Re: removing sendmail
On Sun, 2 Dec 2007 20:48:42 -0500, Douglas A. Tutty wrote: On Sun, Dec 02, 2007 at 03:48:14PM -0700, Darren Spruell wrote: On Dec 2, 2007 2:21 PM, Douglas A. Tutty [EMAIL PROTECTED] wrote: On Sun, Dec 02, 2007 at 12:56:11PM -0700, Anthony Roberts wrote: I have seen several installations of Postfix go catatonic due to spam overload, large messages, mailing list expansions, and other undiagnosed problems. These were run by Postfix lovers, so I have always assumed that the installation was correct. In the one case I saw tested replacing Postfix with Sendmail resulted in no further problems. I have seen equally catastrophic failures of Qmail. Trying to do mail right for everyone in base is an exercise in futility. Does base require an MTA? If so, is there a tiny-drive-footprint local-only no-config MTA that could be in base? Everything else as a pre-compiled package or in alternate install sets? Why is everyone trying to come up with a solution to a problem that doesn't exist? The 'problem' is a piece of software installed on the box that some of us don't use. It takes up space (how much?). Each MTA has its champions and its detractors. The Solomonesque solution would be to remove the MTA from base altogether unless things in base need an MTA for local delivery, in which case installing something smaller than sendmail that can't be used for anything other than local delivery would be one solution to the 'problem'. That's all I'm suggesting. Forget it. No, I'm not ordering you to. It's a tip. Given that the developers are ignoring this thread, my guess is that nothing is going to happen. It's all been said before. Yes things in base do use mail, and it is not enough to have something that can only do local delivery. I have a bunch of machines (firewalls mostly) that report daily, weekly and monthly with an insecurity report as well, anytime something critical changes. They are anywhere in the world. Local delivery is not an option. 
As to saving space: RTFA, it has been done to death. You can customise your own install if you need ^W want a smaller install. Just remember what nick@ says (You break it, you get to keep all the pieces) and you'll get no help sorting out your self-inflicted pain. Just as a hint as to how much we need a trimmed install: I install firewalls using CF instead of HDDs. The only sets I decline at install time are x*,g* and comp. The latter is NOT for security but because we do upgrades/updates by supplying a new fast swapped card instead of bugging a low powered CPU with insufficient RAM or HDD to hold and compile the source tree. I don't have even one of them where I have bothered to remove anything, even stuff that doesn't break things if it's not there. httpd isn't running, port 80 isn't open, big deal to save a few bits of CF that we have no shortage of space in. Why bother? It all fitted in 256MB but I can buy faster 1GB cards for a couple of dollars more than I paid for the old 256, so less reason to twiddle. But as I said, you can do it if you want. So why campaign for somebody else to do it for you? BTW I run or admin several mailservers. I don't use sendmail but I avoid campaigning for a change in base: The package I use installs in a minute and Just Works (TM) so no, I don't demand the replacement of sendmail by my favourite MTA. Sorry to have posted at all in this going nowhere thread but once it got off religious choices and descended back to space saving, I couldn't resist. It's time the thread died. It should have died on day 1. Rod/ /earth: write failed, file system is full cp: /earth/creatures: No space left on device
Re: maybe openssh's bug
On Tue, 27 Nov 2007 10:14:43 +0800, PowerBSD wrote: I use ssh connect to remote sshd server 192.168.1.191 , then I use # ssh 192.168.1.1911 Stop right there! What the hell does that 1911 mean? and all the 1912, 1913 etc stuff too. Those are not valid addresses, at least in the IPv4 universe. Rod/ /earth: write failed, file system is full cp: /earth/creatures: No space left on device
Re: spamdb output
On Mon, 19 Nov 2007 14:47:37 -0700, Bob Beck wrote: RW [EMAIL PROTECTED] [2007-11-11 22:39]: It seems that the migrated database works but new entries go on the end - no SORT of order, and SPAMTRAP entries (that I entered using a script) ended up showing in two bunches in the midst of other unordered entries. My question is: Is this normal with spamd a la 4.2 or is it because I migrated a database? This is normal in 4.2 - the change happened post 4.0 when spamdb stopped using DB_BTREE

Thanks Bob. I'm already using a script to sort the list to emulate the previous behaviour but at least I know I'll have to keep a copy for any future wipe and re-install upgrade. Looking at today's output showed me another puzzle which you will probably shoot down, but here goes. Here is one line from spamdb:

GREY|69.28.223.134|mta5br.cmpgnr.com|gotb1103621_1102728_683443_1138134 [EMAIL PROTECTED] |[EMAIL PROTECTED]|1195673789|1195675648|1195688189|2|0

but here is a line from my spamlog:

Nov 22 07:08:14 mail spamd[28826]: whitelisting 69.28.223.134 in /var/db/spamd

Why does the spamdb output show GREY instead of WHITE three hours later? It does show the 2 knocks which date -r will show were more than a half hour apart and so the whitelisting should have happened. Colour me puzzled. BTW the envelope recipient address shown is a spamtrap and is my only edit of the output. Thanks again for spamd. I absolutely love it. I have never known of it causing loss of genuine mail and also grepping the mail log daily for reject has only shown two emails in the last six months being blocked by zen.spamhaus having passed spamd. Both were really spammers anyway so spamd has an extremely good batting average. Two domains hosted on that box and zero customer complaints = mail admin happiness. In the beginning was The Word and The Word was Content-type: text/plain The Word of Rod.
Re: Redirect Syntax Errors
On Mon, 19 Nov 2007 22:05:02 -0700, Shane Harbour wrote: For the last few hours I've been knocking my head against my desk. I'm trying to setup spamd for the first time and keep receiving syntax errors on my redirect statements. My redirect statements are:

nat-anchor ftp-proxy/*
rdr-anchor ftp-proxy/*
rdr on {$int_if, $wifi_if} proto tcp from any to any port 21 -> 127.0.0.1 port 8021
# spamd
# rdr on $ext_if inet proto tcp from whitelist to $mail_svcs port smtp -> $mail_svcs port smtp
rdr on $ext_if inet proto tcp from blacklist to $mail_svcs port smtp -> 127.0.0.1 port spamd
rdr on $ext_if inet proto tcp from spamd to $mail_svcs port smtp -> 127.0.0.1 port spamd
rdr on $ext_if inet proto tcp from spamd-white to $mail_svcs port smtp -> $mail_svcs port smtp
rdr on $ext_if inet proto tcp from !spamd-white to $mail_svcs port smtp -> 127.0.0.1 port spamd
#

My redirect for ftp-proxy works just fine. Everything I've read (man pages, google, etc) says my syntax is right. I've tried making it identical to the statement in the pf.conf(5) and still got the same error so I figured I'd turn to more knowledgeable folks. I am using binat for my mail server and $mail_svcs contains my server IPs. I'm using 4.2-stable. Any help/info/pointers are very much appreciated.

Have a look at the default pf.conf that comes with 4.2, or at least the rdr section as it applies to spamd. Notice anything outstandingly different? e.g. where is the table spamd in the original? That is just for openers. You mention binat. I don't see it anywhere. Now for the prime question: Why do you not run spamd on the mailserver? Do the redirects or binats (very simply) on the firewall and let a very simple pf.conf handle the mail server. Life gets much easier ;-) Oh, and if you come back, please include the entire pf.conf. We ain't mindreaders. BTW no need to copy me in reply, I'm on the list. Ta. Rod/ /earth: write failed, file system is full cp: /earth/creatures: No space left on device
Update needed on Okean list/s for spamd.conf
I'm not sure which is the correct place to raise this, so a smack in the appropriate direction is fine. I noticed a bunch of suspicious greylisted entries in spamdb output. On checking the origins (122.136.48|49.x) I wondered why the China list didn't tarpit them immediately. Spamd logs showed quite a few lists: china, so I knew spamd was still in possession of some addresses. Checking http://www.okean.com/chinacidr.txt against www.openbsd.org/spamd/chinacidr.txt.gz showed that it is almost 14 months since the latter was generated. The Korea lists show a similar problem. Thanks, Rod/ /earth: write failed, file system is full cp: /earth/creatures: No space left on device
Re: identifying sparse files and get ride of them trick available?
On Sun, 11 Nov 2007 22:31:13 -0500, Daniel Ouellet wrote: Douglas A. Tutty wrote: I tried making a very sparse file (100 MB data, 1000 GB sparseness) and gave up trying to compress it. gzip has to process the whole thing, sparseness and all. Sure it would probably end up with a very small file, but the whole thing has to be processed. Yes it does and I am not sure anyone said it would be less work. I sure didn't and yes it needs to be processed and I demonstrated it with the time it takes to rsync with a sparse file and without. In my test, 45+ minutes opposed to 17 seconds. I imagine that it's no less time than that which rsync takes to process. Rsync takes lots of time and computation but saves on bandwidth. Yes it is a lot of processing to do it and lots of time wasted and lots of CPU power wasted and if you don't use the -S in case of rsync, you can't even sync it if the space on the destination is not the size of the sparse file, not the real data part. The short of it is that sparse files are a good thing when you don't have to copy them across file systems on different servers, in which case it's a way different ball game. It's been interesting learning and testing anyway. Hopefully it was useful to others, if not, it was to me anyway. Best, Daniel

Daniel, it is more years than I care to calculate since I last did anything with sparse files. Certainly it was before any of today's *BSD tribe. What has not been addressed here is the question of what created those files. It isn't something you do with a shell script usually. So if you have, just as an example, a database program that does make such a file it is often possible to dump the database in such a way as to load it into another instance. Maybe a remote replication is possible. So, what evil little daemon do you have toiling away making TB files that only use 2k (joke!) and, is it not possible to teach the little bastard how to reconstruct its data on another drive?
Rod/ /earth: write failed, file system is full cp: /earth/creatures: No space left on device
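The thread above is about telling sparse files apart from dense ones before deciding how to move them. This is an added example, not code from the thread: it uses stat(2)'s block count (st_blocks, in 512-byte units) versus the apparent size to flag sparse files, and assumes a filesystem that reports allocated blocks accurately.

```python
"""Identify sparse files: allocated blocks smaller than the apparent size."""
import os
import tempfile


def make_sparse_file(path, hole_bytes, chunk=b"x" * 4096):
    """Write a chunk, seek past a hole of hole_bytes, write another chunk.
    The hole is never written, so the filesystem allocates no blocks for it."""
    with open(path, "wb") as f:
        f.write(chunk)
        f.seek(hole_bytes, os.SEEK_CUR)
        f.write(chunk)
        f.flush()
        os.fsync(f.fileno())


def file_sizes(path):
    """Return (apparent size in bytes, allocated bytes).
    st_blocks counts 512-byte units regardless of the filesystem block size."""
    st = os.stat(path)
    return st.st_size, st.st_blocks * 512


def is_sparse(path):
    """A file is sparse when less space is allocated than its length implies."""
    apparent, allocated = file_sizes(path)
    return allocated < apparent


def find_sparse_files(root):
    """Walk root and list (path, apparent, allocated) for every sparse regular file.
    Symlinks are skipped so the same file is not reported twice."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            if os.path.isfile(p) and not os.path.islink(p) and is_sparse(p):
                found.append((p,) + file_sizes(p))
    return found


def demo(hole_bytes=256 * 1024 * 1024):
    """Create one sparse and one dense file in a temp dir (constructed test data)
    and return what the checks report about each."""
    with tempfile.TemporaryDirectory() as d:
        sparse = os.path.join(d, "sparse.bin")
        dense = os.path.join(d, "dense.bin")
        make_sparse_file(sparse, hole_bytes)
        with open(dense, "wb") as f:
            f.write(os.urandom(8192))  # incompressible, so allocation == length
            f.flush()
            os.fsync(f.fileno())
        return {
            "sparse_flagged": is_sparse(sparse),
            "dense_flagged": is_sparse(dense),
            "sparse_sizes": file_sizes(sparse),
            "found": [os.path.basename(p) for p, _, _ in find_sparse_files(d)],
        }


if __name__ == "__main__":
    result = demo()
    apparent, allocated = result["sparse_sizes"]
    print("sparse file: %d bytes apparent, %d allocated" % (apparent, allocated))
    print("sparse files found:", result["found"])
```

A 256 MB hole costs only the two written chunks on disk, which is exactly the gap that rsync without -S or gzip has to stream through.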
spamdb output
I just got through updating a mailserver that had been running 4.0 to 4.2 using a new HDD, fresh install of OS and required packages. All old scripts settings etc preserved on original HDD now sitting in an accessible older box so I can grab anything forgotten. The one thing that hit me was the output of spamdb. Back on 4.0 all the entries came out (sort of) sorted. All the SPAMTRAP entries last but sorted on the trap address field. All the GREY, WHITE or TRAPPED entries first sorted on the IP field (but sorted alphabetically i.e. 101.x.y.z precedes 99.x.y.z) All that was fine because I could easily see if there were two entries for the one IP which happened when a script that runs every few minutes evaluates a GREY entry and enters it as TRAPPED. It seems that the migrated database works but new entries go on the end - no SORT of order, and SPAMTRAP entries (that I entered using a script) ended up showing in two bunches in the midst of other unordered entries. My question is: Is this normal with spamd a la 4.2 or is it because I migrated a database? I can always use:

spamdb | sort -n -t '|' -k 2 | less

to get a fully sorted list if I have to, but curiosity makes me ask about expected behaviour. Of course (to cut off pedants) I could have used:

spamdb | sort -t '|' -k 2 -n | less

to get the output looking like that from 4.0. Thanx, Rod/ /earth: write failed, file system is full cp: /earth/creatures: No space left on device
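Both the post above and the spamdb exchange earlier on this page turn on the ordering of spamdb output. As an added example (not code from the posts), this parses spamdb(8) records, reproduces the 4.0-style listing (address entries sorted as strings on the IP, SPAMTRAP entries last sorted on the trap address), offers a true octet-wise order, and flags the duplicate-IP case the post uses the ordering to spot. The sample output is constructed with hypothetical addresses.

```python
"""Parse spamdb(8) output and order it the way spamdb on OpenBSD 4.0 printed it.

Record layouts, as documented in spamdb(8):
  GREY|ip|helo|from|to|first|pass|expire|block|pass
  WHITE|ip|||first|pass|expire|block|pass
  TRAPPED|ip|expire
  SPAMTRAP|mailaddress
"""
from collections import defaultdict

# Constructed sample output: hypothetical addresses and times, not real data.
SAMPLE = """\
WHITE|99.0.0.1|||1195600000|1195601500|1198692000|2|5
GREY|101.2.3.4|mail.example.net|bob@example.net|trap@example.org|1195673789|1195675648|1195688189|2|0
SPAMTRAP|trap@example.org
TRAPPED|101.2.3.4|1195760189
GREY|69.28.223.134|mta5br.example.com|list@example.com|postmaster@example.org|1195673789|1195675648|1195688189|2|0
SPAMTRAP|abuse-trap@example.org
WHITE|10.0.0.9|||1195600000|1195601500|1198692000|1|1
"""

ADDRESS_KINDS = ("GREY", "WHITE", "TRAPPED")


def parse_spamdb(text):
    """One dict per record: kind, key (IP or trap address), counters, raw line."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split("|")
        rec = {"kind": f[0], "key": f[1], "line": line}
        if f[0] in ("GREY", "WHITE"):
            # The five trailing numeric fields sit at the end of both layouts.
            first, pass_at, expire, blocked, passed = (int(x) for x in f[-5:])
            rec.update(first=first, pass_at=pass_at, expire=expire,
                       blocked=blocked, passed=passed)
        elif f[0] == "TRAPPED":
            rec["expire"] = int(f[2])
        elif f[0] != "SPAMTRAP":
            raise ValueError("unknown spamdb record: %r" % line)
        records.append(rec)
    return records


def sort_like_40(records):
    """Address entries first, sorted as strings on the IP (so 101.x precedes
    99.x, as spamdb on 4.0 showed them), then SPAMTRAP entries by address."""
    addrs = sorted((r for r in records if r["kind"] in ADDRESS_KINDS),
                   key=lambda r: r["key"])
    traps = sorted((r for r in records if r["kind"] == "SPAMTRAP"),
                   key=lambda r: r["key"])
    return addrs + traps


def ip_tuple(ip):
    """Octet-wise key: 99.0.0.1 sorts before 101.2.3.4."""
    return tuple(int(o) for o in ip.split("."))


def sort_numeric(records):
    """True numeric order on the IP. Piping the field through sort -n reads the
    address as one decimal number, so 10.9.x would land after 10.10.x."""
    addrs = sorted((r for r in records if r["kind"] in ADDRESS_KINDS),
                   key=lambda r: ip_tuple(r["key"]))
    traps = sorted((r for r in records if r["kind"] == "SPAMTRAP"),
                   key=lambda r: r["key"])
    return addrs + traps


def duplicate_ips(records):
    """IPs that appear in more than one address record, e.g. a GREY entry that
    a script has also entered as TRAPPED; returns {ip: [kinds in file order]}."""
    seen = defaultdict(list)
    for r in records:
        if r["kind"] in ADDRESS_KINDS:
            seen[r["key"]].append(r["kind"])
    return {ip: kinds for ip, kinds in seen.items() if len(kinds) > 1}


if __name__ == "__main__":
    recs = parse_spamdb(SAMPLE)
    for r in sort_like_40(recs):
        print(r["line"])
    print("duplicates:", duplicate_ips(recs))
```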
Re: reply-to rule not working
On Thu, 8 Nov 2007 20:40:00 -0500, Steven Surdock wrote: I assume you are running OpenVPN in UDP mode? ... Yes. But I also run a second OpenVPN process in TCP mode (port 443) to get around a few (very few) places that still only allow 80/443. UDP has less overhead and feels faster, but I have never performed any measurements. And TCP over TCP is fraught with its own problems. http://sites.inka.de/~W1011/devel/tcp-tcp.html Rod/ /earth: write failed, file system is full cp: /earth/creatures: No space left on device
Re: altroot is not mentioned in FAQ [diff]
On Tue, 6 Nov 2007 18:26:04 -0500, Douglas A. Tutty wrote: Jest Perhaps there needs to be a new fork: OldBSD: Unix for the Ages. s/Ages/Aged/ ?? Given that I joined IBM in 1962, I am allowed to make such jokes. ~|^ = From the land down under: Australia. Do we look umop apisdn from up over?
Re: OpenBSD isakmpd and pf vs Cisco PIX or ASA
On Mon, 05 Nov 2007 14:26:48 -0500, Brian A Seklecki (Mobile) wrote: - PIX/ASA has some magical black-box inline transparent protocol fixups People who have met those when trying to send mail will tell you that, at least for smtp, that quoted word at the end of the above sentence has a spelling error. s/i/u/ R/ From the land down under: Australia. Do we look umop apisdn from up over?
Re: Where is 'cdrom42.fs'? 4.2 -release
On Fri, 2 Nov 2007 12:35:28 -0400, Calomel wrote: Rod, You are absolutely correct. Using the --reject *iso directive for wget in the instructions will now filter out all iso files from downloading. The wording on the web page has been cleaned up and clarified. Thanks for your feedback, it is appreciated. That's what we are here for mate. I'll send you my method when I clean it up a bit for public consumption. It avoids using anything not in a basic install. i.e. no pkg_add stuff. Then you can take anything from it that you might like. Regards, Rod. From the land down under: Australia. Do we look umop apisdn from up over?
Re: my work at p2k7
On Fri, 2 Nov 2007 20:43:49 +0100, Marc Espie wrote: This was really shortly mentioned on undeadly, because it probably deserves a separate announcement and article. and lots more informative stuff Gosh it's nice to hear the process in this form Marc. Totally comprehensible for those of us who don't have all your skills and experience and bloody well written too. In Australia (it may not be unique to us but I have not heard it elsewhere) we have a saying: Your blood's worth bottling! It applies to you. On behalf of those who appreciate just how well the OpenBSD ports and packages work for us, I'd like to thank you very much. Rod/ From the land down under: Australia. Do we look umop apisdn from up over?
Re: Where is 'cdrom42.fs'? 4.2 -release
On Thu, 1 Nov 2007 20:01:16 -0400, Calomel wrote: Making a custom, bootable OpenBSD install CD http://calomel.org/bootable_openbsd_cd.html Calomel, I think you need to rapidly go edit your instructions and the script to get rid of the wildcard in the wget command to get the install files. Nobody building a custom CD will thank you for imposing a download of the 204MB install42.iso along with the needed files. Secondly, you need to stop referring to install sets as packages. I was really confused when I read The OpenBSD group do (sic) offer iso's you can download and use to install a system. The problem is they may have packages you know you will never use. because I knew that the downloadable iso includes NO packages. Packages are precompiled applications from the ports tree. Let's not confuse newbies. Rod/ In the beginning was The Word and The Word was Content-type: text/plain The Word of Rod.
Re: Problems booting 4.2 CD on two older machines.
On Sun, 28 Oct 2007 22:48:20 -0400, Nick Holland wrote: This thread is a bit bothersome for a lot of reasons. However, there is a lack of hard info so far. Well, I read Theo's message and I know we can't ask for any changes to the issue CDs. Shit happens. I just get my terrier genes showing a bit because it's a challenge. Don't like being locked out of solutions and knowing what is needed to prevent repetition. So I have done a bit of detective work and maybe it will get shot down or else it will pop up one of those cartoon lightbulbs for somebody who will then improve my education by informing me about the rest of the story. Here is what I know so far about the differences in the CDs that boot or don't on older machines: All the CDs that boot have a copy of the cdbr content before 64MB from the start of the CD whereas the 4.2 release has it located at 76,398,592 bytes in. I have used (in addition to 4.2 Official build 375) snapshots for kernel build 372, 373, 374 and 461. 372, 373 and 374 all have the cdbr code at 60,293,120 bytes and 461 has it at 60,854,272 and all of those boot. Here is what I don't know (about this issue, not LTUAE!): Is 67,108,864 a possible barrier for old BIOSes? Do we have any way to predetermine where that code will be located on the CD? Am I chasing a red herring? I'd like to keep a bunch of low(er) powered servers going for a while and as I said earlier I can do it without a bootable CD even tho' those boxes (except one) don't have a floppy drive either. My concern is more for some young guys with only one old dumpster surprise and no previous experience with OpenBSD, trying to give it a try using a buddy's CD. Apart from my mad curiosity, of course! Rod/ (Please reply to the list even if it's Theo or Nick telling me to let go of it.) -- Write a wise saying and your name will live on forever. - Anonymous
Re: Marginal boot CD #1 in OpenBSD 4.2 sets
On Mon, 29 Oct 2007 18:42:19 +, Stuart Henderson wrote: On 2007/10/29 10:49, Austin Hook wrote: I understand that some people have experienced boot problems with CD #1 in the new 4.2 release set, mainly with older machines. I don't have a suitable machine to try it on, but amd64 boot loader is now able to boot an i386 kernel, and I suspect (but am not certain) that the boot loader itself may be able to run on either arch. So, it may be worth someone with an affected machine trying to boot CD 2 and if the boot loader does start up, pause it (just hit space or something), swap to CD 1, and continue by typing 'boot'. The CD2 does get to where it is about to boot, stops on a space but never accepts any variation of all possible /4.2/i386/bsd.rd combinations. Nice try (and I agreed it was worth a try) but no cigar... Regards, Rod From the land down under: Australia. Do we look umop apisdn from up over?
Re: Marginal boot CD #1 in OpenBSD 4.2 sets
On Mon, 29 Oct 2007 17:29:42 -0400, Barry Miller wrote: On Mon, Oct 29, 2007 at 06:42:19PM +, Stuart Henderson wrote: On 2007/10/29 10:49, Austin Hook wrote: I understand that some people have experienced boot problems with CD #1 in the new 4.2 release set, mainly with older machines. [...] So, it may be worth someone with an affected machine trying to boot CD 2 and if the boot loader does start up, pause it (just hit space or something), swap to CD 1, and continue by typing 'boot'. Worked for me. Thanks! (Also you need to 'set image /4.2/i386/bsd.rd'.) Ahhh, yes! Muggins me forgot the set image bit. Too much hurry. Thanks. From the land down under: Australia. Do we look umop apisdn from up over?
Re: Marginal boot CD #1 in OpenBSD 4.2 sets
On Mon, 29 Oct 2007 10:49:09 -0700 (MST), Austin Hook wrote: I understand that some people have experienced boot problems with CD #1 in the new 4.2 release set, mainly with older machines. There are cases where the same CD works with a newer machine, but fails to boot with an older one. I presume this means the track alignment is marginal in some cases. I am not tracking misc@ We would like to send out replacement CD's for anyone with those problems so that we can see if the problem is with all CDs of the current release, or only with some of them. Please contact me if you have seen this problem. Austin Hook OpenBSD distribution Milk River, AB

I have good reason to believe that it isn't a physical problem with the CDs. Here are my reasons: I have 5 machines around here that won't boot on a 4.2 CD and one that will. The won'ts have a variety of CD drives, most pertinently one is a brand new Liteon DVD+/- with all the bells and whistles. Not likely to have read problems. The CD can be read from start to finish with zero errors on any of the drives using dd. I can make a copy of the CD on a windows machine by saving an ISO image and burning that to a CD using imgburn. Zero errors copying or burning but it boots the new box and won't boot any old box. Now here is my suggestion. Because I'd like to see this fixed from a PR point of view before Nov 1 and the install42.iso won't be available until then, please have a copy of it put on an ftp server in a location not publicly known and let me download it and test it. That will be clear of the entire commercial pressing process and will possibly save the project a lot of money shipping out new CDs which may not work when they get to the end users. I'll be on standby ready to do the download and testing at any time I'm awake over the next couple of days. Austin/ OpenBSD team can please use ash2 at witworx dot com rather than the list. misc readers with comments can reply to the list, please no CC. Regards, Rod Whitworth.
From the land down under: Australia. Do we look umop apisdn from up over?
Re: Google employment opportunity
On 10/28/07, Karel Kulhavy [EMAIL PROTECTED] wrote: On Sun, 28 Oct 2007 12:15:28 +0530, Karthik Kumar wrote: Loads of irrelevant waffle which belongs somewhere else. How about you two start your own blog somewhere and recruit a willing coterie who are at least mildly interested. Anybody here who is interested will follow but it looks like the total crowd would fit in an old English public phonebox. Rants about OpenBSD are bad enough but this has no relevance at all. Goodbye. From the land down under: Australia. Do we look umop apisdn from up over?
Re: Problems booting 4.2 CD on two older machines.
On Sun, 28 Oct 2007 11:51:37 +, Edd Barrett wrote: Hi, On 28/10/2007, RW [EMAIL PROTECTED] wrote: So maybe that narrows it a bit if we can find out what relevant factor changed between those and release. I guess it would be around here someplace: http://www.openbsd.org/cgi-bin/cvsweb/src/distrib/ I had a quick look in the i386 folder but don't see any obvious relevant changes. Do newer snapshots work on this hardware? Well, install42.iso from Oct 26 does. Don't know about others, sorry, Rod (please don't CC me. I'm on the list and the reply-to is a limited use, burn when spam arrives facility 8-) ) whereas the list mail always gets through due to classy filtering. In the beginning was The Word and The Word was Content-type: text/plain The Word of Rod.
Re: Problems booting 4.2 CD on two older machines.
On Sun, 28 Oct 2007 22:48:20 -0400, Nick Holland wrote: This thread is a bit bothersome for a lot of reasons. However, there is a lack of hard info so far. When you say it isn't booting the CD, what does this mean? Does it try but fail with some error? Does it not even stop at the CD on the way to attempting to boot the hard disk? It says: Bootable CD does not exist ... and goes off to the HDD. And let's see what the actual scope of the problem is: Does the official CD boot? (I think the point of this thread is for some people, no it doesn't). For me: No Does a copy of the official CD boot? (Is there any error reported when trying to make a copy?) I didn't make the copy but simply imaged the release CD to an iso file. Zero errors. For the people that say the official CD doesn't boot, do they have other machines they /can/ boot the official CD? Yes. If people are spotting some machines that do and some that don't, what happens if you move the CD drive from one that does boot to one that doesn't? Does the problem follow the machine or the drive? I can't do that test. I have 4 identical no-go machines and only one other that I may not swap the drive out of plus 2 laptops that won't swap drives with the desktops. Besides I have the 4 identical boxes with MX36LE A-Open mobos that I posted dmesgs from yesterday. There are 2 with Diamond 52X CDR, one with a combo drive and the one that made me think I had a buggy DVD 2 layer/dvd-ram/+/-/cdr/rw/ latest and greatest. They all fail on the release CD or a copy of it. I don't believe it is drive related. BIOS maybe? Whoops! I just remembered an old clunker around here where I am. 766 Celeron + combo drive. It won't boot release but does do the others. Does a CD made from install42.iso boot? Can't test that until Friday (Australian time) when it gets onto ftp. 8-) BUT install42.iso from Oct 26 snapshot does boot! As does install42.iso from Aug 24 (which had a build #374 kernel) Does a CD made from cd42.iso boot?
Can't tell atm. Does a CD made from cdemu42.iso boot? Can't tell atm. I'm away from the necessary resources for a while. If install42.iso or cd42.iso boot, don't be looking for code changes, sounds like we had a bum pressing of CDs or some other quirk in the way the master was made, as they all use the same boot process. Still needs to be identified and fixed for 4.3, but it wouldn't be a code problem. It would look like a crook boot track except for all the boxes that it works on, including that one I was trying to get four copies onto ;-) Anything else I can assist with? It's my job to help wherever I can, is it not? I can get the OS onto any of those boxes without a CD but not everyone is as well placed. ttys, Rod/ From the land down under: Australia. Do we look umop apisdn from up over?
Re: Problems booting 4.2 CD on two older machines.
On Sat, 27 Oct 2007 19:30:27 -0400, Barry Miller wrote: On Sat, Oct 27, 2007 at 07:01:04PM +0100, Edd Barrett wrote: A couple of friends have been wanting to try out OpenBSD 4.2 on their machines, but the 4.2 disk will not boot whereas the 4.1 disk will. [...] Has anyone else had problems booting the 4.2 CD? And is there a workaround? I have the same problem. My 4 year old i386 test box doesn't see it as bootable (4.[01] CDs work fine). The CD seems ok - no problem pulling kernels, sets, and packages off it. It boots on my newer machines, and Another one (user but 4 identical PCs). The first (to exhibit the problem) machine I tried to upgrade to 4.2 had a CD drive that was dead some time ago but I only replaced it when I took it out of service to upgrade. When it failed to boot the 4.2 release CD I figured that a fancy DVD burner with all the bells and whistles must have scared the old BIOS. I just planted a bsd.rd onto it across the network and upgraded using the CD which as the others have said mounts and reads perfectly. I cannot see any pertinent difference in 4.1cd boot dmesg and 4.2 installed dmesg but my eyes may have missed something so here is one of each:

4.2 installed.

OpenBSD 4.2 (GENERIC) #375: Tue Aug 28 10:38:44 MDT 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Celeron(TM) CPU 1300MHz (GenuineIntel 686-class) 1.31 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem = 259555328 (247MB)
avail mem = 243314688 (232MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 02/27/02, BIOS32 rev. 0 @ 0xfb4b0, SMBIOS rev. 2.3 @ 0xf0800 (35 entries)
bios0: vendor Phoenix Technologies, LTD version 6.00 PG date 02/27/2002
bios0: VIA Technologies, Inc. VT8601
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0xde94
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfde10/128 (6 entries)
pcibios0: PCI Exclusive IRQs: 10 11 12
pcibios0: PCI Interrupt Router at 000:07:0 (VIA VT82C596A ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0xc000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 VIA VT8601 PCI rev 0x05
ppb0 at pci0 dev 1 function 0 VIA VT82C601 AGP rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 Trident CyberBlade i1 rev 0x6a
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 7 function 0 VIA VT82C686 ISA rev 0x40
pciide0 at pci0 dev 7 function 1 VIA VT82C571 IDE rev 0x06: ATA100, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: ST340016A
wd0: 16-sector PIO, LBA, 38166MB, 78165360 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: LITE-ON, DVDRW LH-20A1P, KL0N SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 4
uhci0 at pci0 dev 7 function 2 VIA VT83C572 USB rev 0x1a: irq 12
uhci1 at pci0 dev 7 function 3 VIA VT83C572 USB rev 0x1a: irq 12
viaenv0 at pci0 dev 7 function 4 VIA VT82C686 SMBus rev 0x40: 24-bit timer at 3579545Hz
rl0 at pci0 dev 17 function 0 Realtek 8139 rev 0x10: irq 11, address 00:01:80:20:88:ab
rlphy0 at rl0 phy 0: RTL internal PHY
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
usb0 at uhci0: USB revision 1.0
uhub0 at usb0: VIA UHCI root hub, rev 1.00/1.00, addr 1
usb1 at uhci1: USB revision 1.0
uhub1 at usb1: VIA UHCI root hub, rev 1.00/1.00, addr 1
biomask f765 netmask ff65 ttymask ffe7
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a swap on wd0b dump on wd0b

4.1 CD booted to shell:

OpenBSD 4.1 (RAMDISK_CD) #248: Sat Mar 10 19:32:46 MST 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/RAMDISK_CD
cpu0: Intel(R) Celeron(TM) CPU 1300MHz (GenuineIntel 686-class) 1.31 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem = 259555328 (253472K)
avail mem = 230711296 (225304K)
using 3199 buffers containing 13103104 bytes (12796K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 02/27/02, BIOS32 rev. 0 @ 0xfb4b0, SMBIOS rev. 2.3 @ 0xf0800 (35 entries)
bios0: VIA Technologies, Inc.
Re: Problems booting 4.2 CD on two older machines.
On Sun, 28 Oct 2007 01:48:54 +, Edd Barrett wrote: But why are these machines not booting the CD's properly? I was testing snapshots up to build #374. One of my no-boot on #375 (release) boxes was installed from either #373 or #374 (can't tell now) using snapshot .iso file So maybe that narrows it a bit if we can find out what relevant factor changed between those and release. I have a spare box that will let me provide testing assistance if required. Mind you, if the problem never gets fixed it is not the end of the world. When it comes to installs TIMTOWTDI prevails. I wish I'd had the time to do the snap that was #375 as my test box for snaps was one of the problem variety and that's why we do snapshot testing, innit? Rod/ From the land down under: Australia. Do we look umop apisdn from up over?
Re: cp(1) bug ?
On Sat, 20 Oct 2007 09:59:26 +, Tom Van Looy wrote: on unix everything is a file? Always has been. At least as far back as I can remember - about early 1978. Probably always will. And, given the thread running here, my second edition of the Unix Programmers Manual vol 1 from those days states baldly: Cp (sic) refuses to copy a file onto itself. 8-) Rod In the beginning was The Word and The Word was Content-type: text/plain The Word of Rod.
ntpd error message filling logs
I have a GENERIC 4.1 box running ntpd as a server that is now part of au.pool.ntp.org and suddenly (once the world discovered it) the logs began to fill with entries like:
Oct 19 16:46:05 freya ntpd[12012]: malformed packet received from 121.216.235.111
Oct 19 16:46:19 freya ntpd[12012]: malformed packet received from 144.131.135.143
Oct 19 16:46:25 freya ntpd[12012]: malformed packet received from 58.173.48.94
Oct 19 16:46:46 freya ntpd[12012]: malformed packet received from 58.168.107.247
Oct 19 16:47:20 freya ntpd[12012]: malformed packet received from 144.131.135.143
Oct 19 16:48:21 freya ntpd[12012]: malformed packet received from 144.131.135.143
Oct 19 16:48:29 freya ntpd[12012]: malformed packet received from 58.168.107.247
Oct 19 16:49:22 freya ntpd[12012]: malformed packet received from 144.131.135.143
So I went running to Mrs Google and she didn't say much really but one entry showed that somebody found that one version of Debian could deal with an early OBSD ntpd but a later Deb could not. I followed up some cvs entries for our ntpd and I can see the message text there but nothing much to let me figure out if it can be mitigated in any way. Ohh whoops! I just saw the tail -f daemon stop scrolling and it's now been silent for several minutes after nearly an hour where a bunch of Telstra (not my ISP) adsl customers repeatedly hammered the box. Anyway can someone please give me a clue as to what the effect is at t'other end clients? If it starts again what is the best tcpdump recipe to capture data that smart people need? I did a tcpdump -X -s 1500 -nettti rl0 udp and dst 218.214.194.118 but the output did not mean much to me. Any other clues? Thanx, Rod/ From the land down under: Australia. Do we look umop apisdn from up over?
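Before reaching for tcpdump, it helps to know which sources are actually hammering the box rather than sending a one-off malformed packet. The script below is an added example (not something from the post or from the OpenBSD ntpd code): it parses the syslog lines quoted above, counts them per source address, and flags sources that repeat within a short window. The log lines are the ones from the post; syslog lines carry no year, so the year is an assumed parameter, and the three-hits-in-five-minutes threshold is a constructed default.

```python
"""Summarise ntpd(8) "malformed packet" log entries by source address.

Added example, not from the post. It takes the syslog lines quoted in the
post, counts them per source, and flags sources that repeat within a short
window. Syslog lines carry no year, so the year is an assumed parameter.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Sample lines copied from the post (syslog layout: month, day, time, host, program[pid]).
SAMPLE_LOG = """\
Oct 19 16:46:05 freya ntpd[12012]: malformed packet received from 121.216.235.111
Oct 19 16:46:19 freya ntpd[12012]: malformed packet received from 144.131.135.143
Oct 19 16:46:25 freya ntpd[12012]: malformed packet received from 58.173.48.94
Oct 19 16:46:46 freya ntpd[12012]: malformed packet received from 58.168.107.247
Oct 19 16:47:20 freya ntpd[12012]: malformed packet received from 144.131.135.143
Oct 19 16:48:21 freya ntpd[12012]: malformed packet received from 144.131.135.143
Oct 19 16:48:29 freya ntpd[12012]: malformed packet received from 58.168.107.247
Oct 19 16:49:22 freya ntpd[12012]: malformed packet received from 144.131.135.143
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ ntpd\[\d+\]: malformed packet received from (?P<ip>[0-9a-fA-F.:]+)$"
)


def parse_events(text, year=2007):
    """Return a list of (timestamp, source_ip) for every matching line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
        )
        events.append((stamp, m["ip"]))
    return events


def count_by_source(events):
    """Total malformed packets seen per source address."""
    return Counter(ip for _, ip in events)


def repeat_offenders(events, min_hits=3, window_seconds=300):
    """Sources that produced at least min_hits entries inside any window_seconds span.

    Returns {ip: total_hits}. One malformed packet may be a fluke; a source that
    keeps sending them is the one worth capturing with tcpdump or rate-limiting.
    Threshold and window are constructed defaults, not values from the post.
    """
    by_ip = defaultdict(list)
    for stamp, ip in events:
        by_ip[ip].append(stamp)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        # slide a window of min_hits consecutive events over the sorted timestamps
        for i in range(len(stamps) - min_hits + 1):
            span = (stamps[i + min_hits - 1] - stamps[i]).total_seconds()
            if span <= window_seconds:
                flagged[ip] = len(stamps)
                break
    return flagged


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    for ip, n in count_by_source(ev).most_common():
        print(f"{n:4d}  {ip}")
    print("repeat offenders:", repeat_offenders(ev))
```

On the sample lines only 144.131.135.143 is flagged (four entries, three of them within about two minutes); the flagged addresses are the natural `src host` filter to add to the post's tcpdump command when the next burst arrives, so the capture is small enough to read.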
Re: lookup option in /etc/resolv.conf ignored
On Sat, 13 Oct 2007 11:43:46 +0200, Karel Kulhavy wrote: I want to make my OS return 127.0.0.1 on google-analytics.com and ad.doubleclick.net to speed up the work with Sourceforge. I put 127.0.0.1 google-analytics.com 127.0.0.1 ad.doubleclick.net into /etc/hosts and checked that /etc/resolv.conf contains lookup file bind According to man resolv.conf this should result in /etc/hosts having priority over the DNS system. However, it simply doesn't work. Both Firefox and the host command behave as if I didn't do anything. Why doesn't it work when man resolv.conf says it should? CL Run dnsspoof on your firewall. Works like a charm. Part of the dsniff package. Includes a ready made hostfile that contains loads of the annoyances and you add your own. Does wildcard names too, like *.adserver.* Also resolves names for LAN hosts if you add them. Easy, but remember to pkill dnsspoof and restart it after any update to the spoofing config file. From the land down under: Australia. Do we look umop apisdn from up over?
Multi booting OpenBSD and OpenBSD and
I have seen plenty of QA about multibooting OpenBSD and Windows/Linux/whatever and although I did a lot of that stuff way back, I generally don't need it in the days of almost zero cost PC that are plenty good enough to run OpenBSD. So why this question? Well I was blessed by a client who had some troubles with a fairly recent grunty Intel mobo and donated it with its RAM to me for past favours. I figured it would make a pretty nice build machine, tossed a 160G SATA in and voila! Then (the devil made me do it!) I thought: Why not four OpenBSDs as in Release, Release minus one, current and some experimental stuff. Just multiboot to whichever and away. Pretty soon the Release would be stable for latest and one back etc. I know that something like GAG would handle the boots but how would I slice and dice the drive? I managed to play with fdisk and set up partition 3 with about 40G at the end of the disk and use the b command in disklabel to describe the disk and whacked in a bunch of filesystems. Pretty standard install - booted and ran just fine. Then I fdisked again to do partition 0, easy. Even remembered the 63 offset. BUT (and I can see Nick Holland smiling here) when I get to the disklabel phase and use b to describe the disk, I still end up with all those other partitions visible. I don't want to cream the first install unnecessarily so I'm here to be told. Is it at all possible? If so what is the trick? I did flag the new MBR entry as active and I can't see anything in the docs that contemplates this kind of set-up. If there is an answer at Mother Google's I cannot construct a smart enough query to not be drowned in all the OpenBSD and some other OS questions. Anybody successful at this task? Thanx, Rod/ From the land down under: Australia. Do we look umop apisdn from up over?
Re: Multi booting OpenBSD and OpenBSD and
On Wed, 10 Oct 2007 22:51:26 +0200, Tilo Stritzky wrote: On 10/10/07 21:37 RW wrote: Then (the devil made me do it!) I thought: Why not four OpenBSDs as in Release, Release minus one, current and some experimental stuff. Just multiboot to whichever and away. Is it at all possible? If so what is the trick? I did flag the new MBR entry as active and I can't see anything in the docs that contemplates this kind of set-up. It's actually not very difficult but ... If you have to ask, you shouldn't be doing it Pushing boundaries on a machine without internet connection and (unless it works) not a part of critical infrastructure is just fun for learning. If it blows up an OpenBSD flush and install another way is not exactly the punishment that Linux or Windows would inflict. ;-) Start your first install. Make one fdisk partition (OpenBSD type). disklabel as many slices as you want OpenBSD releases (plus swap, plus c). Install one on slice a. Hmmm. Right there is the showstopper. I did say it was so I could build stable for at least a couple of releases. I have 9 slices on my present builder and could probably lose a couple. but only one to build and clean on? Not for me. I have listened to the experienced crew about having filesystems you can just flush rather than rm -rf * on. Looks like a lost cause. I did really want to get out of all the drive swapping with wear on the connectors (the old IDE trays at least had rugged sockets like the old Centronics ones, the SATA trays have an edgecon and I don't rate edgecons as suitable for lots of insert/remove cycles with a heavy mechanical load) but if it don't fly, c'est la vie. Thanx, Rod When done, start the next install. Before doing the actual install, jump into shell, hack the install-script's ROOT_DEVICE (or something like it) to a different slice (say d). Exit shell, proceed with install. This installation will end up on that very slice. And so on. 
Now every time you want to boot any installation other than the one on the a-slice you use the boot loader's set device .. to select the kernel you want. *AND* you have to tell that kernel which root partition to use (-a flag in boot). That's it. If there is an answer at Mother Google's I cannot construct a smart enough query to not be drowned in all the OpenBSD and some other OS questions. I don't think there is one and there is reason for it too. This is unsupported. This is weird. This is outright dangerous. The potential for holes in your feet is really high. Sooner or later you will end up running current binaries on a release kernel or vice versa. You will probably get your packages mixed up. There have been changes in the disklabel which are compatible one way only. There is probably a lot more. The failure modes of all this are subtle and mean. You will spend more time scratching your head and thinking WTF? than it would cost you to re-install from scratch every time you like to run a different release. (Well, maybe I'm exaggerating but in hindsight it really feels like this) Anybody successful at this task? I ran this for some time on my laptop. I wanted to run current on it, but also have a fallback release installation. In the end it turned out I never used the release. So after spending some serious time and learning a lot more than I ever hoped for (but nothing of this is lost) I scrapped it. If you really must do this (I recognize there is must and *must* ;) I reckon you go for separate media. Separate disk drives, or even better removable media (USB sticks, clearly labeled; maybe live-CDs). I just got a brand new office PC, 64bit CPU. But I'm stuck with some Apps in i386 compatibility. So I installed i386 for work. Next week I'm going to get a USB stick and put an amd64 install on it, for play :) regards tilo Thanx, Rod/ From the land down under: Australia. Do we look umop apisdn from up over?
Re: 4.2 song
On Mon, 8 Oct 2007 20:04:15 +0200, ropers wrote: On 08/10/2007, Tom Van Looy [EMAIL PROTECTED] wrote: I think it should have been 101 instead of 11. Gord wrote: Someone is giving it a go: http://slashdot.org/~TheRaven64/journal/184027 That's real interesting, guys. TheRaven64 writes that (0)11 1010101 is (caesar-)ciphertext for Au. But going with Tom's suggestion of a missing 0, 101 1010101 is plaintext for AU. So is Gold the answer or is it not you? I dunno, but me likey! :) --ropers Well back on last Sunday I put my guess on undeadly at: http://undeadly.org/cgi?action=article&sid=20071007002942&mode=expanded&count=26 and it was Gold as you can easily see. I didn't explain my reasoning because it might have been a spoiler but now there are two others getting gold, both differing from mine in the method. Listen to the song. The two strings are broken and come out as: 100 001 that gives 41 which is A in hex 101 0101 that gives 55 which is U in hex. Gosh, three ways to make gold. OpenBSD is Alchemy! I'd award it gold in the marathon for sure. From the land down under: Australia. Do we look umop apisdn from up over?
Re: SMTP flood + spamdb
On Wed, 26 Sep 2007 17:26:22 +0200, Peter N. M. Hansteen wrote: Or take advantage of the (by default) 25 minute window to use other means to detect that this address is sending spam. Perhaps spamd should be extended to look for excessive attempts to send messages from an address during that period? (How often do spammers' lists contain only one or two addresses from a domain?) You could probably use straight rdr instead of rdr pass to feed spamd, then in the relevant pass rule apply your source tracking options and overload and some table magic for that Have you been looking at my ruleset? ;-) I took out the pass on the rdr ages ago because unless I did my personal blacklist could not be used to block things like stormers and some tedious twits like a movie-house chain which keeps on sending to a long gone client of mine even though the address returns a 554 every time. I blacklist those permanently to stop log clutter. Rod/ _ Depressed? Me? Don't make me laugh! :Spike Milligan:1918-2002:
Re: SMTP flood + spamdb
On Tue, 25 Sep 2007 09:38:10 +0100, Craig Skinner wrote: Greylisting is of no use whatsoever because the servers sending the bounces to you are actual smtp boxes (sendmail, extrange, ), not malware, so they will quickly bypass spamd. Spamd greytraps will help a great deal, but you say that the addresses are random. I've snipped all the content (which I largely agree with) above and below this paragraph to recount my experience which started about a fortnight ago and ran for about a week. Log analysis showed that there were two classes of incoming unwanted crap. One was bounced mail that should have been rejected as invalid recipient mail at the original target. That included an mx at aph.gov.au, the Australian Federal Parliament House. Yep, the pollies who want ISPs to block websites on request and who spent $84mil on a kiddie-filter that some 10-year old bypassed in ten minutes. The others were from bots as far as I could tell but they were not being sent by MTAs which had received them. My defence was to write a couple of scripts. One parsed the output of spamdb looking for GREY with <> sender and then tested the intended recipient against the postfix valid mailbox database. If it failed then the sender IP was added to a pf table that was outright blacklisted for 24 hours. The other script did housekeeping and added sender IPs to the TRAPPED category in case they retried later. The blacklist grew rapidly to over 1200 unique addresses but then petered out after a few days and I turned off the cron jobs running the scripts at day nine. So greylisting/spamd did a hell of a good job for me. I would not have been able to block traffic from all those crappily configured boxes (MTAs mostly qmail or windows) unless I had a greylist database to scan every few minutes. Peter H and Beck@ know what they are doing alright and do good papers on it. Thanks. R/ Me...a skeptic? I trust you have proof.
Re: SMTP flood + spamdb
On Tue, 25 Sep 2007 12:40:50 +0100, Craig Skinner wrote: RW wrote: The others were from bots as far as I could tell but they were not being sent by MTAs which had received them. Yes, but the OP's problem is back scatter, and that does not come from bots, they don't retry. What I was getting looked like backscatter and smelled like backscatter it is just that some of the IPs sending it didn't check out as MTAs. i.e. they were not listed MXs for the domain they came from AND the domain was not likely someone with separate outbound senders. They all retried too and when I had them as TRAPPED entries the logged data included typical failed-to-deliver messages. If the OP was repeatedly getting mail to a few addresses from different hosts, he could use grey trapping. But he said that they are all random. My experience entirely. I trapped them by looking for <> as sender, parsing the recipient as invalid (using a postfix lookup) and then inserting the IP into spamdb as TRAPPED. Later I firewalled them out for 24 hours. It cut the log clutter. The scripts are still there but the crontab lines are commented out until needed again. R/ A consultant is someone who's called in when someone has painted himself into a corner. He's expected to levitate his client out of that corner. -The Sayings of Chairman Morrow. 1984.
Re: SMTP flood + spamdb
On Tue, 25 Sep 2007 14:14:46 +0300, Liviu Daia wrote: On 25 September 2007, RW [EMAIL PROTECTED] wrote: [...] My defence was to write a couple of scripts. One parsed the output of spamdb looking for GREY with <> sender and then tested the intended recipient against the postfix valid mailbox database. [...] With Postfix you can use anvil(8) to control concurrency. Yep, you could. BUT 1- why let it get to postfix? This is crap that spamd can deal with, with a bit of scripting help for extra functionality. 2- What concurrency? We had a mailstorm of backscatter from hundreds of IPs each trying to send one or two messages. We had over a thousand IPs marked TRAPPED in spamdb at one time. Postfix would just be rejecting them and filling its logs. As far as I'm concerned filling the logs of mailservers that are backscatter generators is A Good Thing. In the beginning was The Word and The Word was Content-type: text/plain The Word of Rod.
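The backscatter-trapping script described in the three posts above (GREY entries with a null sender, recipient checked against the valid-mailbox table, offending IP trapped and firewalled) is the sort of thing that is easy to get subtly wrong, so here is an added example of the core logic. It is not Rod's script and not part of spamd; it assumes the GREY record layout documented in spamdb(8) (`GREY|ip|helo|<from>|<to>|first|pass|expire|block|pass-count`), and the spamdb output and the mailbox table below are constructed. The Postfix lookup is replaced by a plain set so the example runs offline; the commands it would run are returned as strings rather than executed.

```python
"""Pick out backscatter senders from spamdb(8) GREY entries.

Added example, not the script from the post. Assumes the GREY record layout
documented in spamdb(8):
  GREY|ip|helo|<from>|<to>|first|pass|expire|block|pass-count
The sample spamdb output and the mailbox table are constructed.
"""
from collections import defaultdict

# Constructed stand-in for the Postfix valid-mailbox lookup (postmap -q against
# the local recipient map). In production this would be a real lookup.
VALID_MAILBOXES = {"rod@example.org", "postmaster@example.org"}

# Constructed spamdb output: two bounces to users that do not exist, one bounce
# to a real user, one ordinary greylisted sender, plus WHITE and TRAPPED records
# that a parser must skip rather than choke on.
SAMPLE_SPAMDB = """\
GREY|192.0.2.10|mx.bounce.example|<>|<xyzzy123@example.org>|1190000000|1190001500|1190014000|0|0
GREY|192.0.2.11|mail.other.example|<>|<rod@example.org>|1190000100|1190001600|1190014100|0|0
GREY|198.51.100.7|smtp.third.example|<bob@third.example>|<rod@example.org>|1190000200|1190001700|1190014200|0|0
GREY|192.0.2.10|mx.bounce.example|<>|<qwerty987@example.org>|1190000300|1190001800|1190014300|0|0
WHITE|203.0.113.5|||1189000000|1189001500|1192000000|0|3
TRAPPED|192.0.2.99|1190086400
"""


def parse_grey(text):
    """Yield (ip, sender, recipient) for each GREY record; other record types are skipped.

    Angle brackets are stripped and addresses lower-cased so that "<>" becomes the
    empty string (the null sender that every bounce uses).
    """
    for line in text.splitlines():
        fields = line.split("|")
        if fields[0] != "GREY" or len(fields) < 5:
            continue
        ip = fields[1]
        sender = fields[3].strip("<>").lower()
        rcpt = fields[4].strip("<>").lower()
        yield ip, sender, rcpt


def backscatter_sources(text, valid_mailboxes):
    """Return {ip: [recipients]} for bounces aimed at mailboxes that do not exist.

    A bounce to a real local user may be legitimate (we really did send something);
    a bounce to a user that never existed means the sending MTA accepted forged
    mail and is now spraying the failure notice at us.
    """
    hits = defaultdict(list)
    for ip, sender, rcpt in parse_grey(text):
        if sender == "" and rcpt not in valid_mailboxes:
            hits[ip].append(rcpt)
    return dict(hits)


def block_commands(hits, table="backscatter"):
    """The commands the post's scripts ran: trap the IP in spamdb and add it to a pf table.

    Returned as strings so the example can be inspected offline; a cron job would
    run them. Table name is an assumed placeholder.
    """
    cmds = []
    for ip in sorted(hits):
        cmds.append(f"spamdb -T -a {ip}")
        cmds.append(f"pfctl -t {table} -T add {ip}")
    return cmds


if __name__ == "__main__":
    for cmd in block_commands(backscatter_sources(SAMPLE_SPAMDB, VALID_MAILBOXES)):
        print(cmd)
```

Only 192.0.2.10 is selected: its bounces target addresses that never existed, while the bounce from 192.0.2.11 goes to a real mailbox and the third entry is not a bounce at all. The 24-hour firewall lifetime from the post maps onto pf's own table expiry (`pfctl -t backscatter -T expire 86400` from cron), which avoids keeping a separate list of when each address was added.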
Re: SMTP flood + spamdb
On Wed, 26 Sep 2007 03:16:35 +0300, Liviu Daia wrote: Postfix would just be rejecting them and filling its logs. Oh come on, these days you're probably rejecting 95% of messages anyway. :) Nope. Every day at log reading time I do grep reject maillog and very rarely do I see a result. spamd is the genius. As far as I'm concerned filling the logs of mailservers that are backscatter generators is A Good Thing. Unfortunately the people in charge of these servers either don't have a clue, or don't care. If even one sees a lot of greytrap try-again messages followed by an entry when it gives up, then it will be worth it if it causes a config to be fixed. R/ Me...a skeptic? I trust you have proof.
Re: 4.1 on ALIX.1C - recommendations?
On Fri, 21 Sep 2007 23:48:11 -0500, Aaron wrote: ... SNIP Is anyone using solid state drives yet? CF is effectively IDE. Witness (a firewall here):
# disklabel wd0
# Inside MBR partition 3: type A6 start 63 size 1000881
# /dev/rwd0c:
type: ESDI
disk: ESDI/IDE disk
label: SanDisk SDCFB-51
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 16
sectors/cylinder: 1008
cylinders: 993
total sectors: 1000944
rpm: 3600
8< snip!
But I also have a customer using a flash based drive that looks like a 3.5 IDE job. It cost heaps but she loves the speed of random access and I love the cool quiet(er) machine. In the beginning was The Word and The Word was Content-type: text/plain The Word of Rod.
Re: help needed with laptop hdd
On Thu, 20 Sep 2007 10:26:14 -0500, [EMAIL PROTECTED] wrote: You'd be unhappy with the write cycle longevity of a flash drive for regular use anyway. Flash and super dense mag drives seem fine for use if write/erase only happens occasionally (i.e. embedded/mp3 etc...) The next step: The next step is to find some justification for your statement about longevity. I remember early nand tech that wore out in a few days or maybe hours. That isn't now. I have attempted to wear out an Apacer CF 512MB by doing a regular install of OpenBSD (no memfs, no mount ro) and then turning the most verbose logging possible for spamd with daily rotations. I then used it to run a firewall in front of a moderately busy mailserver that had hundreds of spamtrap addresses. After fourteen months I gave up and put the spamd stuff on the mailserver (simply to keep all the email process on one box) at the next OS update. I have about a dozen client sites for one company that store all their inventory data on CF at their branch firewalls on a similar CF. Updates daily from head office overwrite the data. No problems. I saw some info recently that showed that flash technology is now less likely to fail than a spinny disk. Wish I'd kept a link to it because I don't really have time to Google it ATM. Price is the killer on the basis of storage size but it is heading down fast. We already have one flash drive in a desktop PC and it is slick. For laptops the ruggedness is tops. R/ From the land down under: Australia. Do we look umop apisdn from up over?
Re: help needed with laptop hdd
On Thu, 20 Sep 2007 19:25:40 -0500, [EMAIL PROTECTED] wrote: I guess they are great and I'm an idiot, nuff said... No. I don't think so. There are lots of things (in techy stuff particularly) that are true at some point. Later on that thing becomes no longer true but the meme hangs around and most of us at some time get caught by one of these outdated facts. I've seen Theo shoot down improvements suggested by people who thought that code would be better written as it would have been to be efficient back in the days when I did 4040 and 8080 assembler. His explanation was an enlightenment because I had not kept up with modern code generation technology and how CPUs help out. Until the last few years I too had thought that flash memory was easily worn out. Of course it isn't as good as it appears, at least at the cell level. It is partly made to look better because not only has the technology improved but there are stacks of spare cells on board to replace worn out ones. Read up on wear levelling for better info. Ya just gotta keep on learning. No rest for us wicked older guys! Rod/ A consultant is someone who's called in when someone has painted himself into a corner. He's expected to levitate his client out of that corner. -The Sayings of Chairman Morrow. 1984.
Re: The Atheros story in much fewer words
On Fri, 14 Sep 2007 16:06:56 +0100, Rui Miguel Silva Seabra wrote: There's no blind so bad as that which refuses to see. There's nothing I can do to change that. Pot, Kettle, Black. R/ Write a wise saying and your name will live on forever. - Anonymous
Re: OpenBSD Install Goal
On Thu, 13 Sep 2007 20:35:35 -0400, Stephan Andre' wrote: I hope one day soon OpenBSD will adopt a nice ncurses setup similar to something like FreeBSD with ease to it. Honestly, I don't see why. How is making the installer more complicated going to help anything? I recently sat a friend down to show how easy an install was. This was on a 400MHz Dell with a 10G disk. Putting the disk in the box to having a system that booted up took 11 minutes, with me making comments about each step. Once the machine came up, I said it was done, the system was ready to use. blink blink You mean, that's all? Yes, I replied and left him to playing with Perl Damn right STeve, I did a similar demo to the techs at the outfit that builds boxes for me. Install on a brand new box from CD with explanation of partitioning and turning on httpd and having another box with a browser showing the It worked! page in 15 minutes. As to the original poster's something like FreeBSD with ease to it. I have never been able to be confident in that piece of pretend gui-ness. There is no clarity about it and I forever feel that it's the only installer I've ever used where I wished for a comprehensive manual in hard copy. Given that I joined IBM in 1962 and only quit instructing for them a couple of years back, that covers a few installations. There are some things (very few) that I could use in Free that aren't in Open. Spending loads of time with that crappy installer is too high a price. Rod/ Me...a skeptic? I trust you have proof.
Re: routing question
On Mon, 03 Sep 2007 17:15:02 -0400, Paolo Supino wrote: Hi I have a firewall that also acts as a VPN peer for 2 VPNs. One of the VPNs is IPSEC that connects between the main office and a branch office. The second VPN is OpenVPN that connects windows based road warriors to the branch office. I want to enable employees that connect to the branch's OpenVPN to reach the main office servers (and filter traffic to). Both VPNs are working so the appropriate routing entries exist in the firewall's routing table. Even if I disable all the firewall rules and just let everything pass through the firewall the OpenVPN clients still cannot reach the main office servers. What am I missing? I'll bet you don't have some flows set up in ipsec.conf to handle it. Here is a simple ipsec.conf from one end of an ipsec tunnel where OpenVPN clients also login:
ike esp from 10.10.8.0/24 to 172.22.3.0/24 peer 250.101.222.1
ike esp from 172.22.2.0/24 to 172.22.3.0/24 peer 250.101.222.1
ike esp from 195.228.107.202 to 172.22.3.0/24 peer 250.101.222.1
ike esp from 195.228.107.202 to 250.101.222.1
The first line adds the OpenVPN network to the mix. Needless to say the other end of the tunnel has an ipsec.conf that makes sure that traffic can return. Fictional addresses used to protect the innocent... Does that help? Please reply to the list. I am subscribed and don't need a cc, thanks. Rod/ From the land down under: Australia. Do we look umop apisdn from up over?
Re: routing question
On Mon, 03 Sep 2007 20:26:14 -0400, Paolo Supino wrote: Hi RW Except for the branch VPN to the main office subnet (line# 3) I have the other IPSEC rules: peer to peer, 2 subnets to 1 subnet (and vice versa on the main office VPN peer). Why do I need to setup a tunnel between the branch firewall and main office subnet? TIA Paolo RW wrote: On Mon, 03 Sep 2007 17:15:02 -0400, Paolo Supino wrote: Hi I have a firewall that also acts as a VPN peer for 2 VPNs. One of the VPNs is IPSEC that connects between the main office and a branch office. The second VPN is OpenVPN that connects windows based road warriors to the branch office. I want to enable employees that connect to the branch's OpenVPN to reach the main office servers (and filter traffic to). Both VPNs are working so the appropriate routing entries exist in the firewall's routing table. Even if I disable all the firewall rules and just let everything pass through the firewall the OpenVPN clients still cannot reach the main office servers. What am I missing? I'll bet you don't have some flows set up in ipsec.conf to handle it. Here is a simple ipsec.conf from one end of an ipsec tunnel where OpenVPN clients also login:
ike esp from 10.10.8.0/24 to 172.22.3.0/24 peer 250.101.222.1
ike esp from 172.22.2.0/24 to 172.22.3.0/24 peer 250.101.222.1
ike esp from 195.228.107.202 to 172.22.3.0/24 peer 250.101.222.1
ike esp from 195.228.107.202 to 250.101.222.1
The first line adds the OpenVPN network to the mix. Needless to say the other end of the tunnel has an ipsec.conf that makes sure that traffic can return. Fictional addresses used to protect the innocent... Does that help? Please reply to the list. I am subscribed and don't need a cc, thanks. Rod/ I don't know your setup because you didn't explain it fully but what I showed you works for my client. 
Let's make a symbolic ipsec.conf out of what I have shown you:
ike esp from $OpenVPNlan to $HOlan peer $HOfirewall
ike esp from $Branchlan to $HOlan peer $HOfirewall
ike esp from $BranchFW to $HOlan peer $HOfirewall
ike esp from $BranchFW to $HOfirewall
You cannot use macros like that but perhaps it makes it clearer. In our case we have servers on both office LANs and the roadies using OpenVPN need to be able to get to both. You will have to trim and tweak your rules to suit your own variation but think about this. Regular route table entries have no influence on what happens with IPsec and do not need to. IPsec configuration sets up flows and then the packets know how to get to their target. If they don't have a flow path, they won't know how and will be routed out to the cloud via the default gateway and then get lost. Rod/ Hint. Read this: A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? A: Top-posting. Q: What is the most annoying thing in e-mail? Rod/ From the land down under: Australia. Do we look umop apisdn from up over?
Re: OT: recommendations for a serial/USB UPS?
On Sun, 19 Aug 2007 14:42:31 +0900, vladas wrote: I am about to buy UPS, but would really appreciate your opinions to make sure I throw money away in the right direction. Time is not on my side. I have got OMRON BX35F's. (4.2 GENERIC #338)
/bsd: uhidev1 at uhub3 port 1 configuration 1 interface 0
/bsd: /bsd: uhidev1: OMRON BX35F, rev 1.10/0.07, addr 2, iclass 3/0
/bsd: uhid0 at uhidev1: input=64, output=16, feature=0
Could please somebody enlighten me if usb UPSes need any special treatment from kernel or it is all just about libusb (like bluetooth afaik)? 1. Can I just assume that device will work reliably if it is listed as supported in nut, upsd or apc-upsd? What should I avoid buying? (All machines involved are running -stable) I am looking forward to hear from nut-upsdev soon if there is interest in the hw from their side. 5. Are there ways to monitor the UPS from two (or more) machines? (self-made, three-head serial cable, right ;) ? What I have meant here is that I do _NOT_ want to run any not-in-the-baseXX.tgz TCP services. Whether or not it is practical - that is another question :) You really should do a bit more reading of the readily available information. e.g. http://ports.openbsd.nu/sysutils/nut says: Nut also has a network communications layer that allows other machines to coordinate shutdowns with the machine that is physically attached to the UPS. Of course you would also look at the nut website and find: http://www.networkupstools.org/client-projects/ which you can do your own research on. Let your fingers do the walking... on your keyboard before you ask more questions. This isn't really a misc@ question. ports@ or at the nut mail-list would be best IMNSHO. Rod/ From the land down under: Australia. Do we look umop apisdn from up over?
Re: OT: recommendations for a serial/USB UPS?
On Sun, 19 Aug 2007 16:33:58 +0900, vladas wrote: You really should do a bit more reading of the readily available information. e.g. http://ports.openbsd.nu/sysutils/nut says: Nut also has a network communications layer that allows other nut was mentioned in my post. machines to coordinate shutdowns with the machine that is physically attached to the UPS. I have explained my question about network in the second post. And what, precisely, does nut use in the way of network functionality that does not come with OpenBSD default install, other than nut itself? Of course you would also look at the nut website and find: http://www.networkupstools.org/client-projects/ which you can do your own research on. I did see the compat list before asking. Let your fingers do the walking... on your keyboard before you ask more questions. Not to be not polite, but you are not answering any of those questions either. You want a how-to? Run Linux. I pointed you not at nut but at some extra information that you showed no sign of knowing. The best help you can get when it looks like you have not done enough research is a pointer or two so that you find the answers for yourself. If you do research and read the man pages and mail archives you'll become self sufficient in less time. I AM assuming you have the potential to do that. Those who don't seem to wither away in OpenBSD. There will often be a reason to ask for help. It comes more readily when the question is accompanied by evidence of what the person has done to get to where s/he is. Often it's then just a clarification that's needed, or evidence like log entries will allow a guru to spot the problem. This isn't really a misc@ question. ports@ or at the nut mail-list would be best IMNSHO. Ok, point taken. I thought ports@ would not like it. Well nut isn't part of the OS... I'd try the nut list first - they are the people who work on the app. Good luck. BTW I am subscribed to misc@ so you can save the hassle of CCing me. 
Rod/ A consultant is someone who's called in when someone has painted himself into a corner. He's expected to levitate his client out of that corner. -The Sayings of Chairman Morrow. 1984.
Re: updating pf filter rules
On Tue, 7 Aug 2007 18:31:53 -0500, Mike Piety wrote: On Tue, 7 Aug 2007 15:46:41 -0400 Austin Murphy [EMAIL PROTECTED] wrote: I inherited a transparent bridging firewall running OpenBSD 3.8 and pf. I would like to add two new filter rules without disrupting the current network traffic. The pfctl man page did not seem to indicate a way to load a single filter rule to a running configuration. If I made a new file with just the new rules and loaded it with something like pfctl -f two.pf.rules.conf, would all the existing filter rules be dropped and would only the two new rules be in effect? Let's say I updated the existing config file, /etc/pf.conf, with my new rules. What would happen if I ran pfctl -f /etc/pf.conf? I'd suggest pfctl -n -f /etc/pf.conf Lazy me likes to be safe and does: # pfctl -f /etc/pf.conf -n and if it has no error output: up-arrow, backspace, backspace, enter loads the rules. Would the existing state table be flushed? Would there be a point in this time frame where there were no filter rules loaded and packets would get dropped? Thanks, Austin Rod/ From the land down under: Australia. Do we look umop apisdn from up over?
Re: spamd question (4.1)
On Tue, 24 Jul 2007 06:01:07 -0500, Jacob Yocom-Piatt wrote: for domains that have multiple MX records, it might be nice to have all those IPs whitelisted when sending to that domain. maybe this is already done or there is a reason it isn't :). guess someone could publish a list of bogus IPs in their MX records... Outgoing server pools do not have MX records. Some biggies use SPF (Bob Beck has good info in a presentation about why you would not use it at your own MX to check incoming mail) and those usually provide records that you can access with dig or host. Use -t txt and see. e.g. _spf.google.com has a /16, a /17, a /18, two /19s and a /20 which you can add by hand to your own whitelist if you trust all gmail clients. Rod/ From the land down under: Australia. Do we look umop apisdn from up over?
Re: spamd question (4.1)
On Mon, 23 Jul 2007 20:51:33 -0700, Darrin Chandler wrote:

> Also, though spamd works GREAT, it is what it is. As I mentioned above, it will not stop spam from real mail servers, whether open relays or spam house servers. You may get to the point where you do want to add ports/packages). I deal with a few different domains. On some I need more filtering, and on others I use only spamd. Don't add extra stuff unless you find you need it. Even so, having spamd take the major brunt will let you do additional filtering without needing a beefy server.

Well I host two domains here and spamd stops plenty of mail from real servers or spambots that use the host's idea of an outbound MX. I do NO content inspection whatsoever and spam into mailboxes is almost zero. I hate spam but my philosophy is that deleting one spam every week or so (actually I'm getting less than one a month) is better than losing genuine mail and hardly qualifies as a stressor.

The default blacklisting of China and Korea is OK for me as I haven't had work in Korea since well before spamd came along. Greytrapping, using Bob Beck's list plus a bunch of locally harvested never-been-used addresses that seem to be on many spam target lists, added to the OK domains feature that came with 4.1, does the rest. It can be a bit of a pain dealing with the outbound server pools but I usually spot spamdb telling me that it has the one sender/one target combo listed from several IPs and then I go and get the pool details (if I can) and whitelist it. Most get through eventually.

Content inspection is playing catchup and most of the well heeled spammers own a bunch of hardware filters (Barracuda etc) and run Spamass and other cpu wasters. All of them are kept right up to date and the mailings are rapidly changed to address the latest hurdles. I see this because I keep one remote mailbox entirely unfiltered in another domain. It gets NO genuine mail but its address has been put invisibly on webpages and seeded onto similar locations. Mostly I just junk the entire contents regularly, but on an idle day I have a sniff at a few to see what the bastards are up to. Very educational.

Of course there are poorboys who don't have any track on the latest bayesian-guessing toys and they seem to persist but they don't get through here either so why waste cycles? It's all a judgement call but I'm very happy with what the devs have provided for our use. I only use one BL lookup on the MX and that is zen.spamhaus.org but I never seem to see hits from it anyway.

Good luck!

Rod/
From the land down under: Australia. Do we look umop apisdn from up over?
Re: Access Control Mechanism (DAC x MAC)
On Tue, 3 Jul 2007 22:32:01 -0300, Joco Salvatti wrote:

> Hi all, Having read about computer security, one of the parts that most called up my attention was the access control mechanisms. I've found out that the mechanism used by most of the Unix-like systems is DAC (Discretionary Access Control) and as I could see OpenBSD fits in that mechanism as well. But the literature says that there is a more sophisticated mechanism, called MAC (Mandatory Access Control). In my studies, all the papers I have read explain that MAC is much more sophisticated than DAC. Thus I would like to know from you why OpenBSD does not implement this type of mechanism. Thanks.

STFA! or JFGI! About the third or fourth hit will tell you. Doing your own research before asking here is strongly recommended.

Rod/
From the land down under: Australia. Do we look umop apisdn from up over?
Re: port knocking?
On Mon, 25 Jun 2007 10:48:20 -0700, John N. Brahy wrote:

> I was wondering what the general consensus on port knocking in the OpenBSD community is. I like the idea of hiding services but I don't like the idea of relying on a piece of code that's not part of the OpenBSD core. I know when it comes down to it, it's only hiding ports and not actually securing anything. I am assuming that it's not practiced in the OpenBSD world because there are no port knocking ports. Anyone not agree with that summation?

Me. I'd guess that a better line would be that the reason there are no port knocking ports is because OpenBSD developers think that port knocking is a giant wank. But that's just my guess and, if they do, I'd heartily agree.

Rod/
Me...a skeptic? I trust you have proof.
Re: Spamd variation
On Tue, 12 Jun 2007 03:04:23 -0700 (PDT), Praveen wrote:

> Hi, From the man page it appears that spamd relies on static information about spam originators. Why not a more dynamic scheme? Why not run the content of the mail through a spam detector (like dspam), find the spam score and make decisions based on that. I know that spam detection is nowhere near perfect but it can be used for assigning a 'badness score' to a site (originator of email). So a site keeps getting this score and the average (per msg) exceeds a we black list the site for fixed duration. Similarly for white listing. 'Badness score' can also be assigned for other things, like trying to send to non-existent user (a typical spammer probe), absence of mx entry etc. A milter (sendmail/postfix) can be implemented for this. Thus decisions will be more dynamic and 'configuration free'. Does this sound reasonable?

No. That would make spamd into bloatware and much less efficient. People who want milters, content-inspection, RBL lookups and whatever can run them in conjunction with their MTA. spamd does all I want it to do with no measurable load on my system. I do NO content inspection and there have been only 3 spams total which got to any user in this domain since 1/1/7. Content inspection practitioners are always playing catchup and fiddling with ham/spam training for their toys and then along comes the next trick of the spammers = back to square one. Thanks to beck@ and company I don't have to play that silly game.

R\/\/.
In the beginning was The Word and The Word was Content-type: text/plain The Word of Rod.
Problem booting CD for serial console
I have a Commell LE564 which will work happily with a serial console including doing BIOS stuff. The BIOS allows use of a USB CD drive and that works too. Well, it works perfectly if you can just time it right and blindly type in the magic string to redirect the console to com0 and then you can do all of the install and thankfully some really kind dev gave us a choice to use serial console for running the installed OS.

So I thought it would be cool to modify the CD boot to do the console switch that I remembered somebody describing some time back, and did the svnd mount of the cdrom41.fs, added /etc/ and put in a boot.conf containing set tty com0. I noted that the image contained /boot and /bsd as expected. I then did mkhybrid with all the buttons and knobs and burned the resulting ISO to a CD. Mounting it shows the expected directory structure and when it is booted it announces that it is using a 2.88 floppy image and then gives out ERR M and locks up.

I haven't suffered that before and found it in the FAQ but I'm none the wiser as to what could have happened in a CD boot situation. Anybody who has had this problem and worked it through can feel free to be very superior and lay a clue on me because I'm sure that it is a painful thing to debug except for the authors of the boot processes.

Thanks,
_Rod
Depressed? Me? Don't make me laugh! :Spike Milligan:1918-2002:
Re: Problem booting CD for serial console
On Mon, 04 Jun 2007 08:55:09 -0500, Jacob Yocom-Piatt wrote:

> uh, pxeboot? you can put the CD contents on your pxeboot server and there's no need to hook up a CD drive. me thinks that's how you're supposed to do it for headless machines. have had the same bad magic errors in the past when using usb cdrom drives.

Uhh, pxeboot? It MIGHT work if it was in the BIOS but it is not. The local distributor has just got a copy of an update which he has promised to test and to forward to me if it works. To do the first install I pulled the card out of the 1U case, stripped the plank off an fxp PCI card and installed from my pxe server. I'm not doing that on a regular basis and in the field I don't have pxe servers on tap anyway.

I have installed from the USB CD since but, as I said, it depends on typing in the console switching line blindly at the boot prompt. I can't expect junior admins to do that at customer sites and get it right first time every time with a customer looking on.

Thanks,
Rod/
From the land down under: Australia. Do we look umop apisdn from up over?
Addition to list of supported ral mini-pci cards
The list of mini-pci cards that work with ral does not include one I obtained recently. It is an MSI MP54G5 and it seems to work well as an AP. More testing coming up and I'll send an alert if I see any problems. It shows up in dmesg as:

ral0 at pci0 dev 20 function 0 Ralink RT2560 rev 0x01: irq 11, address 00:13:d3:6a:5f:96
ral0: MAC/BBP RT2560 (rev 0x04), RF RT2525

About $AUD35+GST for the benefit of Aussies and nearby denizens. Thanks to damien@ and others who helped.

Rod/
A consultant is someone who's called in when someone has painted himself into a corner. He's expected to levitate his client out of that corner. -The Sayings of Chairman Morrow. 1984.
Boot mystery
I am helping a friend by setting up dual boot HDDs to swap back and forth between DOS (for a legacy data entry app) and OpenBSD (to push the data to a backup box to burn CDs for short term archival use.) It just works for every machine bar one. dmesg below.

The problem is that the drive boots to either OS and swaps on command in my LabRat but in its intended home it boots to DOS just fine and fails totally when trying to boot to OpenBSD. Message on screen is No operating system

The swapping is done by rewriting track 0 to suit. Every swap stores a copy of the existing track 0 where the other OS uses it to rewrite for switching back. There is no boot menu or grubby manager thingy. Just a command of gobsd or godos as required from each of the running systems.

It has me stumped. Intel mobos have a nasty habit of rebooting instead of powering down at halt -p commands but we do not have another that won't boot this drive. We don't have an identical model to try either.

Dmesg (from 4.1 floppy):
OpenBSD 4.1 (RAMDISK) #260: Sat Mar 10 19:38:22 MST 2007 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/RAMDISK cpu0: Intel(R) Celeron(R) D CPU 3.20GHz (GenuineIntel 686-class) 3.21 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36, CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,CNXT-ID ,CX16,xTPR real mem = 257982464 (251936K) avail mem = 231079936 (225664K) using 3187 buffers containing 13053952 bytes (12748K) of memory mainbus0 (root) bios0 at mainbus0: AT/286+ BIOS, date 04/14/06, SMBIOS rev. 2.3 @ 0xe4d90 (29 entries) bios0: Intel Corporation D945GTP apm0 at bios0: Power Management spec V1.2 apm0: flags 30102 dobusy 0 doidle 1 pcibios at bios0 function 0x1a not configured bios0: ROM list: 0xc/0xae00!
0xcb000/0x1800 acpi at mainbus0 not configured cpu0 at mainbus0 pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 Intel 82945GP rev 0x02 vga1 at pci0 dev 2 function 0 Intel 82945G Video rev 0x02 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) Intel 82801GB HD Audio rev 0x01 at pci0 dev 27 function 0 not configured ppb0 at pci0 dev 28 function 0 Intel 82801GB PCIE rev 0x01 pci1 at ppb0 bus 1 ppb1 at pci0 dev 28 function 2 Intel 82801GB PCIE rev 0x01 pci2 at ppb1 bus 2 ppb2 at pci0 dev 28 function 3 Intel 82801GB PCIE rev 0x01 pci3 at ppb2 bus 3 Intel 82801GB USB rev 0x01 at pci0 dev 29 function 0 not configured Intel 82801GB USB rev 0x01 at pci0 dev 29 function 1 not configured Intel 82801GB USB rev 0x01 at pci0 dev 29 function 2 not configured Intel 82801GB USB rev 0x01 at pci0 dev 29 function 3 not configured Intel 82801GB USB rev 0x01 at pci0 dev 29 function 7 not configured ppb3 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0xe1 pci4 at ppb3 bus 4 fxp0 at pci4 dev 0 function 0 Intel 8255x rev 0x0c, i82550: irq 10, address 00:02:b3:eb:e5:cd fxp0: Disabling dynamic standby mode in EEPROM, New ID 0x50a0, cksum @ 0x3f: 0x8404 - 0x8406 inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 
4 ichpcib0 at pci0 dev 31 function 0 Intel 82801GB LPC rev 0x01: PM disabled pciide0 at pci0 dev 31 function 1 Intel 82801GB IDE rev 0x01: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility wd0 at pciide0 channel 0 drive 0: ACCUSYS ACS75130 1.4 wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5 pciide0: channel 1 ignored (disabled) pciide1 at pci0 dev 31 function 2 Intel 82801GB SATA rev 0x01: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI pciide1: using irq 11 for native-PCI interrupt Intel 82801GB SMBus rev 0x01 at pci0 dev 31 function 3 not configured isa0 at ichpcib0 isadma0 at isa0 pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0: console keyboard, using wsdisplay0 npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16 pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo fdc0 at isa0 port 0x3f0/6 irq 6 drq 2 fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec biomask fbed netmask ffed ttymask ffef rd0: fixed, 3800 blocks dkcsum: wd0 matches BIOS drive 0x80 root on rd0a rootdev=0x1100 rrootdev=0x2f00 rawdev=0x2f02

Rod/
From the land down under: Australia. Do we look umop apisdn from up over?
Re: ral AP Requires ifconfig down/up Daily (Kind of Solved)
On Mon, 28 May 2007 16:38:31 -0600, Daniel Melameth wrote:

8<-- snipped lots of good info, thanks. -->8

> Any thoughts... or anyone know of a 802.11g card/driver combination with that legendary wi reliability?

I have an MSI PCI card in a Soekris 4850. It looks like this (in dmesg):

ral0 at pci0 dev 10 function 0 Ralink RT2560 rev 0x01: irq 11, address 00:13:d3:6b:a9:be
ral0: MAC/BBP RT2560 (rev 0x04), RF RT2525

and it works perfectly for me as an AP. So good that I have just bought an MSI miniPCI to go in a Commell LE564 that will be my new firewall.

HTH,
Offline replies best sent to ash2 at witworx dot com.

Rod/
From the land down under: Australia. Do we look umop apisdn from up over?
Re: smtp auth + greylisting
On Tue, 22 May 2007 16:08:10 -0600, Bob Beck wrote:

> arlo guthrie ... We walked in, sat down, Obie brought up the help desk page with 8<snip

And you can get anything you want at Bob Beck's Restaurant, as long as it's moose!

Loved it Bob! You are not just a good coder. Thanks, the day just got better,

_Rod
Depressed? Me? Don't make me laugh! :Spike Milligan:1918-2002:
Insecurity problem?
In the past I have always applied relevant patches and recompiled whatever was needed to take care of errata items. Nearly a week ago I decided to use a spare machine to track i386 4.1 stable, did what I was told (FAQ, thanks Nick et al!): untarred sources, cvs updates, makes all went without hitches and just used a fair few hours.

The build box now sends me email every day saying:

Checking setuid/setgid files and devices:
Setuid/device find errors:
find: fts_read: No such file or directory

I ran sh -v /etc/security 2>&1 | less and searched for fts_read but the context is just what you'd expect from the output above. I know that fts_read is a part of find but what is it looking for in vain? I get an itchy feeling that everything did not go as expected during update but the box seems to do whatever I try with no problems.

Cluebat?

_Rod
Depressed? Me? Don't make me laugh! :Spike Milligan:1918-2002:
Re: Routing to host over IPsec
On Mon, 7 May 2007 23:01:15 -0600, Joel Knight wrote:

> --- Quoting RW on 2007/04/30 at 16:52 +1000:
>
>> Existing setup:
>> Head Office: WAN IP=165.x.y.z  LAN = 172.22.22.0/24  Extranet gateway = 10.x.y.1
>> Branch Office: WAN IP=150.x.y.z  LAN= 172.22.23.0/24
>>
>> IPsec endpoints are OpenBSD firewalls and LAN to LAN connectivity is fine. My challenge is to get traffic to pass from a host on the Branch LAN over the IPsec tunnel to a host on the Extranet via gateway 10.x.y.1. If I could add a route entry that used the LAN IP of the H/O firewall life would be easy but of course addresses that are only visible through IPsec don't appear in the routing table to be used as the next hop. Is there a way to do this using either route or pf or ipsec itself? Some other method? I have to be able to get traffic to several hosts on the extranet (and get the replies back!) and they are only reachable via the extranet gateway on the head office firewall. Cluestick, anybody?
>
> Setup your flows appropriately on the branch ipsec gateway to get traffic over the tunnel and to the head office. On the HO endpoint, setup a normal route to push the traffic to the extranet gateway.

Thanx for replying. For the record: All the flows needed to do FW-FW + LAN-FW + FW-LAN + LAN-LAN were already setup and working just fine. A route doesn't need to be added at HO to find the extranet as it terminates on the firewall just as the tunnel did. What solved it for me was to add a flow from the branch LAN to the extranet IP on the f/wall and vice versa. That is probably bleedin' obvious to IPsec gurus (which I ain't) but intuition said that I should be able to do it with some routing entries alone. Not so, it seems.

Rod/
Write a wise saying and your name will live on forever. - Anonymous
Routing to host over IPsec
Existing setup:
Head Office: WAN IP=165.x.y.z  LAN = 172.22.22.0/24  Extranet gateway = 10.x.y.1
Branch Office: WAN IP=150.x.y.z  LAN= 172.22.23.0/24

IPsec endpoints are OpenBSD firewalls and LAN to LAN connectivity is fine. My challenge is to get traffic to pass from a host on the Branch LAN over the IPsec tunnel to a host on the Extranet via gateway 10.x.y.1. If I could add a route entry that used the LAN IP of the H/O firewall life would be easy but of course addresses that are only visible through IPsec don't appear in the routing table to be used as the next hop. Is there a way to do this using either route or pf or ipsec itself? Some other method? I have to be able to get traffic to several hosts on the extranet (and get the replies back!) and they are only reachable via the extranet gateway on the head office firewall.

Cluestick, anybody?

Rod/
Write a wise saying and your name will live on forever. - Anonymous
Re: Static Ip's: Routing and Forwarding
On Wed, 18 Apr 2007 17:40:49 -0700, Bryan Vyhmeister wrote:

> On Apr 18, 2007, at 5:31 PM, Bray Mailloux wrote:
>
>> shared-network LOCAL-NET{
>>   option domain-name theamericanbray.com;
>>   option domain-name-servers 208.204.224.11, 208.204.224.33
>>   subnet 192.168.0.0 netmask 255.255.255.0 {
>>     options routers 192.168.0.1;
>>     range 192.168.0.14 192.168.0.23;
>>   }
>> }
>
> On the third line, you need a semicolon after the second DNS server. I would typically do this whole thing in a subnet declaration that is at the root of the file. Take out the shared-network statement and the last closing brace. See if that makes a difference. After you do that, run the following commands:
>
> pkill dhcpd
> /usr/sbin/dhcpd
> tail -f /var/log/daemon
>
> Look for any errors with the last command.

You have pulled one of my tricks - writing a quick helpful reply and forgetting something you never would when doing it at the console of your own machine. dhcpd needs to be told what interface(s) to listen on.

R/
From the land down under: Australia. Do we look umop apisdn from up over?
Re: SSH/SFTP question
On Fri, 13 Apr 2007 09:37:14 -0400, stuart van Zee wrote:

> Sorry if this belongs elsewhere but I was sure someone here would know. I was under the impression that when using SFTP to transfer files they were automatically treated as Binary files. So if the remote file uses CRLF to terminate lines, the downloaded file would have CRLF terminating its lines. So I have a vendor that has replaced his FTP with SSH/SFTP. my code is written to expect CRLF because that is the way the files were when using the old FTP system to download. Now, when I use SFTP the files just have the LF. The vendors answer is that we need to use ASCII mode to transfer the files to get the CRLF. I didn't know that there WAS an ASCII mode in SFTP let alone that using ASCII as opposed to Binary would change the line terminators. The files in question are technically ASCII text files but shouldn't I be getting an EXACT copy of the file when I use Binary mode (assuming that I am right and that is indeed the default with SFTP)? What I really need is an explanation or a pointer to where I can get an explanation so that I really know what I am talking about when I talk to this vendor (and KNOW that I know what I am talking about).
>
> Stuart van Zee

I cannot duplicate your findings. maybe we need to know a bit more about what is running at each end.

I did: Make short file with CRLF at end of each line except last. That used a windows text editor (UE). Used winscp to send it to an OpenBSD box using sftp (you can choose that or scp). Note: Winscp does offer Text mode, Binary mode and Automatic. I chose binary. Note that the conversion happens in winscp if you let it do Text or Auto. Then I used sftp on another OpenBSD box to get the file from the other one. All of the CRLF pairs were intact.

Conclusion: My theory is that the conversion happens at the other end. Insufficient data to speculate further but the CR stripping does NOT happen in OpenBSD's sftp.

HTH, HAND. More testing if you'd like to spec it.

Rod/
A consultant is someone who's called in when someone has painted himself into a corner. He's expected to levitate his client out of that corner. -The Sayings of Chairman Morrow. 1984.
Re: spamdb: convert greylisted addresses to whitelisted servers?
On Thu, 5 Apr 2007 18:06:29 -0700, John N. Brahy wrote:

> I've been looking at the source and I've read the man page but I don't see a way to convert a greylisted entry to a whitelisted entry. Is it possible or just unnecessary?
>
> # spamdb -a 12.34.56.78
> # spamdb | grep 12.34.56.78
> WHITE|12.34.56.78|||1175817375|1175819030|1178929430|1|2
> GREY|12.34.56.78|[EMAIL PROTECTED]|[EMAIL PROTECTED]|1175815019|1175829419|1175829419|4|0
> #

Unnecessary. The WHITE entry wins when a lookup of 12.34.56.78 is done in the database.

R/
A consultant is someone who's called in when someone has painted himself into a corner. He's expected to levitate his client out of that corner. -The Sayings of Chairman Morrow. 1984.
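Two things from this thread and the earlier spamd reply (a WHITE entry wins over a GREY entry for the same address, and one sender/target combo turning up from several IPs is the sign of an outbound server pool) done over spamdb output, as an added example that is not part of the original posts. The sample lines are constructed in the nine-field layout shown above.

```python
"""Read spamdb(8) output and answer two questions from the thread: which
entry wins for an address that is both WHITE and GREY, and which
sender/recipient pairs are being retried from several source addresses
(the usual sign of an outbound server pool that wants whitelisting).

Added example; not from the original posts. The sample lines are
constructed in the nine-field form shown above (no helo field); the
addresses are documentation ranges.
"""
from collections import defaultdict

# Constructed sample of `spamdb` output.
SAMPLE_SPAMDB = """\
WHITE|12.34.56.78|||1175817375|1175819030|1178929430|1|2
GREY|12.34.56.78|bob@example.org|alice@example.com|1175815019|1175829419|1175829419|4|0
GREY|198.51.100.10|news@pool.example|alice@example.com|1175816000|1175830400|1175830400|3|0
GREY|198.51.100.11|news@pool.example|alice@example.com|1175816100|1175830500|1175830500|2|0
GREY|198.51.100.12|news@pool.example|alice@example.com|1175816200|1175830600|1175830600|1|0
GREY|203.0.113.5|spam@example.net|alice@example.com|1175816300|1175830700|1175830700|1|0
TRAPPED|203.0.113.9|1178929430
"""

GREY_FIELDS = ('type', 'ip', 'from', 'to', 'first', 'pass', 'expire',
               'block', 'passes')


def parse_spamdb(text):
    """Return one dict per line; GREY and WHITE share the nine-field layout."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split('|')
        if fields[0] == 'TRAPPED' and len(fields) == 3:
            entries.append({'type': 'TRAPPED', 'ip': fields[1],
                            'expire': int(fields[2])})
        elif fields[0] in ('GREY', 'WHITE') and len(fields) == len(GREY_FIELDS):
            entry = dict(zip(GREY_FIELDS, fields))
            for key in ('first', 'pass', 'expire', 'block', 'passes'):
                entry[key] = int(entry[key])     # epoch seconds and counters
            entries.append(entry)
        else:
            raise ValueError('unrecognised spamdb line: %r' % line)
    return entries


def whitelisted(entries, ip):
    """True when a WHITE entry exists for ip. It wins over any GREY entry for
    the same address, which is why no GREY-to-WHITE conversion is needed."""
    return any(e['type'] == 'WHITE' and e['ip'] == ip for e in entries)


def shadowed_grey(entries):
    """GREY entries made irrelevant by a WHITE entry for the same address."""
    white = {e['ip'] for e in entries if e['type'] == 'WHITE'}
    return [e for e in entries if e['type'] == 'GREY' and e['ip'] in white]


def pool_candidates(entries, min_ips=3):
    """(from, to) pairs greylisted from at least min_ips distinct IPs: the
    retries are coming from a pool, so each member is stuck at its own
    first attempt. Look the pool up and whitelist it by hand."""
    seen = defaultdict(set)
    for e in entries:
        if e['type'] == 'GREY':
            seen[(e['from'], e['to'])].add(e['ip'])
    return {pair: sorted(ips) for pair, ips in seen.items()
            if len(ips) >= min_ips}


if __name__ == '__main__':
    db = parse_spamdb(SAMPLE_SPAMDB)
    print('12.34.56.78 whitelisted:', whitelisted(db, '12.34.56.78'))
    for (sender, rcpt), ips in pool_candidates(db).items():
        print('possible pool for %s -> %s: %s' % (sender, rcpt, ', '.join(ips)))
```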
Re: IPsec gone asymmetric
On Thu, 22 Mar 2007 05:30:45 -0600, Jacob Yocom-Piatt wrote:

> RW wrote:
>> I have a simple setup. Sydney to Melbourne and the ipsec.conf is one of the nice easy ones whilst I learn to do more complex setups. It has been working for months. Today doing ipsecctl -s all at either end generates the expected output. Each is a mirror of the other. netstat -rnf encap shows expected output at both ends. Again mirrors of the other. However sshing into each and doing a traceroute to t'other end gives madly asymmetric results. With the distant gateway as the target Syd gets to Mel in one hop, as expected. Mel gets to Syd going out the $ext_if rather than the encap. As the LANs are RFC1918s Mel cannot get to Syd but Syd can get to Mel.
>
> i wouldn't expect you to have a route not set on the isakmpd endpoints, but i have a route add remote net internal private IP in the hostname.if files for the internal interfaces on both endpoints. that's the only thing i can think of that would work for a while (manually added routes) and then stop working after, say, a reboot of one endpoint.

No, not the problem here. It works without any extra route lines, but read the update at the bottom of the quoted stuff.

> cheers, jake
>
>> Killing (desperation set in) isakmpd and restarting both ends did nothing to change the situation. What kind of diagnostics can I use to debug this? Extra points for a correct guess as to the cause all this time after installation. Thanks,

OK, a night's sleep led to an early morning Eureka moment. I should have said What changed? and I did. The mistake that dummy me made was not to consider a change made ages ago. That change did not break ipsec for the clients but did for the firewall endpoint at one end. For the benefit of others here is the detail:

Originally Mel (bourne) was on an ADSL connection running half-bridge so the OpenBSD firewall had the WAN IP on $ext_if and the first (usable) of a /29 on the server LAN NIC. Due to problems with the modem we swapped it out for one that does not do half-bridge. So I gave $ext_if 192.168 addr to mate with the one on the modem. I then did all the NAT stuff based on $svrlan_if e.g.

nat on $ext_if from $fwext to any -> $svr_if
nat on $ext_if from $lan_ip to any -> $svr_if

where fwext is the IP on $ext_if and lan_ip is the /24 for the LAN users. So all outbound packets look like they come from the svr_lan nic. That works sweetly and I have a similar setup at home. Neither of those has the /30 that would be preferred to make everything work but that's IP scarcity for you.

So ipsec works just fine for everything on Mel and its mate, Syd. Except for packets I generated at Mel using ssh login. Until I woke up and used the -I flag in ping and the -s flag in traceroute to source the packets from the svrlan_if address, that is. I don't know what, if anything, can be done to ensure that packets generated in the firewall Mel can be forced to use the tunnel when the destination is Syd, but it isn't a showstopper (fingers crossed!)

So, there was a change ages ago and I had never after it, until now, tried to ping up the tunnel from the firewall so I didn't know that it was kinda broken, and if anybody knows how to unbreak it I'll be pleased just in case

Thanks Jacob for your reply.

Rod/
From the land down under: Australia. Do we look umop apisdn from up over?
named stopped with error
On a firewall that is not mine but where the admins run to me for help 8-) somebody noticed that name resolution was not working.

rc.conf.local says: named_flags=
named.conf is the default (caching with recursion only for local clients)
uname says: OpenBSD fw.example.com.au 3.9 GENERIC#617 i386

/var/log/daemon says:

Mar 23 00:13:03 fw named[13888]: /usr/src/usr.sbin/bind/lib/isc/mem.c:628 : INSIST(((unsigned char *)mem)[size] == 0xbe) failed
Mar 23 00:13:03 fw named[13888]: exiting (due to assertion failure)

It started up manually and ran as it has for the past (nearly) year, so it looks like a one-off but I'd love to hear of possible causes.

Thanks,
Rod/
From the land down under: Australia. Do we look umop apisdn from up over?
IPsec gone asymmetric
I have a simple setup. Sydney to Melbourne and the ipsec.conf is one of the nice easy ones whilst I learn to do more complex setups. It has been working for months. Today doing ipsecctl -s all at either end generates the expected output. Each is a mirror of the other. netstat -rnf encap shows expected output at both ends. Again mirrors of the other.

However sshing into each and doing a traceroute to t'other end gives madly asymmetric results. With the distant gateway as the target Syd gets to Mel in one hop, as expected. Mel gets to Syd going out the $ext_if rather than the encap. As the LANs are RFC1918s Mel cannot get to Syd but Syd can get to Mel. Killing (desperation set in) isakmpd and restarting both ends did nothing to change the situation.

What kind of diagnostics can I use to debug this? Extra points for a correct guess as to the cause all this time after installation.

Thanks,
Rod.
From the land down under: Australia. Do we look umop apisdn from up over?
Re: No Blob without Puffy
On Tue, 20 Mar 2007 03:54:41 -0400, Gordon Willem Klok wrote:

> I'm one of those users with my atheros-based wireless card I'm using right now. I know what I'm doing. I don't feel less safe. I don't audit every single driver I use. And I'm happy to use OS which gives me the choice.

I'm one of the other users with an atheros wireless card in an IBM Thinkpad I'm using right now on another desk. And I know what I'm doing and I feel really safe because I'm happily using an OS which really gives me lots of choice and doesn't force blobs down my throat. OpenBSD.

BTW the fact that some people are great programmers doesn't mean that they are great judges of ethics or art or politics or anything outside their area of expertise. Judging their nous about other subjects by their code is like taking corporate investment advice from a teenage rockstar. That comment doesn't imply that they cannot have any other skills like being clueful about really open code. It is just the case that you cannot imply it where no evidence exists.

R/
From the land down under: Australia. Do we look umop apisdn from up over?
Re: No Blob without Puffy
On Mon, 19 Mar 2007 11:59:51 -0400, Dan Farrell wrote:

> I thought it was free as in beer, but because of the blobs, not necessarily free as in you can do whatever you want with it... Because what can you do with a blob? Are you allowed to use a blob anywhere you want, in any situation? Are you allowed to crack open a blob and use parts of its code to re-write your own software/drivers? Are you even allowed to have documentation regarding a blob? These are all defined by license restrictions... that restrict your freedom concerning the use of the blob. So IMHO FreeBSD is only free to obtain... but not fully 'free' to use in any way you want. Please follow the simple formula- License Restriction = Not Free. You've been so involved in this discussion I thought you wouldn't need this simplistic review... or maybe you're just trolling.

Yes, he is just trolling. And for the other mentally challenged who think that FREEbsd has any real freedom, cop this quote from their website:

> While you might expect an operating system with these features to sell for a high price, FreeBSD is available free of charge and comes with full source code. If you would like to purchase or download a copy to try out, more information is available.

Full source code? For all the blobs? Really? Or do you accept entries in the Obfuscated Code Contest as real, usable, and fixable if needed, source?

From the land down under: Australia. Do we look umop apisdn from up over?
Re: OpenBSD speed on desktops
On Mon, 19 Mar 2007 16:26:12 -0500, Marco Peereboom wrote:

> Yes but since these are production machines in a lab that requires clearance I can't share. We keep backups around for all these machines since every now and then we lose one for no good reason. In contrast the windows and openbsd machines we have deployed do not share this behavior. You are the one making bold statements based on a non representative sample. production server != home computing != desktop
>
> On Mon, Mar 19, 2007 at 05:31:11PM +0100, RedShift wrote: Marco Peereboom wrote: If you like losing data ext3 and reiserfs work just fine. I manage to lose Linux installations pretty often by doing crazy things like rebooting.

<snip rest of long thread we have all read>

Here is a quote from Theodore Tso (http://thunk.org/tytso/ for bio) a few months back in kerneltrap:

<quote>
The fact that reiserfs uses a single B-tree to store all of its data means that very entertaining things can happen if you lose a sector containing a high-level node in the tree. It's even more entertaining if you have image files (like initrd files) in reiserfs format stored in reiserfs, and you run the recovery program on the filesystem. Yes, I know that reiserfs4 is alleged to fix this problem, but as far as I know it is still using a single unitary tree, with all of the pitfalls that this entails. Now, that being said, that by itself is not a reason not to decide not to include reiserfs4 into the mainline sources. (I might privately get amused when system administrators use reiserfs and then report massive data loss, but that's my own failure of charity; I'm working on it.) For the technical reasons why reiserfs4 hasn't been integrated, please see the mailing list archives.
</quote>

Enough said? I think that backs up Marco pretty well, given that Tso is a Linux kernel dev since '91. I used to be an IBM Linux instructor until a few years ago and we always warned about Reiser FS being too bleedin' edgy. Seems it hasn't matured yet.

From the land down under: Australia. Do we look umop apisdn from up over?
Re: a few questions on spamdb
On Wed, 28 Feb 2007 11:48:52 -0800, Tom Bombadil wrote:

> I wonder how people are coping with master downtime when using spamd? Is it a good idea to regularly dump spamd-white into a file, rsync it to the backup carp server, and load these IPs in a separate table? I was thinking of lowering whiteexp on spamd as well (to have a leaner DB) From what I gather from old posts, there is no safe way of copying /var/db/spamd to the backup server. Am I wrong here?

On the advice of Bob Beck I did it when changing firewalls a while back. I took the old one off the internet, copied the file to the new one, swapped the two boxes, plugged in the ADSL and voila! Nothing broke. I think there is a caveat about differing arches but that is probably not a prob for you.

From the land down under: Australia. Do we look umop apisdn from up over?
Re: spamd-white
On Tue, 27 Feb 2007 13:55:50 -0800, Tom Bombadil wrote:

> Greetings... By any chance, will spamd delete any IPs that I add manually to spamd-white? spamd(8) says: spamd regularly scans the /var/db/spamd database and configures all whitelist addresses as the spamd-white pf(4) table. How exactly does spamd configure spamd-white table? The objective is to safely add my own IPs to the whitelist. Thanks :)

Try looking at /etc/spamd.conf (the default copy from install). The spamd-white table expires entries in 36 days (default).

From the land down under: Australia. Do we look umop apisdn from up over?
Re: binary updates
On Mon, 26 Feb 2007 22:31:08 -0600, Default User wrote:

> When will we ever see binary updates for OpenBSD? Taking a system off-line for over 20 hours to do a source code rebuild is just too long, and just tracking RELEASE means running an insecure system. Binary updating - try it, you'll like it!

Troll > /dev/null

Plonk!

From the land down under: Australia. Do we look umop apisdn from up over?
IPsec intermittent failure
We have an IPsec tunnel setup between two OpenBSD firewalls and normally it just works (thanks developers!)

Over the past day or so the tunnel breaks. ipsecctl -sa shows no flows or SADB entries. The log entries at the Sydney end show lines like:

Feb 24 05:59:21 pps35001 isakmpd[9204]: rsa_sig_decode_hash: no public key found
Feb 24 05:59:21 pps35001 isakmpd[9204]: dropped message from xyz.101.222.1 port 56858 due to notification type INVALID_ID_INFORMATION
Feb 24 05:59:32 pps35001 isakmpd[9204]: rsa_sig_decode_hash: no public key found
Feb 24 05:59:32 pps35001 isakmpd[9204]: dropped message from xyz.101.222.1 port 56858 due to notification type INVALID_ID_INFORMATION

There are batches of such messages, some quite short (1 or 2) but some go on for long periods. The batch including the above sample started at 05:10:57 and is still (06:13) going.

The Melbourne end log looks like:

Feb 24 06:13:04 PPS35004 isakmpd[23508]: transport_send_messages: giving up on exchange peer-abc.228.107.202, no response from peer abc.228.107.202:500
Feb 24 06:13:32 PPS35004 isakmpd[23508]: transport_send_messages: giving up on exchange peer-abc.228.107.202, no response from peer abc.228.107.202:4500

The pubkey for Melbourne is in place and readable at /etc/isakmpd/pubkeys/ipv4/

Any clues? Any other pertinent info needed?

Please reply on list. The sender address is filtered to allow connections only from the list server. The spammers know it well enough. ;(

Rod/

From the land down under: Australia. Do we look umop apisdn from up over?
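A small triage script for the kind of log excerpt quoted in this post, added here as an illustration rather than anything from the thread. It parses the "dropped message from ... INVALID_ID_INFORMATION" lines, groups them per peer into batches (a gap of more than five minutes starts a new batch, a threshold chosen for the example), and checks whether a key file exists under pubkeys/ipv4/ for each peer that is being rejected. The log lines and the peer address 203.0.113.1 (an RFC 5737 documentation address) are constructed to match the shape of the post; the existence check is injectable so the script runs offline. One caveat the check reflects: isakmpd looks the key up by the ID the peer presents (the ipv4/, fqdn/ and ufqdn/ subdirectories), so a peer identifying itself by FQDN will not be found under ipv4/ even if the file with its address exists there.

```python
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on the lines quoted in the post.  The peer address
# is a documentation address (RFC 5737), not the masked real one.
SAMPLE_LOG = """\
Feb 24 05:10:57 pps35001 isakmpd[9204]: rsa_sig_decode_hash: no public key found
Feb 24 05:10:57 pps35001 isakmpd[9204]: dropped message from 203.0.113.1 port 56858 due to notification type INVALID_ID_INFORMATION
Feb 24 05:59:21 pps35001 isakmpd[9204]: rsa_sig_decode_hash: no public key found
Feb 24 05:59:21 pps35001 isakmpd[9204]: dropped message from 203.0.113.1 port 56858 due to notification type INVALID_ID_INFORMATION
Feb 24 05:59:32 pps35001 isakmpd[9204]: rsa_sig_decode_hash: no public key found
Feb 24 05:59:32 pps35001 isakmpd[9204]: dropped message from 203.0.113.1 port 56858 due to notification type INVALID_ID_INFORMATION
Feb 24 06:13:04 pps35001 isakmpd[9204]: dropped message from 203.0.113.1 port 56858 due to notification type INVALID_ID_INFORMATION
"""

# Matches the syslog prefix and the isakmpd "dropped message" line.
DROP_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ isakmpd\[\d+\]: "
    r"dropped message from (?P<peer>[\d.]+) port \d+ "
    r"due to notification type (?P<notify>\S+)$"
)


def parse_drops(log, year=2007):
    """Return (timestamp, peer, notification) for every dropped-message line.

    syslog omits the year, so the caller supplies it (2007 matches the post)."""
    events = []
    for line in log.splitlines():
        m = DROP_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["peer"], m["notify"]))
    return events


def bursts(events, gap=timedelta(minutes=5)):
    """Group events per peer into batches; a silence longer than `gap` starts
    a new batch.  Returns {peer: [(first_ts, last_ts, count), ...]}."""
    per_peer = defaultdict(list)
    for ts, peer, _notify in sorted(events):
        runs = per_peer[peer]
        if runs and ts - runs[-1][1] <= gap:
            first, _last, n = runs[-1]
            runs[-1] = (first, ts, n + 1)
        else:
            runs.append((ts, ts, 1))
    return dict(per_peer)


def missing_ipv4_keys(peers, exists=os.path.exists, base="/etc/isakmpd/pubkeys"):
    """Peers that have no key file at <base>/ipv4/<address>.

    `exists` is injectable so the check can be exercised against constructed
    data; on a real firewall the default os.path.exists is what you want."""
    return [p for p in peers if not exists(f"{base}/ipv4/{p}")]


if __name__ == "__main__":
    per_peer = bursts(parse_drops(SAMPLE_LOG))
    for peer, runs in per_peer.items():
        for first, last, n in runs:
            print(f"{peer}: {n} drops between {first:%H:%M:%S} and {last:%H:%M:%S}")
    # Pretend no key is installed, to show what the check reports.
    print("no ipv4 key for:", missing_ipv4_keys(per_peer, exists=lambda _p: False))
```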
Re: rsyncing -current packages -- pattern matching problems
On Sun, 18 Feb 2007 16:30:36 +1300, [EMAIL PROTECTED] wrote:

hi, i am rsyncing -current packages taking advantage of rsync's pattern matching to avoid specifying the package versions, to make a local repository for upgrades. there are several packages that i _don't_ want to retrieve flavours for, e.g. cyrus-sasl as an example. but i haven't been able to force just the base package, without specifying identically the filename - which defeats the purpose of what i was trying to achieve. here's my current go, trimmed to show the specific problem:

$ cat snapshot.inc
# include file for rsync
cvsync-*
cyrus-sasl-*
- cyrus-sasl-*db*
- cyrus-sasl-*mysql*
- cyrus-sasl-*ldap*
db-4*
- *.tgz

$ rsync -thrivz --stats --del -n rsync://rsync.de.openbsd.org/OpenBSD/snapshots/packages/i386 /var/tmp/packages/ --include-from=snapshot.inc
[...]
f+++ i386/cvsync-0.24.19.tgz
f+++ i386/cyrus-sasl-2.1.21p2-db4.tgz
f+++ i386/cyrus-sasl-2.1.21p2-ldap.tgz
f+++ i386/cyrus-sasl-2.1.21p2-mysql.tgz
f+++ i386/cyrus-sasl-2.1.21p2.tgz
f+++ i386/db-4.2.52p11.tgz
f+++ i386/index.txt
[...]

but I _don't_ want to retrieve all the {db4,ldap,mysql} flavors - just the base one. can anybody help?

I don't have a chance to check (no rsync file or man page to check) but: Maybe in the rules you constructed first match wins. Once a match happens no further rules are evaluated?

Otherwise you might go ask on an rsync list - I'd guess the folk there wouldn't have to go look at the manpages. It really is OT here.

Please reply to the list only. Due to the nicely open list (which I heartily approve of) being archived with unmasked addresses, all mail to the sender address is /dev/null

In the beginning was The Word and The Word was Content-type: text/plain The Word of Rod.
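The reply's guess is right: rsync walks its include/exclude rules in order and the first pattern that matches a name decides, so with `cyrus-sasl-*` listed before the flavour excludes every cyrus-sasl tarball is accepted before an exclude is ever consulted. The fix is to list the flavour excludes ahead of the broad include. The toy below, added here and not code from the thread or from rsync, models only that first-match-wins behaviour (rsync's real filter language also has directory rules, `/` anchoring and rule modifiers, which this ignores) over the file names that appeared in the dry-run output, and evaluates both the original ordering and the reordered one.

```python
"""First-match-wins evaluation of an rsync-style include/exclude list.

Added illustration; the candidate names are those shown in the rsync -n
output of the post, the rule bodies are the original include file and a
reordered copy.  Only the ordering behaviour is modelled, not all of rsync's
filter syntax.
"""
from fnmatch import fnmatchcase

# Basenames seen in the dry-run output (patterns without a slash match the
# basename, as in rsync).
CANDIDATES = [
    "cvsync-0.24.19.tgz",
    "cyrus-sasl-2.1.21p2-db4.tgz",
    "cyrus-sasl-2.1.21p2-ldap.tgz",
    "cyrus-sasl-2.1.21p2-mysql.tgz",
    "cyrus-sasl-2.1.21p2.tgz",
    "db-4.2.52p11.tgz",
    "index.txt",
]

# Ordering from the post: the broad include fires before the flavour excludes.
ORIGINAL_RULES = """\
# include file for rsync
cvsync-*
cyrus-sasl-*
- cyrus-sasl-*db*
- cyrus-sasl-*mysql*
- cyrus-sasl-*ldap*
db-4*
- *.tgz
"""

# Reordered: a flavoured tarball now hits its exclude before it can reach the
# 'cyrus-sasl-*' include, so only the base package survives.
REORDERED_RULES = """\
# include file for rsync, flavour excludes first
cvsync-*
- cyrus-sasl-*db*
- cyrus-sasl-*mysql*
- cyrus-sasl-*ldap*
cyrus-sasl-*
db-4*
- *.tgz
"""


def parse_rules(text):
    """Turn an include-file body into (include?, pattern) tuples.

    '- pat' is an exclude; '+ pat' or a bare pattern (the --include-from
    default) is an include.  Blank lines and '#' comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- "):
            rules.append((False, line[2:].strip()))
        elif line.startswith("+ "):
            rules.append((True, line[2:].strip()))
        else:
            rules.append((True, line))
    return rules


def selected(rules, names):
    """Names that would be transferred: the first matching rule decides, and a
    name that matches no rule at all is transferred (rsync's default)."""
    keep = []
    for name in names:
        verdict = True
        for include, pattern in rules:
            if fnmatchcase(name, pattern):
                verdict = include
                break
        if verdict:
            keep.append(name)
    return keep


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_RULES), ("reordered", REORDERED_RULES)):
        print(f"{label}:")
        for name in selected(parse_rules(text), CANDIDATES):
            print("  ", name)
```

With the original ordering all seven names are selected, exactly what the dry run showed; with the excludes moved up only the cvsync, base cyrus-sasl, db-4 and index.txt entries remain.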
Re: is there an install packages file list?
On Wed, 14 Feb 2007 17:00:55 -0800, Bryan Irvine wrote:

I'm going to be installing on a soekris box (probably on flash media), and I'm trying to figure out what the bare minimum I need to install. Is there somewhere I can see what files are included in the base40.tgz, etc40.tgz etc... so I know what won't fill up the flash card at the start? They are going to be a pf firewall, and ipsec vpn (with one of them running poptop for roadwarriors). Any pitfalls I should watch out for on this? fstab options etc..?

Don't even consider reducing the base install. There is no reason to.

On a Soekris 4801 here I have been running OpenBSD 3.9 and 4.0 for more than a year (3.9 beta was running before release) on a Apacer PhotoSteno CF card with verbose spamd logging (until a month ago when I moved spamd onto our new MTA). I do pxe boot installs and I leave out all the X sets and the comp set. X is not needed for anything on that host and compiling is best done on a build host we keep here with lots more RAM and grunt in the CPU.

The CF is 512MB but any new boxes will have 1024MB simply because they are now cheaper than the 512 was when I bought it and also the wear-levelling is better on larger CFs. Pretty soon we won't see smaller cards easily bought.

I don't run httpd or use sendmail for anything except the daily/weekly/monthly/security reports but it is more work trimming stuff than the benefit of smaller filesystems when I'm not short of space anyway.

Here is the end of disklabel followed by mount and df -h. Note that I have an unused 68.9 MB partition and that /usr has ALL the manpages loaded and space for any packages I may need to add. Swap is never used. I just tossed a bit in because (1) it stops the system whinging about it not being there and (2) I don't need the space, as you can see.

16 partitions:
#                size       offset  fstype  [fsize bsize  cpg]
  a:            60.0M         0.0M  4.2BSD   2048 16384  122 # Cyl     0*-   121
  b:             9.8M        60.0M    swap                   # Cyl   122 -   141
  c:           488.7M         0.0M  unused      0     0      # Cyl     0 -   992
  d:            99.9M        69.9M  4.2BSD   2048 16384  204 # Cyl   142 -   344
  e:           250.0M       169.8M  4.2BSD   2048 16384  328 # Cyl   345 -   852
  f:            68.9M       419.8M  4.2BSD   2048 16384   16 # Cyl   853 -   992

[puffy:/var/log] $ mount
/dev/wd0a on / type ffs (local, noatime, softdep)
/dev/wd0e on /usr type ffs (local, noatime, nodev, read-only, softdep)
/dev/wd0d on /var type ffs (local, noatime, nodev, nosuid, softdep)

[puffy:/var/log] $ df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/wd0a     59.0M   27.3M   28.8M    49%    /
/dev/wd0e      245M    163M   69.6M    70%    /usr
/dev/wd0d     98.3M    6.6M   86.8M     7%    /var

Any questions?

Rod/

From the land down under: Australia. Do we look umop apisdn from up over?
Re: Problems with routing
On Thu, 15 Feb 2007 01:08:28 +, Jamie Penman-Smithson wrote:

On 15/02/07, Stuart Henderson [EMAIL PROTECTED] wrote:

I'm attempting to setup openbsd 4.0 as a router, the system has two interfaces, rl0 and rl1. It looks something like this (apologies if this looks really odd):

router [x.x.58.129] --- router2: rl0 [x.x.58.130]
router2: rl1 [x.x.58.140] ---

Not so much odd as lacking information. Post ifconfig output instead. Presumably the OpenBSD box is 'router2', though you don't actually say.

Yes, router2 is the OpenBSD box.

That ain't gonna work. Your configuration of the two nics on router2 is wrong. My guess is that you have a routed subnet supplied by your ISP and that you have taken the first usable one (xx.xx.58.129) and used it on the LAN i/f of your (ADSL?) modem. Router 2 now gets .130 on its rl0 and that's fine but you have applied .140 to rl1 and both interfaces are in the same network: xx.xx.58.128/28. You cannot do that and expect routing to work in r2.

2 ways (maybe more possible but I don't have all day 8-) ) to get around it.

1 alias ALL of your IPs except .129 onto rl0 and then use RFC1918 addrs on rl1 and its attached hosts. You can then rdr or binat them to the correct addresses on rl0.

2 You can use a pair of RFC1918 IPs on the modem and rl0, static route the /28 to rl0, configure rl1 to use .129 and hang all (up to 13) hosts on a LAN there.

Case 2 requires tricky NATting and pf rules but I have done it several times and it just works but your original post makes me think you'd need a few more clues first. So go with #1 for an easier life.

Any replies/questions on list please. Offlist replies /dev/null

Rod/

From the land down under: Australia. Do we look umop apisdn from up over?
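The mistake diagnosed above (two interfaces configured inside the same /28) is easy to catch mechanically before a box goes live. The check below is an added illustration, not code from the thread: it takes an interface table in the shape of the post, reports interface pairs whose networks overlap, and counts the addresses left for hosts once the provider's gateway is taken, which is where the "up to 13" in option 2 comes from. The addresses are constructed from the RFC 5737 prefix 198.51.100.128/28 standing in for the masked x.x.58.128/28, and the option-2 layout (a /30 towards the modem, the /28 on rl1) is assumed as a plausible reading of the post.

```python
import ipaddress

# Constructed from the post: both addresses fall inside 198.51.100.128/28,
# which stands in for the masked x.x.58.128/28.
IFACES_AS_POSTED = {
    "rl0": "198.51.100.130/28",
    "rl1": "198.51.100.140/28",
}

# Assumed option-2 layout: RFC1918 /30 between modem and rl0, the public /28
# on rl1 with .129 as the gateway for the LAN hosts.
IFACES_OPTION_TWO = {
    "rl0": "192.168.254.2/30",
    "rl1": "198.51.100.129/28",
}


def overlapping_interfaces(ifaces):
    """Pairs of interface names whose connected networks overlap.

    Two interfaces in one prefix give the kernel two connected routes for the
    same destination, so it cannot forward between them as intended."""
    nets = {name: ipaddress.ip_interface(addr).network
            for name, addr in ifaces.items()}
    names = sorted(nets)
    return [(a, b)
            for i, a in enumerate(names)
            for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def usable_hosts(network, reserved=()):
    """Host addresses of `network` not in `reserved`.

    ipaddress.hosts() already drops the network and broadcast addresses, so
    only the addresses already spent (gateway, router) need listing."""
    net = ipaddress.ip_network(network)
    reserved = {str(ipaddress.ip_address(r)) for r in reserved}
    return [str(h) for h in net.hosts() if str(h) not in reserved]


def lan_capacity(ifaces, lan_if):
    """Hosts that can still hang off `lan_if` after its own address is spent."""
    iface = ipaddress.ip_interface(ifaces[lan_if])
    return len(usable_hosts(iface.network, reserved=[iface.ip]))


if __name__ == "__main__":
    print("as posted, overlapping:", overlapping_interfaces(IFACES_AS_POSTED))
    print("option 2, overlapping:", overlapping_interfaces(IFACES_OPTION_TWO))
    print("option 2, hosts behind rl1:", lan_capacity(IFACES_OPTION_TWO, "rl1"))
```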
Re: remove sendmail/install postfix
On Wed, 7 Feb 2007 11:49:07 +0100, Toni Mueller wrote:

Hi,

On Sat, 03.02.2007 at 21:26:36 +0100, Andreas Maus [EMAIL PROTECTED] wrote:

But the mailwrapper provides a more generic way for OpenBSD to use mail without dealing much with the used mail system. (sendmail, postfix, exim, qmail, ...)

this is probably correct (or that's what it was created for), but I have yet to overcome my inertia against implementing this, for marginal benefit.

Hell, that's funny. I installed the postfix package and used the recommended (and supplied) script to make postfix the default mailer. There is one to switch back. Apart from that there was only (IIRC) one manual thing to do: change the queue-runner or something like that. So easy I forget: no pain = no brain (storing horror tales).

Trivial for me and I thought that I had a very large inertia to mass ratio as I only weigh in at 66.x kg. 8-))

Anyway jakob@ has (for me) done a fine job of making it painless.

R/

From the land down under: Australia. Do we look umop apisdn from up over?
Re: Nearly 1/4 of New Filesystem Gone
On 01 Feb 2007 12:26:09 +0100, Artur Grabowski wrote:

[EMAIL PROTECTED] writes:

I just moved a 200GB hard drive from a 3.7 box to a 4.0 box, and since my data was all backed up, I decided to run disklabel, create a fresh partition that spanned the whole disk, and then run newfs on that partition. I expect to not have all 200GB, between the whole issue of poorly labeled disk sizes and the 5% reserved by default. What I don't expect, however, is to see ** 22% ** of my disk already in use:

-bash-3.1$ df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/wd0a      7.3G   78.9M    6.9G     1%    /
/dev/wd0d     22.0G    512M   20.4G     2%    /usr
/dev/wd0e      7.2G    6.7M    6.8G     0%    /var
/dev/wd1a      183G   38.0G    136G    22%    /mnt

Can anyone explain this? Have I done something wrong here? More importantly, is there a simple way to remedy this and get my 38GB back?

$ bc
2000/(1024*1024*1024)
186

Talk to the marketing department of your disk manufacturer.

Uh, I think he wasn't worried about the 183G but was worried about the 38G that left him with only 136G. At least that is his question.

$ bc
136*1024*1024*1024
14602064

and that's quite a bit short of where you started.

From the land down under: Australia. Do we look umop apisdn from up over?
Re: spamd openbsd 4.0 query
On Sun, 28 Jan 2007 19:19:09 +, John wrote: The only other thing I'm trying to find out now is whether whitelist.txt can use domains rather than dotted quads No. It doesn't do DNS as it is a fast lightweight single purpose MTA-like daemon. Besides which: Are you expecting to trust the domain in the HELO transaction? Or maybe you trust the envelope sender? Both are easily and commonly forged. R/ From the land down under: Australia. Do we look umop apisdn from up over?