd, strength in less running services, strength in less administration, etcetera). As I said I've skipped over that, so ... Do wrappers (maybe that's not the correct term) apply here? Is that tcpd? If so how much of the feature set in the tcpd man page do you take advantage of? How useful are they? Are there any gotchas? What's the performance trade off for client access time? Etcetera. > As rc.d(8) evolves we'll hopefully find more (?) control scripts placed > into /etc/rc.d, > likewise hopefully more ports evolve to using said scripts. > > > Good luck, > Thank you. > > Sam T. > Best wishes.
Starting popa3d ...
Hi. uname -rsv OpenBSD 5.0 GENERIC#39 I'm gearing up to use popa3d and testing it on a machine. I tried the following in rc.conf.local (where V is version number and exeunt) ... popa3d_flags="-D" popa3d_flags="-V" popa3d_flags="-D -V" ... and it does not start. Even though I see this in RC.D(8) ... Services comprising OpenBSD base are started by rc(8). ... and this in RC.CONF(8) ... This file contains a series of Bourne-shell syntax assignments that are used to configure the system daemons. ... and these in RC(8) .. rc is the command script that is invoked by init(8) when the system starts up. It performs system housekeeping chores and starts up system daemons. Normal- ly, rc.local contains commands and daemons that are not part of the stock installation. A quick (quick) grep of rc (and rc.conf) shows that while other services in base are there popa3d is absent in both. Is this an oversight for popa3d (and perhaps others) that aren't included in rc but are in base? Is this intended by the use of "Normally" in rc(8) and do those other man pages warrant re-wording? So I added popa3d to rc.local and that works although I'm not sure if the intended method is to merely pop the command in there ... popa3d -D ... bypassing rc.conf.local flags or some other method. Doing this I get no feedback on whether or not popa3d has started other than looking at ps -x ... It doesn't seem to matter whether or not I have a popa3d file in rc.d ... This doesn't seem to be the intent of rc.d(8). If I mv some of the other files related to rc services in rc.d (notably ntpd and smtpd) I get an error message at boot when I try to start those services. Has popa3d or rc.local slipped through the cracks? I added popa3d to pkg_scripts= in rc.conf and that appears to function as intended (rc.conf.local flags obeyed and requires file in rc.d). Best wishes.
Re: Security over wireless.
Hi Stuart. Stuart Henderson > iked doesn't handle retransmitting dropped ike packets yet, so it's not a > great choice for wireless. isakmpd should be fine though. I read through ISAKMPD and IKED and noticed this: iked is not yet finished and is missing some important security features. It should not yet be used in production networks. I might try and get IPsec up first anyway and stop being so ambitious. > - if you will be communicating with other machines in the same subnet, > they will send return traffic directly rather than via the router, > i.e. unencrypted and will not update PF state (so tcp sessions > will break after a short time). you can either setup bypass flows > in ipsec.conf, use different subnets, maybe other options. It will be gateway to gateway so I'll avoid that. Fortunately I'm the only Wireless client. Thanks for the examples. When I get stuck later on I'll re-read your mail. :] Best wishes.
Re: Security over wireless.
Hi Marian. On 10/09/2011, Marian Hettwer wrote: > I'd say SSH tunnels are still in. Cool. > No. IP spoofing won't help them script kiddy at all. > To successfully authenticate via authpf, you need a valid ip address for > responses. > With a fake source ip, the script kiddy won't even get a full tcp > handshake ready... This goes to my understanding of how authpf works. Could you clarify which one of these applies? log in via SSH to initiate authpf ... loads a ruleset for that IP address ... from then on normal IP from that address occurs according to the loaded ruleset (e.g. to any port 80 from that address). In other words other ports are opened at the interface and the only access control is the continuation of the SSH session (happening concomitantly on another port). This would allow spoofing to occur. This is how I interpret the FAQ and the man page (specifically the warning in BUGS). OR log in via SSH to initiate authpf ... loads a ruleset for that IP address ... from then on all traffic from that IP address includes some SSH data that authenticates *each* packet as being from that IP address. This would prevent spoofing. OR log in via SSH to initiate authpf ... loads a ruleset for that IP address ... from then on all traffic is passed through SSH and demuxed internally at the gateway. This would prevent spoofing and a bunch of other stuff. > Use SSH and/or IPSEC. I'm starting to think an ESP IPsec tunnel is the way to go. Best wishes.
Re: Security over wireless.
I have some idea IPsec might be useful so I do a search and this comes up (first cab off the rank) ... http://www.symantec.com/connect/articles/zero-ipsec-4-minutes ... it's specifically about OpenBSD and it looks pretty easy. So I go to the ipsec(4) man page and see this ... If we apply ESP in tunnel mode to the original packet, we would get: [IP header] [ESP header] [IP header] [TCP header] [data...] Again, everything after the ESP header is cryptographically protected. Notice the insertion of an IP header between the ESP and TCP header. This mode of operation allows us to hide who the true source and destination addresses of a packet are (since the protected and the unprotected IP headers don't have to be exactly the same). A typical application of this is in Virtual Private Networks (or VPNs), where two firewalls use IPsec to secure the traffic of all the hosts behind them. For example: Net A <> Firewall 1 <--- Internet ---> Firewall 2 <> Net B Firewall 1 and Firewall 2 can protect all communications between Net A and Net B by using IPsec in tunnel mode, as illustrated above. ... which seems to fit the bill if I substitute "Wireless" for "Internet" in the diagram. I should use IKED or ISAKMPD to avoid replay protection. Is that sensible? Best wishes.
Re: Security over wireless.
Nick Holland > define "security" :) Ouch. I like Bruce Schneier's cynicism ... As long as I feel secure right? Encryption to some standard (yet to be determined). At a minimum packet contents but headers would be great. I'm a fair bit out of my depth but if I can encapsulate endpoint IP addresses and everything after them I'd be pretty happy. I'm guessing that TLS is out and that IPsec might be in on that criteria. Is SSH out there too? > Your risks with wireless: > * Unauthorized use to access Internet > -> use AuthPF so that you have to ssh authenticate to use the > gateway. Yep. Too good to be true but it won't stop a persistent script kiddie from spoofing though right? > * Unauthorized use of local resources > -> Use strong authentication for anything internal Yep. No SSH server until I sit down and read the docs. > * Packet sniffing > -> use encrypted communications for all you can, and everything > important. SSH tunnels are your friend I'd like to encrypt everything. Thanks for the search term. :] > * Uncontrolled access to network > -> authenticate everything. Here's where the flags go up for authpf right? If I'm right the authentication is on the initial connection and everything subsequent is based on the associated IP address (or with noip the userid) which won't prevent a MITM from hijacking that IP and certainly won't prevent them from reading my packets. Is that right? > Basic trick for safer wireless is to assume your wireless devices and > all devices that are accessible via wireless are raw on the Internet. > As all your listed devices are OpenBSD, this is entirely possible. I guess that works both ways. I'm quite concerned about the youngsters down my street with too much time on their hands and not so much with some guy from the intarwebs using my wireless to attack them ... I'd like to see that. :] Best wishes.
Re: Security over wireless.
Thank you Thomas. On 09/09/2011, Tomas Bodzar wrote: > http://www.openbsd.org/faq/pf/authpf.html At first glance that looks really cool (well it still looks cool) but I'm not sure it's what I'm after. As far as I can tell the authentication is secure and ties a ruleset to an IP but from then on the usual suspects apply (eavesdropping, spoofing). I see this on the man page: BUGS The authenticating ssh(1) connection may be secured, but if the network is not secured the user may expose insecure protocols to attackers on the same network, or enable other attackers on the network to pretend to be the user by spoofing their IP address. I'll be doing everything here http, etcetera. Am I reading this right? I do see an authpf-noip section in the man page but it seems that as far as encryption goes that is up to other mechanisms also. Is that right? > or you can slightly modify this one which is quite old, but not so > much changed in fact > http://www.openbsd-support.com/jp/en/htm/mgp/pacsec05/index.html Cheers. I read about halfway and it seems focussed on securing from Windows clients onward. While I do have some Windows machines I'd rather crunch my data from the OpenBSD machines. Best wishes.
Security over wireless.
Hi. I'm using some old gear that doesn't support WPA or better (WEP only). Until I get around to that what are my options security wise? Here's the machines: inet <-> OpenBSD <-> CPE AP <-> USB <-> OpenBSD <-> desktops The AP is some Cisco or something. Like those WRT54s and whatnot. I notice it has options for L2TP pass through and maybe IPSEC and PPTP. I'm not really sure how they work that (no man pages of course). The USB stick is old and WEP only (Netgear MA111). I have control over all the machines. It's a bit dual purpose - it's my route to the internet so I figure encrypting/decrypting at the OpenBSD machines or tunneling between them or something is probably good but the plan is also to access the immediate inet OpenBSD machine from the desktop end OpenBSD machine via SSH at some point but I'm not sure if that matters. I'm unfamiliar with all of that (yes even SSH). I'd like to use something that's in base at a minimum. If it's conceptually simple that's a bonus. Best wishes.
Re: Netgear WG111.
On 08/09/2011, Jonathan Gray wrote: > This is not a urtw device (which is 0x6a00) but rather an old > style fullmac prism device which we don't support. We > support the newer softmac usb prism (upgt) and the older 802.11 > prism (wi@usb) but not that particular device. Thank you Jonathan. Best wishes.
Re: Netgear WG111.
Hi Thomas. Sorry for the delay. On 21/08/2011, Tomas Bodzar wrote: > Hi, > > post output of 'usbdevs -v' command. Controller /dev/usb0: addr 1: full speed, self powered, config 1, UHCI root hub(0x), Intel(0x8086), rev 1.00 port 1 addr 2: full speed, power 500 mA, config 1, NETGEAR WG111(0x4240), GlobespanVirata(0x0846), rev 10.20, iSerialNumber 3887- port 2 addr 3: full speed, self powered, config 1, Generic USB Hub(0x9254), ALCOR(0x058f), rev 3.12 port 1 powered port 2 addr 4: low speed, power 100 mA, config 1, Microsoft Basic Optical Mouse v2.0(0x00cb), Microsoft(0x045e), rev 1.99 port 3 powered port 4 addr 5: low speed, power 100 mA, config 1, USB Keyboard(0x00f2), NOVATEK(0x0603), rev 1.12 > Install usbutil package as well > and post output of 'usbctl -a 2 -f /dev/usb0' DEVICE addr 2 DEVICE descriptor: bLength=18 bDescriptorType=device(1) bcdUSB=2.00 bDeviceClass=0 bDeviceSubClass=0 bDeviceProtocol=0 bMaxPacketSize=64 idVendor=0x0846 idProduct=0x4240 bcdDevice=1020 iManufacturer=1(GlobespanVirata) iProduct=2(NETGEAR WG111) iSerialNumber=3(3887-) bNumConfigurations=1 CONFIGURATION descriptor 0: bLength=9 bDescriptorType=config(2) wTotalLength=53 bNumInterface=1 bConfigurationValue=1 iConfiguration=0() bmAttributes=80 bMaxPower=500 mA INTERFACE descriptor 0: bLength=9 bDescriptorType=interface(4) bInterfaceNumber=0 bAlternateSetting=0 bNumEndpoints=5 bInterfaceClass=255 bInterfaceSubClass=255 bInterfaceProtocol=255 iInterface=0() ENDPOINT descriptor: bLength=7 bDescriptorType=endpoint(5) bEndpointAddress=1-in bmAttributes=bulk wMaxPacketSize=64 bInterval=0 ENDPOINT descriptor: bLength=7 bDescriptorType=endpoint(5) bEndpointAddress=1-out bmAttributes=bulk wMaxPacketSize=64 bInterval=0 ENDPOINT descriptor: bLength=7 bDescriptorType=endpoint(5) bEndpointAddress=2-in bmAttributes=bulk wMaxPacketSize=64 bInterval=0 ENDPOINT descriptor: bLength=7 bDescriptorType=endpoint(5) bEndpointAddress=2-out bmAttributes=bulk wMaxPacketSize=64 bInterval=0 ENDPOINT descriptor: 
bLength=7 bDescriptorType=endpoint(5) bEndpointAddress=3-in bmAttributes=interrupt wMaxPacketSize=64 bInterval=1 current configuration 1 -- I noticed this: MASTER_SITES= ftp://ftp.augustsson.net/pub/netbsd/ http://www.openbsd.org/cgi-bin/cvsweb/ports/sysutils/usbutil/Makefile?rev=1.19;content-type=text%2Fplain AFAICT, there's nothing useful there. I see this: http://www.freshports.org/sysutils/usbutil/ Best wishes.
Netgear WG111.
Hey kids. I'm running a snapshot from a week or so ago: OpenBSD 5.0 GENERIC#39 I have a Netgear WG111 v2 USB wifi adapter that might be supported according to urtw(4) but only gets ugen status. I haven't used this thing for a long time and can't remember previous status. Is there any procedure I need to do or should I assume it's unsupported? Best wishes.
Re: inetd_flags in rc.conf
Hi Kevin. Kevin Chadwick > Why turn it off, Just hash everything in inetd.conf and your nmap > fingerprint will be lower than without inetd running. I used to hash the file back in the day until it became clear I was never using it. The few machines I run serve very few services and I'm happy for them to be running 24x7 - although I'm in an opposite situation this still seems apposite ... FTPD(8): This has lower overhead than starting ftpd from inetd(8) and is thus useful on busy servers to reduce load. POPA3D(8): This has lower overhead than starting popa3d from inetd(8) and is thus useful on busy servers to reduce load. In this mode popa3d also does quite a few checks to significantly reduce the impact of connection flood attacks. ... and so on. Yes, I also see this: INETD(8): Essentially, inetd allows running one daemon to invoke several others, reducing load on the system. In my situation after many releases of hashing inetd.conf I decided to stop playing Chinese whispers. As far as nmap goes, sure, but I don't care about port scans. As a matter of principle I think knowledge of running services should never be an issue. If there's a failure there, it's either a flaw in the software which I'd like to know about, or I've made an administration error. Right? Frankly I'm happy to have people trying to break into these machines, if only there was more of it ... If I needed to do something a little more critical I would re-think my service choices and probably still not care about port scans. As it stands though I'm okay for these machines to be cracked wide open and be off the air for a day or so if I can help squash a bug or learn something. The only associated issue that concerns me at all there is DoS and I think other methods are more appropriate there (such as picking up the phone). The only thing I can think of off the top of my head is port scanning and getting meaningful results through inetd is slower right? 
If you could provide some reading material on that I'd probably read it. Best wishes.
inetd_flags in rc.conf
Hey folks. I installed a snapshot from a day or so ago: OpenBSD 5.0 GENERIC#39 So things change but this doesn't seem to work any more for inetd ... http://www.openbsd.org/cgi-bin/cvsweb/src/etc/rc.conf.diff?r1=1.141;r2=1.142 This doesn't look right: # set these to "NO" to turn them off. otherwise, they're used as flags inetd_flags="" # for normal use: "" inetd is definitely running on this machine with that flag set NO. Sad to say I don't understand the new rc.conf well enough to figure this out on my own. I'm sure I could add inetd_flags=NO to my rc.conf.local and everything would work ... Yep that works. BTW, maybe it could be: # Set these to "NO" to turn them off. Otherwise they're used as flags. Best wishes.
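Both the inetd_flags="" surprise in this message and the popa3d_flags experiment in "Starting popa3d ..." above come down to the same rule: rc.conf is Bourne-shell syntax, rc.conf.local is read after it and overrides it, and a base daemon is treated as disabled only when its *_flags variable is the literal string NO. The script below is an added example, not code from the thread; the function names `effective_flags` and `daemon_enabled` are mine, and the two files it builds are constructed stand-ins for rc.conf and rc.conf.local.

```shell
#!/bin/sh
# Added example: reproduce how rc(8) reads the *_flags variables.
# rc.conf(8) says the file is a series of Bourne-shell assignments, so we
# evaluate the files the same way rc does: rc.conf first, rc.conf.local
# second (later assignments win). "NO" disables a daemon; "" means "start
# it with no extra flags", which is why inetd_flags="" leaves inetd running.

# effective_flags NAME RC_CONF [RC_CONF_LOCAL]
#   Print the value NAME_flags has after both files are read. The files are
#   sourced in a subshell so their assignments do not leak into our shell.
effective_flags() {
    name=$1 conf=$2 local_conf=$3
    (
        . "$conf"
        if [ -n "$local_conf" ] && [ -r "$local_conf" ]; then
            . "$local_conf"
        fi
        eval "printf '%s' \"\${${name}_flags}\""
    )
}

# daemon_enabled NAME RC_CONF [RC_CONF_LOCAL]
#   Exit status 0 unless the effective flags are exactly "NO".
#   Caveat from the popa3d thread: this only says what the variable holds;
#   a daemon rc(8) never references (popa3d in 5.0) is not started no matter
#   what its _flags variable says, so an unset variable here is "enabled"
#   only for daemons rc actually knows about.
daemon_enabled() {
    [ "$(effective_flags "$@")" != NO ]
}

# Constructed sample files (not the real /etc files) mirroring the thread:
# rc.conf ships inetd on (empty flags) and smtpd off; rc.conf.local turns
# inetd off and smtpd on, which is the fix the message above arrived at.
rc_dir=$(mktemp -d)
cat > "$rc_dir/rc.conf" <<'EOF'
# set these to "NO" to turn them off. otherwise, they're used as flags
inetd_flags=""        # for normal use: ""
smtpd_flags=NO        # for normal use: ""
EOF
cat > "$rc_dir/rc.conf.local" <<'EOF'
inetd_flags=NO
smtpd_flags=""
popa3d_flags="-D"     # set, but rc(8) in 5.0 never looks at it
EOF

# Stand-alone use: print the effective state of each daemon.
if [ $# -eq 0 ]; then
    for d in inetd smtpd popa3d; do
        if daemon_enabled $d "$rc_dir/rc.conf" "$rc_dir/rc.conf.local"; then
            echo "$d: enabled, flags='$(effective_flags $d "$rc_dir/rc.conf" "$rc_dir/rc.conf.local")'"
        else
            echo "$d: disabled"
        fi
    done
fi
```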
Re: fat32 interoperability issue
Daniel Gracia wrote: This is more accurate than the thread title: > fat32 stack on OBSD would allow to create illegal file entries for > Micro$oft machines, like: The naming of special devices is abstracted a little higher in the food chain: http://msdn.microsoft.com/en-us/library/aa365247.aspx#namespaces > Is this on purpose, or do you feel like applying a patch to throw an > error on these cases? Even if that was desirable how far do you go ... Read also? Rename? Remove? How would people examine Windows special device name issues under OpenBSD ... Extend it to any other naming issues that may arise when mounted under another operating system ... Disregarding any patent issues vis-a-vis FAT32 there's no reason not to use it and leave Windows out of the equation altogether, e.g. I want to make a file called prn on a FAT32 partition under OpenBSD ... Best wishes.
Re: NTP driftness oddity
FRLinux wrote: > NTP is slowly drifting back the time to normal but I am > wondering if anyone has seen this. From adjtime(2): "The skew used to perform the correction is generally a fraction of one percent." Every adjustment brings the local clock closer to the desired time - the immediately subsequent delta (difference) becomes concomitantly smaller and the next adjustment (the fraction of one percent of the remaining difference) is ... therefore smaller. Surely this is not an oddity though but very much desired - the jumps should be as small as possible to keep time dependent functions happy, logs readable, etcetera. So the resultant smaller difference after the 321s adjustment is taken advantage of as soon as possible - at the very next jump - using a value of 320s ... That's how I read it and it fits with what would seem to be a reasonable goal. http://marc.info/?l=openbsd-misc&m=121638309016429&w=2 Best wishes.
Re: OpenSMTPD and aliases.
Gilles Chehade wrote: > Care to do some testing now that envelope expansion code has been > updated ? Hi Gilles, I've used the snapshot from 20th May: 4.9 GENERIC#76 i386 Everything looks great. A simple smtpd.conf: listen on if0 map "aliases" { source plain "/etc/mail/aliases" } accept from all for my.domain alias aliases deliver to mbox Aliases file: test:root Mail to test@my.domain and root@my.domain work. Mail to before@ and after@ also work and end up in root's mbox: before:postmaster postmaster:root after:postmaster The logs look great. I have a web server with a few clients ... and no SLA ... I'll update that soon and use them as lab rats. :] Thank you. > Gilles Best wishes.
Re: i386 snapshots and index.txt
David Walker wrote: > snapshots The important bits of that have already been asked and answered on misc@ ... http://marc.info/?l=openbsd-misc&m=128720598526842&w=2 Best wishes.
i386 snapshots and index.txt
Hello. I'm looking to get a snapshot (i386) post 17th May and I've been looking for a couple of days now. I have minimal experience using snapshots and I have a few questions. First, I've searched the FAQ and notice these: "The snapshots available on the FTP mirrors are generated daily ..." "Some platforms have snapshots built on an almost daily basis, others will be much less frequent." "On fast platforms, several snapshots may be released in one day." "Remember, on some platforms, it may be DAYS before the snapshot build is completed and put out for distribution." I've checked all architectures and there are no snapshots later than the 17th. Does the information in the FAQ vis-a-vis snapshot regularity "depends" on various other factors (amount of development, amount of alcohol, whatever) and should I expect this? Is there a "usual" time frame for an i386 snapshot? Second, all architectures have an index.txt file which appears to be the immediately previous (time wise) directory listing - I notice that all architectures are rolling this over on what appears to be a daily schedule. So even though some architectures contain files from a week or more ago they have an index.txt file from the 19th which contains as one of the entries a listing for the index.txt from the previous day. Can I use this other than seeing the directory listing for the previous snapshot? I guess wildly it's some automatic feature that I can safely forget about ... Use your cluestick if you like. Best wishes.
Re: OpenSMTPD and aliases.
On 18/05/2011, Gilles Chehade wrote: > Hi, > > Care to do some testing now that envelope expansion code has been > updated ? > > Gilles Try and stop me. :] I'm looking now at CVS now - bugfixing, authentication, envelopes, "in the process lots of code got simplified" ... I don't grok the code ... but the commit messages are great. :] I'll do a snapshot. Thank you. Best wishes.
Re: OpenSMTPD and aliases.
Hi Gilles. On 11/05/2011, Gilles Chehade wrote: > I got a bad and a good news though. > > The bad news is that smtpd's aliases have been broken for a long time. > > The good news ... well, I've rewritten aliases support recently. Thanks. While somebody capable is working on smtpd in some way I'm pretty happy about that. > I'll look at your issue to try to understand it but I'm not sure it's even > worth > trying to fix the broken aliases knowing they will be gone in a few days. Absolutely. Don't even consider it and get back to your real work. :] Best wishes.
OpenSMTPD and aliases.
Bonjour. I installed 4.9 today and found that aliasing doesn't work as per included sendmail files and so on but there's a workaround available from the archives that gets me where I want to be. So, notification (hi Gilles) of a continuing issue from 4.8 with a slightly different log entry and a nudge for anyone else that's struggling with aliases to local from outside.

For the speed readers:

This won't work in aliases ...

postmaster:root

This will work in aliases ...

postmaster:root@your.domain

In the first instance, mail to postmaster@ won't get rejected and it won't get to root's account ... it will get caught in a local loop (reported in the logs) and get nowhere. In the second instance, mail to postmaster@ will get to root's account.

Problem: http://marc.info/?l=openbsd-misc&m=129656834314699&w=2
Workaround: http://marc.info/?l=openbsd-misc&m=129437721417326&w=2

cat smtpd.conf:

server="my.domain"
listen on lo0
listen on external_if
map "aliases_local" { source plain "/etc/mail/aliases_local" }
accept from all for domain $server alias aliases_local deliver to mbox
accept from local for all relay

cat aliases_local:

postmaster:root@my.domain

No cats were harmed. Caveat ... I'm getting my feet wet with mail on smtpd so if this is expected behaviour ... have a larf and some vino and let me know. Best wishes.
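The alias chains discussed in this post and in the 20th May follow-up (postmaster to root, before/after to postmaster, and the local loop case) are easy to reason about with a small expander. This is an added example written for this page, not OpenSMTPD's own code; the aliases text is constructed, and the local-versus-remote distinction it models is the one the workaround above relies on.

```python
"""Alias expansion with loop detection for the "plain" aliases format used
in this thread. Constructed example, not OpenSMTPD code: a target with an
'@' is treated as a remote address, a bare name as a local user."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed aliases file covering the cases from the thread plus a loop.
ALIASES_TEXT = """\
# comment lines and blank lines are ignored
postmaster: root
before: postmaster
after: postmaster
test: root
hostmaster: root@my.domain
loop1: loop2
loop2: loop1
"""


@dataclass(frozen=True)
class Recipient:
    user: str
    domain: Optional[str] = None   # None: deliver to a local mailbox

    @property
    def is_local(self) -> bool:
        return self.domain is None


class AliasLoop(Exception):
    """Raised when following the alias chain revisits a name."""


def parse_aliases(text: str) -> Dict[str, List[str]]:
    """Parse 'name: target[, target ...]' lines into a lookup table."""
    table: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, _, rhs = line.partition(":")
        targets = [t.strip() for t in rhs.split(",") if t.strip()]
        if targets:
            table[name.strip().lower()] = targets
    return table


def expand(table: Dict[str, List[str]], name: str,
           path: Tuple[str, ...] = ()) -> List[Recipient]:
    """Return the final recipients for `name`, following aliases.

    A target containing '@' is a remote address and is not expanded
    further. A bare name missing from the table is a local user.
    Revisiting a name on the current chain raises AliasLoop, the
    "local loop" the post describes."""
    key = name.strip().lower()
    if "@" in key:
        user, domain = key.split("@", 1)
        return [Recipient(user, domain)]
    if key in path:
        raise AliasLoop(" -> ".join(path + (key,)))
    if key not in table:
        return [Recipient(key)]
    found: List[Recipient] = []
    for target in table[key]:
        for rcpt in expand(table, target, path + (key,)):
            if rcpt not in found:          # keep order, drop duplicates
                found.append(rcpt)
    return found


def local_users(table: Dict[str, List[str]], name: str) -> List[str]:
    """Local mailboxes `name` ends up in (what a 'for local' rule sees)."""
    return [r.user for r in expand(table, name) if r.is_local]


def has_loop(table: Dict[str, List[str]], name: str) -> bool:
    """True if expanding `name` never terminates."""
    try:
        expand(table, name)
    except AliasLoop:
        return True
    return False


ALIAS_TABLE = parse_aliases(ALIASES_TEXT)

if __name__ == "__main__":
    for who in ("before", "after", "hostmaster", "loop1"):
        print(who, "->", "LOOP" if has_loop(ALIAS_TABLE, who)
              else expand(ALIAS_TABLE, who))
```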
Re: Keyboard bell and attach.
Jacob Meuser wrote: > On Thu, Jan 27, 2011 at 12:55:51AM +1030, David Walker wrote: >> I have a machine at work, beige box with 4.8 on it that doesn't like >> hotplugd. >> I thought it might be the issue with 16 USB devices failing attach so >> Any ideas welcome. > try -current Thanks Jacob. I finally got my gear together and installed a snapshot: OpenBSD 4.9 GENERIC#644 The KVM works fine. Also adding the bell to the attach script fixes that. I sent a dmesg also. Best wishes.
Re: is SHA256 file used or not ?
Howdy. Mihai Popescu wrote:

> So the process I thought about it's not true. Better to remove the
> SHA256 then, what purpose can it serve if it is not synchronised?

Some guy said ...

Do you not want it to be there for official releases? How about if I remove the code now. Then 10 minutes before we make a release, we put it back in, find out that it makes the media not fit or some other issue has showed up

http://marc.info/?l=openbsd-misc&m=128719219216740&w=2

> I still don't figure out why this checksum mismatch is ( on the same
> server, not among servers).

Some other guy said ...

> This file is provided for you to be able to check that you downloaded
> the files correctly. The installation media uses an internal source for
> the checksum information.

http://marc.info/?l=openbsd-misc&m=129701893809304&w=2

Yet another guy said ...

> and the mirroring process isn't atomic.

http://marc.info/?l=openbsd-misc&m=129702183711918&w=2

Some 'yahoo' said ...

> You can compare a SHA256 from various servers that you trust whilst
> getting the .iso from any mirror, bearing in mind that they aren't all
> in sync as the snapshots are released so often and even one server might
> have its SHA256 out of sync with its own .iso when you happen to
> come along.

http://marc.info/?l=openbsd-misc&m=129707462918858&w=2

So on and so forth. Best wishes.
Re: is SHA256 file used or not ?
Hello. Mihai Popescu wrote: > Hello > I'm installing ... from snapshots. > SHA256 invalid checksums ... > ... SHA256 from ftp.openbsd.org ... Some good search terms there. http://www.bing.com/search?q=site%3Aopenbsd.org+snapshot+install+sha256 http://www.bing.com/search?q=site%3Aopenbsd.org%2Ffaq+sha256 > Can someone please, make some light in this matter. Is this SHA256 > used anymore ? Maybe a FAQ entry will be useful. http://www.openbsd.org/faq/faq4.html 4.13.7 - I got an SHA256 mismatch during install! Checksums are embedded in the install kernels for the file sets that are used for the system install. Actual -release file sets should all match their stored checksums. At times, snapshots may not have proper checksums stored with the install kernels. This will happen for various reasons on the building side, and is not reason to panic for development snapshots. If you are concerned about this, wait for the next snapshot. > Thanks Kevin Chadwick wrote: > There was a thread recently about this ... Yup. http://marc.info/?t=12871766371&r=1&w=2 Best wishes.
Re: Security List
Howdy. Alessandro Baggi wrote:

> Hi List, i had registered me to the security list:
> security-annou...@openbsd.org since 9 January 2011, but any email come
> on my account. Some that had security list subscription, can tell me if
> since 09/01/2001 at today there are mails?

From http://www.openbsd.org/mail.html ...

Your membership to the OpenBSD mailing lists can also be managed via a web interface at: http://lists.openbsd.org/

... log in and read the archives or ...

Mailing List Archives: These mailing list archives are not managed by the OpenBSD project. Take the time to look at more than one -- each is a little different, and has different search abilities. If you don't find an answer in one, check another. List of Archives

http://www.openbsd.org/mail.html

Alessandro Baggi wrote:

> Ah ok. But the security list concerns the bugs only for OpenBSD Set, or
> also for ports?

security-announce Security announcements. This low volume list receives OpenBSD security advisories and pointers to security patches as they become available.

ports-security Security announcements for ports and packages. This low volume list receives OpenBSD security advisories concerning the ports tree and packages with more information about the vulnerabilities and patches.

http://www.openbsd.org/mail.html

Best wishes.
Re: smtpd.conf syntax.
Hi Gilles. I noticed something that might be unexpected, in the works, maybe worth documenting. Maybe all the old sendmail hands expect this. :]

If I have this ...

listen on external_if
map "aliases" { source plain "/etc/mail/aliases" }
accept from all for domain example.org alias aliases deliver to mbox

... and I use the default aliases file (with postmaster to root) and I send mail from outside to r...@example.org it is accepted and goes straight to root's mbox. No drama.

If, however, I send mail to postmas...@example.org it gets accepted by smtpd but never sent to the mbox with log entries such as (handtyped):

aliases_exist: 'postmaster' exists with 1 expansion nodes
aliases_get: returned 1 aliases
lka_resolve_node: node is local username: root

Etcetera. So the aliasing works great. However, the ultimate log entry is:

mta: new status for r...@example.org: 110 connect error: Operation timed out

The mail never gets to root's mbox and if I run smtpctl show queue I can see the messages in the queue.

If I add this ...

listen on lo0
accept from all for local deliver to mbox

... and resend another mail to postmaster it gets to root's mbox. So far aliasing is working but once the alias is resolved smtpd apparently considers the mail to be part of a new transaction that looks for a "for local" (with "from local" as a minimum) rule. Yep, I'm not a programmer. Best wishes.
Re: smtpd.conf syntax.
Hi Gilles. I've installed a snapshot from January 29 (first time ever - very painless):

uname -rvm
4.9 GENERIC#644 i386

An issue I had looks okay. That is ...

accept for domain example.org relay

... and the explicit ...

accept from local for domain example.org relay

... both now work. As far as smtpd -n go anyway.

The other issue I had has changed. Now neither of these work (with or without quotes):

accept from all deliver to maildir /var/mail/%d/%u
accept from all deliver to maildir "/var/mail/%d/%u"

Looking at the man page again there isn't a default "for" and perhaps this is why all of those fail now - there needs to be an explicit "for". Checking that, these work ...

accept for all deliver to maildir "/var/mail/%d/%u"
accept for local deliver to maildir "/var/mail/%d/%u"

... either explicitly mentioning "from all" or "from local" or omitting "from". In other words as long as I include a "for" it's all good and consistent with the man page.

As far as the quotation marks go ... This works:

accept for all deliver to maildir "/var/mail"

This doesn't work:

accept for all deliver to maildir /var/mail

All of those were checked with the only other uncommented line being:

listen on lo0

Best wishes.
Re: smtpd.conf syntax.
Hi Gilles. On 31/01/2011, Gilles Chehade wrote:

> On Mon, Jan 31, 2011 at 06:04:12PM +1030, David Walker wrote:
>
> bug, it is the default indeed but "from local" should work
>
> should work, if it doesn't it's a bug
>
> Will let you know when it's fixed
>
> Gilles Chehade

Thanks for looking at these. I've had some issues with aliases and virtuals (using "plain" format) - comparing with the sendmail documentation and the examples provided in the default /etc/mail maps. AFAIU there are known issues with maps on 4.8 but I'll make some time and document that stuff anyway. The pf syntax is very encouraging to someone who's never done mail before. Thanks for your cool work. Best wishes.
Re: smtpd.conf syntax.
I should have mentioned this is on 4.8 and of course it could be user error which wouldn't surprise me overly. Best wishes.
smtpd.conf syntax.
Howdy. I was setting up smtpd on a machine today and I noticed a couple of issues.

This does not work:

accept from local for domain example.com relay

This does:

accept for domain example.com relay

I realize "from local" is the default.

This does not work:

accept from all deliver to maildir /var/mail/%d/%u

This does:

accept from all deliver to maildir "/var/mail/%d/%u"

Apparently quotations should only be needed for whitespace. Bugs? Features? Documentation bugs? Best wishes.
Keyboard bell and attach.
I have a machine at work, beige box with 4.8 on it that doesn't like hotplugd. It's on a kvm. When it boots it uses the keyboard encoding from /etc/kbdtype but after switching the kvm and back it goes to default encoding - qwerty. This machine also has the keyboard bell muted but it beeps from boot. Anyway I installed 4.8 on another machine at home the other day and the same deal. It beeps from boot and although the encoding is fine initially after switching the kvm and back it goes to default encoding - qwerty. I thought it might be the issue with 16 USB devices failing attach so I've removed the kvm (plugging into a MOBO USB port) to no avail and the beep is an issue anyway.

Here is wsconsctl.conf grepped:

keyboard.bell.volume=0 # mute keyboard beep

Contents of kbdtype:

us.dvorak

Here is rc.conf.local grepped:

hotplugd_flags=""

Log of hotplugd at debug level - 12:46 is boot, 13:04 is unplug, 13:05 is plug:

Jan 27 12:46:12 server hotplugd[2262]: started
Jan 27 12:46:12 server hotplugd[2262]: uhub1 attached, class 0
Jan 27 12:46:12 server hotplugd[2262]: wskbd1 attached, class 5
Jan 27 12:46:12 server hotplugd[2262]: ukbd0 attached, class 0
Jan 27 12:46:12 server hotplugd[2262]: uhidev0 attached, class 0
Jan 27 12:46:12 server hotplugd[2262]: uhid0 attached, class 0
Jan 27 12:46:12 server hotplugd[2262]: uhidev1 attached, class 0
Jan 27 12:46:12 server hotplugd[2262]: softraid0 attached, class 0
Jan 27 13:04:28 server hotplugd[2262]: wskbd1 detached, class 5
Jan 27 13:04:28 server hotplugd[2262]: ukbd0 detached, class 0
Jan 27 13:04:28 server hotplugd[2262]: uhidev0 detached, class 0
Jan 27 13:04:28 server hotplugd[2262]: uhid0 detached, class 0
Jan 27 13:04:28 server hotplugd[2262]: uhidev1 detached, class 0
Jan 27 13:04:28 server hotplugd[2262]: uhub1 detached, class 0
Jan 27 13:05:13 server hotplugd[2262]: uhub1 attached, class 0
Jan 27 13:05:15 server hotplugd[2262]: wskbd1 attached, class 5
Jan 27 13:05:15 server hotplugd[2262]: ukbd0 attached, class 0
Jan 27 13:05:15 server hotplugd[2262]: uhidev0 attached, class 0
Jan 27 13:05:15 server hotplugd[2262]: uhid0 attached, class 0
Jan 27 13:05:15 server hotplugd[2262]: uhidev1 attached, class 0

Here is wsconsctl -a before unplugging:

keyboard.type=pc-xt
keyboard.bell.pitch=400
keyboard.bell.period=100
keyboard.bell.volume=0
keyboard.bell.pitch.default=400
keyboard.bell.period.default=100
keyboard.bell.volume.default=50
keyboard.repeat.del1=400
keyboard.repeat.deln=100
keyboard.repeat.del1.default=400
keyboard.repeat.deln.default=100
keyboard.ledstate=0
keyboard.encoding=us.dvorak
keyboard1.type=usb
keyboard1.bell.pitch=400
keyboard1.bell.period=100
keyboard1.bell.volume=50
keyboard1.bell.pitch.default=400
keyboard1.bell.period.default=100
keyboard1.bell.volume.default=50
keyboard1.repeat.del1=400
keyboard1.repeat.deln=100
keyboard1.repeat.del1.default=400
keyboard1.repeat.deln.default=100
keyboard1.ledstate=0
keyboard1.encoding=us.dvorak
display.type=vga-pci
display.emulations=vt100
display.screentypes=80x25,80x25bf,80x40,80x40bf,80x50,80x50bf
display.focus=0
display.screen_on=250
display.screen_off=30
display.vblank=off
display.kbdact=off
display.msact=off
display.outact=off

After re-plugging this is changed:

keyboard1.encoding=us

Oop, there's one reason to post to misc and read logs. It's pretty obvious now that the keyboard is on keyboard1 and I've changed wsconsctl.conf to ...

keyboard1.bell.volume=0 # mute keyboard beep

... and the beep is gone at boot. However after unplugging the keyboard and plugging it back in the beep is back and the keyboard encoding is wrong. I guess I'll have to put a mute into the attach script but I think that's the issue here - the attach script here and on the machine at work aren't firing. This is the attach script:

#!/bin/sh
# hotplugd(8) runs this with the device class as $1 and the device name as $2
DEVCLASS=$1
DEVNAME=$2
# match on the expanded variable, not the literal word DEVNAME
case "$DEVNAME" in
wskbd1)
	kbd us.dvorak
	;;
esac

Any ideas welcome. Best wishes.
OpenBSD 4.8 (GENERIC) #136: Mon Aug 16 09:06:23 MDT 2010 dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC cpu0: Intel Pentium III ("GenuineIntel" 686-class) 731 MHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PSE36,SER,MMX,FXSR,SSE real mem = 266891264 (254MB) avail mem = 252567552 (240MB) mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 12/05/01, BIOS32 rev. 0 @ 0xfd87d, SMBIOS rev. 2.2 @ 0xe4010 (42 entries) bios0: vendor Phoenix Technologies Ltd. version "IP.01.08US" date 12/05/2001 bios0: Hewlett-Packard HP Vectra apm0 at bios0: Power Management spec V1.2 apm0: AC on, battery charge unknown acpi at bios0 function 0x0 not configured pcibios0 at bios0: rev 2.1 @ 0xfd810/0x7f0 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf30/176 (9 entries) pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82371FB ISA" rev 0x00) pcibios0: PCI bus #1 is the last bus bios0: ROM list: 0xc/0xa000 0xe/0x4000! 0xe4000/0xc000! cpu0 at mainbus0: (uniprocessor) pci
Re: pf and traceroute
Hi Mike. Mike wrote:

> Yes, I know that Windows uses ICMP for traceroute (I use both the
> Windows tracert command line utility and the SamSpade GUI utility).

Cool.

> However, I have found that troubleshooting is always easier if one can
> eliminate Windows from the mix, that's why I reproduced the problem on
> the FreeBSD box (and also an OpenBSD notebook, but I didn't show those
> logs.

Couldn't agree more.

> Traceroutes were working here previously. I rewrote the rules
> surrounding NAT when the new pf.conf syntax appeared, that's when I
> started noticing the traceroute issues.

What OS are we talking about now?

uname -rsv
OpenBSD 4.8 GENERIC#136

Not to throw curve balls but I had exactly the same problem as you initially during 4.7 then at some point it came good (so the opposite to your situation). I did change my pf on the odd occasion and thought little of it. This is a carbon copy of my 4.7 pf and it still works. So yes, that ruleset allowed trace during 4.7 and now during 4.8 ...

From a Windows host:

C:\Documents and Settings\Administrator>tracert on.net

Tracing route to on.net [150.101.140.197]
over a maximum of 30 hops:

  1   <10 ms   <10 ms   <10 ms  192.168.1.250
  2    38 ms    39 ms    39 ms  lns21.adl2.internode.on.net [203.16.215.199]
  3    44 ms    43 ms    77 ms  150.101.134.14
  4    38 ms    39 ms    38 ms  techgw.adl.internode.on.net [150.101.1.84]
  5    47 ms    36 ms    37 ms  pubweb.internode.on.net [150.101.140.197]

From an OpenBSD host:

traceroute -P ICMP on.net
 1  192.168.2.250 (192.168.2.250)  0.425 ms  0.290 ms  0.217 ms
 2  lns21.adl2.internode.on.net (203.16.215.199)  36.698 ms  37.122 ms  34.950 ms
 3  150.101.134.14 (150.101.134.14)  50.339 ms  45.852 ms  45.197 ms
 4  techgw.adl.internode.on.net (150.101.1.84)  41.494 ms  39.724 ms  39.560 ms
 5  pubweb.internode.on.net (150.101.140.197)  45.711 ms  44.618 ms  42.521 ms

Mike wrote:

> When I use that ruleset (changing nothing except the interface names),
> traceroute using ICMP still does not work from the clients.

Ouch.
I've simplified it to this:

# packet filtering
block all
# pppoe0:network
pass out on pppoe0 inet from (pppoe0) to any
pass out on pppoe0 inet from vr1:network nat-to (pppoe0)
pass out on pppoe0 inet from vr2:network nat-to (pppoe0)
# vr1:network
pass in on vr1 inet from vr1:network to any
# vr2:network
pass in on vr2 inet from vr2:network to any

It all still works. From a Windows host and OpenBSD host. To re-iterate:

uname -rsv
OpenBSD 4.8 GENERIC#136

That's the router and the client. Not to be captain obvious but Windows (older versions) have a packet filter, of course now it's kernel mode all the way with Windows Firewall and obviously FreeBSD has something - pf is default now right? I know you said you could ping and trace from your router to your hosts but ... I'm probably the noob here but is that worth looking at? FYI, I obviously use pppoe, it's pppoe(4). I haven't made any manual adjustments to MTU or MSS or any other acronyms I don't know the full import of. Everything (everything) networking or otherwise is pretty much default. Best wishes.
Re: pf and traceroute
Hi Mike. Here's a couple of points.

First, Windows uses ICMP only on traceroute (tracert) so there's consistency between your Windows and FreeBSD internal hosts - it's an ICMP blocked (in or out) issue. http://technet.microsoft.com/en-us/library/cc940128.aspx Can you ping and traceroute your router from your internal hosts? Can you go the other way?

Second, and here we go into grey area, I'm no expert at the pf thing and I do it slightly different to you. However, I use a simple ruleset and don't explicitly allow ICMP ... and yet it works from internal Windows and OpenBSD hosts. Here is the basics (in case there's a clue there):

# options
set block-policy return
set debug urgent
set loginterface pppoe0
set optimization normal
set reassemble no
set require-order yes
set ruleset-optimization basic
set skip on lo
#set state-defaults
set state-policy if-bound
#set timeout
# traffic normalization
antispoof quick for lo inet
antispoof quick for vr1 inet
antispoof quick for vr2 inet
# packet filtering
block all
# pppoe0:network
match in log on pppoe0
pass out on pppoe0 inet from (pppoe0) to any
pass out on pppoe0 inet from vr1:network nat-to (pppoe0)
pass out on pppoe0 inet from vr2:network nat-to (pppoe0)
#pass in on pppoe0 inet proto icmp from any to (pppoe0) icmp-type 8 code 0
# vr1:network
pass in on vr1 inet from vr1:network to any
pass out on vr1 inet from vr1 to vr1:network
pass out on vr1 inet from vr2:network to vr1:network
# vr2:network
pass in on vr2 inet from vr2:network to any
pass out on vr2 inet from vr2 to vr2:network
pass out on vr2 inet from vr1:network to vr2:network

Most or all of the "options" are default. The commented icmp line is to allow outsiders to icmp echo request this machine and get a reply. I've commented it to make sure it's not why mine works and yours doesn't.
There's a few items in the pf.conf man page that lead me to guess that care needs to be taken with ICMP (as far as state and UDP and TCP being directly referenced but ICMP requests requiring special care).

For ICMP, pass out/in ping queries. State matching is done on host addresses and ICMP ID (not type/code), so replies (like 0/0 for 8/0) will match queries. ICMP error messages (which always refer to a TCP/UDP packet) are handled by the TCP/UDP states.

pass on $ext_if inet proto icmp all icmp-type 8 code 0

Furthermore, correct handling of ICMP error messages is critical to many protocols, particularly TCP. pf(4) matches ICMP error messages to the correct connection, checks them against connection parameters, and passes them if appropriate. For example if an ICMP source quench message referring to a stateful TCP connection arrives, it will be matched to the state and get passed.

pass out inet proto icmp all icmp-type echoreq

Etcetera. Like I said I'm guessing but it might be a state issue (a design feature) and something to do with the order of your match/block versus my block/pass - I notice in the man page that ICMP is treated as a special case (see "block") and also this:

set block-policy
The block-policy option sets the default behaviour for the packet block action:
drop    Packet is silently dropped.
return  A TCP RST is returned for blocked TCP packets, an ICMP UNREACHABLE is returned for blocked UDP packets, and all other packets are silently dropped.

So on. I'd try removing your "block in" for testing. Consider adding a rule (flavour as necessary):

pass out inet proto icmp all icmp-type echoreq

Best wishes.
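The man page passages quoted above explain why a "block all" ruleset with only stateful pass-out rules still lets traceroute through: the time-exceeded errors are matched to the state of the probe they quote, and the final echo reply matches the request's state on addresses and id rather than type/code. The following toy model of that state matching is an added example, not pf code and not from the thread; the addresses are the thread's placeholder 1.2.3.4 and the hops from its traceroute output, and it assumes (as pf does for ICMP echo) that an error quoting an ICMP probe is matched to that probe's state, not only errors quoting TCP/UDP.

```python
"""Toy model of pf's stateful ICMP handling as quoted from pf.conf(5):
echo replies match the query's state by host pair and ICMP id (not
type/code), and an ICMP error is matched to the state of the packet it
quotes. Constructed example, not pf code."""
from dataclasses import dataclass
from typing import Any, Optional, Set, Tuple

ICMP_ECHO_REPLY, ICMP_UNREACH, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 0, 3, 8, 11


@dataclass(frozen=True)
class Packet:
    proto: str                  # 'icmp', 'udp' or 'tcp'
    src: str
    dst: str
    sport: int = 0              # udp/tcp only
    dport: int = 0
    icmp_type: int = -1         # icmp only
    icmp_code: int = 0
    icmp_id: int = 0            # echo request/reply identifier
    inner: Optional["Packet"] = None   # header quoted inside an ICMP error

    def is_icmp_error(self) -> bool:
        return self.proto == "icmp" and self.icmp_type in (ICMP_UNREACH, ICMP_TIME_EXCEEDED)


def state_key(pkt: Packet) -> Optional[Tuple[Any, ...]]:
    """Key used to find the state a packet belongs to.

    The host pair is a frozenset so a reply (src/dst swapped) lands on the
    same key as the query that created the state. ICMP queries are keyed on
    the id only, never on type/code, so a 0/0 reply matches an 8/0 request.
    An ICMP error is keyed by the packet it quotes; one quoting nothing can
    never match a state."""
    if pkt.is_icmp_error():
        return state_key(pkt.inner) if pkt.inner is not None else None
    if pkt.proto == "icmp":
        return ("icmp", frozenset((pkt.src, pkt.dst)), pkt.icmp_id)
    return (pkt.proto, frozenset(((pkt.src, pkt.sport), (pkt.dst, pkt.dport))))


class StatefulFilter:
    """'block all' plus stateful 'pass out' on the external interface and no
    explicit 'pass in ... proto icmp' rule, i.e. the ruleset in the thread."""

    def __init__(self) -> None:
        self.states: Set[Tuple[Any, ...]] = set()

    def out(self, pkt: Packet) -> str:
        # Outbound traffic is passed and creates state (pf keeps state by default).
        self.states.add(state_key(pkt))
        return "pass"

    def inbound(self, pkt: Packet) -> str:
        # Inbound traffic passes only when it belongs to an existing state.
        key = state_key(pkt)
        return "pass" if key is not None and key in self.states else "block"


def traceroute_hop(fw: StatefulFilter, me: str, hop_router: str, probe: Packet) -> str:
    """Send one traceroute probe and return the verdict on the ICMP
    time-exceeded message the expiring hop sends back, quoting the probe."""
    fw.out(probe)
    err = Packet("icmp", hop_router, me, icmp_type=ICMP_TIME_EXCEEDED, inner=probe)
    return fw.inbound(err)


# Constructed addresses: the thread's placeholder router address and the
# hops shown in its traceroute output.
ME, HOP1, TARGET = "1.2.3.4", "203.16.215.199", "150.101.140.197"


def demo() -> dict:
    fw = StatefulFilter()
    icmp_probe = Packet("icmp", ME, TARGET, icmp_type=ICMP_ECHO_REQUEST, icmp_id=0x1234)
    udp_probe = Packet("udp", ME, TARGET, sport=40000, dport=33434)
    return {
        # traceroute -P ICMP and plain UDP traceroute: the time-exceeded is
        # matched to the probe's state and passed back in
        "icmp_traceroute": traceroute_hop(fw, ME, HOP1, icmp_probe),
        "udp_traceroute": traceroute_hop(fw, ME, HOP1, udp_probe),
        # the final echo reply matches on id even though type 0 != 8
        "echo_reply": fw.inbound(Packet("icmp", TARGET, ME,
                                        icmp_type=ICMP_ECHO_REPLY, icmp_id=0x1234)),
        # an unsolicited echo request from outside has no state: blocked, which
        # is what the commented-out icmp-type 8 rule in the thread would change
        "unsolicited_ping": fw.inbound(Packet("icmp", "198.51.100.7", ME,
                                              icmp_type=ICMP_ECHO_REQUEST, icmp_id=1)),
        # an error quoting a flow this host never sent is blocked too
        "stray_error": fw.inbound(Packet("icmp", HOP1, ME, icmp_type=ICMP_TIME_EXCEEDED,
                                         inner=Packet("udp", ME, TARGET, sport=1, dport=2))),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>17}: {verdict}")
```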
Re: Newbie Network/PF Question
While we're piling on ... I have three interfaces, vr0 is my internet (pppoe), vr1 and vr2 are my internal networks. This gives me a good mental picture ...

# packet filtering
block all
# pppoe0:network
pass out on pppoe0 inet from (pppoe0) to any
pass out on pppoe0 inet from vr1:network nat-to (pppoe0)
pass out on pppoe0 inet from vr2:network nat-to (pppoe0)
# vr1:network
pass in on vr1 inet from vr1:network to any
pass out on vr1 inet from vr1 to vr1:network
pass out on vr1 inet from vr2:network to vr1:network
# vr2:network
pass in on vr2 inet from vr2:network to any
pass out on vr2 inet from vr2 to vr2:network
pass out on vr2 inet from vr1:network to vr2:network

... add echo, port rules, etcetera as necessary. I think that does pretty much what you want - my setup is ziggactly the same. Best wishes.
Re: My trouble with BIND.
Hi Ollie. On 26/09/2010, Oliver Peter wrote: > On Sep 25, 2010, at 8:44 PM, Oliver Peter wrote: > >> You should have a look at dig(1). >> i.e. >> dig @127.0.0.1 example.com A > > Ah, and there's also: > > net/ldns/drill > drill is a tool ala dig from BIND. It was designed > with DNSSEC in mind and should be a useful > debugging/query tool for DNSSEC. > > ~ollie I think I'm a little way off from DNSSEC as yet. :] Best wishes.
Re: My trouble with BIND.
Hi Ollie. On 26/09/2010, Oliver Peter wrote: > Hey David, > > You should have a look at dig(1). > i.e. > dig @127.0.0.1 example.com A > > Which will query your local service for the A record > of example.com. Replace 'A' with 'any' to retrieve > all RRs, typically A, SOA, NS and MX. > > nslookup shouldn't be the tool of choice when debugging > DNS issues. > > Cheers > ~ollie Can you point me to a link. I've heard of dig. I know all the boffins use it. Nevermind found one: "Due to its arcane user interface and frequently inconsistent behavior, we do not recommend the use of nslookup. Use dig instead." http://www.isc.org/files/arm94_0.html Cheers. Best wishes.
Re: My trouble with BIND.
Howdy. I worked out what my problem was. Using kernel mode PPPoE with a wildcarded source address ... inet 0.0.0.0 255.255.255.255 ... for some reason BIND doesn't recognize that interface even though from the boot messages the interface is up and gets its address before named starts. Explicitly telling BIND to listen on the interface doesn't help. Explicitly using the IP address in the hostname.pppoe0 file does help, e.g.: inet 1.2.3.4 255.255.255.255 Other machines can access my RRs and my virtual hosts on Apache start working. Best wishes.
Re: My trouble with BIND.
On 25/09/2010, R0me0 *** wrote:

> If I do interactive mode and try likewise, nslookup sits there and does
> nothing. If I do interactive mode and try likewise, nslookup sits there and
> does nothing.
>
> try it
>
> #nslookup
>> server 127.0.0.1
>> example.com

Thanks for that. Perhaps I'm understanding the man page incorrectly - nslookup(1):

INTERACTIVE COMMANDS
host [server]
Look up information for host using the current default server or using server, if specified.

I've tried it with some internet machines and can't get it to work:

nslookup
> on.net ns1.on.net
;; connection timed out; no servers could be reached

# nslookup
> server ns1.on.net
Default server: ns1.on.net
Address: 203.16.213.172#53
Default server: ns1.on.net
Address: 2001:44b8:f020:ff00::80#53
> on.net
Server: ns1.on.net
Address: 203.16.213.172#53

Name: on.net
Address: 150.101.140.197

> by default, nslookup assume the first nameserver on resolv.conf
>
> Regards

Now I need to figure out everything else. :] I forgot to mention earlier, this is 4.7 GENERIC#558 i386 with BIND 9.4.2-P2 Best wishes.
My trouble with BIND.
Hi. This is my first go at authoritative name serving and I'm finding it very difficult. All help appreciated.

First off a small oddity (it could be pebkac). It appears my named.conf is okay and so are my master files. If I do a ...

nslookup example.com 127.0.0.1

... I get a result returned that looks as per normal with the IP address I set in the master file. If I do interactive mode and try likewise, nslookup sits there and does nothing. I've tried appending a dot, using localhost instead of 127.0.0.1 and various combinations thereof. Am I missing something?

Probably a bigger issue for me is getting other machines to pull down records from me. I've tried to eliminate the usual suspects (looking at my interface, pf, etcetera). Here's a whole bunch of stuff (mostly typed by hand):

There's only one network card. All IP stuff seems to be fine and I can use the ISP resolvers (from resolv.conf) to surf the intarwebs (using lynx).

ifconfig
pppoe0: ... inet 1.2.3.4 --> ISP_ROUTER

cat pf.conf
#options
set block-policy return
set debug urgent
set loginterface pppoe0
set optimization normal
set reassemble no
set require-order yes
set ruleset-optimization basic
set skip on lo
set state-policy if-bound
# block all
pass out log on pppoe0 from (pppoe0) to any

Note that the "block all" has been commented.

cat resolv.conf
lookup file bind
nameserver ISP_DNS_1
nameserver ISP_DNS_2

I'm a little unsure about naming (especially the hosts file). The existing setup uses ns1.example.com as the NS.

cat myname
ns1.example.com

cat hosts
127.0.0.1 localhost
1.2.3.4 ns1.example.com // that's the external interface

cat named.conf
options {
recursion no;
allow-query {any;};
allow-query-cache {none;};
};
#zones
//snipped out the default loopbacks and the hints
zone "example.com" {
type master;
file "master/example.com";
check-names fail;
};

Here's the RRs. I used absolute domain names.

cat example.com
example.com. IN SOA ( ns1.example.com. email_address 723742424872 1h 1h 1h 1h )
example.com. A 1.2.3.4 // that's the external interface
NS ns1.example.com.
ns1.example.com. A 1.2.3.4

named-checkconf and named-checkzone don't produce any output.

A look at /var/log/daemon shows me (again hand typed and snipped):

starting BIND
loading configuration from /etc/named.conf
listening on IPv4 interface lo0, 127.0.0.1#53
zone 127.in... loaded
zone example.com/IN: loaded 747247242748 //my serial
zone localhost/IN: loaded
... ns1 named: running

Like I said if I do nslookup example.com 127.0.0.1 (or localhost) I get an accurate result. It concerns me above, from the log ("listening on IPv4 interface") that only the loopback is listed. The ARM tells me that by default I should be okay: "If no listen-on is specified, the server will listen on port 53 on all interfaces." Like I said though other machines aren't looking at the records. If I use a looking glass I can ping this machine by IP fine but if I do anything that requires a name I get "protocol or service not working" and a reference to the DNS servers they use. I'm happy to post more stuff (nslookup set d2), tcpdump, whatever. Please let me know. In case it's something really obvious to someone, I've held off for now on setting up mail or USB or something on this machine. Best wishes.