Two typos on the website
Hello,

while going through the upgrade guide for 5.5 I found two typos on the website:

In upgrade55.html it should read "and remove them from /etc/inetd.conf" instead of "/etc/identd.conf".

In faq4.html in section 4.3.4 (creating a bootable install flash drive) I found another typo. The raw device in the dd command should read /dev/rsd6c instead of rsd4c, as in the text the example is sd6.

have a nice day
guido

Here are the diffs:

upgrade55.html: --- upgrade55.html 2014-05-07 04:48:08.0 +0200 +++ upgrade55.html.new 2014-05-10 13:57:40.608551035 +0200 @@ -182,7 +182,7 @@ The new version runs as a daemon, rather than from a href=http://www.openbsd.org/cgi-bin/man.cgi?query=inetdamp;sektion=8;inetd(8)/a. So, you will need to set your desired flags in tt/etc/rc.conf.local/tt -and remove them from tt/etc/identd.conf/tt. +and remove them from tt/etc/inetd.conf/tt. p a name=pfqueue/a faq4.html: --- faq4.html 2014-05-02 22:30:31.0 +0200 +++ faq4.html.new 2014-05-10 14:20:14.011095639 +0200 @@ -487,7 +487,7 @@ p Here is an OpenBSD example, assuming the device was recognized as sd6: table border=0 width=90%trtd nowrap bgcolor=#EEpre - # dd if=/location/install55.fs of=/dev/rsd4c bs=1m + # dd if=/location/install55.fs of=/dev/rsd6c bs=1m /pre/td/tr/table Details of this will vary on other platforms -- the important things are: ul
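Review bot: the file name in the first hunk (upgrade55.html, /etc/identd.conf to /etc/inetd.conf) is consistent with the unchanged context line just above it, which says the service used to be started from inetd(8); flags that are moved into /etc/rc.conf.local therefore have to be removed from inetd's configuration, /etc/inetd.conf, so the replacement line is the right one and the hunk needs no further change.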
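Review bot: the device name in the second hunk (faq4.html, rsd4c to rsd6c) now agrees with the `sd6` named in its own context line `Here is an OpenBSD example, assuming the device was recognized as sd6:`, which is the only thing that was inconsistent. Since `dd` to the raw whole-disk device overwrites whatever disk currently carries that name, the retained closing context `Details of this will vary on other platforms -- the important things are:` is the natural place for the list that follows to tell readers to confirm the device name from dmesg before running the command; nothing else in the hunk needs changing.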
Re: OpenBSD changes virtual nic driver in vmware workstation?
On 13.08.2012 09:42, C. L. Martinez wrote:

Hi all, I am trying to do some tests with OpenBSD 5.1 and FreeBSD 9.1 beta in my laptop virtual lab based on vmware workstation 8. But I have found a problem when I try to configure OpenBSD vms: I can't use the e1000 driver with these OpenBSD vms. I have tried to set up these OpenBSD vms as FreeBSD virtual guests, as Other, as RHEL, etc ... (and yes, I have changed the .vmx config file to ethernetX.virtualDriver = e1000 every time), but when OpenBSD boots, every time it changes the virtual nic driver to vicX (in the .vmx config it appears as a vlance, the worst driver possible)... After doing several tests, like installing FreeBSD to see if the same problem occurs, I conclude that the problem may be with OpenBSD itself making the change, is that right?? Curiously, I have five OpenBSD vms under two ESXi servers, and this problem doesn't appear: I can use e1000 configuring OpenBSD vms as FreeBSD guest or Other ... Any idea??

Hmm, I have some OBSD 5.1 test machines running under vmware Workstation 8.0.4 on a linux host. They all work with the network driver e1000. I did not do any configuration, it just worked out of the box. But I think, if your system puts it back to vlance instead of e1000, it is a problem of vmware and not of OpenBSD.

guido
Re: pf and includes
On 30.11.2011 09:22, Peter Hallin wrote:

Hello, I have some issues with pf.conf and includes that perhaps someone could shed some light on. Where I work, we use bridging firewalls with multiple tagged vlans passing the bridges, and filtering is done on the vlan interfaces. Normally we have around 10-20 vlans on each machine, and we have a LOT of rules in pf.conf. To make configuration a little easier I'm beginning to look at how to separate the vlans into multiple configs, one for each vlan, and then include them all from pf.conf. I would want to have all macros, options and rules for each vlan in a separate file, but I would also like to use macros from one config in rules in another file. To clarify what I'm getting at, here's an example:

## /etc/vlan500.conf:
DB=192.168.0.10/32
block log on vlan500
pass in quick on vlan500 from $Webserver to $DB port 3306
pass out on vlan500

## /etc/vlan1000.conf:
Webserver=192.168.1.20/32
block log on vlan1000
pass in quick on vlan1000 from any to $Webserver port 80
pass out on vlan1000

## /etc/pf.conf
include /etc/vlan500.conf
include /etc/vlan1000.conf
##

The above example would not work, as pfctl will look at the rules in vlan500.conf before looking at the macros in vlan1000.conf and it will throw an error that the $Webserver macro is not defined. If I change the order of the includes in pf.conf, it will work, but of course if I try to use macros from vlan1000.conf for rules in vlan500.conf, the problem will arise again. One way to solve it would be to put all the macros in, say, /etc/vlan500-macros.conf and /etc/vlan1000-macros.conf and make sure they are included before the rules in pf.conf, but that seems inconvenient to me. What is the common practice for using includes? Is there a way to get pfctl to read ALL macros from ALL files before looking at the rules? I would be happy to hear some suggestions.

Thanks, Peter

How about a definition.conf with all your (Name, IP-Address) pairs which is included first in your pf.conf, so your vlan.confs only include the rules but no definitions.

guido
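One way to see the ordering rule at work, as an added example that is not part of the thread: a small Python lint that replays pfctl's top-to-bottom reading of pf.conf and its includes, and reports every $macro that a rule expands before its definition. An in-memory dict stands in for the files; the paths, addresses and rules are taken from Peter's message, and the definition.conf layout from the reply.

```python
"""Replay pfctl's reading order: pf.conf is read top to bottom, 'include'
splices the named file in at that point, and a $macro must already be
defined when the first rule that expands it is read.  Constructed example,
not taken from any real system."""
import re
from typing import Dict, List, Tuple

MACRO_DEF = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$')
INCLUDE = re.compile(r'^include\s+"?([^"\s]+)"?$')
MACRO_USE = re.compile(r'\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?')

Line = Tuple[str, int, str]   # (file, line number, text without comment)


def expand_includes(files: Dict[str, str], root: str,
                    stack: Tuple[str, ...] = ()) -> List[Line]:
    """Flatten root and everything it includes, in the order pfctl reads them."""
    if root in stack:
        raise ValueError("include loop: " + " -> ".join(stack + (root,)))
    if root not in files:
        raise FileNotFoundError(root)
    out: List[Line] = []
    for lineno, raw in enumerate(files[root].splitlines(), start=1):
        text = raw.split('#', 1)[0].strip()   # drop comments and blank lines
        if not text:
            continue
        m = INCLUDE.match(text)
        if m:
            out.extend(expand_includes(files, m.group(1), stack + (root,)))
        else:
            out.append((root, lineno, text))
    return out


def check_macros(files: Dict[str, str], root: str = '/etc/pf.conf') -> List[str]:
    """One message per $macro that is expanded before its definition is read."""
    defined: Dict[str, str] = {}
    errors: List[str] = []
    for fname, lineno, text in expand_includes(files, root):
        m = MACRO_DEF.match(text)
        if m:
            name, value = m.group(1), m.group(2)
            # a macro value may itself expand macros; those must come earlier too
            for ref in MACRO_USE.findall(value):
                if ref not in defined:
                    errors.append(f"{fname}:{lineno}: macro '{ref}' not defined")
            defined[name] = value
            continue
        for ref in MACRO_USE.findall(text):
            if ref not in defined:
                errors.append(f"{fname}:{lineno}: macro '{ref}' not defined")
    return errors


# Peter's layout: every vlan file carries its own macros and its rules.
BROKEN_LAYOUT = {
    '/etc/pf.conf': 'include "/etc/vlan500.conf"\ninclude "/etc/vlan1000.conf"\n',
    '/etc/vlan500.conf': ('DB=192.168.0.10/32\n'
                          'block log on vlan500\n'
                          'pass in quick on vlan500 from $Webserver to $DB port 3306\n'
                          'pass out on vlan500\n'),
    '/etc/vlan1000.conf': ('Webserver=192.168.1.20/32\n'
                           'block log on vlan1000\n'
                           'pass in quick on vlan1000 from any to $Webserver port 80\n'
                           'pass out on vlan1000\n'),
}

# The reply's layout: one definitions file included first, vlan files hold rules only.
FIXED_LAYOUT = {
    '/etc/pf.conf': ('include "/etc/definition.conf"\n'
                     'include "/etc/vlan500.conf"\n'
                     'include "/etc/vlan1000.conf"\n'),
    '/etc/definition.conf': 'DB=192.168.0.10/32\nWebserver=192.168.1.20/32\n',
    '/etc/vlan500.conf': ('block log on vlan500\n'
                          'pass in quick on vlan500 from $Webserver to $DB port 3306\n'
                          'pass out on vlan500\n'),
    '/etc/vlan1000.conf': ('block log on vlan1000\n'
                           'pass in quick on vlan1000 from any to $Webserver port 80\n'
                           'pass out on vlan1000\n'),
}

if __name__ == '__main__':
    for label, layout in (('broken', BROKEN_LAYOUT), ('fixed', FIXED_LAYOUT)):
        print(label, check_macros(layout) or 'OK')
```

Swapping the two includes in the broken layout also passes the lint, which is exactly the fragile ordering Peter describes; the definitions-first layout passes regardless of how the vlan files are ordered.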
Re: Bridging and ESXi
On 24.11.2011 05:16, Brian Hechinger wrote:

On Nov 23, 2011, at 19:45, Josh Grosse j...@jggimi.homeip.net wrote:

On Wed, Nov 23, 2011 at 04:41:09PM -0500, Brian Hechinger wrote:

Anyone know where I should be looking here to figure out why this isn't working?

Brian, I don't know if you've received other advice yet, but the key here is to -post- configuration information. For example, your dmesg and your hostname.bridge0 config file. That way, people can look at your configuration rather than guessing.

You are correct. I was rushing out the door and in turn rushed my email. That was wrong of me.

I'll guess your configuration is missing an up ifconfig setting, which I recall is explicitly required for the bridge to forward packets. See the BRIDGE section in the ifconfig(8) man page.

Unfortunately you would be wrong. I should have prefaced my email at the very least with the fact that I have set up bridging openbsd boxes before and do know how to do it, as well as the fact that we beat all the basics to death in #openbsd on FreeNode.

hostname.em1:
up

hostname.em2:
up

hostname.bridge0:
add em1
add em2
up

Stock pf.conf. I can copy and paste the output of ifconfig tomorrow but you won't see anything unusual there. Playing around a bit more by putting logging on pf, it looks like the packets aren't making it to the openbsd box, so this could very well be a VMware issue. Unless openbsd is dropping them before pf gets them, but that strikes me as rather unlikely.

-brian

Hello, I don't think it's an OpenBSD problem. How do the vswitch configs look? I believe (I don't know, because you don't say exactly) you have 2 vswitches, both connected with your OpenBSD machine. Do you have 2 other machines, one connected to vswitch0 and the other one to vswitch1? Also I believe that you use the same IP range on both vswitches. Have you defined the IP range on both switches?

Vswitches are normally really stupid, but VmWare has put some sort of intelligence in them, so maybe the vswitches work together, if both have the same ip range defined, and packets go direct from one machine to another without passing your bridge. To be honest, I think this question is for a vmware mailing list.

guido
Driver vmt having trouble with automated snapshots in vSphere
Hello, 2 weeks ago I updated a virtual openbsd test machine from 4.8 to 4.9. It came with the new vmt driver from dlg@, which is a nice and useful feature. But now I saw that it does not work properly with functions in vSphere which use automated snapshots. (I tested it with VMware Data Recovery and cloning.) In both cases I get "Protocol error from VMX". Disabling vmt in the kernel is a workaround for the problem. I saw that there was no further development in the driver (looked at http://openbsd.org/plus.html), but maybe someone is interested to have a deeper look, as I am not the only person having this issue ( http://communities.vmware.com/thread/317068 ). For now (and maybe until the end of computers ;-) ) I will live without this driver, as it is a nice to have and not a must have.

thanks
guido

Here comes the dmesg with disabled vmt:
Re: OpenBSD bridge setup
On 06.11.2010 03:23, James A. Peltier wrote:

Problem Description: I'm trying to filter VLANs on the bridge. However, when enabling VLAN devices on the em1 interface the bridge does not work.

Hello

Test Setup: The 2910AL-24G port 19 has its ports configured as TAGGED for VLAN 300 and VLAN 302, with no other VLANs enabled on this port. This cable enters the bridge via em0 of the bridge, and em1 connects to port 1 on the HP5304XL, which is configured for TAGGED VLAN 300 and VLAN 302. Port two is configured as VLAN 300 UNTAGGED.

HP2910AL-24G (port 19) --- OpenBSD Bridge --- HP 5304XL (port 1)

OS - OpenBSD 4.8-beta (GENERIC.MP) #259: Tue Aug 3 09:06:37 MDT 2010 (no difference with newer versions)
PF - Disabled
Two physical interfaces em0 em1

VLAN devices
# cat /etc/hostname.vlan300
vlan 300 vlandev em1
# cat /etc/hostname.vlan302
vlan 302 vlandev em1
cat /etc/hostname.em0
up
cat /etc/hostname.em1
up

Also make 2 corresponding vlan devices on em1 (they must have different names than vlan300 and vlan302, but the same vlan tag):

hostname.vlan300: vlan 300 vlandev em0
hostname.vlan302: vlan 302 vlandev em0
hostname.vlan1300: vlan 300 vlandev em1
hostname.vlan1302: vlan 302 vlandev em1

Working configuration but without filtering.
cat /etc/hostname.bridge0
add em0
add em1
up

Make 2 bridges, one for vlan tag 300 and one for tag 302.

Bridge0:
add vlan300
add vlan1300
up

Bridge1:
add vlan302
add vlan1302
up

Now you should be able to filter on bridge0 (vlan 300) and bridge1 (vlan 302).

guido

With this configuration and no VLAN devices created, the bridge works and the tags are passed appropriately; however I am unable to filter the traffic on the VLANs. dhclient eth0 on the client works fine; pinging out works fine.

Non-Working configuration with hopes of filtering
However, as soon as I create the vlan300 devices with a parent of em1, the bridge stops functioning and the client on HP5304XL Port 2 (UNTAGGED VLAN 300) stops functioning. This remains the same even if I add the vlan300 and vlan302 devices to the bridge. dhclient stops working; ping is dead. I'm stumped here. Any ideas?

--
James A. Peltier
Systems Analyst (FASNet), VIVARIUM Technical Director
Simon Fraser University - Burnaby Campus
Phone : 778-782-6573
Fax : 778-782-3045
E-Mail : jpelt...@sfu.ca
Website : http://www.fas.sfu.ca | http://vivarium.cs.sfu.ca
http://blogs.sfu.ca/people/jpeltier
MSN : subatomic_s...@hotmail.com
Re: HA: pair of firewalls, 2 switches and 1 server
Axel Rau wrote:

On 18.05.2010 at 14:11 Guido Tschakert wrote:

I would say your Server is __the__ single point of failure (sure the switch is also a spof, but normally I'm more worried about servers than switches)

Yes, but it has 2 power supplies and redundant disks. If the mini pwr supply of the single switch dies, I'm losing.

Oh, yes, and it has two mainboards and you have two ups for all the things. ;-) Have you thought of two internet connections from two different providers? Sorry, I don't want to bother you, I just want to say that achieving redundancy is not as easy as you described it in your first message. The first question is: What problem are you trying to resolve? Or in your case: How much redundancy do you want/need?

Also a 2nd server is in the pipeline...

Ok, that's fine.

guido

Btw: it would be great for the archive, if you got it working, that you send a message to the list describing your configuration.
Re: HA: pair of firewalls, 2 switches and 1 server
Axel Rau wrote:

Hi all, I have a pair of redundant firewalls (obsd 4.6) and a server (fbsd 8.0):

+---+ +--+ | | | | +fw1+--+ +-+ | carp0| |carp1 | | em0| | | | | | | | +-+-++-+-+-+ | | | | sw | |Server| +-+-++-+-+-+ | fbsd | | | | | | | +fw2+--+ +-+ | carp0| |carp1 em1| | | | | | +---+ DMZ +--+

We all know, the switch is the single point of failure.

Hi, I would say your Server is __the__ single point of failure (sure the switch is also a spof, but normally I'm more worried about servers than switches)

guido

Even worse, when it fails the carp0 pair starts flapping, disturbing other firewall traffic. So, how to resolve this? Trunking would only be possible between 2 boxes, not 3. Carp on top of trunk? 2 Carp pairs on the firewalls and 1 pair at the server? If I get it right, the physical LAN should look like this:

+---+ +--+ | |+-+ | | +fw1++ sw1 +---+ | carp0| +--+ +-+-+-+em0| | | | | | | | +-+-+ | ++ | | || ||Server| +-+-+ +--|--+ | fbsd | | | | | | | | +-+ +-+-+-+ | | +fw2++ sw2 +---+ | carp0| |+-+em1| | +---+ +--+

Switches must have Spanning Tree support (RSTP), so I hope a pair of Netgear GS108T can do this. Any proposals highly appreciated,

Axel
---
axel@chaos1.de PGP-Key:29E99DD6 +49 151 2300 9283 computing @ chaos claudius
Re: Padlock accelerated SHA on Via C7
Guido Tschakert wrote:

John Arnold wrote:

It isn't worth using it. The overhead is too high.

OK, thanks for the response. That being the case, can anybody give me any advice on what hardware I would need to achieve gigabit VPN throughput (aes/3des md5/sha1) with ipsec?

And yes, I forgot a few things: what I use is described in man brconfig (how I love the faqs and manuals), and we use hmac-sha2-256 and aes128 (the default).

Hi, my max throughput with ipsec is around 218 Mbit/s with the following hardware: 3Ghz Intel Dual Core and Intel EM-Network Devices. This is a building to building tunnel with ipsec-bridge, and the two boxes are directly connected. Without any dedicated crypto hardware you need a single core cpu as fast as possible (dual/quad core is also possible but won't help you, as the encryption/decryption is done by the kernel which uses only one kernel).

dmesg:
Re: European orders
Hello everybody,

Just want to put my 2 cents into this discussion: some weeks ago, I thought that it would be time to pre-order 4.5. But then the following came to my mind: in the last years I seldom used the CDs, most of the time I used ftp. The CDs themselves were lying on the shelf. Actually I do not need these CDs: but a lot of resources are needed to produce CDs and bring them to me, and for me this is some kind of environmental pollution which is not necessary and which I would like to avoid. (I'm talking about raw materials and fuel.) Then I started to look at what other possibilities I have to support OpenBSD. Sure there are donations, but will I remember every 6 months to make a donation? No, I'm just a human being (me thinks so). But here in Germany we have a thing called a standing order (in German: Dauerauftrag) where I can put a monthly amount of money to the project (for me this is very easy, as Theo has a bank account in Germany). The European orders discussion brought it back to my mind, and half an hour ago I started my standing order with 12,50 per month (150/year). This is not much, but more than if I would buy the CDs twice a year.

guido
Re: openbsd in virtualization
Markus Hennecke wrote:

Guido Tschakert wrote:

the question is: do you use the vmware-tools from server 2.0 and if you do so, how did you manage it?

No, we are running server 1.0.8 for our OpenBSD vmware installations. We have some laptops with our Windows client software that needs fast access to a database on an OpenBSD server. All set up for evaluation of the whole packet. So we need the ability to gracefully shut down the vm if the laptop is powered down. The vm must start when the laptop is started. It is a setup for users with low skills on computers (medical personnel mostly), so the ability to start and shut down a vm is not something I can expect. OpenBSD 4.4 or newer will run happily with the vmware server 2.0, but no automatic shutdown is a real show stopper.

Kind regards
Markus

Hello Markus, as I wrote earlier, you can use VmServer 2.0 with the old tools. Shutdown works well. I have the feeling that 2.0 is faster than 1.0 (except the management interface, which can be very annoying), but I have no measurements ;-)

guido
Re: openbsd in virtualization
Markus Hennecke wrote:

On Wed, 18 Mar 2009, Markus Hennecke wrote:

Laurens Vets wrote:

Markus Hennecke wrote:

On Wed, 18 Mar 2009, Laurens Vets wrote:

Laurens Vets wrote:

Doesn't work for me. Vmware-guestd doesn't want to run and the message "Abort trap" is printed... Btw, this is on OpenBSD 4.4 i386 and VMware Server 2.0

This works no longer with VMWare Server 2.0. With 1.0.8 you were fine with that method.

Any specific reason why? Did they change the FreeBSD binary too much or...?

I think that the vmware tools were statically linked in the previous versions, now they are dynamically linked and I was missing most of the libs. But I will check that tomorrow when I'm back at work.

So here is the information, it is indeed dynamically linked in the server 2.0 version:

vmware tools server 2.0:
$ pwd
/home/markus/vmware-tools-distrib/lib/sbin32
$ ls -la
total 1228
drwxr-xr-x   2 markus users    512 Sep 11  2008 .
drwxr-xr-x  21 markus users    512 Sep 11  2008 ..
-r-xr-xr-x   1 markus users  42900 Sep 11  2008 vmware-checkvm
-r-xr-xr-x   1 markus users 505384 Sep 11  2008 vmware-guestd
-r-xr-xr-x   1 markus users   4862 Sep 11  2008 vmware-guestd-wrapper
-r-xr-xr-x   1 markus users  49412 Sep 11  2008 vmware-rpctool
$ file vmware-guestd
vmware-guestd: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), stripped

Hello Markus, the question is: do you use the vmware-tools from server 2.0 and if you do so, how did you manage it?

guido

vmware tools server 1.0.8:
$ ls -la /emul/freebsd/sbin/
total 584
drwxr-xr-x  2 root wheel    512 Sep  2  2008 .
drwxr-xr-x  3 root wheel    512 Dec 17  2007 ..
-r-xr-xr-x  1 root wheel 270236 Sep  2  2008 vmware-guestd
$ file vmware-guestd
vmware-guestd: ELF 32-bit LSB executable, Intel 80386, version 1, statically linked, stripped

Kind regards,
Markus
Re: openbsd in virtualization
sonjaya wrote:

what virtualization do you use (vmware, openvz, etc)?

Hi, as Michiel wrote, he uses kvm (this is something in the linux kernel). OpenVZ will not work. (It's up to you to find out why ;-) ) I use OpenBSD in Vmware Server 2.0, and if you search the archives you will find a lot of people asking questions regarding vmware and xen. But you should really search the archives, as you will find a lot of things about security, stability and so on.

guido

On Wed, Mar 18, 2009 at 3:34 PM, Michiel van Baak mich...@vanbaak.info wrote:

On 15:13, Wed 18 Mar 09, sonjaya wrote:

Hi... My boss asks how to move the current obsd server to virtualization (such as openvz, vmware, etc). Has anyone in here succeeded in moving obsd to a virtualization environment (openvz, vmware etc)? Maybe you want to share with me? So obsd becomes the guest OS? ps: I'm so sorry to ask this, because of efficiency and reducing IT cost. Thanks

I'm running OpenBSD 4.4 and -current under KVM here at home. I won't run it in production though. Real hardware is much more stable.

--
Michiel van Baak
mich...@vanbaak.eu
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x71C946BD
Why is it drug addicts and computer aficionados are both called users?

--
sonjaya
http://sicute.blogspot.com
http://www.pojokdomain.com (sell buy domain with free)
Re: openbsd in virtualization
Linus Swdlas wrote:

On Wed, 18 Mar 2009 14:45:44 +0100, Laurens Vets laur...@daemon.be wrote:

Laurens Vets wrote:

Alexandre Verriere wrote:

Laurens Vets wrote:

My boss asks how to move the current obsd server to virtualization (such as openvz, vmware, etc). Has anyone in here succeeded in moving obsd to a virtualization environment (openvz, vmware etc)? Maybe you want to share with me? So obsd becomes the guest OS? ps: I'm so sorry to ask this, because of efficiency and reducing IT cost. Thanks

Works great for me under VMware. / L

How are you shutting down the OpenBSD guest when you stop VMware? Manually?

This can be achieved with FreeBSD compat turned on, this way: halt the obsd guest, then set its type to freebsd and back up. Install the vmware tools:

mount /dev/cd0c /mnt
tar -xzf /mnt/vmware-freebsd-tools.tar.gz -C /tmp
mkdir -p /emul/freebsd/sbin
install -m 555 -o root -g wheel /tmp/vmware-tools-distrib/lib/sbin32/vmware-guestd /emul/freebsd/sbin
cp -r /tmp/vmware-tools-distrib/etc /etc/vmware-tools

then tune your sysctl.conf:

kern.emul.freebsd=1

Add this one to your rc.local:

if [ -x /emul/freebsd/sbin/vmware-guestd ]; then
    echo -n ' vmware-tools'
    /emul/freebsd/sbin/vmware-guestd --background /var/run/vmware-guestd.pid --halt-command "/sbin/shutdown -p -h now"
fi

Now you can use vmware scripts to automate power management of your vm. Hope this helps.

Doesn't work for me. Vmware-guestd doesn't want to run and the message "Abort trap" is printed... Btw, this is on OpenBSD 4.4 i386 and VMware Server 2.0

I use VMWare Workstation 6.5.1 which, as far as I know, uses the same hw-compat as Server 2.0, and it sometimes brings my whole machine down when running OpenBSD 4.4. The crashes are quite random. Difficult to determine the problem for me though, as I changed hardware, and thus OS, and changed from Workstation 6.0 to 6.5 and the OpenBSD version to 4.4 at the same time. =) Previous versions have worked wonders. I'm kinda curious if it would be possible to figure out what the changes are and write a DoS-sploit for VMware/host-OS from it. =) Host OS would be a Linux 64-bit on Core2Duo if anyone wondered.

Hello again, I can confirm that using the tools from 1.0.8 in a virtual machine with hardware version 7 on VmServer 2.0 works. (And vmware tells you to upgrade the tools, which you shouldn't do.) So the wiki http://openbsd-wiki.org/index.php?title=HowTo_install_VMWare_tools could be updated. The freebsd.iso can be found in (/usr)/lib/isoimages from a 1.0.8 installation or in the tar.gz. The next step would be to use the new tools and find out which libs are needed. Maybe Markus has some news tomorrow.

guido
Re: openbsd in virtualization
Linus Swdlas wrote:

On Wed, 18 Mar 2009 14:45:44 +0100, Laurens Vets laur...@daemon.be wrote:

Laurens Vets wrote:

Alexandre Verriere wrote:

Laurens Vets wrote:

My boss asks how to move the current obsd server to virtualization (such as openvz, vmware, etc). Has anyone in here succeeded in moving obsd to a virtualization environment (openvz, vmware etc)? Maybe you want to share with me? So obsd becomes the guest OS? ps: I'm so sorry to ask this, because of efficiency and reducing IT cost. Thanks

Works great for me under VMware. / L

How are you shutting down the OpenBSD guest when you stop VMware? Manually?

This can be achieved with FreeBSD compat turned on, this way: halt the obsd guest, then set its type to freebsd and back up. Install the vmware tools:

mount /dev/cd0c /mnt
tar -xzf /mnt/vmware-freebsd-tools.tar.gz -C /tmp
mkdir -p /emul/freebsd/sbin
install -m 555 -o root -g wheel /tmp/vmware-tools-distrib/lib/sbin32/vmware-guestd /emul/freebsd/sbin
cp -r /tmp/vmware-tools-distrib/etc /etc/vmware-tools

then tune your sysctl.conf:

kern.emul.freebsd=1

Add this one to your rc.local:

if [ -x /emul/freebsd/sbin/vmware-guestd ]; then
    echo -n ' vmware-tools'
    /emul/freebsd/sbin/vmware-guestd --background /var/run/vmware-guestd.pid --halt-command "/sbin/shutdown -p -h now"
fi

Now you can use vmware scripts to automate power management of your vm. Hope this helps.

Doesn't work for me. Vmware-guestd doesn't want to run and the message "Abort trap" is printed... Btw, this is on OpenBSD 4.4 i386 and VMware Server 2.0

I use VMWare Workstation 6.5.1 which, as far as I know, uses the same hw-compat as Server 2.0, and it sometimes brings my whole machine down when running OpenBSD 4.4. The crashes are quite random. Difficult to determine the problem for me though, as I changed hardware, and thus OS, and changed from Workstation 6.0 to 6.5 and the OpenBSD version to 4.4 at the same time. =) Previous versions have worked wonders. I'm kinda curious if it would be possible to figure out what the changes are and write a DoS-sploit for VMware/host-OS from it. =) Host OS would be a Linux 64-bit on Core2Duo if anyone wondered.

Ok, I think I've got an idea regarding our problem with installing the vmware-tools in OpenBSD 4.4 on VmServer 2.0 and Workstation 6.5.1. Someone wrote that it works with OpenBSD 4.4 and VmServer 1.0.8, so OpenBSD 4.4 isn't the problem (as mostly ;-) ). I think we (Laurens, Linus and myself) have started with creating a new vm in VmServer 2.0 or WS 6.5 and then installed the tools via cd-emulation. The problem might be the hardware version/product compatibility: we have version 7 and Vmserver 1.0 uses version 4. Another point would be to try the vmware-tools.tar.gz from server 1.0 (Markus wrote they are statically linked, so maybe we can use them also in our new vm).

guido
Re: OpenBSD 4.4 pf+vlan+bridge problem
Key Aavoja schrieb: Hello, Hello, first thing: I do not have any experience with multicast traffic. But what you have built seems very strange to me. First you use vlans to separate the networks and then you put them altogether with a bridge. I do not see the use of the vlans. Wouldn't it be better to not use the bridge and use (multicast-)routing and pf to solve your problem? As I said, I have no experience with multicast traffic, but that is how I would start digging. guido I have a problem with pf+bridge+vlan (multicast traffic) and I googled a lot, read the manuals and so on - no help. Finally I posted on the wrong place :( sorry. Hopefully this time I'm writing to the right place. The following setup is made for multicast traffic separation from one lan to multiple vlans. Setup: Two physical interfaces bnx0 bnx1 interfaces bnx0 and bnx1 have vlans: bnx0 vlan1100 bnx1 vlan1101 vlan1102 vlan1103 vlan1104 vlan1105 vlan1106 vlan1107 vlan1108 Bridge setup: bridge0 has all vlans as bridge members (vlan1100, vlan1101 ... vlan1108) PF config:
block out on bnx1 all
block out on vlan1100 all
block out on vlan1101 all
block out on vlan1102 all
block out on vlan1103 all
block out on vlan1104 all
block out on vlan1105 all
block out on vlan1106 all
block out on vlan1107 all
block out on vlan1108 all
pass out quick on vlan1101 proto udp from any to 239.16.1.1
pass out quick on vlan1102 proto udp from any to 239.16.1.2
pass out quick on vlan1103 proto udp from any to 239.16.1.3
Wishful thinking, what the result should be: All multicast streams are available on vlan1100 and received via bnx0/vlan1100. The bridge should stream the multicast packets to whatever vlan - it's the place where pf should help. Stream 239.16.1.1 should be available only on vlan1101, and 239.16.1.2 available on vlan1102 and so on.
Real Result: Stream 239.16.1.1 is available on all three vlans: 1101, 1102, 1103 - the same thing happens with the other two streams (239.16.1.2, 239.16.1.3) It's really weird what's going on, or did I understand something wrong and the configuration is not correct? Thank you. -
Re: cryptographic accelerator for a laptop
ro...@cs.wisc.edu schrieb: I recently started using a VPN with my laptop for when I travel (which is quite often) and I have noticed a detectable degradation when going through the VPN, especially when using streaming video. My laptop is a few years old and the problem isn't that big a deal, but I was wondering if there is a card I could buy that I could offload the work to. Hopefully one that isn't very expensive would be nice. Just wondering if anybody has any suggestions. roger Hello, you forgot to mention a lot of information: what kind of VPN are you using? what kind of laptop are you using? As you want to add hardware, where is the dmesg? btw: I am not aware of any pcmcia device, usb device or pci express card doing cryptographic acceleration, but I am not that much of an expert. But I think if you find such a thing, it is cheaper to buy a new laptop ;-) and another thing: maybe it would help to tweak your vpn config, but for that, that information is needed! guido
Re: cryptographic accelerator for a laptop
Guido Tschakert schrieb: ro...@cs.wisc.edu schrieb: I recently started using a VPN with my laptop for when I travel (which is quite often) and I have noticed a detectable degradation when going through the VPN, especially when using streaming video. My laptop is a few years old and the problem isn't that big a deal, but I was wondering if there is a card I could buy that I could offload the work to. Hopefully one that isn't very expensive would be nice. Just wondering if anybody has any suggestions. roger Hello, you forgot to mention a lot of information: what kind of VPN are you using? what kind of laptop are you using? As you want to add hardware, where is the dmesg? btw: I am not aware of any pcmcia device, usb device or pci express card doing cryptographic acceleration, but I am not that much of an expert. But I think if you find such a thing, it is cheaper to buy a new laptop ;-) and another thing: maybe it would help to tweak your vpn config, but for that, that information is needed! guido Another question comes to my mind. What speed do you get through your VPN and what speed do you expect/need (especially for streaming video)? Another problem might be that your CPU cannot handle the VPN and video at the same time (so the speed of the VPN is not your problem). If this is your problem, maybe a new graphics card is a solution (which also isn't quite easy to change in a laptop) guido
Re: FreeBSD emulation of VMware Tools
Laurens Vets schrieb: Laurens Vets wrote: Good morning, Hello have you read man compat_freebsd and tried the suggestions (i.e. download libc.so.1 from somewhere and also ldd and some other files) I was not aware of that man page... I've been trying to set things up using it as a guide, but I'm unsuccessful at the moment. The man page mentions FreeBSD 5.0-RELEASE, yet the port freebsd_lib seems to be compiled for FreeBSD 4.1.1. Any idea on what FreeBSD version is supported by OpenBSD? Some more information: - VMware Server 2.0 - OpenBSD 4.4 Hmm, that's also my configuration I've gotten the FreeBSD emulation working now: # ldd-freebsd /emul/freebsd/usr/bin/ldd /emul/freebsd/usr/bin/ldd: libc.so.4 = /usr/lib/libc.so.4 (0x4fa23000) Can you tell exactly what you've done and where you got the binaries from? I'm trying to also solve this problem... However, while running it on vmware-guestd I still receive an error: # ldd-freebsd /emul/freebsd/sbin/vmware-guestd /emul/freebsd/sbin/vmware-guestd: /emul/freebsd/sbin/vmware-guestd: signal 6 according to man signal, signal 6 is SIGABRT create core image abort(3) call (formerly SIGIOT) Is vmware-guestd running anymore after signal 6? Any idea on how I can proceed from there? Laurens Vets schrieb: Hi list, I'm trying to get the FreeBSD version of the VMware Tools installed in OpenBSD 4.4 under VMware Server 2.0 following the guide posted at http://www.openbsd-wiki.org/index.php?title=HowTo_install_VMWare_tools. I've had to install the freebsd_lib-4.11p0.tgz package and had to add some additional symbolic links to /emul/freebsd/usr/lib.
However, vmware-guestd segfaults upon trying to start it: # ktrace /emul/freebsd/sbin/vmware-guestd --background /var/run/vmware-guestd.pid --halt-command /sbin/shutdown -p -h now Segmentation fault (core dumped) # ktrace -C # kdump 6020 ktrace RET ktrace 0 6020 ktrace CALL execve(0xcfbdabb3,0xcfbdaa60,0xcfbdaa78) 6020 ktrace NAMI /emul/freebsd/sbin/vmware-guestd 6020 ktrace NAMI /emul/freebsd/usr/lib/libc.so.1 6020 ktrace NAMI /emul/freebsd 6020 vmware-guestd NAMI /emul/freebsd/usr/lib/libc.so.1 6020 vmware-guestd EMUL freebsd 6020 vmware-guestd RET execve 0 6020 vmware-guestd PSIG SIGSEGV SIG_DFL code 1 addr=0x85fa8 trapno=1 6020 vmware-guestd NAMI vmware-guestd.core # I'm not sure how to proceed from here. Can anyone help me further? Thanks in advance!
Re: FreeBSD emulation of VMware Tools
Hi, have you read man compat_freebsd and tried the suggestions (i.e. download libc.so.1 from somewhere and also ldd and some other files) guido Laurens Vets schrieb: Hi list, I'm trying to get the FreeBSD version of the VMware Tools installed in OpenBSD 4.4 under VMware Server 2.0 following the guide posted at http://www.openbsd-wiki.org/index.php?title=HowTo_install_VMWare_tools. I've had to install the freebsd_lib-4.11p0.tgz package and had to add some additional symbolic links to /emul/freebsd/usr/lib. However, vmware-guestd segfaults upon trying to start it: # ktrace /emul/freebsd/sbin/vmware-guestd --background /var/run/vmware-guestd.pid --halt-command /sbin/shutdown -p -h now Segmentation fault (core dumped) # ktrace -C # kdump 6020 ktrace RET ktrace 0 6020 ktrace CALL execve(0xcfbdabb3,0xcfbdaa60,0xcfbdaa78) 6020 ktrace NAMI /emul/freebsd/sbin/vmware-guestd 6020 ktrace NAMI /emul/freebsd/usr/lib/libc.so.1 6020 ktrace NAMI /emul/freebsd 6020 vmware-guestd NAMI /emul/freebsd/usr/lib/libc.so.1 6020 vmware-guestd EMUL freebsd 6020 vmware-guestd RET execve 0 6020 vmware-guestd PSIG SIGSEGV SIG_DFL code 1 addr=0x85fa8 trapno=1 6020 vmware-guestd NAMI vmware-guestd.core # I'm not sure how to proceed from here. Can anyone help me further? Thanks in advance!
Re: OpenBSD4.4 can ping ip but can't resolv Doname
Hello, what about /etc/resolv.conf on your OpenBSD system? Have you configured which DNS to use? guido Linyin schrieb: Installed openbsd, configured network. When I try to ping an ip address it's ok, but using the domain name it looks down. The dns server is ok, I tried to ping the domain name under winxp: C:\Documents and Settings\linyinping www.openbsd.org Pinging www.openbsd.org [129.128.5.191] with 32 bytes of data: Reply from 129.128.5.191: bytes=32 time=251ms TTL=238 Reply from 129.128.5.191: bytes=32 time=281ms TTL=238 Reply from 129.128.5.191: bytes=32 time=280ms TTL=238 Reply from 129.128.5.191: bytes=32 time=280ms TTL=238 Ping statistics for 129.128.5.191: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 251ms, Maximum = 281ms, Average = 273ms But under OpenBSD, there's no response. # uname -a OpenBSD linyin.8800.org 4.4 GENERIC#1021 i386 # ping www.openbsd.org ping: unknown host: www.openbsd.org # more /etc/hosts
# $OpenBSD: hosts,v 1.11 2002/09/26 23:35:51 krw Exp $
#
# Host Database
#
# RFC 1918 specifies that these networks are internal.
# 10.0.0.0 10.255.255.255
# 172.16.0.0 172.31.255.255
# 192.168.0.0 192.168.255.255
#
::1 localhost.8800.org localhost
127.0.0.1 localhost.8800.org localhost
::1 linyin.8800.org linyin
127.0.0.1 linyin.8800.org linyin
# more /etc/hostname.rl0 inet 192.168.1.5 255.255.255.0 NONE # ping 129.128.5.191 PING 129.128.5.191 (129.128.5.191): 56 data bytes 64 bytes from 129.128.5.191: icmp_seq=1 ttl=238 time=1350.464 ms 64 bytes from 129.128.5.191: icmp_seq=2 ttl=238 time=1201.868 ms --- 129.128.5.191 ping statistics --- 4 packets transmitted, 2 packets received, 50.0% packet loss round-trip min/avg/max/std-dev = 1201.868/1276.166/1350.464/74.298 ms I'm not using PF or any other firewall. Does anyone have some advice? THANKS!
Re: softraid(4) in production environment
Jordi Espasa Clofent schrieb: Hi all, As the post subject says, it's a clear question: Is softraid(4) ready for a production system? I have to build an authentication (with OpenLDAP) system and I want to do it with OpenBSD; I absolutely trust Marco's good job, but I must know if softraid(4) is ready for a real and critical production system. I've used a softraid(4) solution in the past without problems, but I think softraid(4) is better designed and coded, so the logical way is to trust it. If it is that critical, wouldn't it be better to have two simple ldap servers and replicate with slurpd? You know: keep the systems simple. This reminds me of the discussions on having raid in a firewall, and the answer is always: use carp and make it redundant. So I suggest: use slurpd and make it redundant ;-) guido
Re: Packet Filter: how to keep device names on hardware failure?
Peter N. M. Hansteen schrieb: Harald Dunkel [EMAIL PROTECTED] writes: maybe you can use something like this in your script:
int_if=xx:xx:xx:xx:xx:xx
ext_if=yy:yy:yy:yy:yy:yy
int_if=`ifconfig|grep -e $int_if|awk '{print $1}'`
ext_if=`ifconfig|grep -e $ext_if|awk '{print $1}'`
This will not directly work on OpenBSD as the output of ifconfig is not the same as on Linux, and I used it on Linux as some linux kernels don't enumerate the network interfaces in the same order at each boot and they were all called ethx, so rebooting without scanning for MAC addresses was a real mess. Surely we assume that nobody fakes the mac. guido
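The grep/awk one-liner above relies on Linux printing the MAC on the same line as the interface name. On OpenBSD the name is on the `ifN: flags=...` header and the MAC follows on an indented `lladdr` line, so the lookup has to carry the current interface name across lines. The following is an added example, not code from the thread or from OpenBSD: it parses `ifconfig -a` output in OpenBSD's format and maps a MAC address back to the interface name, which is what a pf.conf-generating script would need. The interface names, MACs and addresses in `SAMPLE_IFCONFIG` are constructed sample output.

```python
"""Resolve an interface name from its MAC address on OpenBSD.

Added example, not code from the thread. SAMPLE_IFCONFIG is constructed
sample output in ifconfig(8)'s OpenBSD format: the MAC is on an indented
'lladdr' line under the 'ifN: flags=...' header, so a grep on one line
(the Linux approach) cannot work here.
"""
import re
import subprocess

SAMPLE_IFCONFIG = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        groups: lo
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:21:aa:bb:cc
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:21:dd:ee:ff
        inet 198.51.100.1 netmask 0xffffff00 broadcast 198.51.100.255
enc0: flags=0<>
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33136
"""

# 'em0: flags=8843<...>' -> interface header; only these lines name a device.
HEADER_RE = re.compile(r"^([a-z]+\d+):\s+flags=")
# Indented 'lladdr 00:1b:21:aa:bb:cc' line belonging to the last header seen.
LLADDR_RE = re.compile(r"^\s+lladdr\s+([0-9a-fA-F:]{17})\b")


def normalize_mac(mac):
    """Lower-case and zero-pad each octet so '0:1B:21:aa:bb:cc' compares equal
    to '00:1b:21:aa:bb:cc'."""
    parts = mac.strip().lower().split(":")
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9a-f]{1,2}", p) for p in parts):
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(p.zfill(2) for p in parts)


def mac_table(ifconfig_text):
    """Build {mac: ifname} from 'ifconfig -a' text, carrying the current
    interface name from its header line to the lladdr line below it."""
    table = {}
    current = None
    for line in ifconfig_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = LLADDR_RE.match(line)
        if m and current:
            table[normalize_mac(m.group(1))] = current
    return table


def iface_by_mac(mac, ifconfig_text=None):
    """Return the interface name owning MAC, or None if no interface has it.

    With ifconfig_text=None the real 'ifconfig -a' is run (OpenBSD only);
    pass captured text to resolve offline.
    """
    if ifconfig_text is None:
        ifconfig_text = subprocess.run(["ifconfig", "-a"], check=True,
                                       capture_output=True, text=True).stdout
    return mac_table(ifconfig_text).get(normalize_mac(mac))


if __name__ == "__main__":
    # Emit pf.conf macros bound to the stable MACs rather than to whatever
    # names the kernel attached this boot.
    for role, mac in (("int_if", "00:1b:21:aa:bb:cc"), ("ext_if", "00:1b:21:dd:ee:ff")):
        print('%s = "%s"' % (role, iface_by_mac(mac, SAMPLE_IFCONFIG)))
```

`iface_by_mac` returns `None` rather than an empty string when a MAC is absent, so a wrapper script can refuse to load a pf.conf with an unresolved macro instead of silently producing `int_if = ""`. The mapping only solves the reordering problem the thread is about; when a card is physically replaced after a hardware failure, its MAC changes and the table has to be updated by hand.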
Re: PCI-Express Crypto Hardware
Sylvain MAURIN schrieb: Hello, I am looking to upgrade our lab's ssh gateway[1] but I haven't been able to find one hardware crypto accelerator with PCIe bus. What about SUN? At Sun you can find a X6000A for 1150 But I really do not know if the card will work with OpenBSD. guido BTW: You have a lot of traffic through your ssh-Gateway, don't you? Alas, my new serverboard[2] does not provide PCI nor PCI-X slots. Do you have any tips about an openbsd compatible product? I have a budget of about 1K EUR to purchase some crypto hardware next week and I think my lab could support[3] your project. Thanks for any help, Sylvain MAURIN 1. Soekris 1401 on SunBlade 150 http://www.isc.cnrs.fr/informatique/public_notice/OpenBSD-sshchrooted 2. Sun T1000, sparc64 arch. 3. Aka hosting and opening an access to some BSD developers agreeing our security charts, time to polish any drivers before I put T1000 server in exploitation setup, probably around mid-2009 and keeping running the old SunBlade for your project until she dies. -- Mit freundlichen Grüßen, Guido Tschakert _ SRC Security Research Consulting GmbH Graurheindorfer Str. 149 a Tel: +49-228-2806-138 53117 Bonn Fax: +49-228-2806-199 http://www.src-gmbh.de Mob: +49-160-3671422 Handelsregister Bonn: HRB 9414 Geschäftsführer: Gerd Cimiotti
Re: new home box for secure data storage
Douglas A. Tutty schrieb: On Wed, Oct 29, 2008 at 09:09:20PM -0500, patric conant wrote: I'm confused, the encrypted volume cannot be backed up without a key? Sure, I could back up the encrypted volume. However, I'd rather back the data up as an unencrypted directory along with everything else. And then someone steals your backup. Wouldn't it be more sophisticated to secure the physical access (lock up the door, some security on the windows (the real ones, not that crap from MS), if any) to the system and encrypt the backup (public-key comes to my mind)? As mostly backup will be done on external media (DVD, CD, Tape, USB-Harddrives) It always depends on how paranoid you are (and as I remember you are more paranoid than the average ;-) ), how secret your data is. guido I don't know what's involved in e.g. restoring an accidentally deleted file from within an encrypted volume. I guess I'd treat it like a tarball in that it's a file, mount it somewhere using the usual key and retrieve the file, mount the user's encrypted volume and copy the file back where it belongs. It's likely that it's me that's confused. Since what I'm contemplating doesn't seem to be mainstream, I'm assuming that backup and restore procedures aren't mainstream (e.g. have the kinks worked out) either. That assumption could be invalid. Doug. -- Mit freundlichen Grüßen, Guido Tschakert _ SRC Security Research Consulting GmbH Graurheindorfer Str. 149 a Tel: +49-228-2806-138 53117 Bonn Fax: +49-228-2806-199 http://www.src-gmbh.de Mob: +49-160-3671422 Handelsregister Bonn: HRB 9414 Geschäftsführer: Gerd Cimiotti
Re: Longest Uptime?
new_guy schrieb: I know. Longest uptime is silly, macho, pointless stuff... but I ran across an old SunOS 2.6 box that had been up for 387 days. It had been hacked. The only reason it was not an open mail relay is that /var was full. So, I thought to myself, I bet I could run an OpenBSD box for that amount of time or longer without getting hacked and without doing much to it. Just wondering what's the longest OpenBSD uptime some folks on misc have seen? Thanks Hmm, what about 180-190 days uptime max? Afaik you need to reboot your OpenBSD when you upgrade in May and November... guido
Re: what exactly is enc0?
J.C. Roberts schrieb: On Wednesday 15 October 2008, ropers wrote: I don't know if it is possible to use --surrounding physical space permitting-- 64bit cards in 32 bit slots (and have them run w/ reduced performance). IIRC, something like that used to be possible back when it came to the transition from 8bit ISA to 16bit ISA slots; back then, some 16bit ISA cards could be used in 8bit slots at reduced speeds. Whether something like that is possible now with 64bit PCI cards I don't know. Maybe someone else knows. Of course it depends on the design of the specific card, but yes, at least *some* 64-bit cards can be used in 32-bit slots. I've seen early 64-bit PCI SCSI controller cards that were built this way. -- JCR Not that I would recommend them anymore, but the D-Link DGE-550T/SX (64bit/66MHz) worked in an Asus P4P800-VM (PCI 32bit) for me (with OpenBSD of course). I think it depends on the card __and__ the mainboard if it works or not. guido
Re: ral(4) stops generating traffic
Stuart Henderson schrieb: I think I probably see the same thing on RT2860, but you've got further tracking down what's happening than me (my debugging is hampered by the AP being about 2 hours' drive away..) In gmane.os.openbsd.misc, you wrote: Hi, I'm running OpenBSD 4.4-current (RALDBG) #0: Fri Oct 10 16:56:50 CEST 2008, which is GENERIC with RAL_DEBUG, but I've seen this problem with previous kernels and without RAL_DEBUG, too.
# dmesg | grep ral
ral0 at pci0 dev 14 function 0 Ralink RT2860 rev 0x00: irq 10EEPROM rev=1, FAE=1
ral0: MAC/BBP RT2860 (rev 0x0101), RF RT2820 (2T3R)
This is a pci Edimax EW-7728IN, which I believe is the same card that was donated to damien@ (?) and that led to 28xx support. After an unfixed amount of time, from a few minutes up to a few days, the interface simply stops responding to probe requests:
# tcpdump -nvvvs 1000 -i ral0 -y IEEE802_11_RADIO not subtype beacon
14:17:40.761912 CLI1-MAC ff:ff:ff:ff:ff:ff, bssid ff:ff:ff:ff:ff:ff (seq 16): 802.11: probe request, radiotap v0, 1Mbit/s, chan 6, 11g, sig -19dBm, antenna 2, signal 17dB
14:17:40.963338 CLI1-MAC ff:ff:ff:ff:ff:ff, bssid ff:ff:ff:ff:ff:ff (seq 32): 802.11: probe request, radiotap v0, 1Mbit/s, chan 6, 11g, sig -17dBm, antenna 2, signal 15dB
14:21:03.860025 CLI2-MAC ff:ff:ff:ff:ff:ff, bssid ff:ff:ff:ff:ff:ff (seq 1120): 802.11: probe request, radiotap v0, 1Mbit/s, chan 6, 11g, sig -27dBm, antenna 1, signal 25dB
14:21:04.306901 CLI2-MAC ff:ff:ff:ff:ff:ff, bssid ff:ff:ff:ff:ff:ff (seq 1520): 802.11: probe request, radiotap v0, 1Mbit/s, chan 6, 11g, sig -23dBm, antenna 1, signal 21dB
Whereas normally you'd see the probe req, probe resp, auth req, auth resp, assoc req, assoc resp, wpa dance.
# tcpdump -nvvvs 1000 -i ral0 -y IEEE802_11_RADIO | grep beacon | grep AP-MAC
Shows that it stops sending beacon frames. It's still picking up the beacons from the 5 other wlans it can see, so rx seems to work fine.
# ifconfig ral0 down ifconfig ral0 up Fixes everything, until it happens again after a seemingly random interval. The kernel doesn't log anything unusual even with RAL_DEBUG. I suppose I should sendbug, but I think lots of people have these cards so I'd like to know if anyone else is seeing this. Any ideas? Thanks and please cc, bbee After reading this, I think I have a similar problem (But sorry, I did not dig any deeper) First the part of the dmesg: ral0 at pci0 dev 20 function 0 Ralink RT2860 rev 0x00: irq 15, address xx:xx:xx:xx:xx:xx ral0: MAC/BBP RT2860 (rev 0x0101), RF RT2820 (2T3R) and my /etc/hostname.ral0 contains: inet x.y.z.w a.b.c.d NONE media autoselect mode 11g mediaopt hostap nwid abc wpa wpapsk 0xa0101010101010101010101010101010101010101010101010101010101010101 wpaprotos wpa1 chan 11 description WLAN WPA From time to time I could not connect any more so I had to restart ral0 which leads to my (quick'n'dirty) workaround. In my /etc/crontab is the following line: 30 4 * * * root /bin/sh /etc/netstart ral0 Up to now this worked for me and I have forgotten about the problem :-( until I read this thread... guido
OpenBSD 4.4 CDs have arrived in Bonn/Germany
Hi Folks, just a few minutes ago a packet from Wim arrived in my office. may the source be with us guido
Re: recommendation for router (COMMELL)
Juan Miscaro schrieb: 2008/9/17 Diana Eichert [EMAIL PROTECTED]: On Wed, Sep 17, 2008 at 08:56:07AM +, Stuart Henderson wrote: On 2008-09-17, Juan Miscaro [EMAIL PROTECTED] wrote: Has anyone any experience running OpenBSD on this puppy: http://www.commell-sys.com/Product/IPC/EMB-564.htm I'm looking for a replacement for my tower that is currently acting as router, anti-spam, mail server for a small network/domain. They should run OpenBSD fine. But disk storage might be a problem. Continuously running 2.5 drives in fanless cases don't tend to last very long; the alternatives (DOM or compactflash) would not be great choices for a typical mail server. I have one, it's okay, but like all PC based systems it suffers from crappy BIOS serial port redirection. I second Stuart's opinion regarding not running a mail server on it. Thanks everyone for your comments. I guess I'll look elsewhere. Now how about the inverse question? What *would* you recommend? In addition to the listed duties, I am looking for stability, quietness, and low power (in that order). Don't need 4 lan ports (at least 2) but 3 would be nice. /juan Hm, I also always thought I needed 2 or 3 NICs (DMZ, int, ext...). But then I replaced my network switch with the Netgear GS108T (8 port, 1000MBit __and__ vlan for around 100 EUR) and then I started using vlans. guido
Re: BIND workaround for older versions?
Stuart Henderson schrieb: On 2008-07-24, Mike Shaw [EMAIL PROTECTED] wrote: Regarding the cache poisoning patch (which I see for 4.3). Are there any effective workarounds for OpenBSD 4.0/4.1? The 4.2 patch should also work for 4.1 I can confirm that the 4.2 patch works with 4.1 (at least for me). guido
Re: This is what Linus Torvalds calls openBSD crowd
Duncan Patton a Campbell schrieb: On Thu, 17 Jul 2008 21:37:27 +0200 Marc Balmer [EMAIL PROTECTED] wrote: * Shizzle Cash wrote: On Jul 17, 2008, at 8:42 AM, Giancarlo Razzolini wrote: agreed. I barely can wait to see Ty Semaka's artwork for 4.4. Definitely it should include monkeys. And amoebas too. I agree, monkeys should definitely be somehow incorporated into the artwork for the next release. ty draws openbsd developers as fish. and I think that we, the openbsd developers, did enough to warrant a nice topic for the next release. no need to resort to that strange monkey business. or do you want to honour a stupid remark made by l. by making him the main theme of our next release? I don't think so. we have more substantial work that goes into our next release than the stupid remark of a wanking fat penguin that all too obviously does not understand what we do. Wanking Sea Monkeys, then: the oceanic analogue of fleas, at least in the area of genital proportion ;-) Dhu Sea Monkeys? I feed my fishes with sea monkeys! guido
Kernel panic with wpa (wpa2-personal)
Yes I know it's experimental... ;-) I bought an ASUS WL-130N, installed the latest snapshot (from July 2nd) and tried WPA. I built the pre-shared key
# wpa-psk ZELDA start123
0x763b94d25e9800f80f926fcc26d7fdf52b3b565209456bd0aa31973fbd8d5ce2
and put it in my /etc/hostname.ral0
# cat /etc/hostname.ral0
inet 192.168.22.1 255.255.255.252 NONE media autoselect mediaopt hostap nwid ZELDA wpa wpapsk 0x763b94d25e9800f80f926fcc26d7fdf52b3b565209456bd0aa31973fbd8d5ce2 chan 11 description WLAN WPA
I started the network and took my laptop (ubuntu 8.04) and made the following configuration: Network name (ESSID): ZELDA Password type: WPA Personal Network password: start123 I started and everything was fine. (Oh my god, wifi can be that easy?!? ;-) ) Then I tried with WPA2 Personal and boom: the kernel panics. (It can be reproduced without problems) Here are the panic message, the output from trace and ps, and the dmesg. Maybe someone other than me understands that. guido panic: pool_do_get(mbpl): free list modified: magic=1b7448e5; page 0xd685b000; item addr 0xd685b500 Stopped at Debugger+0x4: leave RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC! DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
ddb trace Debugger(f10c0210,9d404f57,d68a4600,d685b500,d080fa60) at Debugger+0x4 panic(d06caee0,d06ccc04,1b7448e5,d685b000,d685b500) at panic+0x55 pool_do_get(d080fa60,0,0,d68a4600,7) at pool_do_get+0x2ea pool_get(d080fa60,0,12,60) at pool_get+0x1e m_gethdr(1,1,0,d9d2ad48,0) at m_gethdr+0x30 vr_encap(d10ba000,d10babd0,d685bb00,0) at vr_encap+0x18 vr_start(d10ba034,0,d68a4600,d678b0d8,0) at vr_start+0x90 nettxintr(23d6,0,d678b0d8,d037177b,0) at nettxintr+0x4e Xsoftnet() at Xsoftnet+0x6e --- interrupt --- 0x1: ddb ps PID PPID PGRPUID S FLAGS WAIT COMMAND 28305 21587 6778 1000 3 0x4082 ttyin more 21587 6778 6778 1000 3 0x4082 pause sh 6778 13844 6778 1000 3 0x4082 wait man 13844 22477 13844 1000 3 0x4082 pause ksh 22477 9376 9376 1000 3 0x180 selectsshd 9376 10701 9376 0 3 0x4180 netio sshd 23605 1 23605 0 3 0x40180 selectsendmail 21625 27808 27808 0 3 0x181 pause smbd 22674 1 22674 0 3 0x4082 ttyin ksh 6025 1 6025 0 3 0x4082 ttyin getty 29778 1 29778 0 3 0x4082 ttyin getty 9080 1 9080 0 3 0x4082 ttyin getty 10148 1 10148 0 3 0x4082 ttyin getty 16765 1 16765 0 3 0x4082 ttyin getty 28761 1 28761 0 30x80 selectcron 27808 1 27808 0 3 0x181 selectsmbd 17237 1 17237 0 30x81 selectnmbd 10701 1 10701 0 30x80 selectsshd 21179 1 21179 0 3 0x180 selectinetd 16226 1 16226 77 3 0x180 poll dhcpd 3955 8063 8063 83 3 0x180 poll ntpd 8063 1 8063 0 30x80 poll ntpd * 6753 18595 18595 70 7 0x100named 18595 1 18595 0 3 0x180 netio named 13456 5248 5248 74 3 0x180 bpf pflogd 5248 1 5248 0 30x80 netio pflogd 15110 1759 1759 73 3 0x180 poll syslogd 1759 1 1759 0 30x88 netio syslogd 18 0 0 0 30x100200 bored crypto 17 0 0 0 30x100200 aiodoned aiodoned 16 0 0 0 30x100200 syncerupdate 15 0 0 0 30x100200 cleaner cleaner 14 0 0 0 30x100200 reaperreaper 13 0 0 0 30x100200 pgdaemon pagedaemon 12 0 0 0 30x100200 pftm pfpurge 11 0 0 0 30x100200 usbevtusb4 10 0 0 0 30x100200 usbevtusb3 9 0 0 0 30x100200 usbevtusb2 8 0 0 0 30x100200 usbevtusb1 7 0 0 0 30x100200 usbtskusbtask 6 0 0 0 30x100200 
usbevtusb0 5 0 0 0 30x100200 apmev apm0 4 0 0 0 30x100200 bored syswq 3 0 0 0 30x100200idle0 2 0 0 0 30x100200 kmalloc kmthread 1 0 1 0 3 0x4080 wait init 0 -1 0 0 3 0x80200 scheduler swapper dmesg: boot booting hd0a:/bsd: 6041600+1009204 [52+314832+297292]=0x74eef8 entry point at 0x200120 [ using
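The `wpa-psk ZELDA start123` step in the message above turns a passphrase into the 256-bit pre-shared key that ifconfig's `wpapsk` option takes. wpa-psk(8) does this with PBKDF2-HMAC-SHA1 as specified by IEEE 802.11i: the passphrase is the password, the network name is the salt, 4096 iterations, 32 bytes out. The following is an added example, not code from the post or from OpenBSD: it reproduces that derivation with Python's `hashlib`, so the `0x...` value in `/etc/hostname.ral0` can be generated or checked without the OpenBSD box, and it builds the hostname.if line from the post's parameters. The point worth keeping in mind is that anyone who captures the 4-way handshake can run exactly this derivation once per guessed passphrase, so the passphrase length, not WPA1 versus WPA2, decides how long the key survives an offline attack. The addresses and the `wpaprotos` default below are taken from the thread; everything else is an assumption of this example.

```python
"""Derive the WPA/WPA2 pre-shared key the way wpa-psk(8) does.

Added example, not code from the thread or from OpenBSD. wpa-psk(8)
derives the 256-bit PSK from passphrase and network name with
PBKDF2-HMAC-SHA1 (IEEE 802.11i: SSID as salt, 4096 iterations), which
hashlib.pbkdf2_hmac reproduces exactly.
"""
import hashlib

WPA_ITERATIONS = 4096  # fixed by IEEE 802.11i, not tunable on the AP side


def wpa_psk(ssid, passphrase):
    """Return the PSK as wpa-psk(8) prints it: '0x' followed by 64 hex digits.

    Enforces the 802.11i limits: passphrase 8..63 ASCII chars, SSID 1..32 bytes.
    A 64-hex-digit key given directly to ifconfig bypasses this derivation.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    ssid_bytes = ssid.encode()
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    psk = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid_bytes,
                              WPA_ITERATIONS, dklen=32)
    return "0x" + psk.hex()


def hostname_if_line(addr, mask, ssid, passphrase, chan=11, protos="wpa1"):
    """Build the /etc/hostname.ral0 line for a hostap with a derived PSK.

    protos defaults to 'wpa1' only, the workaround used in the thread while
    the WPA2 path panicked the kernel; pass 'wpa1,wpa2' to offer both.
    """
    return ("inet %s %s NONE media autoselect mediaopt hostap "
            "nwid %s wpa wpapsk %s wpaprotos %s chan %d\n"
            % (addr, mask, ssid, wpa_psk(ssid, passphrase), protos, chan))


def psk_matches(ssid, passphrase, expected_hex):
    """Check a configured key against a passphrase; what an offline guesser
    does per candidate once it holds a captured 4-way handshake."""
    return wpa_psk(ssid, passphrase).lower() == expected_hex.lower()


if __name__ == "__main__":
    print(wpa_psk("ZELDA", "start123"))
    print(hostname_if_line("192.168.22.1", "255.255.255.252", "ZELDA", "start123"),
          end="")
```

The test vector from IEEE 802.11i Annex H (SSID `IEEE`, passphrase `password`) is a convenient way to confirm the derivation independently of the thread's own output.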
Re: Kernel panic with wpa (wpa2-personal)
giovanni schrieb: well, I'm not alone same behaviour as stated in: http://marc.info/?l=openbsd-miscm=121396323512149w=2 moreover if I do not use any wpa it does not panic. did you try this? Hi Giovanni, no, I did not really test it, I only tried out wpa and saw that it worked with wpa at the client side and crashed with wpa2 at the client side. The crash with wpa2 directly occurred when using it, with wpa I was able to surf the net and no crash happened. At the weekend I will configure it for daily use (firewall, dhcpd etc.). Then we will see if it also crashes with wpa1. BTW, as long as wpa2 leads to crashes I will disable it within ifconfig to avoid a possible Denial of service ;-) (option wpaprotos wpa1) guido
More then 1 dhcrelay process on 1 router
Hello folks short: will 2 (or more) dhcrelay work on one router without problems? long: I have a router connected to 3 networks: a.b.1.0/24 connected to if1, a.b.2.0/24 connected to if2, a.b.3.0/24 connected to if3. Let's say I have a dhcpd on a.b.1.1 Is it possible to start the two dhcrelay processes:
/usr/sbin/dhcrelay -i if2 a.b.1.1
/usr/sbin/dhcrelay -i if3 a.b.1.1
or will they interfere? If no one knows an answer I will test it next week, as for now I don't have a spare machine with enough network cards ready ;-) thanks guido
Re: More then 1 dhcrelay process on 1 router
Guido Tschakert schrieb: Hello folks short: will 2 (or more) dhcrelay work on one router without problems? long: I have a router connected to 3 networks: a.b.1.0/24 connected to if1, a.b.2.0/24 connected to if2, a.b.3.0/24 connected to if3. Let's say I have a dhcpd on a.b.1.1 Is it possible to start the two dhcrelay processes:
/usr/sbin/dhcrelay -i if2 a.b.1.1
/usr/sbin/dhcrelay -i if3 a.b.1.1
or will they interfere? If no one knows an answer I will test it next week, as for now I don't have a spare machine with enough network cards ready ;-) thanks guido Ok, I found some hardware to test it: it just worked out of the box. That is why I love OpenBSD: It just works! guido
Re: Updates for old releases
Antonio Lobato schrieb: Hi all! I read http://openbsd.org/security.html (and stable.html), but could not make sure about my question. If today I download old versions (say /pub/OpenBSD/4.0/i386/cd40.iso) of openbsd, does it already include the fixes listed in http://openbsd.org/security.html#40 (or #41)? No If no, is the same cd40.iso available including these fixes, or must I apply the patches on the original system? No, and don't use 4.0 as 4.2 is already available and supported. If there is some doc explaining it with more details, please give me the pointers. Thanks, You want to check http://www.openbsd.org/faq/faq5.html#Flavors Tom guido
Why does pf work with last matching rule wins
Hi, I wonder why pf works from top to bottom in filtering with last matching rule wins, but in address translation from top to bottom with first matching rule wins. Sure, I can use quick on every rule in filtering to have first matching rule wins. Me thinks it would be better if both filtering and address translation worked the same (like first rule wins), but I think there are reasons to do it the pf way, but I don't see them. Any enlightenment for me? thanks guido
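The two evaluation orders the question describes are easy to get wrong when reading a long pf.conf, so here is an added example that is not part of the original post and is not pf(4) itself: a toy evaluator with the two orders side by side. Filter rules are walked top to bottom and the last match decides, except that a matching rule with `quick` ends the walk immediately; translation (nat/rdr) rules stop at the first match. The rules and packets below are constructed for the example; the `Rule`/`Packet` types and the dict-based packet fields are assumptions of this model, not pf's internal representation.

```python
"""Toy model of pf's two rule evaluation orders (added example, not pf(4)).

Filter rules: last matching rule wins, unless a matching rule has 'quick',
which makes it the final match and stops evaluation there.
Translation (nat/rdr) rules: first matching rule wins.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# A packet is a plain dict here, e.g. {"src": "10.9.1.1", "proto": "tcp", "dport": 22}.
Packet = Dict[str, object]


@dataclass
class Rule:
    action: str                       # "pass" / "block", or a translation target
    match: Callable[[Packet], bool]   # predicate standing in for pf's match criteria
    quick: bool = False               # filter rules only
    text: str = ""                    # pf.conf-style text, for reporting


def filter_decision(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Return the filter rule that decides pkt: the last matching one, or the
    first matching 'quick' rule if one is reached before the end."""
    winner = None
    for rule in rules:
        if rule.match(pkt):
            winner = rule
            if rule.quick:
                break          # nothing below a matching quick rule is read
    return winner


def translation_decision(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Return the translation rule that applies: the first matching one."""
    for rule in rules:
        if rule.match(pkt):
            return rule
    return None


# Constructed ruleset: default block, a quick block for one network, then
# a pass for ssh. Without 'quick' on the second rule the pass would win for
# 10.9.x.x too, because it is the later match.
FILTER_RULES = [
    Rule("block", lambda p: True, text="block all"),
    Rule("block", lambda p: str(p.get("src", "")).startswith("10.9."), quick=True,
         text="block in quick from 10.9.0.0/16"),
    Rule("pass", lambda p: p.get("proto") == "tcp" and p.get("dport") == 22,
         text="pass in proto tcp to port 22"),
]

# Constructed rdr rules: the more specific one must come first, since the
# first match wins and the catch-all would otherwise swallow port 80 too.
NAT_RULES = [
    Rule("rdr -> 192.168.1.10 port 80",
         lambda p: p.get("proto") == "tcp" and p.get("dport") == 80,
         text="rdr on $ext_if proto tcp to port 80 -> 192.168.1.10"),
    Rule("rdr -> 192.168.1.11 port 80",
         lambda p: p.get("proto") == "tcp",
         text="rdr on $ext_if proto tcp -> 192.168.1.11 port 80"),
]


def decide(pkt: Packet) -> str:
    """Filter verdict for pkt; an empty ruleset passes, as in pf."""
    rule = filter_decision(FILTER_RULES, pkt)
    return rule.action if rule else "pass"


def translate(pkt: Packet) -> Optional[str]:
    """Translation target for pkt, or None when no rdr applies."""
    rule = translation_decision(NAT_RULES, pkt)
    return rule.action if rule else None


if __name__ == "__main__":
    for pkt in ({"src": "192.0.2.5", "proto": "tcp", "dport": 22},
                {"src": "10.9.1.1", "proto": "tcp", "dport": 22}):
        print(pkt, "->", decide(pkt))
    print({"proto": "tcp", "dport": 443}, "->", translate({"proto": "tcp", "dport": 443}))
```

Putting `quick` on every filter rule turns `filter_decision` into `translation_decision`, which is the equivalence the question points out; the difference matters in the other direction too, since a catch-all `rdr` placed first silently shadows every more specific `rdr` below it, while a catch-all `block all` placed first is harmless.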
Re: OT: Where to buy an appliance style case?
Steve B wrote: Has anyone seen a manufacturer that sells an appliance style chassis? I'd like to slim down my current 4U/OBSD box to a 1U form factor using a VIA C7 board. Ideally I'd like to have a chassis that has the Ethernet ports on the front, along with a serial port. Something like an old Symantec Firewall, Netscreen or Watchguard chassis. Alternatively has anyone hacked one of these type of devices and installed their own board and drive? Hello, Chenbro makes some small 1U chassis like the RM13800 and RM12500. I remember a chassis like the RM12500 with ports on the front side but did not find it yet. But these chassis are not cheap and not every board will fit. cheers guido
Asus releases source-code for eeepc
Hello, for those of you who are interested, Asus has released the source code of their linux drivers for the EeePc. http://support.asus.com/download/Download.aspx?SLanguage=en-us Sorry, no direct link and I also don't know if it is blob free. Maybe someone of you wants to look deeper in the code. guido
Re: OT: OpenBSD on Asus eeePC
Marc Balmer schrieb: Jacob Winther wrote: On 14/11/2007, at 6:55 AM, Andreas Maus wrote: Did anyone try to run OpenBSD on Asus' new small eeePC? Just fired up a flashboot image from usb running 4.1 bsd.rd: nice to see you have one. can you boot -current and mail the dmesg to [EMAIL PROTECTED] Does anybody know where I could buy such a machine, preferably in .ch or .de? - Marc Hello, you might find this link useful: http://www.asus.de/news_show.aspx?id=8890 (sorry, it's german) Asus will ship the EeePC to Germany and Austria in December 2007. Maybe alternate.de will sell them. guido
Re: How can i boot a bsd.rd from windows 2000 ?
Gerald Thornberry schrieb: How about an external CDROM drive connected to a parallel port? Micro Solutions used to make one (called BackPack) that could connect via USB, PCCard, and Parallel Port. Once you loaded the drivers under Windows I'm pretty sure you could boot from it. Hmm, what does the windows driver have to do with the ability of the bios to boot from a device? Wasn't there, in the last century, a tool for windows to boot a linux kernel (yeah, I know this is OpenBSD) from windows? But I guess that was with win-dos. guido On 10/11/07, Christopher Bianchi [EMAIL PROTECTED] wrote: Peter N. M. Hansteen ha scritto: Christopher Bianchi [EMAIL PROTECTED] writes: Mmm I've tried qemu, but I wish to really install OpenBSD on it. I've a pcmcia but this notebook can't boot from it. As Craig pointed out, if the machine has a USB port it's likely it can boot from USB floppy. really? but in the bios I don't see any entries about it... anyway I'll try.
Typo on http://www.openbsd.org/errata41.html
Hello Webmasters :-) There is a typo on http://www.openbsd.org/errata41.html : Me thinks it should read 011:SECURITY FIX: October 10,2007 and not: 018:SECURITY FIX: October 10,2007 guido
Re: partioning for multiple OS's
stan wrote: I have a new laptop. It came with Vista on it. I used gparted to resize those partitions, and added Ubuntu. Now I want to add OpenBSD and FreeBSD. I'd like to do OpenBSD next. When I boot the 4.1 CD, I get to the partitioning step, and I am confused. Since I can't figure out how to capture the screen image from a machine booted off of the CD, I'll show you what Linux's cfdisk shows. Name Flags Part Type FS Type [Label] Size (MB) -- sda1 Primary Unknown (27) 10479.01 sda2 Boot Primary FAT16 [] 31453.48 sda3 Primary Linux ReiserFS 3.54 sda5 Logical Linux swap / Solaris 3997.49 Logical Free Space 74109.78 How can I accomplish this? Hello, do you need to have dual (triple, quadruple) boot, or would you like to hear about other possibilities? I would say: use some kind of virtualization (VMware Server, Xen, Virtual PC). Doing that, you do not have to worry about partitioning and boot loader configuration (which is all possible but will also likely end in a mess). You have the possibility to play with the network between the virtual machines and the host, you can easily share data between them, and it is easy to set up. Virtualization is not a solution for everything but a solution for a lot of things (I'm sure a lot of people here would agree), especially if you want to play around with things. guido
Re: Zurich OpenBSD
Peter N. M. Hansteen wrote: Anton Karpov [EMAIL PROTECTED] writes: People who don't know each other but wear PUFFY should salute each other. It's an OpenBSD thing. You wouldn't understand ;-) Obviously the salute would need to be clearly specified or at least set to sensible defaults (for Monty Python values of). My coffee had just run out, so no keyboard harmed. Just say Humpaa to everyone wearing an OpenBSD shirt or other signs of lovely Puffy. guido
Re: ifconfig pfsync0 down
Ronnie Garcia wrote: Hey, I was expecting to stop pfsync with: ifconfig pfsync0 down Hi, pfsync is a pseudo-device (see man pfsync). To stop a pseudo-device you have to destroy it: ifconfig pfsync0 destroy (see man ifconfig and search for pseudo-device). hth guido But it did not. I could stop pfsync by downing the physical device, but is there any other way around? I'm using 4.0. Rgds,
Re: vmware: detecting real interfaces?
Jacob Yocom-Piatt wrote: I am forced to use Windows at work and am trying to get a VMware OpenBSD VM to recognize the non-virtual interfaces, so as to have OpenBSD as the router for the Windows system. This is using the free VMplayer v1.0.3. I've read and followed http://www.cs.drexel.edu/~vp/VirtualFirewall/ and can only see the pcn0 interface under the VM (which is 3.8-release, btw) after following the suggestions contained therein. Any clues about getting the VM to recognize the real physical interfaces would be great. cheers, jake Hello Jacob, some time ago there was an article in the German magazine c't where they described the same situation as you have (with the difference that they use IPCop (a Linux firewall distro) instead of lovely OpenBSD to do the job). You need the following in your VMware config: the real network card has to be used in bridged mode pointing to your virtual pcn0 interface. This is the external interface of your firewall pointing to the evil Internet. Do not configure this card under Windows (sorry, at the moment I don't know if you can easily disable the card in Windows, but I may have a look in the article if you want). Next you need a virtual network between your virtual machine and your host. Then you have a second NIC in your Windows system (VMware virtual something) and a second NIC in your OpenBSD which points to your internal (virtual) network. hth guido
Re: vmware: detecting real interfaces?
Subcommander l0r3zz wrote: On 2/28/07, *Guido Tschakert* [EMAIL PROTECTED] wrote: Jacob Yocom-Piatt wrote: I am forced to use Windows at work and am trying to get a VMware OpenBSD VM to recognize the non-virtual interfaces, so as to have OpenBSD as the router for the Windows system. This is using the free VMplayer v1.0.3. I've read and followed http://www.cs.drexel.edu/~vp/VirtualFirewall/ and can only see the pcn0 interface under the VM (which is 3.8-release, btw) after following the suggestions contained therein. Any clues about getting the VM to recognize the real physical interfaces would be great. cheers, jake Hello Jacob, some time ago there was an article in the German magazine c't where they described the same situation as you have (with the difference that they use IPCop (a Linux firewall distro) instead of lovely OpenBSD to do the job). You need the following in your VMware config: the real network card has to be used in bridged mode pointing to your virtual pcn0 interface. This is the external interface of your firewall pointing to the evil Internet. Do not configure this card under Windows (sorry, at the moment I don't know if you can easily disable the card in Windows, but I may have a look in the article if you want). This particular VMware product relies on the drivers of the host operating system to send packets to the outside world, so if you disable the interface in Windows, you also disable any virtual NICs that are bound to this interface. Next you need a virtual network between your virtual machine and your host. Then you have a second NIC in your Windows system (VMware virtual something) and a second NIC in your OpenBSD which points to your internal (virtual) network. Fine, but ultimately you must go outside. All VMware virtual machines are standardized around this particular network interface; it is what enables us to do things like VMotion in the Enterprise products.
So, unlike Xen, VMware VMs do not see the PCI bus or any other particulars of your underlying hardware. Hi, yes, finally you must go outside; this is done with the bridged interface. The question is (I don't have the complete answer, but a strange feeling): how secure is your Windows with a network interface enabled and nothing on it configured? guido
Re: Configuring nut for USB
James Blasius wrote: I have not been able to figure out (for months) how to attach/configure NUT to find a UPS on a USB port. The dmesg shows it to be on uhidev0. Thanks. Hi, I have the same problem http://archives.neohapsis.com/archives/openbsd/2006-11/2133.html but unfortunately never received an answer; I am also very interested in a solution. thanks, guido
Spamassassin overwrites manual of OpenBSD spamd
Hello, while reading the discussion about spamd, I decided to learn a little bit about it and have a look in the manual, but man spamd yields the manual of spamd - daemonized version of spamassassin, which is not exactly what I was looking for. (I installed p5-Mail-SpamAssassin from ports/packages.) apropos spamd shows: spamd (8) - spam deferral daemon spamd-setup (8) - parse and load file of spammer addresses spamd.conf (5) - configuration file read by spamd-setup(8) for spamd(8) spamdb (8) - spamd database tool spamlogd (8) - spamd whitelist updating daemon Mail::SpamAssassin::Client (3p) - Client for spamd Protocol spamc (1) - client for spamd spamd (1) - daemonized version of spamassassin spamd (8) - daemonized version of spamassassin The first and the last entry are both spamd (8), but spamassassin from ports has overwritten /usr/local/man/man8/spamd.8 from the system (which I am looking for). I don't know if there is an easy solution for this (I don't want to call it a problem), but I think this shouldn't happen. For now I go to http://www.openbsd.org/cgi-bin/man.cgi?query=spamd&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html and read the manual online :-) thanks guido
Re: Spamassassin overwrites manual of OpenBSD spamd
Jason McIntyre wrote: On Tue, Feb 20, 2007 at 10:19:31PM +0100, Guido Tschakert wrote: The first and the last entry are both spamd (8), but spamassassin from ports has overwritten /usr/local/man/man8/spamd.8 from the system (which I am looking for). I don't know if there is an easy solution for this (I don't want to call it a problem), but I think this shouldn't happen. you can change the order man(1) looks for its pages in /etc/man.conf, i think. but probably best is to contact the port maintainer and ask them to rename the page to stop it squashing base spamd(8). jmc Hi, I have already sent my mail to the maintainer of the port. I have looked in /etc/man.conf and read the manual: you can change the order of the subdirs with _subdir, but the order in which the sections are searched (with _default) seems to be alphabetical, and /usr/local comes before /usr/share. (Correct me if I'm wrong.) Digging in man(1) gives me the following help: $ man -w spamd /usr/local/man/man1/spamd.1 /usr/share/man/cat8/spamd.0 /usr/local/man/man8/spamd.8 $ more /usr/share/man/cat8/spamd.0 BTW, I was wrong in saying the port overwrites the manual of the system spamd. The system manuals are stored in /usr/share/man while the port manuals go to /usr/local/man, as some guys told me privately. Stupid me, thanks guido
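One way to spot this kind of shadowing before it misleads anyone, as an added example that is not part of the original thread: a small POSIX sh function that lists every manual page name and section that appears in more than one man tree. The directory list and the sample tree built by demo_tree are assumptions for illustration, not something from the thread.

```shell
#!/bin/sh
# Added example, not from the original thread: report manual page names that
# exist in more than one man tree, so a page installed by a port under
# /usr/local/man that shadows a base page under /usr/share/man (the spamd(8)
# case discussed above) is found before anyone reads the wrong manual.
# The directory list and the sample tree built by demo_tree are assumptions
# for illustration; paths containing whitespace are not handled.

# find_shadowed_man DIR... : print "name(section) path path..." for every
# name+section that occurs in more than one of the given trees.
find_shadowed_man() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # man pages live in manN/ (source) or catN/ (preformatted)
        find "$dir" -type f \( -path '*/man[0-9]*/*' -o -path '*/cat[0-9]*/*' \) |
        while IFS= read -r f; do
            sec=$(basename "$(dirname "$f")")   # e.g. man8 or cat8
            sec=${sec#man}
            sec=${sec#cat}                      # -> 8
            name=$(basename "$f")
            name=${name%.*}                     # spamd.8 / spamd.0 -> spamd
            printf '%s(%s) %s\n' "$name" "$sec" "$f"
        done
    done | sort | awk '
        { files[$1] = files[$1] " " $2; n[$1]++ }
        END { for (k in n) if (n[k] > 1) print k files[k] }' | sort
}

# demo_tree: build a constructed sample layout mirroring the thread in a
# temporary directory and print its path. Only spamd(8) is installed twice.
demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/local/man1" "$t/local/man8" "$t/share/cat8" "$t/share/cat5"
    : > "$t/local/man1/spamd.1"        # port's spamd(1), no base counterpart
    : > "$t/local/man8/spamd.8"        # port's spamd(8): shadows the base page
    : > "$t/share/cat8/spamd.0"        # base spamd(8), spam deferral daemon
    : > "$t/share/cat8/spamdb.0"
    : > "$t/share/cat5/spamd.conf.0"
    printf '%s\n' "$t"
}

# Run against real trees when invoked with arguments, e.g.
#   sh shadowed_man.sh /usr/local/man /usr/share/man
if [ $# -gt 0 ]; then
    find_shadowed_man "$@"
fi
```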
Re: OpenBSD Wireless Router and Nintendo DS
Jan Izary wrote: Brian wrote: I'm having trouble connecting to my OpenBSD wireless router with my Nintendo DS handheld. http://nate.my-balls.com/reference/?content=wireless&menu=network does have a working configuration with ural; try its setup and of course configure your DS to make sure it's got the connection information. Hello, this is a very nice description of how to configure ural. I have done this myself some months ago and it works; only one thing does __not__ work with my DS: WEP (as I mentioned some months ago on this list). Maybe this is a firmware problem of my DS (or of the Nintendo Wifi connector). But without WEP it works very well, like it is described on the webpage mentioned above. guido
Problems using a Powerware 5110 (with nut 2.0.3)
Hello, I'm trying to connect to my Eaton Powerware 5110 with USB. I have installed OpenBSD 4.0 and nut-2.0.3. The dmesg part for the UPS reads: ugen0 at uhub0 port 2 ugen0: Powerware Powerware UPS, rev 0.20/0.50, addr 6 I tried to configure /etc/nut/ups.conf [UPS] driver = bcmxcp_usb port = /dev/ugen0.00 desc = Eaton PW 5110 like it is described on the nut homepage. Then I recognized that there is no bcmxcp_usb driver in my system ;-( So I want to ask if (why?) the USB device of such a UPS isn't supported yet, or if I can use the bcmxcp driver instead (which I tried, but I was out of luck). Another question came to me while looking through the ugen manual: /dev/ugenN.EE Endpoint EE of device N What is the endpoint EE compared to my dmesg? Port 2 or addr 6 or something else? thanks for your time guido
Re: Nintendo Wifi Connector and Nintendo DS (WEP)
Damian Wiest wrote: On Tue, Oct 31, 2006 at 11:08:15AM +0100, Guido Tschakert wrote: Hello, after reading through the ralink broken after last update thread and seeing that Bruno is using a Nintendo Wifi Connector, I wonder if someone has connected a Nintendo DS via an OpenBSD box and the Nintendo Wifi Connector as AP using WEP. Without WEP everything works fine for me (I put my /etc/hostname.ural0 at the bottom of this message), but I haven't worked out how to configure WEP. What worked was using WEP for a connection between the Wifi Connector as access point and my notebook. So if anybody knows in which format I have to use the WEP key on both the OpenBSD box and the Nintendo DS, I really would like to know. thanks guido /etc/hostname.ural0 inet 192.168.22.1 255.255.255.252 NONE media DS2 mediaopt hostap mode 11b nwid zelda chan 12 -nwkey (btw the DS only works with 2Mbps) I've got a couple DS's (and a PSP :( ) at home and have been using them with various systems (FreeBSD and OpenBSD with Aironet and Prism cards and a Linksys 54WRTG) acting as access points. I don't seem to recall encountering any problems. What does the Nintendo wireless adapter attach as? Hello, the dmesg of the adapter is: ural0 at uhub4 port 1 ural0: Nintendo Nintendo Wi-Fi USB Connector, rev 2.00/0.01, addr 2 ural0: MAC/BBP RT2570 (rev 0x05), RF RT2526, address xx:xx:xx:xx:xx:xx Is there some reason you're hardcoding the transmit speed on your AP? I had no end of trouble trying to connect when I tried this. I believe that if you specify the transmit speed, then all devices must use that speed. Meaning, you can't have one using DS2, one using DS11 and your AP doing autoselect. At least I couldn't get that sort of setup to function. The reason for hardcoding the transmit speed is that the (u)ral manual says: The ural driver supports automatic control of the transmit speed in BSS mode only. Therefore the use of a ural adapter in Host AP mode is discouraged.
But that is no problem; I use this access point only for the DS (and upcoming Wii ;-) ). But I haven't worked out how to use the WEP key on the DS. I used the following line to configure the adapter: inet 192.168.22.1 255.255.255.252 NONE media ds2 mediaopt hostap mode 11b nwid zelda chan 12 nwkey mario As for the WEP key, you should enter it just like you did on your AP. Then I searched for access points with the DS and found zelda, encrypted with WEP. I typed mario as WEP key and then the DS told me: cannot connect to access point. I tried 40 and 104 bits, hexadecimal and ASCII keys on both the OpenBSD box and the DS, but nothing worked. (Now I know how the DS recognizes if it is hex or ASCII (it's the length of the string), but after reading through the Wifi website of Nintendo I believe they are not really interested in security. They tell you to use an easy to remember WEP key, e.g. your cellphone number.) Connecting from a laptop to the adapter using WEP works without problems. thanks guido
Re: Transparent bridge rdr SSH traffic
Johan L wrote: Karsten McMinn wrote: On 9/27/06, Jason Dixon [EMAIL PROTECTED] wrote: Think about it. How would sshd communicate with you without an IP address? Seems to defy the laws of TCP/IP. I'd concede that it's more akin to bending than defying laws (RFCs). With enough will and some legwork you might be able to get further with renumbering lo(4) and using rdr. It would be a fun feature to run an ethernet interface in half bridge mode, but in the meantime just get a third interface outside of the bridge group. Half bridge mode sounds cool :). So my only way out is to add a third interface to the OpenBSD server with a public IP address? Right? Wrong! You can give an interface an IP address and use the same interface in your bridge configuration. (I do not say that this is the best configuration.) You can do very funny things with bridge configuration and IP configuration. At home I have one interface working as access point. This interface is also a member of a bridge, the only member! I only use this bridge to filter MAC addresses (ok, please no discussion about faking MAC addresses). cheers guido
Re: Mail gateway behind MS Exchange
Stuart Henderson wrote: On 2006/09/06 13:19, Cedric Brisseau wrote: I think spamd can't help a lot since mails aren't received directly. oh, what do you mean by aren't received directly? I think he means the mails are fetched from their provider with a mechanism similar to fetchmail, and their provider also has a spam filter (and puts the keyword spam in the subject). So what you can do, if this is the case: use fetchmail to fetch the mails, feed the mails into an MTA (Postfix, sendmail), which can send them to a content filter (amavis with clamav and spamassassin for example), and after that the mails are sent to your MS-Crap. If you have time you can also build a mechanism to feed spam (and probably ham) to your content filter to train the content filter. But don't forget to tell your boss and colleagues that there is no 100% protection from spam ;-) guido
Re: Porting firewall/routing script to OpenBSD from linux?
Paul de Weerd wrote: On Tue, Aug 15, 2006 at 02:20:05PM -0500, Matthew R. Dempsky wrote: | On Sun, Aug 13, 2006 at 01:19:31PM -0400, Nick Guenther wrote: | I think you're looking for ifconfig(8). Wait, doesn't linux have | ifconfig? What's ip for? | | ip is from the iproute2 package. From the lartc.org manual, ``Why | iproute2?''[1]: | | Most Linux distributions, and most UNIX's, currently use the | venerable arp, ifconfig and route commands. While these tools work, | they show some unexpected behaviour under Linux 2.2 and up. For | example, GRE tunnels are an integral part of routing these days, but | require completely different tools. | | With iproute2, tunnels are an integral part of the tool set. | | [1] http://lartc.org/howto/lartc.iproute2.html show some unexpected behaviour under Linux 2.2 and up... Why not fix that behaviour instead of adding new and confusing tools? KISS Paul 'WEiRD' de Weerd Oh, it was much better than just adding a new tool. They forgot to add a manual or info page or something similar for this tool for more than 2 years. The only documentation was in the source code. That is why I love OpenBSD. For almost everything there exists a man page, and mostly with examples. guido
Re: smtp proxy
openbsd misc wrote: Hello, I'm looking for an SMTP proxy. The idea is that the proxy checks the SMTP session (if everything is valid, and forwards the information to an Exchange server). The forwarding should happen step by step (the SMTP proxy should be able to drop, to be able to deny the recipient). The mail itself should be streamed (because the proxy should run in memory only). Does someone know such a solution? Regards Hagen Volpers Hi, use a standard SMTP daemon (sendmail, postfix or whatever) and put the spooling directory in a ramdisk :-) guido
Re: D-Link DUB-E100 new Revision does not work
finley_it wrote: Hi Guido, maybe you are interested in knowing that SuSE 10.1 handles quite well asix ax88772, while previous 9.3 doesn't. bye Finley Yeah, I know (I also tested the D-Link crap with SuSE 10.1) and had a look in the sources of the usbnet driver. But it didn't work out of the box and I'm not that kernel guru to change the source code so this crap is recognized by usbnet. I will wait till the next versions (OpenBSD 4.0 and SuSE 10.2) and see if some developer has had the time to support this crap. As mentioned before, I do not need this thing to work under OpenBSD or Linux. guido
Re: D-Link DUB-E100 new Revision does not work
Hello, I have searched the net and what I found isn't that good. From the Linux people I found that AX88772 L should be supported by their usbnet driver. On the other side I found a guy (using Linux) having the same device (and thus the same problem as I have). At Asix I found the following site http://www.asix.com.tw/products.php?op=pItemdetail&PItemID=86;71;101&PLine=71 They say that their chip is supported under Linux with the usbnet driver. The only difference I see between what I have and what I found on the net is the name of the chipset: everyone talks about AX88772 L and I have AX88772 LF (you see the F?). I think I'll write an email to D-Link and Asix. cheers guido The letters are probably package sizes of the chip rather than revisions. More likely something like the GPIO twiddling needs to be improved in the driver if the diff I sent is not working. Hello Jonathan, I must admit I don't know what exactly you are talking about (GPIO twiddling :-). I got an answer from Asix; I think I can post it here: Dear Guido: Thank you for your question. AX88772 L and AX88772 LF both support the Linux driver. D-Link can't support the Linux driver because they have a different PID and VID in their new device. You should find out their PID and VID so that you can add it to the Linux driver. As often, they only talk about Linux. I think that is exactly what your diff has done. The guy from Asix included the source code of the usbnet.c driver, which contains a lot of functions with ax88772 in their names. If it helps, I can forward it to you. One thing, if you don't have the time to improve the driver: I really don't need it, better use your time for important things ;-) Nevertheless, thanks for your help guido
Re: D-Link DUB-E100 new Revision does not work
Guido Tschakert wrote: Hello, I have searched the net and what I found isn't that good. From the Linux people I found that AX88772 L should be supported by their usbnet driver. On the other side I found a guy (using Linux) having the same device (and thus the same problem as I have). At Asix I found the following site http://www.asix.com.tw/products.php?op=pItemdetail&PItemID=86;71;101&PLine=71 They say that their chip is supported under Linux with the usbnet driver. The only difference I see between what I have and what I found on the net is the name of the chipset: everyone talks about AX88772 L and I have AX88772 LF (you see the F?). I think I'll write an email to D-Link and Asix. cheers guido The letters are probably package sizes of the chip rather than revisions. More likely something like the GPIO twiddling needs to be improved in the driver if the diff I sent is not working. Hello Jonathan, I must admit I don't know what exactly you are talking about (GPIO twiddling :-). I got an answer from Asix; I think I can post it here: Dear Guido: Thank you for your question. AX88772 L and AX88772 LF both support the Linux driver. D-Link can't support the Linux driver because they have a different PID and VID in their new device. You should find out their PID and VID so that you can add it to the Linux driver. As often, they only talk about Linux. I think that is exactly what your diff has done. The guy from Asix included the source code of the usbnet.c driver, which contains a lot of functions with ax88772 in their names. If it helps, I can forward it to you. One thing, if you don't have the time to improve the driver: I really don't need it, better use your time for important things ;-) Nevertheless, thanks for your help guido Ok, now I got an answer from D-Link telling that the DUB-E100 contains the following: Asix AX88172 (as we already know) IC+ IP101 (the PHY, which we can see from the dmesg). If someone is able to use this data... guido
Re: D-Link DUB-E100 new Revision does not work
Guido Tschakert wrote: Guido Tschakert wrote: Hello, don't know if this is the right place, but I post it anyway. I bought a D-Link DUB-E100 which should work on OpenBSD according to the website. But it doesn't. Our lovely vendor D-Link changed the chipset and called it H/W Ver.:B1. Here comes the part of the dmesg: ugen0 at uhub4 port 4 ugen0: vendor 0x07d1 product 0x3c05, rev 2.00/0.01, addr 2 Maybe the info on http://www.openbsd.org/i386.html#hardware should be changed to D-Link DUB-E100 (Revision A) or something like that. Btw, I don't need this thing to work on OpenBSD but I plug every piece of hardware into one of our OpenBSD boxes to check if it works ;-) If I can give you more info, please let me know. At this time I try to open the case of the adapter, hoping to see a label with the name of the chipset. guido PS: also on Linux, which should support the old DUB-E100, the new one doesn't work. A colleague has opened this box, the chipset is AX88772 LF. (The old one had AX88172.) Hope that anyone can use this information. guido Hello, I have searched the net and what I found isn't that good. From the Linux people I found that AX88772 L should be supported by their usbnet driver. On the other side I found a guy (using Linux) having the same device (and thus the same problem as I have). At Asix I found the following site http://www.asix.com.tw/products.php?op=pItemdetail&PItemID=86;71;101&PLine=71 They say that their chip is supported under Linux with the usbnet driver. The only difference I see between what I have and what I found on the net is the name of the chipset: everyone talks about AX88772 L and I have AX88772 LF (you see the F?). I think I'll write an email to D-Link and Asix. cheers guido -- Kind regards, Guido Tschakert, SRC Security Research Consulting GmbH, Graurheindorfer Str. 149 a, 53117 Bonn, Tel: +49-228-2806-138, Fax: +49-228-2806-199, Mob: +49-160-3671422, http://www.src-gmbh.de
Re: No Java in OpenBSD
Karel Kulhavy wrote: I appreciate there is no Java in OpenBSD. I searched for java, jre, jdk, j2se, sun, blackdown and ibm in the packages and didn't find anything. I understand why - presumably because Java is not free software. Hmm, go read the FAQ http://www.openbsd.org/faq/faq13.html#javaflash Not everything in ports exists as a package (mostly due to license problems). guido This is very handy - I don't have to waste time with Java programs, which are usually broken anyway, and sometimes trash the machine with a denial of service attack on CPU and memory. Now I can focus on more productive things than Java programs. I just need to find an alternative program for the given task that doesn't rely on non-free software to be able to run. The fact that something doesn't run on OpenBSD has already proven to be handy several times. I needed to run Lotus Notes which is not possible, so I had to put it on a Linux server, which is faster. I don't like Lotus Notes but I have to work with them. This way it's faster and Lotus Notes doesn't crash when I switch virtual desktop. They also don't take memory and disk and attack a different CPU than mine :) The same with the program Inventory I used for a TODO list. It segfaulted because it was written badly. On Linux it runs OK. I was forced to find a text-mode todo which is more suited to the task. And I don't have to run a MySQL server for that. I also appreciate there is no suspend to disk or RAM. On Linux it used to cause problems - the CPU switched to lower speeds, the keyboard in X crashed, and when one closed the lid and reopened quickly, it took many minutes to recover from hysterical suspend-wake cycles. Now I just run shutdown and have benefits like: - if I wait on the platform and a train comes, I just close the lid and don't have to wait for wake up in the train - I can switch to the external LCD and turn off the internal LCD easily by putting a chip from an old CDROM over the lid sensor.
Some people whine that on OpenBSD nothing runs, but I think this is actually an advantage. This way the user is forced to work with the properly implemented things and doesn't have to waste time with crap. CL -- Kind regards, Guido Tschakert, SRC Security Research Consulting GmbH, Graurheindorfer Str. 149 a, 53117 Bonn, Tel: +49-228-2806-138, Fax: +49-228-2806-199, Mob: +49-160-3671422, http://www.src-gmbh.de
Re: D-Link DUB-E100 new Revision does not work
Jonathan Gray wrote: **snip** Hello, here is what I've done: installed OpenBSD, put src.tar.gz on it, made a cvs update. A snapshot would have been easier for this bit. Applied the diffs (by hand, as it was just a few lines and I didn't find the right way to do this with patch/cvs, maybe someone can tell me). Get -current src via cvs; cd /usr/src/sys/dev/usb; patch -p0 < /path/to/patch. Rebuilt the kernel, booted the system, rebuilt userland, booted the system. Now I have done -current for the first time in my life ;-) Then I attached the USB device and got the following kernel message: axe0 at uhub3 port 1 configuration 1 interface 0 axe0: D-Link DUB-E100 rev B1, rev 2.00/0.01, addr 2, AX88772, address 00:80:c8:38:64:3f rlphy1 at axe0 phy 3: IP101 10/100 PHY, rev. 4 Looks good, but after configuring the network I wasn't able to send/receive packets over the device. The only thing I could see with tcpdump (while pinging another computer) was the ARP request, nothing more. With Windows the device works as it should *sigh*. If there is another patch/diff I should try, please let me know. Are you sure you don't have another default route active? Perhaps try to set an IP address, run tcpdump on the machine with the axe(4), and ping it from another computer. Do you see anything then? Hello Jonathan, I have now started from scratch: installed the latest snapshot and src.tar.gz, updated the sources via cvs, patched your diffs with the patch command and built a new kernel. Everything works fine and with no problems. As before, the device is recognized and can be configured but did not send or receive data. Yes, I double-checked the network connection (direct connection to another box, so no other network device like router or switch (which I tried also before) is interfering). As said before, if you have another patch or need some other information please tell me. guido
Re: D-Link DUB-E100 new Revision does not work
Jonathan Gray wrote: On Thu, Jul 06, 2006 at 04:14:12PM +0200, Guido Tschakert wrote: Guido Tschakert wrote: Hello, don't know if this is the right place, but I post it anyway. I bought a D-Link DUB-E100 which should work on OpenBSD according to the website. But it doesn't. Our lovely vendor D-Link changed the chipset and called it H/W Ver.:B1. Here comes the part of the dmesg: ugen0 at uhub4 port 4 ugen0: vendor 0x07d1 product 0x3c05, rev 2.00/0.01, addr 2 Maybe the info on http://www.openbsd.org/i386.html#hardware should be changed to D-Link DUB-E100 (Revision A) or something like that. Btw, I don't need this thing to work on OpenBSD but I plug every piece of hardware into one of our OpenBSD boxes to check if it works ;-) If I can give you more info, please let me know. At this time I try to open the case of the adapter, hoping to see a label with the name of the chipset. guido PS: also on Linux, which should support the old DUB-E100, the new one doesn't work. A colleague has opened this box, the chipset is AX88772 LF. (The old one had AX88172.) Hope that anyone can use this information. guido Please try this diff: Index: usbdevs === RCS file: /cvs/src/sys/dev/usb/usbdevs,v retrieving revision 1.204 diff -u -p -r1.204 usbdevs --- usbdevs 27 Jun 2006 09:19:09 - 1.204 +++ usbdevs 6 Jul 2006 15:52:11 - @@ -903,6 +903,7 @@ product DLINK DWL120F 0x3702 DWL-120 re product DLINK RT2570 0x3c00 RT2570 product DLINK2 DWLG122C1 0x3c03 DWL-G122 rev C1 product DLINK2 WUA1340 0x3c04 WUA-1340 +product DLINK2 DUBE100B1 0x3c05 DUB-E100 rev B1 product DLINK DSB650C0x4000 10Mbps ethernet product DLINK DSB650TX1 0x4001 10/100 ethernet product DLINK DSB650TX 0x4002 10/100 ethernet Index: usbdevs.h === RCS file: /cvs/src/sys/dev/usb/usbdevs.h,v retrieving revision 1.208 diff -u -p -r1.208 usbdevs.h --- usbdevs.h 27 Jun 2006 09:19:58 - 1.208 +++ usbdevs.h 6 Jul 2006 15:52:19 - 
@@ -1,4 +1,4 @@ -/* $OpenBSD: usbdevs.h,v 1.208 2006/06/27 09:19:58 jsg Exp $ */ +/* $OpenBSD$ */ /* * THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT. @@ -910,6 +910,7 @@ #define USB_PRODUCT_DLINK_RT25700x3c00 /* RT2570 */ #define USB_PRODUCT_DLINK2_DWLG122C10x3c03 /* DWL-G122 rev C1 */ #define USB_PRODUCT_DLINK2_WUA1340 0x3c04 /* WUA-1340 */ +#define USB_PRODUCT_DLINK2_DUBE100B10x3c05 /* DUB-E100 rev B1 */ #define USB_PRODUCT_DLINK_DSB650C 0x4000 /* 10Mbps ethernet */ #define USB_PRODUCT_DLINK_DSB650TX1 0x4001 /* 10/100 ethernet */ #define USB_PRODUCT_DLINK_DSB650TX 0x4002 /* 10/100 ethernet */ Index: usbdevs_data.h === RCS file: /cvs/src/sys/dev/usb/usbdevs_data.h,v retrieving revision 1.208 diff -u -p -r1.208 usbdevs_data.h --- usbdevs_data.h27 Jun 2006 09:19:58 - 1.208 +++ usbdevs_data.h6 Jul 2006 15:52:28 - @@ -1,4 +1,4 @@ -/* $OpenBSD: usbdevs_data.h,v 1.208 2006/06/27 09:19:58 jsg Exp $ */ +/* $OpenBSD$ */ /* * THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT. @@ -1041,6 +1041,10 @@ const struct usb_known_product usb_known { USB_VENDOR_DLINK2, USB_PRODUCT_DLINK2_WUA1340, WUA-1340, + }, + { + USB_VENDOR_DLINK2, USB_PRODUCT_DLINK2_DUBE100B1, + DUB-E100 rev B1, }, { USB_VENDOR_DLINK, USB_PRODUCT_DLINK_DSB650C, Index: if_axe.c === RCS file: /cvs/src/sys/dev/usb/if_axe.c,v retrieving revision 1.53 diff -u -p -r1.53 if_axe.c --- if_axe.c 23 Jun 2006 06:27:11 - 1.53 +++ if_axe.c 6 Jul 2006 15:52:29 - 
@@ -160,6 +160,7 @@ Static const struct axe_type axe_devs[] { { USB_VENDOR_CISCOLINKSYS, USB_PRODUCT_CISCOLINKSYS_USB200MV2}, AX772 }, { { USB_VENDOR_COREGA, USB_PRODUCT_COREGA_FETHER_USB2_TX }, 0}, { { USB_VENDOR_DLINK, USB_PRODUCT_DLINK_DUBE100}, 0 }, + { { USB_VENDOR_DLINK2, USB_PRODUCT_DLINK2_DUBE100B1}, AX772 }, { { USB_VENDOR_GOODWAY, USB_PRODUCT_GOODWAY_GWUSB2E}, 0 }, { { USB_VENDOR_JVC, USB_PRODUCT_JVC_MP_PRX1}, 0 }, { { USB_VENDOR_LINKSYS2, USB_PRODUCT_LINKSYS2_USB200M}, 0 }, Ok, I will try that out next week (today there is not so much time and at home I have no testing machine and btw, as I wrote I'm not in that hurry). To be honest I never worked with cvs and at this moment I don't know how to patch this diff to the source tree, but I will find out. thanks guido
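Review bot: the new axe_devs entry in the if_axe.c hunk is keyed on USB_VENDOR_DLINK2, but the dmesg quoted earlier in this thread reports the adapter as vendor 0x07d1 product 0x3c05, and the diff only defines the product id 0x3c05 under DLINK2 without showing what DLINK2 resolves to; please confirm that USB_VENDOR_DLINK2 is 0x07d1 (the existing DUBE100 entry sits under USB_VENDOR_DLINK, so the two vendor ids differ), otherwise the entry will never match and the device keeps attaching as ugen. The AX772 flag on the entry agrees with the AX88772 LF chip the reporter found on the board, but note that the follow-up test in this thread has the device attaching as axe0 with AX88772 and still passing nothing beyond ARP requests, so the id entries alone do not resolve the report.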
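Review bot: the usbdevs.h and usbdevs_data.h hunks edit files whose own header says THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT, and both hunks reset the RCS id line to a bare $OpenBSD$; these two files should be regenerated from the edited usbdevs rather than patched, so whoever commits this needs only the usbdevs and if_axe.c hunks plus a regeneration step, and someone applying the diff by hand (as the reporter says he did) should expect the header hunks to conflict with whatever $OpenBSD$ id their checkout carries.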
Re: D-Link DUB-E100 new Revision does not work
Jonathan Gray wrote:

On Thu, Jul 06, 2006 at 04:14:12PM +0200, Guido Tschakert wrote:

Guido Tschakert wrote:

Hello,

don't know if this is the right place, but I post it anyway. I bought a D-Link DUB-E100 which should work on OpenBSD according to the web site. But it doesn't. Our lovely vendor D-Link changed the chipset and called it H/W Ver.:B1. Here comes the part of the dmesg:

ugen0 at uhub4 port 4
ugen0: vendor 0x07d1 product 0x3c05, rev 2.00/0.01, addr 2

Maybe the info on http://www.openbsd.org/i386.html#hardware should be changed to D-Link DUB-E100 (Revision A) or something like that. Btw, I don't need this thing to work on OpenBSD but I plug every piece of hardware into one of our OpenBSD boxes to check if it works ;-) If I can give you more info, please let me know. At this time I try to open the case of the adapter, hoping to see a label with the name of the chipset.

guido

PS: also on Linux, which should support the old DUB-E100, the new one doesn't work.

A colleague has opened this box; the chipset is AX88772 LF. (The old one had AX88172.) Hope that anyone can use this information.

guido

Please try this diff:

Index: usbdevs === RCS file: /cvs/src/sys/dev/usb/usbdevs,v retrieving revision 1.204 diff -u -p -r1.204 usbdevs --- usbdevs 27 Jun 2006 09:19:09 - 1.204 +++ usbdevs 6 Jul 2006 15:52:11 - @@ -903,6 +903,7 @@ product DLINK DWL120F 0x3702 DWL-120 re product DLINK RT2570 0x3c00 RT2570 product DLINK2 DWLG122C1 0x3c03 DWL-G122 rev C1 product DLINK2 WUA1340 0x3c04 WUA-1340 +product DLINK2 DUBE100B1 0x3c05 DUB-E100 rev B1 product DLINK DSB650C0x4000 10Mbps ethernet product DLINK DSB650TX1 0x4001 10/100 ethernet product DLINK DSB650TX 0x4002 10/100 ethernet Index: usbdevs.h === RCS file: /cvs/src/sys/dev/usb/usbdevs.h,v retrieving revision 1.208 diff -u -p -r1.208 usbdevs.h --- usbdevs.h 27 Jun 2006 09:19:58 - 1.208 +++ usbdevs.h 6 Jul 2006 15:52:19 -
@@ -1,4 +1,4 @@ -/* $OpenBSD: usbdevs.h,v 1.208 2006/06/27 09:19:58 jsg Exp $ */ +/* $OpenBSD$ */ /* * THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT. @@ -910,6 +910,7 @@ #define USB_PRODUCT_DLINK_RT25700x3c00 /* RT2570 */ #define USB_PRODUCT_DLINK2_DWLG122C10x3c03 /* DWL-G122 rev C1 */ #define USB_PRODUCT_DLINK2_WUA1340 0x3c04 /* WUA-1340 */ +#define USB_PRODUCT_DLINK2_DUBE100B10x3c05 /* DUB-E100 rev B1 */ #define USB_PRODUCT_DLINK_DSB650C 0x4000 /* 10Mbps ethernet */ #define USB_PRODUCT_DLINK_DSB650TX1 0x4001 /* 10/100 ethernet */ #define USB_PRODUCT_DLINK_DSB650TX 0x4002 /* 10/100 ethernet */ Index: usbdevs_data.h === RCS file: /cvs/src/sys/dev/usb/usbdevs_data.h,v retrieving revision 1.208 diff -u -p -r1.208 usbdevs_data.h --- usbdevs_data.h27 Jun 2006 09:19:58 - 1.208 +++ usbdevs_data.h6 Jul 2006 15:52:28 - @@ -1,4 +1,4 @@ -/* $OpenBSD: usbdevs_data.h,v 1.208 2006/06/27 09:19:58 jsg Exp $ */ +/* $OpenBSD$ */ /* * THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT. @@ -1041,6 +1041,10 @@ const struct usb_known_product usb_known { USB_VENDOR_DLINK2, USB_PRODUCT_DLINK2_WUA1340, WUA-1340, + }, + { + USB_VENDOR_DLINK2, USB_PRODUCT_DLINK2_DUBE100B1, + DUB-E100 rev B1, }, { USB_VENDOR_DLINK, USB_PRODUCT_DLINK_DSB650C, Index: if_axe.c === RCS file: /cvs/src/sys/dev/usb/if_axe.c,v retrieving revision 1.53 diff -u -p -r1.53 if_axe.c --- if_axe.c 23 Jun 2006 06:27:11 - 1.53 +++ if_axe.c 6 Jul 2006 15:52:29 - 
@@ -160,6 +160,7 @@ Static const struct axe_type axe_devs[] { { USB_VENDOR_CISCOLINKSYS, USB_PRODUCT_CISCOLINKSYS_USB200MV2}, AX772 }, { { USB_VENDOR_COREGA, USB_PRODUCT_COREGA_FETHER_USB2_TX }, 0}, { { USB_VENDOR_DLINK, USB_PRODUCT_DLINK_DUBE100}, 0 }, + { { USB_VENDOR_DLINK2, USB_PRODUCT_DLINK2_DUBE100B1}, AX772 }, { { USB_VENDOR_GOODWAY, USB_PRODUCT_GOODWAY_GWUSB2E}, 0 }, { { USB_VENDOR_JVC, USB_PRODUCT_JVC_MP_PRX1}, 0 }, { { USB_VENDOR_LINKSYS2, USB_PRODUCT_LINKSYS2_USB200M}, 0 },

Hello,

here is what I've done:

installed an OpenBSD
put src.tar.gz on it
made a cvs update
applied the diffs (by hand, as it were just a few lines and I didn't find the right way to do this with patch/cvs, maybe someone can tell me)
rebuilt the kernel
booted the system
rebuilt userland
booted the system

now I have done -current for the first
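Review bot: the DLINK2 vendor id is not visible in the usbdevs hunk, so a tester should confirm that usbdevs already defines vendor DLINK2 as 0x07d1, the vendor in the reported dmesg line, before reading a non-attach as a failure of the diff; product 0x3c05 in the new usbdevs line does match that dmesg line, and the AX772 flag on the new if_axe.c row is consistent with the AX88772 LF chip found on the board and with the USB200MV2 row two lines above it.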
Re: Kernel pppoe (and the german ISP Hansenet)
[EMAIL PROTECTED] wrote:

Hello everybody,

Lately I switched to a new ISP in Germany which provides much more bandwidth (~18Mbit) than my old ISP (~2Mbit). Until now I use pppd and not the kernel pppoe. I read somewhere that the kernel pppoe may be better with such fast connections, so I tried to configure it. I set up a hostname.pppoe0 and I also got a connection, but it seems that the routing does not work.

pppoedev xl1
!/sbin/ifconfig xl1 up
!/usr/sbin/spppcontrol \$if myauthproto=pap myauthname=MYTEL \
myauthkey=MYPASS
!/sbin/ifconfig \$if inet 0.0.0.0 0.0.0.1 netmask 0x
!/sbin/route add default 0.0.0.1
up

The box where I tried to set up the kernel pppoe is a router. Devices: ath0 (wlan), xl0 (lan), xl1 (for external). And yes, packet forwarding is enabled *otherwise I wouldn't be here* ;-) I'm sure I made a mistake somewhere but don't get it yet (it's pretty hot here too :)) so I would be happy for any suggestions.

Thanks :)
Kind regards,
Sebastian

Have you tried setting the mtu of your pppoe device like

!/sbin/ifconfig xl1 up mtu 1454

guido
D-Link DUB-E100 new Revision does not work
Hello,

don't know if this is the right place, but I post it anyway. I bought a D-Link DUB-E100 which should work on OpenBSD according to the web site. But it doesn't. Our lovely vendor D-Link changed the chipset and called it H/W Ver.:B1. Here comes the part of the dmesg:

ugen0 at uhub4 port 4
ugen0: vendor 0x07d1 product 0x3c05, rev 2.00/0.01, addr 2

Maybe the info on http://www.openbsd.org/i386.html#hardware should be changed to D-Link DUB-E100 (Revision A) or something like that.

Btw, I don't need this thing to work on OpenBSD but I plug every piece of hardware into one of our OpenBSD boxes to check if it works ;-)

If I can give you more info, please let me know. At this time I try to open the case of the adapter, hoping to see a label with the name of the chipset.

guido

PS: also on Linux, which should support the old DUB-E100, the new one doesn't work.
Re: Configuring pppoe during installation?
Michael Lechtermann wrote:

Falk Husemann wrote:

No doubt my name is anyone. I'd be angry. It's not about hitting Return one more time, it's integrating something new into the installation floppy. And you REALLY don't want to drop floppy installation support or favor CDs.

If you had actually read what I have written you would know that I suggested to add it as a special feature for the CDs you can buy (and only to them); the other stuff stays the way it is. Maybe that would get more people to buy the CD, since they get a little bit more usability. It's simply a marketing idea to give a little more support or features (like the included install sets) to the CDs you buy.

No no no, then we have to add all the other network stuff as mentioned before. You surely do not want to say no to dozens of network questions (and maybe a lot of other stuff). This would make sense if you have any kind of graphical installer like many Linux distros have, but the OpenBSD installer is just straightforward to get a minimal running system, which you configure afterwards. One power of OpenBSD is that you can configure everything with a text editor as the interface to your configuration. You do not need any awkward program to configure anything. And during installation you are always allowed to change to a shell and use vi to edit your config files.

guido
Re: Reading a file that is been written make the system freeze?
Federico Giannici wrote:

Matthias Kilian wrote:

On Tue, Jun 20, 2006 at 10:59:58AM +0200, Federico Giannici wrote:
[...]
The PC freezes (but only occasionally) during dumps of the entire filesystem, using the system dump program. The dump is done while the system is in use, so files may change during the dump.

Yesterday another PC froze! I noticed that it occurred just at the time that a copy of a directory was done, this time by means of the tar program. This time too the backed-up files were in use and probably written.

What else is running? What's mounted?

ps: as somebody else wrote, fishy power supplies are a common (and hard to debug) cause of failure, too.

As many suggested, I replaced the power supply with a big and expensive one. It just crashed again! At the first backup (it usually crashes every 3-4 times). So, now we have changed every piece of hardware. And remember that a second PC froze too, just during a backup of a directory. So I continue to suspect that it's a software problem related to high disk/io usage, and maybe with concurrent reads and writes. Here is the dmesg. Thanks.

OpenBSD 3.9-current (GENERIC) #591: Sat Jun 17 00:52:05 MDT 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 2146758656 (2096444K)
avail mem = 1835319296 (1792304K)
using 22937 buffers containing 214884352 bytes (209848K) of memory
mainbus0 (root)
--snip--
dkcsum: sd0 matches BIOS drive 0x80
root on sd0a
rootdev=0x400 rrootdev=0xd00 rawdev=0xd02

Hmm, the problem doesn't have to be in software. I have an example of freezing: I have a box working as a bridge which froze on high traffic. I replaced all of the hardware, upgraded the software and it still freezes. After a lot more testing I found my problem: the system freezes only if it is connected to a Cisco Catalyst with a stge network card and fiber optic cable. Using a fxp card and twisted pair cable solved the problem - no more freezes.

Since you talk of backup, do you backup to another machine in your LAN? Have you tried to use another network card (with another chip) or another switch?

guido
Re: Clock Drift - VMWare
Adrian Close wrote:

On Tue, 20 Jun 2006, Justin Blackmore wrote:

I'm running several OpenBSD 3.9 VMs on a GSX server and the clocks on the OBSD VMs drift pretty bad, the real time host hardware clock is

How much drift? The guest hardware clock generally won't be stable enough for NTP to keep things in sync (it might look like it's OK for a bit, but it won't be).

Hello,

I had the same problem with GSX Server and a Linux guest, about 3 hours in one day. (After stopping the java process from the developers, the drift was only some minutes in a day :-) But the developers need their crappy java stuff ;-) ).

You might be able to use the Linux vmware-guestd tool (I haven't tried on OpenBSD), which will sync the time to the host hardware if you ask it (but you need X11 to config that, from memory).

I installed the vmware tools, don't have X running and started the vmware tools from another machine by ssh -X [EMAIL PROTECTED] vmware-tools. Don't know if the vmware-tools work on OpenBSD (with Linux or FreeBSD emul) but you don't need X on the OpenBSD client; just a ssh connection and X forwarding will help you to open the vmware-toolbox (if it runs on OpenBSD, which I don't believe by now, but I am very interested if it works :-) ). Maybe you need tcl/tk. I also had a look through the vmware dirs on my machine but didn't find where vmware-tools stores whether to synchronize time with the host or not.

I once had a GSX setup where guest hardware clocks typically ran at 1/3 - 1/10th of realtime, and sped up when the guest OS was eating lots of CPU, but that doesn't sound like what you have...

Adrian Close                  email: [EMAIL PROTECTED]
107 Essex St, Pascoe Vale     web: http://www.close.wattle.id.au/~adrian
VIC, 3044, Australia          mobile: +61 417 346 094

thanks
guido
Re: release email in amavis temp
sonjaya wrote:

Some email detected as spam is also important email, so how do I restore email in /var/virusmail/xxx, because that email is important. Also, does anybody have some tips to make amavisd-new in OpenBSD 3.9 work faster, because there is a lot of delay when sending and receiving with attachments.

my regards

Hello,

amavis works much faster if its tempdir is mounted on a ramdisk. (But at this moment I don't know how to configure a ramdisk with OpenBSD; surely google will know.)

guido
Re: encrypting Bridge freezes
Stuart Henderson wrote:

On 2006/05/18 10:06, Guido Tschakert wrote:

I also ran a memory test over a weekend with the only result that the memory seems to be ok. What else could freeze an OpenBSD box?

Other hardware problems can occur that memtest won't show. Some are fixable (e.g. poor cooling), others can be due to failed components (cpu, motherboard, memory, PCI cards, ..). Try some 'make build', maybe run 'stress' from packages at the same time. This won't tell you for sure that everything is good, but if it fails here too you know there's likely to be some hardware problem.

Ok, I'll try it out. BTW in the last hours I had a kernel message because of keyboard problems (pckbc: command timeout) and some messages of too many DMA segments (stge0: Tx packet consumes too many DMA segments, dropping...). I think I have a mobo problem; in the next days my dealer will bring a new board and we will see.

thanks
guido
Re: DVD burning, cdrloots, dvdrtools, dvd+rw_tools on OpenBSD-3.8
Jacob Meuser wrote:

On Fri, Feb 03, 2006 at 10:35:16AM +0100, Guido Tschakert wrote:

Jacob Meuser wrote:

On Fri, Feb 03, 2006 at 12:04:20PM +0500, Dmitry Slobodchikov wrote:

Growisofs doesn't work either, neither with -Z nor -M arguments.

/home/zoosman-dvd+rw-format -blank /dev/dvd
* DVDRW/-RAM format utility by [EMAIL PROTECTED], version 4.10.
:-( unable to open(/dev/dvd): Invalid argument

or

/home/zoosman-dvd+rw-mediainfo /dev/dvd
/dev/dvd: unable to open: Invalid argument

what is /dev/dvd? you should use /dev/rcd0c or /dev/rcd1c.

Hello,

/dev/dvd is the appropriate device name under linux.

maybe some distros set that up for you. there is nothing stopping a user from doing:

# ln -s /dev/rcd1c /dev/dvd

Hello,

ok, you're right. I thought there was a config file for dvd+rw-tools which contains the name of the device to use. (next time I do: reading, thinking, writing ;-) and not just writing) And /dev/dvd is actually not the device name under linux but a convenience which also can be used under OpenBSD.

guido
Re: DVD burning, cdrloots, dvdrtools, dvd+rw_tools on OpenBSD-3.8
Jacob Meuser wrote:

On Fri, Feb 03, 2006 at 12:04:20PM +0500, Dmitry Slobodchikov wrote:

Growisofs doesn't work either, neither with -Z nor -M arguments.

/home/zoosman-dvd+rw-format -blank /dev/dvd
* DVDRW/-RAM format utility by [EMAIL PROTECTED], version 4.10.
:-( unable to open(/dev/dvd): Invalid argument

or

/home/zoosman-dvd+rw-mediainfo /dev/dvd
/dev/dvd: unable to open: Invalid argument

what is /dev/dvd? you should use /dev/rcd0c or /dev/rcd1c.

Hello,

/dev/dvd is the appropriate device name under linux.

BTW: Wouldn't it be good if the maintainer of a port/package had a look at the differences of the config files between the systems? You will never see the device /dev/dvd on OpenBSD, so changing the device directly in the port/package to /dev/rcd0c as default would be a good idea in my opinion. (I think a maintainer maintains some port because he uses it, so he/she has to change the config; why not put it directly in the port.)

guido
Re: Does iocharset option be supported in OpenBSD mount?
Armand Chen wrote:

Hi all :-)

After I switched to OpenBSD, there is still some data in my old NTFS partition. I've built the NTFS support into the kernel, and successfully mounted the NTFS partition. The problem is, some filenames of the data are encoded in something other than ISO8859-1. In other UNIX-like systems, I could use a savior option like this:

mount -t ntfs -r -o iocharset=ENCODING /dev/DEVICEPARTITION /mnt

But iocharset seems not to be supported in OpenBSD, because the system told me:

mount_ntfs: -o iocharset: option not supported

Is this option unsupported, or are there some tweaks which I don't know? Thx you guys and hope there would be someone to give me some hints :-)

Hi,

don't know if there's a port for OpenBSD but the tool convmv does exactly what you want: convert filenames from one encoding to another encoding.

guido
Re: Connect a Zaurus 3100 to a VGA monitor/projector
Zoong PHAM wrote:

Does anyone know if a Zaurus 3100 can work with any VGA monitor/projector? And where can I buy a VGA adapter for Zaurus 3100?

Thanks,
Zoong

Hello,

maybe have a look here http://www.trisoft.de/zxgacf.htm (sorry, it's German) and here: http://www.iodata.com/manuals/CFXGA/e_manual.html

But I dunno if it works under OpenBSD because I have no Zaurus 3100 and my girlfriend will kill me if I buy one just for fun ;-)

guido
Re: OT: Quad Ethernet cards feedback on OpenBSD
Daniel Ouellet wrote:

Sorry for this off topic question. Looking at the archive, SK (Henning loves them! (;) is what looks like the best Ethernet card to use, a few months ago anyway. The network cards are changing so quickly that what was true 6 months ago may well not be today. For quad, can someone confirm, deny or offer an alternative known to work well before I get 12 of them. Hopefully I may be able to fit them into the Sun X2100, but will see. Also, any issue to run a minimum of 100 VLANs on them? I didn't see issues in the archive, so I take it as being no problem! I don't think of any. Any other suggestions are also welcome. I am more concerned at the efficiency of the cards as they will be routing and supporting many VLANs and PF will in some of the setups use individual VLAN firewall configurations, up to 125 in one case. Will see if I can make that work well, not sure of my possible success, but will see... Thanks for your time.

Hello,

the D-Link card DFE-580TX works under OpenBSD, but its greatest advantage is that it is cheap (around 100 Euro in Germany). Don't expect too much performance. They are useful if you have to connect a lot of networks (with small traffic) and have not enough PCI slots and money ;-) I think you need something with better performance for your setup.

guido
Re: su on 3.8 soekris
Andreas Mürdter wrote:

The command groups does not exist on the soekris box, but id does. This is the output after reboot.

---snip---
$ id admin
uid=1000(admin) gid=10(users) groups=10(users), 0(wheel)
$ su
Password:
Nov 9 16:23:26 sample su: BAD SU admin to root on /dev/tty00
Sorry
Nov 9 16:23:26 sample su: BAD SU admin to root on /dev/tty00
$
---snip---

-Andreas

Which password do you use? The password of admin or the password of root? Using su you need the password of root. Using sudo su (if you use sudo) you need the password of admin.

guido
[Fwd: Re: pf rules generation policy]
Kilaru Sambaiah wrote:

Hello All,

I am a Linux administrator and use iptables for firewalling. I use shorewall, where you only need to set up policy based on whether your box has one interface or two interfaces or three. Policy, zones, interfaces, rules: these are all I need to edit. Is there any such tool for PF? I am not looking at a GUI for generating rules.

Hello Sam,

fwbuilder is a GUI which vomits pf rules if you wish (and also iptables and some other kinds of firewalls). It's easy to use, but the result is not ever exactly what you want (therefore I used "vomit"). It's nice to see what it produces with iptables and then what it produces with pf (at this point it can help you to see the differences between iptables rules and pf rules), but mostly it is better to edit pf.conf directly. So you know exactly what your firewall rulez do. And btw: pf rules are much more readable than a set of iptables commands. So give it a try.

thanks, Sam
guido
Re: How to lock a user in his home.
Leonardo Marques wrote:

Hello people,

I want to know how to lock a user in his home; he cannot see any other directory, just his home. Can someone tell me how I can do this?

Thanks for attention,
[]s
--
Leonardo Marques
http://www.analyx.org
--

Hmm, if you lock your user in his home, he cannot access directories and files like /bin /usr/bin /dev/null and many others. This will prevent him from doing almost anything (like ls, vi ...). If you want your user not to access directories of other users, have a look at chmod, chown, chgrp.

guido
Re: firewall products
Florian wrote:

ok, squid, but what about POP and SMTP?

Hmm, a proxy for SMTP? What about sendmail, postfix, qmail, etc? Almost every MTA should work as an SMTP proxy (i.e. is an SMTP proxy).

A proxy for POP? Never used one of them, but have you looked at balance-2.33.tgz, nylon-1.2.tgz, proxy-suite-1.9.tgz and pop3gwd-1.2.tgz? (I just looked at the packages for TCP proxies and found the above.) Install them on a test system, read the manuals and have a look at google.

guido
Re: Migration to PF - some questions
Hello

On 8 Sep 2005, at 13:55, Stephan A. Rickauer wrote:

Thanks to the kind help on this list, my test firewall successfully runs OpenBSD 3.7 and is basically configured. I now need to think about migrating my existing netfilter rule set to pf and would like to ask also some general questions to understand the concept(s) sufficiently. If I understand correctly, pf has no 'forward' chain like netfilter (which is probably by design). I have to admit I've found it pretty handy to use forward chains since one does not have to specify IN and OUT rules separately. But I don't want to argue about that. The simple question is: Does that mean a netfilter forward rule needs to be replaced by two pf rules (in general)?

Does rdr not provide forward-like functionality in pf? Or is it that you want to filter rdr'd connections?

No, I think he doesn't speak of redirections. What he means are packets which travel through the firewall but aren't from or for the firewall. Yes, you have to define rules for incoming and for outgoing packets (just like it was in ipchains, but there you also had to define rules for forward), but pf is stateful! If you use

pass in on $int from $net to $internet keep state

then the packet is known when it leaves on $ext and you don't need another rule there.

Btw (and that's just my 2 cents) I worked 5 years with ipchains/iptables and started some months ago with pf and I must say I like it; it's easier to understand, simpler to debug and I like the idea of not having a forward chain: packets just come in and go out. And the logging, the logging is absolutely cool. Nothing else than sniffing on an interface.

guido
Re: snmp support
Joco Salvatti wrote:

Hi all,

I have a firewall with a

xl0 at pci0 dev 9 function 0 3Com 3c905 100Base-TX rev 0x00: irq 11, address 00:60:97:d3:77:85

network interface card, and I'd like to know how to activate SNMP under my OpenBSD system to capture the information and generate the input to MRTG.

Thanks

What about pkg_add net-snmp and then have a look in the manuals (starting with apropos snmp or man -k snmp)?

guido
Re: Problems with pf+nat+some websites
Jonathan Schleifer wrote:

I don't see where you set the MTU/MSS? Are you sure you have set them somewhere else? eBay is known to have problems with bad/wrong MTU/MSS. Try adding

scrub out on $ext_if max-mss 1414

to your pf.conf and adding -mtu 1454 to the route. Also take a look at pppoe(4) [*NOT* pppoe(8)!], section MTU/MSS ISSUES.

Hello Jonathan,

nice try, but I don't use pppoe. We have a DSL router from our provider and, as I mentioned before, we had no problems with the cisco router doing the firewall job (NAT).

guido
Re: Problems with pf+nat+some websites
Nick Holland wrote:

Guido Tschakert wrote:

Jonathan Schleifer wrote:

I don't see where you set the MTU/MSS? Are you sure you have set them somewhere else? eBay is known to have problems with bad/wrong MTU/MSS. Try adding

scrub out on $ext_if max-mss 1414

to your pf.conf and adding -mtu 1454 to the route. Also take a look at pppoe(4) [*NOT* pppoe(8)!], section MTU/MSS ISSUES.

Hello Jonathan,

nice try, but I don't use pppoe. We have a DSL router from our provider and, as I mentioned before, we had no problems with the cisco router doing the firewall job (NAT).

so, yes you DO use PPPoE. DSL systems VERY often have a smaller-than-possible MTU. This often causes problems much like you describe.

Ok, the DSL router of my provider uses PPPoE. But please tell me why I should set the mtu on the OpenBSD router to something lower than 1500 when the cisco router I used before and now has set the mtu on its outgoing interface to 1500. (This router has 2 Ethernet interfaces and does nothing with pppoe.) Why can it deal with this problem and OpenBSD not? BTW, this morning I tried the suggestions from Jonathan and it didn't work :-( As I mentioned in another thread (ok, it was stupid to fork the thread) there is another problem with malformed packets and reassemble tcp, and all other scrub rules I tried didn't work.

Just set it in your hostname.if file. Google for simple ping tests to find the maximum MTU you can use in your precise case... and see if setting the firewall accordingly solves your problem.

Nick.

--
Kind regards,
Guido Tschakert
Re: Problems with pf+nat+some websites
Guido Tschakert wrote:

Ok, after digging in the archives I found the thread "pf reassemble tcp problem in latest snapshot?" and it seems there is no real solution for this problem in OpenBSD/pf.

provocation on
I found that somewhat poor, because with Cisco IOS and Linux iptables this problem doesn't exist and there are no problems to reach these sites with NAT.
provocation off

Hello,

I have problems to load some websites (e.g. www.hit.de, www.lidl.de, www.ebay.de, www.ebay.com). They are very slow if they show up. I have this problem since this morning, when I changed our old cisco router with our new OpenBSD firewall. Other sites load normally. Here is the network:

$srcnetopenbsd-box--$src_ext | ---internet

(the OpenBSD box has a regular IP address and an alias from Class B $src_ext, therefore there is the exclusion in nat. Yes I know this looks evil, but I have some more firewalls in $src-net :-)

thanks
guido
Re: NAT doesn't appear to work for some websites
Matt Garman wrote:

I have a number of websites that I cannot load from machines connected to the 'net through my OpenBSD firewall/NAT box. One such site is directron.com. Using Mozilla Firefox, it will just say "Waiting for directron.com..." but the page never loads. There are several other pages I've tried to load with the same result. On the other hand, some pages load fine (such as openbsd.org). However, if I login to the firewall (the OpenBSD box), I can use links to connect to these sites without any problem. I'm guessing that this has something to do with redirects on the target website. I'm pretty sure that directron.com is actually an alias for some other URL. I'm thinking that the pf ruleset on the OBSD box is not allowing this. I'm using the pf example from the OpenBSD FAQ: http://openbsd.org/faq/pf/example1.html Has anyone else seen this before?

Thanks for any suggestions,
Matt

Hello,

just an idea: are you connected to the internet via pppoe (DSL)? There is a well-known problem with mtu/mss (1500/1460 vs. 1492/1452). You can use scrub in your pf.conf to solve it, something like

scrub out on ppp0 all max-mss 1452

--
Kind regards,
Guido Tschakert

SRC Security Research Consulting GmbH
Graurheindorfer Str. 149 a        Tel: +49-228-2806-138
53117 Bonn                        Fax: +49-228-2806-199
http://www.src-gmbh.de            Mob: +49-160-3671422
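The "simple ping tests" Nick suggests and the 1500/1460 vs. 1492/1452 arithmetic above, as an added script that is not part of any post in this thread: it assumes OpenBSD ping(8) (-D sets Don't Fragment, -s the ICMP payload size, -c the count, -w the seconds to wait), binary-searches the largest payload that gets through with DF set, and turns the resulting path MTU into the max-mss value for the scrub rule; the function and interface names are my own.

```shell
#!/bin/sh
# Added example (not from any post in this thread): find the largest ICMP
# payload that passes with the DF bit set and derive the pf max-mss value.
# Assumes OpenBSD ping(8): -D sets Don't Fragment, -s the payload size,
# -c the count, -w the seconds to wait for a reply.

IP_HDR=20     # IPv4 header
ICMP_HDR=8    # ICMP echo header
TCP_HDR=20    # TCP header without options

# probe_df HOST SIZE: succeeds when an echo with SIZE payload bytes and DF
# set is answered, fails when the path needs fragmentation or is down.
probe_df() {
    ping -D -c 1 -w 2 -s "$2" "$1" >/dev/null 2>&1
}

# max_payload PROBE LO HI: largest SIZE in [LO, HI] accepted by the shell
# function PROBE, found by binary search (sizes above the path MTU fail,
# sizes below it pass, so only the boundary has to be located).
max_payload() {
    _probe=$1; _lo=$2; _hi=$3; _best=0
    while [ "$_lo" -le "$_hi" ]; do
        _mid=$(( (_lo + _hi) / 2 ))
        if "$_probe" "$_mid"; then
            _best=$_mid; _lo=$(( _mid + 1 ))
        else
            _hi=$(( _mid - 1 ))
        fi
    done
    echo "$_best"
}

# ICMP payload -> link MTU, and MTU -> TCP MSS; the 1500/1460 and
# 1492/1452 pairs quoted in the thread are exactly these two formulas.
mtu_from_payload() { echo $(( $1 + ICMP_HDR + IP_HDR )); }
mss_from_mtu()     { echo $(( $1 - IP_HDR - TCP_HDR )); }

# scrub_rule IF MTU: the pf.conf line that clamps the MSS on interface IF.
scrub_rule() {
    echo "scrub out on $1 all max-mss $(mss_from_mtu "$2")"
}

# Usage: pmtu.sh HOST [EXT_IF]   (run on the firewall itself)
if [ $# -ge 1 ]; then
    target=$1; ext_if=${2:-pppoe0}      # pppoe0 is an assumed default name
    probe_target() { probe_df "$target" "$1"; }
    payload=$(max_payload probe_target 0 1472)   # 1472 = 1500 - 28
    if [ "$payload" -eq 0 ]; then
        echo "no DF echo to $target got through; check reachability" >&2
        exit 1
    fi
    mtu=$(mtu_from_payload "$payload")
    echo "largest DF payload: $payload bytes -> path MTU $mtu"
    echo "suggested pf.conf line: $(scrub_rule "$ext_if" "$mtu")"
fi
```

On a PPPoE link the probe should stop at a payload of 1464, i.e. an MTU of 1492 and the max-mss 1452 used in the rule above.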
IPSEC between OpenBSD (isakmpd) and Linux (FreeS/Wan)
Hello All,

I'm trying to build a VPN between an OpenBSD and a Linux router. (If I could, I would directly replace the Linux box to simplify matters ;-) but that's not possible at the moment :-( BTW: I want to use RSA-based authentication using x509 certificates. I have already built the CA and also created my certs.

I found the following page, but the config file for isakmpd is full of bugs (looks like a lot of copy and paste without re-editing :-) )
http://www.rommel.stw.uni-erlangen.de/~hshoexer/ipsec-howto/HOWTO.html

I want to ask you if one of you has already set up this sort of connection and is willing to give me some config files. (Or point me to some good documentation about inter-OS VPNs. I read a lot of docu but most of them deal with homogeneous networks.) Otherwise I will send my configs and error messages in the next days to the list :-D

And yes, I know openvpn is easy to set up, but I don't want to deal with the lower mss/mtu. (But on the other hand openvpn is my fallback solution.)

TIA
--
Kind regards,
Guido Tschakert