Re: OT: Building a DNS blackhole server

2011-10-20 Thread Kevin Wilcox
On 20 October 2011 04:21, carlopmart carlopm...@gmail.com wrote:

 https://secure.wikimedia.org/wikipedia/en/wiki/Comparison_of_DNS_blacklists

 But, what is your opinion about this table? What are the most reliable
 suppliers? Which of these lists is sure to be deployed in a production
 environment? I do not want to generate more false positives than necessary.

Is your intent to cut SPAM on your servers (the intent of the majority
of those) or are you looking to stop domain-based malware, like Zeus
and its kin, from being able to phone home? If the latter, I'd start
by looking for malware and botnet domains, and with the understanding
that it's only a small part of defence-in-depth.

kmw



Re: DNS lookups for hostnames in PF tables

2011-09-08 Thread Kevin Wilcox
On Thu, Sep 8, 2011 at 01:13, Theo de Raadt dera...@cvs.openbsd.org wrote:

 For example, is it possible to block a well-known social networking
 site which resolves to multiple IP addresses, using a PF table
 socialnet with just the hostname of the website?

 No. What you want is to expand to all of the addresses. Since
 addresses keep being added for such hostnames on the fly, it won't
 work.

Blocking those hosts by IP is highly impractical given the reasons you
noted, and I'll add that it's usually a *really* bad idea to block the
CDNs by IP unless Gerard also wants to block his users from
Microsoft's update service, support.dell.com and a few other big
names. Been there, done that, suffered the resulting black eye.

Gerard - if this is to meet some policy that you can't influence then
use Squid with wildcards on the domains, play tricks in DNS if you
need to, then hope your users aren't proxying connections via outside
connections - all they need is one arbitrary port open to one
arbitrary host and you can be completely blind to what they're doing.
If you *can* influence the policy, consider a default deny with
whitelisting for necessary destinations/ports.

kmw



Re: PF and States

2010-12-20 Thread Kevin Wilcox
On 19 December 2010 07:16, Henning Brauer lists-open...@bsws.de wrote:

 * Ryan McBride mcbr...@openbsd.org [2010-12-03 09:52]:

 More than 100,000. I haven't tested lately (planning to do so soon), but I
 would expect somewhere closer to 500,000.

 you're way off ;)
 I had 2 million during a DDoS. things got a bit slow but everything
 worked.

Henning - out of curiosity, what were the specs on that hardware?

My understanding was that pf won't use more than 1GB of RAM, which I
thought to equal about 1 million states, but I never verified that
information and now it's been so long I can't recall the source.

Obviously, my incorrectness probably exists on several levels here...

kmw



Re: Linux or OpenBSD

2010-09-22 Thread Kevin Wilcox
On 22 September 2010 15:29, Rikky Taylor rikkytay...@hotmail.co.uk wrote:

 I was after some general advice. I need to set up a routing firewall with 3
 interfaces, moderate traffic and a fair amount of NAT'ing in the rules.

Define "a fair amount of NAT'ing". Twenty machines in one class C,
multiple class B networks filled to capacity...?

Also, I would define "moderate traffic". To some here, multiple
gigabit links is moderate, to others moderate may be ten workstations
as general web/email clients.

 Given identical modern server hardware would I expect a performance difference
 between an OpenBSD/PF setup and a Linux/IPTables one?

Again, it depends on the number of clients, the hardware being used,
type of traffic, Linux distribution (Debian or Gentoo will typically
yield better performance out-of-the-box than RHEL, Ubuntu, CentOS,
etc) and various other factors.

Basically, more information is needed for an informed decision but the
answer will almost certainly be yes, you'll see a performance
difference and it will be in favour of OpenBSD + pf.

kmw



Re: os that rather uses the gpu?

2010-07-13 Thread Kevin Wilcox
On 13 July 2010 16:54, Jiri B. ji...@live.com wrote:

 On Tue, 13 Jul 2010 22:46:13 +0200
 Jozsi Avadkan jozsi.avad...@gmail.com wrote:

 Does someone know a distribution/operating system, that rather uses
 the GPU for working, not the CPU? [by default]

 Why are you asking on OpenBSD mailing list? OMG.

Probably for the same reason he asked on freebsd-questions earlier today.

Looks like he's casting a wide net to increase the likelihood of a catch.

kmw

-- 
A: Maybe because some people are too annoyed by top-posting.
Q: Why do I not get an answer to my question(s)?
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?



Re: OT, .. but has anyone seen a crontab editor

2010-02-19 Thread Kevin Wilcox
On 19 February 2010 11:21, L. V. Lammert l...@omnitec.net wrote:

 On Fri, 19 Feb 2010, Lars Nooden wrote:

 L. V. Lammert wrote:

  ... no way I'd saddle some of these
  guys with vi, much less setting the cron time parameters correctly.

 Then you are far, far better off not letting them anywhere near the
 server room if they are that unqualified.

 No, that isn't going to work. This isn't some elitist club - if we can't
 provide a simple, sane, safe way for a [privileged] user to push a backup
 image out to a DR server, then *we* have failed as technologists.

If *you* are letting underqualified users have privileged access to a
Unix machine then the failure here is *you*.

If *you* can't spend five minutes teaching your sys admins how to
use 'crontab -e' then the failure here is *you*.

If *you* are deploying an operating system that you don't have a
qualified admin to handle then the failure here is *you*.

It sounds to me like you don't have basic sys admin types, you have
a bunch of Microsoft folks that don't actually know anything about
system administration, they just know how to click okay. Teach them
how to use Unix, they'll be better off for it.

This isn't an OpenBSD or software issue (because the tools exist to
easily and safely edit cron, and to easily and safely backup your
system), this is a personnel issue - and if you can't be buggered to
teach your admins how to use the tools provided, you should probably
use a different system, just don't use Unix because the tools are
pretty standard.

kmw




Re: OT, .. but has anyone seen a crontab editor

2010-02-19 Thread Kevin Wilcox
On 19 February 2010 14:37, L. V. Lammert l...@omnitec.net wrote:

 On Fri, 19 Feb 2010, Kevin Wilcox wrote:

 If *you* are letting underqualified users have privileged access to a
 Unix machine then the failure here is *you*.

 Didn't say they had access to the **MACHINE** THAT'S THE WHOLE POINT FOR
 THE NCURSES QUESTION, if you had bothered to read the OP instead of
 bitching about what you THOUGHT it meant.

Lee -

if they don't have access to the machine then **why are you looking
for alternatives to crontab**?

If they don't have access to the machine then how in blazes are their
changes going to be useful other than as a text file on some random
machine that isn't the one they need to be active on?

Which is to say - I've read the entire thread so far and this is the
first time you've said they won't have access to the machine.

Instead of asking "what is an alternative to foo", you should come
out and say exactly what problem you need to solve, because as of this
post it has become a moving target.

kmw




Re: OT, .. but has anyone seen a crontab editor

2010-02-19 Thread Kevin Wilcox
On 19 February 2010 14:32, L. V. Lammert l...@omnitec.net wrote:

 On Fri, 19 Feb 2010, Johan Beisser wrote:

 What the hell is so hard about:

 If you have to ask what's so hard, it's too hard. The OP was about making
 the process **SIMPLE**, .. not complicated. Man pages are used to learn
 about a command, .. not a way to perform a specific command such as
 change the replication schedule to start at 8PM instead of 6PM.

Man pages typically have examples.

'man 5 crontab' gives me a full breakdown of the fields and allowed
values, and further down gives a couple of examples of entries with a
full description of what the examples do.

It's called learning and you are intentionally being difficult.

 While lines in a user crontab have five fixed fields plus a command
 in the form:

        minute hour day-of-month month day-of-week command
 [...]

 Yeah right. That isn't SIMPLE by any definition.

As I said, you're intentionally being difficult. That is really simple.

0  5  *  *   *   /usr/local/bin/backup.sh

Every day at 0500 run /usr/local/bin/backup.sh. How is that difficult
once you see the format?

 Being a UNIX Systems Admin means knowing your tools, and most
 importantly your toolkits. Cron is a tool, making it simpler for a
 new admin is doing you both a disservice in the long run.

 The question was about a way to provide a way to change a crontab entry
 for ***NON SYS ADMINS***.

No, the question was about an alternative to editing cron entries for
basic sys admin types, that's a far cry from non sys admins.

kmw




Re: OT, .. but has anyone seen a crontab editor

2010-02-19 Thread Kevin Wilcox
On 19 February 2010 16:14, L. V. Lammert l...@omnitec.net wrote:

 On Fri, 19 Feb 2010, Kevin Wilcox wrote:

 On 19 February 2010 14:37, L. V. Lammert l...@omnitec.net wrote:

  Didn't say they had access to the **MACHINE** THAT'S THE WHOLE POINT FOR
  THE NCURSES QUESTION, if you had bothered to read the OP instead of
  bitching about what you THOUGHT it meant.

 if they don't have access to the machine then **why are you looking
 for alternatives to crontab**?

 Changes to the actual machines will be pushed via ssh, .. but that's way
 too much detail for the level of the question I was asking.

This is the *exact* level of detail that's needed. You don't need an
alternative method of editing crontab, you need to be able to write
cron-compatible files and have those pulled into cron. That's a
*significant* difference.

Rather than reply to your next email via a separate one, I'll include
the responses below:

 No, you are not bothering to comprehend the question - these are *NOT*
 sysadmin types, .. and the procedure must be SIMPLE - open this nCurses
 application, check a different box, save and exit.

The question was about editing a crontab entry. The question you
originally asked was insufficient (and apparently the initial data you
supplied was incorrect). What it should have been was "I have a
machine that I'm going to let some folks look after and I want to let
some non sys-admin, non Unix folks change scheduled times for things
to run in cron but they won't have any access to the machine other
than via scp, is there a GUI that can write cron compatible output
that I can then push to that remote machine?"

For that matter, I find "edit this text file, change the 2 to a 5,
save it" to be simpler and more fool-proof, but "difficult" versus
"simple" is relative; recompiling my FreeBSD kernel for PAE support is
simple to me, telling someone how to clear their browser history and
cache in Internet Explorer would be a much more difficult, more time
consuming process.

 Remember, .. KISS rules.

Cron *is* simple. You give it a time, you give it a command, it does its job.

What you are trying to accomplish is completely separate from what you
asked about.

Now that you have provided some *necessary* information (the users
*don't* have access to the machine, their inability to edit cron is
not a skill issue but an access issue, et cetera), you might get a
meaningful answer from anyone you haven't already pissed off by being
difficult, being obstinate, being obdurate, failing to give the full
parameters of what you are trying to accomplish and trying to
back-track on what you said over the course of your own half-dozen or
so emails on the subject.

kmw

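The five-field format quoted earlier in this thread and the "write cron-compatible files and push them" approach above both want one check: validate generated lines before they reach crontab(1). The checker below is an added example, not code from any of the posts; it implements the numeric crontab(5) grammar ('*', N, N-M, comma lists, '/step' on '*' or a range) and, as an assumption to keep it short, does not accept month or weekday names.

```python
"""Validate a user crontab (five time fields plus a command per line) before
it is installed with crontab(1).  Numeric fields only: '*', N, N-M, comma
lists and '/step' on '*' or a range, per crontab(5); month/weekday names are
not accepted (an assumption made to keep the checker small)."""
import re

# Allowed (low, high) for each of the five fields, in crontab(5) order.
FIELD_RANGES = (
    ("minute", 0, 59),
    ("hour", 0, 23),
    ("day-of-month", 1, 31),
    ("month", 1, 12),
    ("day-of-week", 0, 7),  # 0 and 7 are both Sunday
)

# One comma-separated item: '*', N or N-M, optionally followed by /step.
_ITEM_RE = re.compile(r"^(\*|(\d+)(?:-(\d+))?)(?:/(\d+))?$")
# Environment assignments such as MAILTO=root are legal in a crontab.
_ENV_RE = re.compile(r"^\w+=")


def check_field(value, lo, hi):
    """Return None if one time field is valid, else a short error string."""
    for item in value.split(","):
        m = _ITEM_RE.match(item)
        if not m:
            return "bad item %r" % item
        base, start, end, step = m.groups()
        if step is not None:
            if int(step) == 0:
                return "zero step in %r" % item
            if base != "*" and end is None:
                # Conservative: a step is only meaningful on '*' or a range.
                return "step needs a range in %r" % item
        if base != "*":
            first = int(start)
            last = int(end) if end is not None else first
            if not (lo <= first <= hi and lo <= last <= hi):
                return "%r outside %d-%d" % (item, lo, hi)
            if first > last:
                return "range %r runs backwards" % item
    return None


def check_crontab_line(line):
    """Return None for a valid entry, comment, blank or VAR=value line."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#") or _ENV_RE.match(stripped):
        return None
    parts = stripped.split(None, 5)  # five fields, then the whole command
    if len(parts) < 6:
        return "expected five time fields followed by a command"
    for (name, lo, hi), value in zip(FIELD_RANGES, parts[:5]):
        err = check_field(value, lo, hi)
        if err:
            return "%s field: %s" % (name, err)
    return None


def check_crontab(text):
    """Return [(line_number, error), ...] for every bad line in text."""
    problems = []
    for number, line in enumerate(text.splitlines(), 1):
        err = check_crontab_line(line)
        if err:
            problems.append((number, err))
    return problems


# Constructed sample: the entry from the thread plus three more, two broken.
SAMPLE = """\
# nightly backup, the entry quoted in the thread
0  5  *  *   *   /usr/local/bin/backup.sh
30 20 * * 1-5 /usr/local/bin/replicate.sh
0 25 * * * /usr/local/bin/bad-hour.sh
0 6 * * *
"""

if __name__ == "__main__":
    for number, err in check_crontab(SAMPLE):
        print("line %d: %s" % (number, err))
```

A file that passes can be installed with `crontab <file>` on the target host; a file that fails never reaches cron, which is the point of checking generated input before a privileged command consumes it.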



Re: VMware and OpenBSD

2009-11-17 Thread Kevin Wilcox
2009/11/17 Steve Shockley steve.shock...@shockley.net:

 Under VMware ESX, which NIC works better with OpenBSD, E1000, pcn or vic?

In my experience, e1000 has been the way to go.

kmw

-- 
Beware the leader who bangs the drums of war in order to whip the
citizenry into a patriotic fervor, for patriotism is indeed a
double-edged sword. It both emboldens the blood, just as it narrows
the mind. And when the drums of war have reached a fever pitch and the
blood boils with hate and the mind has closed, the leader will have no
need in seizing the rights of the citizenry. Rather, the citizenry,
infused with fear and blinded by patriotism, will offer up all of
their rights unto the leader and gladly so - Unattributed, post 9/11



Re: Snort on OpenBSD

2009-10-08 Thread Kevin Wilcox
2009/10/8 Joachim Schipper joac...@joachimschipper.nl:

 What, specifically, fails to work?

 OpenBSD has a snort package, I assume that will install without issues.
 Don't you get a working IDS just by installing the port (and updating
 the rules, if so desired)? What, specifically, are the issues?

Not only what fails to work but what version information can you provide?

kmw

-- 
Whenever there is in any country, uncultivated lands and unemployed
poor, it is clear that the laws of property have been so far extended
as to violate natural right. The earth is given as a common stock for
man to labour and live on. -- Thomas Jefferson, 1785



Re: OpenSSH exploit... or not?

2009-07-20 Thread Kevin Wilcox
2009/7/20 Leonardo Rodrigues leonardov...@gmail.com:

 For information... http://seclists.org/fulldisclosure/2009/Jul/0279.html

I wondered how long it would take for someone to ask about that either
in misc@ or po...@.

I'll believe there is something to release when something gets
released or the OpenSSH devs say "oh, wait, there's a problem..."

Until then I'm treating anything from that poster (anti-sec) as FUD and SPAM.

kmw

--
To take from one, because it is thought that his own industry and that
of his fathers has acquired too much, in order to spare to others,
who, or whose fathers have not exercised equal industry and skill, is
to violate arbitrarily the first principle of association, 'the
guarantee to every one of a free exercise of his industry, & the
fruits acquired by it.'



Re: OpenBSD HA

2009-06-11 Thread Kevin Wilcox
2009/6/11 Joachim Schipper joac...@joachimschipper.nl:

 If you decide not to go with OpenBSD, you may wish to consider
 OpenSolaris instead of FreeBSD, which will allow you to use ZFS and
 DTrace, both of which may be useful in a PostgreSQL deployment. There
 are good reasons not to use (Open)Solaris (you may consider it not
 truly free, Oracle may kill it, you may have trouble finding people
 with experience, the userland utilities lack polish, etc), but at least
 it does offer some useful things in exchange for the headache of running
 two different OSes.

I'll offer a flipside to this. I have physical and virtual (ESX)
FreeBSD machines doing all manner of apache/php/postgresql/named/snmp
work. FreeBSD *does* have ZFS support but it's not nearly as mature as
the support in OpenSolaris. That said, I have virtual machines with
100+ GB data stores acting as sources for ZFS pools under FreeBSD
7.2-RELEASE with PostgreSQL 8.3.7 and I love it. This is a low I/O
setup and I only do about 9 million inserts/updates per day but it
suits my needs just fine.

OT, I know, but there's my $0.02.

kmw




Re: IMPORTANT, DO THIS OR YOUR E-MAIL WON'T WORK

2009-05-26 Thread Kevin Wilcox
2009/5/26 Sam Fourman Jr. sfour...@gmail.com:

 Sam Fourman Jr.
 sfour...@gmail.com
 rlz686

Now that's funny.

kmw




OFF TOPIC: Re: OpenBSD ESXi VMware image on Soekris Net5501

2009-05-21 Thread Kevin Wilcox
David - it looks like my mobile device did a horrendous job of
displaying your email so I apologise for coming off a bit half-cocked
in the last email (and despite it being so much more OT conversation
on the list, I still wanted to do it publicly).


2009/5/20 David Talkington dt...@flyingjoke.org:

 Kevin Wilcox wrote:

 that practically necessitates IBM, Sun, HP or Dell hardware.

 No it doesn't.

That was based on my last review of the .pdf we received from our
VMWare rep that was, admittedly, some time ago. I just checked the
ESXi HCL and I'm glad to see that support has grown *substantially*,
particularly with them offering ESXi. So, my apologies for outdated
information.

 Skip the virtualisation cruft and install natively.

 That isn't a helpful or enlightened answer (not that one should expect help
 with this topic here).

Agreed. A better reply (though perhaps less relevant) would be,

O.P. - I do not have experience with OBSD on VMWare ESXi on a Soekris.
I do have quite a bit of experience with OpenBSD on VMWare ESX on
officially supported hardware and the results vary depending on load
and how much tweaking you may or may not have to do with your
configuration. For certain storage backends we have to do some minor
voodoo to the disk configuration before the VM is made aware of the
disk - this has caused several of our OpenBSD VMs to panic, an issue
that in no way, shape, form or fashion am I blaming on OpenBSD - that
problem lies with VMWare. On the other hand, I have virtualised
OpenBSD firewalls on plain configurations sitting in front of
virtualised servers (yes, it works for our needs) that never hiccup.
The latest I am using is 4.4 as I've been unable to take any of those
machines down for upgrade since receiving the 4.5 cds.

Because of the quirks that are introduced with running on top of
VMWare, if you have the hardware and this is a single use machine, I
can't stress highly enough that, if at all possible, you should skip
the virtualisation cruft and install natively. Performance *will* be
better, as will reliability and the chance of finding some form of
community assistance.

 O.P., you should start here for detailed ESXi hardware support info:

 http://www.vm-help.com/

And the official VMWare HCL here should you ever decide to move to
supported hardware:

http://www.vmware.com/resources/compatibility/search.php?action=base&deviceCategory=server

kmw




Re: OpenBSD ESXi VMware image on Soekris Net5501

2009-05-21 Thread Kevin Wilcox
2009/5/21  obiozorok...@yahoo.com:

 I'll have to re-think this but I honestly thought (I guess I'm wrong) that
 if I had my first OpenBSD VM image running on ESXi as my strong firewall I
 would be ok. Basically it's just a virtualization of my physical environment
 but all on one box with 3 VM images. So my idea was to have a second OpenBSD
 image (not the firewall OpenBSD image) running with Samba as my Domain
 Controller and File server, and Email server and then the third Windows VM
 running just the custom app. I figured that as long as all the 'Net traffic
 hit my first OpenBSD VM and was properly filtered and controlled by pf, spam
 greylisting, brute force checked, etc I would be ok? No?

There are some strategic issues with virtualising a firewall.

What should be the simplest, most rock solid member of your network is
now on the same hardware as foo virtual machines. If one of the
application servers is compromised then it's *possible* that the
VMWare server itself could be compromised, rendering the firewall VM
under the control of The Bad Guys. If one of the VMs screws the pooch
and takes down the server then you've not only lost the ability to
communicate with those servers, you've lost the ability to communicate
with your firewall. If one of the application VMs isn't configured
with proper resource limits then performance on the firewall will drop
under periods of heavy traffic. For that matter, you've already
introduced overhead on throughput of the firewall by forcing traffic
to be received by the VM OS before it's received by OpenBSD. If the VM
server is compromised then the things that can be done to traffic
without ever actually disrupting the firewall are almost certainly fun
fun fun (in all fairness, I haven't tried mucking with traffic on
ESX/i, this is based entirely on speculation).

I'm sure there are obvious things that I'm missing but these are the
ones that blast the loudest through my brain when I think about
virtualising a firewall. As I stated before, I have done it and there
are a few that I maintain - and they do their job well - but that
doesn't mean I condone the practice in general and it surely doesn't
suggest that I think it's something that should be done on a whim or
with a light attitude. It is dangerous and unsupported and you need to
understand there is significant risk in doing so.

kmw




Re: OpenBSD ESXi VMware image on Soekris Net5501

2009-05-20 Thread Kevin Wilcox
This is doomed to failure, mostly because I am *almost* certain that
you'll never get ESXi to install on a Soekris. My understanding is
that it has a strict HCL, very similar if not identical to the HCL for
ESX, that practically necessitates IBM, Sun, HP or Dell hardware.

Skip the virtualisation cruft and install natively.

kmw

On 20/05/2009, Obiozor Okeke obiozorok...@yahoo.com wrote:
 Hi, I am hoping to run an ESXi OpenBSD 4.5 image on a Soekris Net5501
 appliance and I was wondering if anyone has already tried successfully
 running ESXi on the Soekris Net5501 before I order the hardware?

 Any advice or comments are appreciated.

 Thanks in advance



--
Sent from my mobile device




Re: OpenBSD ESXi VMware image on Soekris Net5501

2009-05-20 Thread Kevin Wilcox
David, I'm currently mobile and unable to track down the HCL for ESX/i
myself - thus my mentioning them to the original poster with what I
could remember off the top of my head about supported machines. If
that was an insufficient response then the OP is more than welcome to
ignore it. On the other hand, the OP could always say, "oh, ESXi HCL,
I wonder..." and google 'vmware esxi hardware compatibility'.

kmw

On 20/05/2009, David Talkington dt...@flyingjoke.org wrote:

 This is way OT for this list, but:

 Kevin Wilcox wrote:

 My understanding is that it has a strict HCL,

 Yes it does.

 that practically necessitates IBM, Sun, HP or Dell hardware.

 No it doesn't.

 Skip the virtualisation cruft and install natively.

 That isn't a helpful or enlightened answer (not that one should expect
 help with this topic here).

 O.P., you should start here for detailed ESXi hardware support info:

 http://www.vm-help.com/

 Cheers -d

 - --
 David Talkington
 dt...@flyingjoke.org
 - --
 PGP key: http://www.flyingjoke.org/keys/801E3976.asc
 (What's this? http://en.wikipedia.org/wiki/Digital_signature)





Re: Migration from IPTABLES to PF

2009-05-04 Thread Kevin Wilcox
2009/5/4 Ricardo Augusto de Souza ricardo.so...@cmtsp.com.br:


 #___
 # KERNEL protection

 #___
 #Enable forwarding in kernel
 echo 1 > /proc/sys/net/ipv4/ip_forward

man sysctl

 #Block source routing (0 = do not accept source-routed packets)
 echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

man sysctl

 #Enable SYN Cookies
 #echo 1 > /proc/sys/net/ipv4/tcp_syncookies

man sysctl

 #Kill redirects (0 = do not accept ICMP redirects)
 echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

man sysctl

 #Reduce DoS'ing ability by reducing timeouts
 echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
 echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
 echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
 echo 0 > /proc/sys/net/ipv4/tcp_sack

man sysctl

Your problem isn't necessarily your understanding of pf, it's of *nix
in general.

Don't feel bad, a lot of Linux admins grow too reliant on using /proc
directly instead of using the more appropriate method of setting
values, sysctl.

kmw

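As an added example (not code from the thread), this is the translation Kevin's "man sysctl" points at: each echo-to-/proc line of a Linux firewall script becomes a sysctl.conf(5) entry, and anything that is not a /proc/sys write is set aside for manual review. The input is a constructed excerpt modelled on the quoted script, and the key names produced are Linux's.

```python
"""Rewrite 'echo VALUE > /proc/sys/...' lines from a Linux firewall script
into sysctl.conf(5) entries.  The key names are Linux's; the OpenBSD keys
differ (net.inet.ip.forwarding for IP forwarding, for example), so this is
a first step of the migration, not a drop-in replacement."""
import re

# Matches 'echo 1 > /proc/sys/net/ipv4/ip_forward', commented out or not.
_ECHO_RE = re.compile(r"^\s*(#\s*)?echo\s+(\S+)\s*>\s*/proc/sys/(\S+)\s*$")


def proc_path_to_key(path):
    """'/proc/sys/net/ipv4/ip_forward' -> 'net.ipv4.ip_forward'."""
    if path.startswith("/proc/sys/"):
        path = path[len("/proc/sys/"):]
    return path.strip("/").replace("/", ".")


def to_sysctl_conf(script):
    """Translate a shell script into (sysctl.conf lines, untranslated lines).

    Comments and blank lines are kept in place; an echo that the script had
    commented out becomes a commented-out entry; any other command (iptables
    rules, etc.) is returned separately for manual review."""
    entries, leftover = [], []
    for line in script.splitlines():
        m = _ECHO_RE.match(line)
        stripped = line.strip()
        if m:
            disabled, value, path = m.groups()
            entry = "%s = %s" % (proc_path_to_key(path), value)
            entries.append("# " + entry if disabled else entry)
        elif not stripped or stripped.startswith("#"):
            entries.append(line)
        else:
            leftover.append(line)
    return entries, leftover


# Constructed excerpt modelled on the quoted script (not the original text).
SAMPLE_SCRIPT = """\
#Enable forwarding in kernel
echo 1 > /proc/sys/net/ipv4/ip_forward
#Enable SYN Cookies
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
iptables -P FORWARD DROP
"""

if __name__ == "__main__":
    entries, leftover = to_sysctl_conf(SAMPLE_SCRIPT)
    print("\n".join(entries))
    for line in leftover:
        print("# review by hand: " + line)
```

On Linux the resulting entries go into /etc/sysctl.conf and are applied with `sysctl -p`; on OpenBSD the values must be re-expressed with that system's key names in /etc/sysctl.conf.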



Re: Memory and Swap Info

2009-04-30 Thread Kevin Wilcox
2009/4/30 socknoggle todd.sarg...@hostedsolutions.com:

 Sorry, all. I didn't state what I needed very well. What I'm really looking
 for is hardware data related to memory, swap, cpu, pci and scsi devices.
 This would be similar to the data on Linux in /proc/meminfo, /proc/cpuinfo,
 lspci -v and /proc/scsi/scsi respectively.

 Thanks for all responses so far!

man sysctl

kmw



Re: OpenSSH release CDS

2009-03-11 Thread Kevin Wilcox
2009/3/11 patric conant mirage.comput...@gmail.com:

 I've repeatedly been in a position where we weren't making direct use
 of OpenBSD, but were using OpenSSH, and if there were a recurring cost
 associated with it (like purchasing a semi-annual CD) it would have
 been relatively painless to get a rubber stamp approval of such a
 cost, whereas purchasing an OS we weren't using would've been a much
 more difficult sell. Since there is already regular ssh art, (that
 could be used for the next several releases), how much further
 effort/money would it take to release OpenSSH on CD? Also of the
 people on misc@ how many would think they'd have an easier time
 convincing bosses/clients/others to buy a single CD for say $25 than
 they would getting an OS purchased. Just a thought, for these trying
 economic times and whatnot.

I can't speak for the devs, Theo, @misc or anyone except myself and my
personal experiences with having a custom CD created but I'd bet my
experiences aren't too different from what Theo and the core team have
to deal with.

When we looked into it for something else, we had to order a set
number before anyone would even agree to print/press/package. All of
that gets paid out of pocket with the hopes that you can move the
product. If it doesn't sell in a reasonable time then it has suddenly
become outdated and an unnecessary waste if your sales do not cover at
least the physical costs and the man-hours of effort put into it.

Colour me skeptical or pessimistic but I'd wager it's Just Not Worth
It to package/print/sell OpenSSH discs. You can always donate to the
project, though. Methods of payment are available at

http://www.openssh.org/donations.html
http://openbsd.org/donations.html

kmw

-- 
Far better is it to dare mighty things, to win glorious triumphs, even
if chequered by failure, than to take rank with those poor spirits who
neither enjoy much nor suffer much, because they live in the grey
twilight that knows not victory or defeat.



Re: I am not a geek ;)

2008-11-03 Thread Kevin Wilcox
2008/11/3 Jeff1981 [EMAIL PROTECTED]:

 I actually am starting the use of OpenBSD thanks to production team.
 Please can you help me to pass this error message when I try to connect my
 NAS an external drive (a network drive). This works on my other computer but
 not from the one on BSD, I have an access error message however the ping to
 the NAS server works and so does the FTP via internal IP, so does the SSH
 connection.

 Only the network drive cannot be connected. Any suggestions?

Hi Jeff.

For anyone to be able to help you they need, at the minimum, the
version of OpenBSD, how you're attempting to 'connect the network
drive' and the error message you're getting. I'm sure if anyone needs
additional information they'll ask for it.

kmw




Re: J.C. Roberts [EMAIL PROTECTED] saiz OpenBSD. --We won't miss you.

2008-10-28 Thread Kevin Wilcox
2008/10/28 Owain Ainsworth [EMAIL PROTECTED]:

 On Tue, Oct 28, 2008 at 05:37:24AM -0700, Neko wrote:

 git a life

 [EMAIL PROTECTED]:~$git clone a://life
 Initialized empty Git repository in /home/oga/life/.git/
 fatal: I don't handle protocol 'a'

Didn't anyone ever tell you not to run arbitrary commands you read on
a mailing list? <grin>

kmw




Re: This is what Linus Torvalds calls openBSD crowd

2008-07-16 Thread Kevin Wilcox
2008/7/16 Nuno Magalhães [EMAIL PROTECTED]:

 Eheh he's right :-) If you guys get your heads out of your asses and
 actually read his words with the use of some common sense you might
 get what he means. It's a balanced opinion.

It's not that it isn't a balanced opinion or that he may be right or
wrong - it's that the guy was asking why they weren't following their
disclosure policy and no one has provided a sufficient answer as to
why they don't a) follow the policy or b) change the document.

 From what i've seen so far in this list, the BSD-crowd *is* a bunch
 of masturbating monkeys anyway, i get much more decent reasonable
 answers to my problems in any Debian list, along with constructive
 criticism. Here it's rtfm and chest-thumping.

Coming from the GNU/Linux community I felt the same way for a while.
Then I started really looking at what my expectations were versus what
they should be.

In the Linux world I had grown used to expecting something in
particular. Despite no SLA or any other type of agreement, I expected
the community to support the distribution. When I made the change to
FreeBSD and OpenBSD, I brought those expectations with me.

Then I realised that was both selfish and foolish. Now my expectations
have changed. I expect to get an install CD and whatever swag I pay
for. Beyond that, I *hope* that if I have troubles that I can approach
the *BSD community and get some assistance but I realise that that
should never be an expectation and that I'm equally as likely to get a
"sorry, I value my time" as I am to get "you should look at the -foo
flag" - and that either response is ok.

Actually, allow me to correct the above. At the end of the day there
is one other expectation I have, and that is to be totally thrashed
for bringing something totally off-topic or meaningless or just plain
wrong to [EMAIL PROTECTED]

Marco commented: *yawn* linus' opinion is as interesting as his relevance.

I say: +1

kmw



Re: timezone anomalies

2008-05-22 Thread Kevin Wilcox
2008/5/22 frantisek holop [EMAIL PROTECTED]:

 bios: UTC
 os: timezone

This is how I setup all of my *strictly* *nix machines, be they
GNU/Linux or *BSD.

 bios: localtime
 os: localtime and pretend i am in a timezone? (ntpd gets crazy this way)

This is what I do for machines that dual boot MS Windows + *nix.

If the machine were mine, dual booting GNU/Linux and OpenBSD, I'd go
for the former.

Of course, I'm no expert and YMMV.

kmw



Re: Use of 'Puffy' Logo *and* weatherproof stickers?

2008-04-09 Thread Kevin Wilcox

Hannah Schroeter wrote:


I read there (http://www.openbsd.org/art1.html):

  but do not make profit from them since our own T-shirt sales provide
  funding so that OpenBSD can continue to operate.

Recently it was said on a mailing list, that T-shirt sales do *not*
provide net funding, only donations and *CD* sales do. Which is true?


I was a bit curious about that, too, but just figured it was a page left 
that still needed editing.


I also have a question of my own related to Puffy and, rather than start 
a new thread, I'll go ahead and ask in this one since it's kind of on-topic.


Before I have some weatherproof OpenBSD/Puffy stickers made up for my 
own personal use, does anyone know *off the top of your head* if there 
are already some out there, available for purchase, where proceeds find 
their way back to the project? I'd rather buy some knowing that some of 
the $$ is going to make its way back to OpenBSD than to spend the same 
amount and it all go to a corporate interest.


By weatherproof, I plan to stick it on my motorcycle luggage where it 
will be exposed to sun, rain, snow, ice and 120km/h+ winds.


Thanks!

kmw



Re: [Fwd: Open-Hardware]

2008-01-10 Thread Kevin Wilcox

bofh wrote:


On Jan 9, 2008 1:52 PM, Jacob Meuser [EMAIL PROTECTED] wrote:


On Wed, Jan 09, 2008 at 10:07:50AM -0500, Kevin Wilcox wrote:


Daniel then brought up the idea of CD sales. Something you can buy and
put an exact digital replica of online.

are you sure about that?  and what about the sticker(s) that come with the
CDs?  and the artwork on the insert?  and the preprinted installation
instructions?



This is beyond silly.  FSF/GNU used to sell tapes of GPLed stuff too.  I'm
sure it came with pre-printed instructions as well.  No idea about artwork
or stickers however.  But splitting hairs is not useful.


No, he makes a very valid point. The stickers/artwork/installation
instructions are all copyrighted material and the purchaser of the CD
set is not licensed to redistribute that material. So, if you are making
digital replicas and selling them, that's a big no-no and not what I was
talking about.

My quoted statement was about the content of the CD itself. I had
forgotten why I had originally made my own OpenBSD CDs - the *layout* of
the master set is copyrighted as well. You can't legally rip and
redistribute the purchased CD set (well, unless you're Theo or he
licenses it to you in such a way that you are allowed to do so). While
it doesn't affect the broader scope of my argument (you can make money
selling software that is already freely available), it does affect that
particular statement.

kmw



Re: ssh controlling question

2008-01-10 Thread Kevin Wilcox

James Mackinnon wrote:

Hi All

Just a little question on something I'm working on

I have say 50 accounts on a box.

40 of which I want the users to connect from ANY IP address

10 of which I want the users to only be allowed to connect from a specific IP
address that is assigned to them.

Is there a feature to control SSH account from a specific ip address


In sshd_config:

==

AllowUsers [EMAIL PROTECTED]

==

kmw
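As an added note on the AllowUsers approach (this is not code from the
thread or from OpenSSH): the entry syntax in sshd_config(5) is USER or
USER@HOST, where both parts are patterns that accept only '*' and '?'.
Two things bite people here. First, the moment a single AllowUsers line
exists, sshd denies every user that does not match some entry, so in
James's 40 + 10 setup the 40 unrestricted accounts must be listed as bare
names alongside the 10 pinned user@address entries. Second, the HOST part
is matched against the client's address and, with UseDNS, its reverse-DNS
name, so literal IP addresses are the predictable choice, and a wildcard
inside an address matches more than you intend. The script below is a
small reimplementation of that matching logic, written as an example so a
generated policy can be sanity-checked before it goes live; the account
names, addresses and helper names are invented, and negation, CIDR and
hostname matching are not modelled.

```python
"""Model of sshd's AllowUsers evaluation (added example, not sshd's code).

Implements the documented rules: each entry is USER or USER@HOST, patterns
accept '*' and '?' only, and when any AllowUsers entry is present a login
must match at least one entry or it is denied.
"""
import re


def _glob_to_re(pattern):
    """Compile an sshd-style pattern ('*' and '?' only) to an anchored regex."""
    out = ""
    for ch in pattern:
        if ch == "*":
            out += ".*"
        elif ch == "?":
            out += "."
        else:
            out += re.escape(ch)
    return re.compile("^" + out + "$")


def parse_allow_users(config_text):
    """Collect every AllowUsers entry from sshd_config text.

    Multiple AllowUsers lines accumulate. Keywords are matched
    case-insensitively, as sshd does, and '#' starts a comment.
    """
    entries = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0].lower() == "allowusers":
            entries.extend(parts[1:])
    return entries


def login_allowed(user, addr, entries):
    """Return True if the AllowUsers policy lets `user` log in from `addr`.

    No entries: everyone passes this check (the rest of the config still
    applies). Entries present: a bare pattern admits the user from any
    address; USER@HOST admits the user only from a matching address.
    Hostname (reverse DNS), '!' negation and CIDR forms are not modelled;
    addresses are compared as plain strings.
    """
    if not entries:
        return True
    for entry in entries:
        if "@" in entry:
            user_pat, host_pat = entry.split("@", 1)
        else:
            user_pat, host_pat = entry, None
        if not _glob_to_re(user_pat).match(user):
            continue
        if host_pat is None or _glob_to_re(host_pat).match(addr):
            return True
    return False


# Constructed data for the 40 + 10 scenario; names and addresses are invented.
UNRESTRICTED = ["user%02d" % n for n in range(1, 41)]
RESTRICTED = {"ops%02d" % n: "192.0.2.%d" % (10 + n) for n in range(1, 11)}


def build_config():
    """Emit an sshd_config fragment: 40 bare names plus 10 user@address entries."""
    lines = ["# 40 accounts allowed from any address",
             "AllowUsers " + " ".join(UNRESTRICTED),
             "# 10 accounts pinned to one source address each",
             "AllowUsers " + " ".join("%s@%s" % kv for kv in RESTRICTED.items())]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    policy = parse_allow_users(build_config())
    for who, where in [("user07", "203.0.113.5"), ("ops01", "192.0.2.11"),
                       ("ops01", "203.0.113.5"), ("root", "192.0.2.11")]:
        print("%-7s from %-12s -> %s" % (who, where,
              "allow" if login_allowed(who, where, policy) else "deny"))
```

Run it once with the real sshd_config text in place of build_config() and a
list of (user, address) pairs you expect to succeed and fail; then let
`sshd -t -f <file>` check the syntax before the live daemon is reloaded,
ideally from a session that is already logged in.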



Re: [Fwd: Open-Hardware]

2008-01-10 Thread Kevin Wilcox

Tony Abernethy wrote:

[EMAIL PROTECTED] wrote:
I'm not out to convince anyone that anyone has any more 
rights than anyone else. 


HOWEVER, the original author DOES have more rights than anyone else.
In particular, the original author says who has what rights.
You have no say in the matter.
Your opinion does not count.


Hi Tony. I'm not going to argue against that. The author, as creator of 
the piece of work and originator of the copyright, does have more 
rights. It's true. I'm just not out to *convince* anyone of it.


kmw



Re: [Fwd: Open-Hardware]

2008-01-10 Thread Kevin Wilcox

Tony Abernethy wrote:


[EMAIL PROTECTED] wrote:



 I was pointing out that you could release the alpha/beta/testing
software under whatever license you choose that will keep it 
from being re-distributed



Huh???
What kind of release is not re-distributed?


By redistribute I do not mean the author distributes it again, I mean
the recipient then acts as a distributor.

Just because I have an alpha release of some software doesn't mean I
have the right to redistribute that software. Those rights are
determined by my license agreement.

kmw



Re: [Fwd: Open-Hardware]

2008-01-10 Thread Kevin Wilcox

Marco Peereboom wrote:

On Thu, Jan 10, 2008 at 12:11:46AM -0500, [EMAIL PROTECTED] wrote:



I'm not out to convince anyone that anyone has any more rights than anyone
else. What I *was* doing was bringing that particular portion of the
conversation back to more than just baseless bashing of a particular
license.


It isn't baseless you are simply blind to it because you are convinced
that the GPL is the best thing evah!


What have you been smoking and can a brotha get a hit?

I am not a particularly large fan of the GPL. It's not my first choice
of license but I can see where it has its uses. It also has its fair
share of issues and those issues are fair reasons for attack. Bash it
for its legitimate flaws, though, and not by making sensationalist
claims that aren't true.


The GPL essentially strips the author of his/her rights.  So here you
are slaving away writing some code that you give away and then on top of
that you have to forfeit your labor in favor of users.  I hate to tell
you this but that is the wrong way around.


I'm not making any statements to the contrary. If you choose to give
your code away then that's your own mistake. Why would you hate to have
to tell me that?


That is not how I see this.  One side came to slander (not the first
time either) and the other side kept correcting the slanderer.  There
might have been some strong words going back and forth but only one side
was wrong.  Lets call it self-defense.


Yes, RMS slandered. Tell him he's wrong, that the comment was incorrect
and that his argument is bollocks. Rally the troops for self-defense.
That's the right thing to do.

Attack the GPL for its flaws. That's the right thing to do.

I'm not denouncing either of these acts. What I *am* denouncing are some
of the sensationalist claims that were incorrect.


They're not my teachings or teachings to which I particularly subscribe. I
would maintain that most of the more popular licenses have their pros -
ultimately it depends on who or what you want to protect.


Popular does not mean good.  VHS anyone?


That's why I intentionally said "more popular". Lots of things are
popular but complete rubbish. Somewhere along the line each of the
more popular licenses scratched an itch for some developer or
organization and others felt that *something* about the license was
useful to them - the license had its pros.


Let me quote my man Franklin:
Those who would give up Essential Liberty to purchase a little Temporary
Safety, deserve neither Liberty nor Safety.

Where the GPL is temporary safety in trade of Essential Liberty.


That's quite a broad stretch to make and I both agree and disagree. I
think it boils down to what it is you're trying to protect.

Nice use of Ben.


Don't paint me with the RMS/GNU brush because I refused to stand by and
watch *blatantly* false accusations be made. There is a big difference
between correcting those accusations and *supporting* the recipient of the
accusations.


Then don't stand by them by not replying to this.  By adding to this
thread you picked a side like it or not.


Let's use your own quotation from Franklin. By not replying I am
foregoing my own Liberty in exchange for a bit of temporary safety in
not being painted with that brush.

I choose, instead, to exercise the ability to reply and say that this is
not an "us or them" situation and that I refuse to allow myself to be
painted that colour. I've chosen no side. If that means I get cut down
by yours because you want to make it a "with us or against us" argument,
fine. If that means I get cut down by RMS/GNU/FSF because they want to
make it a with us or against us argument, fine. *I don't care*. I
choose to remain a neutral third party that can see the benefits (and
detriments) of the different licenses.

You can't lump someone as your enemy simply because they aren't full of
fervour for your cause.

kmw

--

Quis custodiet ipsos custodes



Re: [Fwd: Open-Hardware]

2008-01-09 Thread Kevin Wilcox

Eric Furman wrote:

On 08 Jan 2008 20:21:08 -0500, Daniel Hagerty [EMAIL PROTECTED] said:

Eric Furman [EMAIL PROTECTED] writes:


This is one of the most retarded things I've ever read.
You might get one wanker to pay for it, but if it comes
in non-binary with all the source what's to stop them
from posting it on the internet and everybody else
getting it for free?

Good question.

Theo de Raadt [EMAIL PROTECTED] writes:


Profits from CD sales are the primary income source for the OpenBSD
project -- in essence selling these CD-ROM units ensures that OpenBSD
will continue to make another release six months from now.

Maybe this guy can explain it to you.


OK, *that* was the most retarded thing I have ever read.
You're comparing apples and oranges.


No, he's not.

Stallman said "I'm not against buying software from developers (as long
as it is free software)."

That is the baseline for your "This is one of the most retarded things
I've ever read" comment. You make a valid point, what is to keep someone
from taking the source that they'd bought and putting an exact digital
replica online. This implies that you can't make money selling the
source to software that could potentially be had sans gratis on the 'net.

Daniel then brought up the idea of CD sales. Something you can buy and
put an exact digital replica of online. By your implication that you
can't make money selling the source to potentially sans gratis, it's
also implied that you shouldn't be able to make money with CD sales of
*definite* sans gratis software because someone could either buy the CD
and make a .iso version available online or you could just get the
software sans gratis anyway.

Since you're missing the analogy I'd say you probably didn't intend to
imply that. For those of us that read the implication there, though, the
analogy makes perfect sense.

kmw

--

Quis custodiet ipsos custodes



Re: [Fwd: Open-Hardware]

2008-01-09 Thread Kevin Wilcox

Eric Furman wrote:


*BULLSHIT*.
You have so completely missed the point it is to laugh.
Apples and Oranges.
Remember OBSD isn't GPL'ed


There's no need to continue this on the list because you don't get the
analogy so I'm replying directly.

I didn't say that OBSD is GPL'ed, did I? I said that selling software
that's available at no cost (GPL software someone has bought and
re-released to the public) is no different than selling software that's
available at no cost (an OpenBSD CD versus the .iso format available to
the public).

In both cases you are taking software that is freely (cost) available
and selling it via some physical medium.

I even stated that it was just something that I had picked up as an 
implication and that for those of us that interpreted your statement in 
that fashion, the analogy made sense. How is that bs?


I've no qualms being someone's laughing stock because they fail to
understand something so feel free to laugh away. My regret is that I 
failed to sufficiently explain the analogy, and why at least a few of us 
felt it was appropriate, in a manner you could understand the first time.


If you still do not understand the analogy, and why I agree with Daniel
that it was an appropriate one, please feel free to email me directly
and we can discuss it. There's no point in continuing to butt heads on
the list.

kmw



Re: [Fwd: Open-Hardware]

2008-01-09 Thread Kevin Wilcox

chefren wrote:


On 1/9/08 12:54 AM, Eric Furman wrote:



This is one of the most retarded things I've ever read.
You might get one wanker to pay for it, but if it comes
in non-binary with all the source what's to stop them
from posting it on the internet and everybody else
getting it for free?


You got the point, Richard doesn't respect creators. He wants every 
programmer to go through life as beggar like he does himself. Giving in 
that that's impossible, that you cannot raise children that way doesn't 
matter to him.


Following Richard Stallman's theories everyone may make money with his 
creation/work except a programmer. Richard Stallman /says/ a programmer 
may earn money 1 time and then the code should be free after that.


Why he says so is clueless, he clearly cannot explain how a programmer 
should make money if it's about a lot of work that is just a little 
feature for a lot of people, such a programmer should go around and ask 
a million users a cent before he lets them test the code. Because the 
moment he lets other people test it, the code should be up for grabs too. 
Richard wants such a programmer to spam the world about a little 
feature to get money for it.


This man has no respect for programmers, clearly doesn't understand why 
money was invented and how a market can be a very reasonable way to let 
people earn money.


I don't think either of you have a firm grasp of what's being said with
regards to selling free software. Or of the GPL in general.

The use of the word free has nothing to do with price, it is that the
recipient of a piece of software has the freedom to modify the software
as they see necessary so that it does what they want it to do. To
accomplish this, they should receive the source to said software. That's
what the GPLv2 is all about - providing the recipient of a piece of
software with the source code to that software and the freedom to modify
it as they desire. It is only once they decide to *further distribute*
the software that they are restricted. At that point the only
restrictions placed on them is that they provide the source - thereby
giving the recipient the same rights bestowed upon them by *their* provider.

No one has said that you can't charge whatever you like for your
software *or* that you have to give the code away to the world - they
are saying that if you provide a binary then you should provide the
recipients of that binary with the corresponding source and the right to
change it and distribute it as they see fit.

While that *can* present a situation where you sell software to PERSON_A
and PERSON_A distributes the code to whomever they choose, it's a
perfectly reasonable assumption that that is not likely to occur in a
high-end software field because no corporation or organization will want
to give away something for which they had to pay top dollar.

Testing the software has nothing to do (as far as licensing goes) with a
final, released GPL product. You can release the alpha and beta releases
under whatever license you want to. Just license the final product under
the GPL.

In no way is anyone saying you can't make a comfortable living writing
code and that you have to go through life as a beggar.

Disclaimer: In no way am I suggesting that anyone should use the GPL
over another license. When I talk about releasing code under the GPL in
previous paragraphs I am speaking for hypothetical situations. I have
only been involved with GPL software for a limited time, 4-5 years, so
my understanding of GPL/v2 may be incorrect.

kmw

--

Quis custodiet ipsos custodes