Re: removing sendmail

2007-12-02 Thread RW
On Sun, 2 Dec 2007 20:48:42 -0500, Douglas A. Tutty wrote:

On Sun, Dec 02, 2007 at 03:48:14PM -0700, Darren Spruell wrote:
 On Dec 2, 2007 2:21 PM, Douglas A. Tutty [EMAIL PROTECTED] wrote:
  On Sun, Dec 02, 2007 at 12:56:11PM -0700, Anthony Roberts wrote:
I have seen several installations of Postfix go catatonic due to spam
overload, large messages, mailing list expansions, and other 
undiagnosed
problems. These were run by Postfix lovers, so I have always assumed
that the installation was correct. In the one case I saw tested
replacing Postfix with Sendmail resulted in no further problems.
  
   I have seen equally catastrophic failures of Qmail.
  
   Trying to do mail right for everyone in base is an exercise in futility.
  
 
  Does base require an MTA?  If so, is there a tiny-drive-footprint
  local-only no-config MTA that could be in base?  Everything else as a
  pre-compiled package or in alternate install sets?
 
 Why is everyone trying to come up with a solution to a problem that
 doesn't exist?

The 'problem' is a piece of software installed on the box that some of
us don't use.  It takes up space (how much?).  Each MTA has its
champions and its detractors.  The Solomonesque solution would be to
remove the MTA from base altogether unless things in base need an MTA
for local delivery, in which case installing something smaller than
sendmail that can't be used for anything other than local delivery would
be one solution to the 'problem'.  That's all I'm suggesting.


Forget it.
No, I'm not ordering you to. It's a tip.
Given that the developers are ignoring this thread, my guess is that
nothing is going to happen. It's all been said before.

Yes things in base do use mail, and it is not enough to have something
that can only do local delivery. I have a bunch of machines (firewalls
mostly) that report daily, weekly and monthly with an insecurity report
as well, anytime something critical changes.

They are anywhere in the world. Local delivery is not an option.

As to saving space: RTFA, it has been done to death.

You can customise your own install if you need ^W want a smaller
install. Just remember what nick@ says (You break it, you get to keep
all the pieces) and you'll get no help sorting out your self-inflicted
pain.

Just as a hint as to how much we need a trimmed install: I install
firewalls using CF instead of HDDs. The only sets I decline at install
time are x*,g* and comp. The latter is NOT for security but because we
do upgrades/updates by supplying a new fast swapped card instead of
bugging a low powered CPU with insufficient RAM or HDD to hold and
compile the source tree.

I don't have even one of them where I have bothered to remove anything,
even stuff that doesn't break things if it's not there. httpd isn't
running, port 80 isn't open, big deal to save a few bits of CF that we
have no shortage of space in. Why bother?

It all fitted in 256MB but I can buy faster 1GB cards for a couple of
dollars more than I paid for the old 256, so less reason to twiddle.

But as I said, you can do it if you want. So why campaign for somebody
else to do it for you?

BTW I run or admin several mailservers. I don't use sendmail but I
avoid campaigning for a change in base: The package I use installs in a
minute and Just Works (TM) so no, I don't demand the replacement of
sendmail by my favourite MTA.

Sorry to have posted at all in this going nowhere thread but once it
got off religious choices and descended back to space saving, I
couldn't resist.

It's time the thread died. It should have died on day 1.


Rod/
/earth: write failed, file system is full
cp: /earth/creatures: No space left on device



Re: maybe openssh's bug

2007-11-26 Thread RW
On Tue, 27 Nov 2007 10:14:43 +0800, PowerBSD wrote:

I use ssh connect to remote sshd server 192.168.1.191 , then i us

# ssh 192.168.1.1911

Stop right there!
What the hell does that 1911 mean? and all the 1912, 1913 etc stuff
too.
Those are not valid addresses, at least in the IPv4 universe.


Rod/
/earth: write failed, file system is full
cp: /earth/creatures: No space left on device



Re: spamdb output

2007-11-21 Thread RW
On Mon, 19 Nov 2007 14:47:37 -0700, Bob Beck wrote:

 RW [EMAIL PROTECTED] [2007-11-11 22:39]:

 It seems that the migrated database works but new entries go on the end
 - no SORT of order, and SPAMTRAP entries (that I entered using a
 script) ended up showing in two bunches in the midst of other unordered
 entries.
 
 My question is: Is this normal with spamd a la 4.2 or is it because I
 migrated a database?

   This is normal in 4.2 - the change happened post 4.0 when
spamdb stopped using DB_BTREE

Thanks Bob. I'm already using a script to sort the list to emulate the
previous behaviour but at least I know I'll have to keep a copy for any
future wipe and re-install upgrade.

Looking at today's output showed me another puzzle which you will
probably shoot down, but here goes.

Here is one line from spamdb:
GREY|69.28.223.134|mta5br.cmpgnr.com|gotb1103621_1102728_683443_1138134[EMAIL PROTECTED]|[EMAIL PROTECTED]|1195673789|1195675648|1195688189|2|0
but here is a line from my spamlog:
Nov 22 07:08:14 mail spamd[28826]: whitelisting 69.28.223.134 in /var/db/spamd

Why does the spamdb output show GREY instead of WHITE three hours
later? It does show the 2 knocks which date -r will show were more than
a half hour apart and so the whitelisting should have happened.

Colour me puzzled.

BTW the envelope recipient address shown is a spamtrap and is my only
edit of the output.

Thanks again for spamd. I absolutely love it. I have never known of it
causing loss of genuine mail and also grepping the mail log daily for
reject has only shown two emails in the last six months being blocked
by zen.spamhaus having passed spamd. Both were really spammers anyway
so spamd has an extremely good batting average.

Two domains hosted on that box and zero customer complaints = mail
admin happiness.

In the beginning was The Word
and The Word was Content-type: text/plain
The Word of Rod.



Re: Redirect Syntax Errors

2007-11-20 Thread RW
On Mon, 19 Nov 2007 22:05:02 -0700, Shane Harbour wrote:

For the last few hours I've been knocking my head against my desk.  I'm
trying to setup spamd for the first time and keep receiving syntax
errors on my redirect statements.  My redirect statements are:

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on {$int_if, $wifi_if} proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# spamd #
rdr on $ext_if inet proto tcp from <whitelist> to $mail_svcs port smtp -> $mail_svcs port smtp
rdr on $ext_if inet proto tcp from <blacklist> to $mail_svcs port smtp -> 127.0.0.1 port spamd
rdr on $ext_if inet proto tcp from <spamd> to $mail_svcs port smtp -> 127.0.0.1 port spamd
rdr on $ext_if inet proto tcp from <spamd-white> to $mail_svcs port smtp -> $mail_svcs port smtp
rdr on $ext_if inet proto tcp from !<spamd-white> to $mail_svcs port smtp -> 127.0.0.1 port spamd
#

My redirect for ftp-proxy works just fine.  Every thing I've read (man
pages, google, etc) says my syntax is right.  I've tried making it
identical to the statement in the pf.conf(5) and still got the same
error so I figured I'd turn to more knowledgeable folks.  I am using
binat for my mail server and $mail_svcs contains my server IPs.

I'm using 4.2-stable.  Any help/info/pointers are very much appreciated.


Have a look at the default pf.conf that comes with 4.2, or at least the
rdr section as it applies to spamd. Notice anything outstandingly
different?

e.g. where is the table spamd in the original? That is just for
openers.

You mention binat. I don't see it anywhere.

Now for the prime question:
Why do you not run spamd on the mailserver?

Do the redirects or binats (very simply) on the firewall and let a very
simple pf.conf handle the mail server.
Life gets much easier ;-)

Oh, and if you come back, please include the entire pf.conf. We ain't
mindreaders.

BTW no need to copy me in reply, I'm on the list. Ta.



Rod/
/earth: write failed, file system is full
cp: /earth/creatures: No space left on device



Update needed on Okean list/s for spamd.conf

2007-11-14 Thread RW
I'm not sure which is the correct place to raise this, so a smack in
the appropriate direction is fine.

I noticed a bunch of suspicious grey listed entries in spamdb output.
On checking the origins (122.136.48|49.x) I wondered why the China list
didn't tarpit them immediately. Spamd logs showed quite a few lists:
china, so I knew spamd was still in possession of some addresses.

Checking http://www.okean.com/chinacidr.txt against
www.openbsd.org/spamd/chinacidr.txt.gz showed that it is almost 14
months since the latter was generated.

The Korea lists show a similar problem.

Thanks,

Rod/
/earth: write failed, file system is full
cp: /earth/creatures: No space left on device



Re: identifying sparse files and get ride of them trick available?

2007-11-11 Thread RW
On Sun, 11 Nov 2007 22:31:13 -0500, Daniel Ouellet wrote:

Douglas A. Tutty wrote:
 I tried making a very sparse file (100 MB data, 1000 GB sparseness) and
 gave up trying to compress it.  gzip has to process the whole thing,
 sparseness and all.  Sure it would probably end up with a very small
 file, but the whole thing has to be processed.

Yes it does and I am not sure anyone said it would be less work. I sure
didn't, and yes it needs to be processed, and I demonstrated it with the
time it takes to rsync with a sparse file and without. In my test, 45+
minutes as opposed to 17 seconds.

 I imagine that its no less time than that which rsync takes to process.
 Rsync takes lots of time and computation but saves on bandwidth.

Yes, it is a lot of processing to do it, lots of time wasted and lots
of CPU power wasted, and if you don't use the -S in the case of rsync,
you can't even sync it if the space on the destination is not the size
of the sparse file, not the real data part.

The short of it is that sparse files are a good thing when you don't
have to copy them across file systems on different servers, in which
case it's a way different ball game.

It's been interesting learning and testing anyway.

Hopefully it was useful to others, if not, it was to me anyway.

Best,

Daniel


Daniel,
it is more years than I care to calculate since I last did anything
with sparse files. Certainly it was before any of today's *BSD tribe.

What has not been addressed here is the question of what created those
files. It isn't something you do with a shell script usually.

So if you have, just as an example, a database program that does make
such a file it is often possible to dump the database in such a way as
to load it into another instance. Maybe a remote replication is
possible.

So, what evil little daemon do you have toiling away making TB files
that only use 2k (joke!) and, is it not possible to teach the little
bastard how to reconstruct its data on another drive?

Rod/
/earth: write failed, file system is full
cp: /earth/creatures: No space left on device



spamdb output

2007-11-11 Thread RW
I just got through updating a mailserver that had been running 4.0 to
4.2 using a new HDD, fresh install of OS and required packages. All old
scripts settings etc preserved on original HDD now sitting in an
accessible older box so I can grab anything forgotten.

The one thing that hit me was the output of spamdb.

Back on 4.0 all the entries came out (sort of) sorted.
All the SPAMTRAP entries last but sorted on the trap address field.
All the GREY, WHITE or TRAPPED entries first sorted on the IP field
(but sorted alphabetically i.e. 101.x.y.z precedes 99.x.y.z)

All that was fine because I could easily see if there were two entries
for the one IP which happened when a script that runs every few minutes
evaluates a GREY entry and enters it as TRAPPED.

It seems that the migrated database works but new entries go on the end
- no SORT of order, and SPAMTRAP entries (that I entered using a
script) ended up showing in two bunches in the midst of other unordered
entries.

My question is: Is this normal with spamd a la 4.2 or is it because I
migrated a database?

I can always use:  spamdb |sort -n -t "|" -k 2 |less  to get a fully
sorted list if I have to, but curiosity makes me ask about expected
behaviour.

Of course (to cut off pedants) I could have used:  spamdb |sort -t "|"
-k 2 -n|less to get the output looking like that from 4.0.
Thanx,

Rod/
/earth: write failed, file system is full
cp: /earth/creatures: No space left on device
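As an added example, not code from the thread or from spamd itself: a small Python script that does what the two spamdb posts above reach for, sorting spamdb(8) output numerically by address (so 99.x comes before 101.x), flagging addresses that appear under more than one record kind (GREY plus TRAPPED, as the trap script produces), and listing GREY tuples whose pass time is behind us together with whether a WHITE record exists for that address (the GREY-versus-WHITE puzzle). It assumes the record layouts described in spamdb(8) (GREY|ip|helo|from|to|first|pass|expire|block|pass, WHITE|ip|||first|pass|expire|block|pass, TRAPPED|ip|expire) and runs on constructed sample lines.

```python
import ipaddress
from collections import namedtuple

# One tuple record as spamdb(8) prints it (assumed layout, see lead-in):
#   GREY|ip|helo|from|to|first|pass|expire|block|pass
#   WHITE|ip|||first|pass|expire|block|pass
#   TRAPPED|ip|expire         SPAMTRAP|address  (no tuple data)
Entry = namedtuple("Entry",
                   "kind ip helo sender rcpt first passtime expire blocked passed")


def parse_line(line):
    """Parse one spamdb line; returns None for SPAMTRAP and unparseable lines."""
    f = line.strip().split("|")
    kind = f[0]
    if kind == "GREY" and len(f) >= 10:
        helo, sender, rcpt = f[2:5]
        nums = [int(x) for x in f[-5:]]
    elif kind == "WHITE" and len(f) >= 7:
        helo = sender = rcpt = ""
        nums = [int(x) for x in f[-5:]]
    elif kind == "TRAPPED" and len(f) == 3:
        helo = sender = rcpt = ""
        nums = [0, 0, int(f[2]), 0, 0]      # only the expiry is recorded
    else:
        return None
    return Entry(kind, ipaddress.ip_address(f[1]), helo, sender, rcpt, *nums)


def parse(text):
    entries = []
    for line in text.splitlines():
        e = parse_line(line) if line.strip() else None
        if e:
            entries.append(e)
    return entries


def sort_by_ip(entries):
    """Numeric sort on the whole address, then by kind.  sort -n -t "|" -k 2
    only reads as far as 69.28 of 69.28.223.134, so ties are decided oddly."""
    return sorted(entries, key=lambda e: (e.ip.version, int(e.ip), e.kind))


def ips_with_multiple_kinds(entries):
    """Addresses present under more than one record kind, e.g. GREY and TRAPPED."""
    kinds = {}
    for e in entries:
        kinds.setdefault(str(e.ip), set()).add(e.kind)
    return {ip: sorted(k) for ip, k in kinds.items() if len(k) > 1}


def greys_past_passtime(entries, now):
    """GREY tuples blocked at least twice whose pass time is already behind `now`
    (the reading of block=2 plus old timestamps in the thread), paired with
    whether a WHITE record exists for the same address."""
    whites = {e.ip for e in entries if e.kind == "WHITE"}
    return [(e, e.ip in whites) for e in entries
            if e.kind == "GREY" and e.blocked >= 2 and e.passtime <= now]


# Constructed sample resembling spamdb output.  The 69.28.223.134 GREY record
# reuses the timestamps of the line quoted in the thread; addresses are placeholders.
SAMPLE = """\
SPAMTRAP|trap@example.net
GREY|101.2.3.4|mx.example.org|a@example.org|b@example.com|1195673789|1195675648|1195688189|1|0
GREY|69.28.223.134|mx.example.com|bounce@example.com|trap@example.net|1195673789|1195675648|1195688189|2|0
WHITE|69.28.223.134|||1195673789|1195676000|1198800000|2|1
GREY|99.1.1.1|smtp.example.net|c@example.net|d@example.com|1195673800|1195675300|1195688200|1|0
TRAPPED|99.1.1.1|1195760000
"""

if __name__ == "__main__":
    import sys
    import time
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    entries = parse(text)
    for e in sort_by_ip(entries):
        print(e.kind, e.ip, "blocked", e.blocked, "passed", e.passed)
    print("addresses under several kinds:", ips_with_multiple_kinds(entries))
    for e, white in greys_past_passtime(entries, int(time.time())):
        print("past pass time:", e.ip, "WHITE present" if white else "no WHITE entry")
```

Run it as `spamdb | python3 spamdb_check.py` on a live box, or with no input to see the sample.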



Re: reply-to rule not working

2007-11-08 Thread RW
On Thu, 8 Nov 2007 20:40:00 -0500, Steven Surdock wrote:

 I assume you are running OpenVPN in UDP mode? ...

Yes.  But I also run a second OpenVPN process in TCP mode (port 443) to
get around a few (very few) places that still only allow 80/443.  UDP
has less overhead and feels faster, but I have never performed any
measurements.


And TCP over TCP is fraught with its own problems.
http://sites.inka.de/~W1011/devel/tcp-tcp.html

Rod/
/earth: write failed, file system is full
cp: /earth/creatures: No space left on device



Re: altroot is not mentioned in FAQ [diff]

2007-11-06 Thread RW
On Tue, 6 Nov 2007 18:26:04 -0500, Douglas A. Tutty wrote:

Jest
Perhaps there needs to be a new fork:  OldBSD: Unix for the Ages.

s/Ages/Aged/   ??

Given that I joined IBM in 1962, I am allowed to make such jokes.
~|^
 =

From the land down under: Australia.
Do we look umop apisdn from up over?



Re: OpenBSD isakmpd and pf vs Cisco PIX or ASA

2007-11-05 Thread RW
On Mon, 05 Nov 2007 14:26:48 -0500, Brian A Seklecki (Mobile) wrote:

- PIX/ASA has some magical black-box inline transparent protocol
fixups

People who have met those when trying to send mail will tell you that,
at least for smtp, that quoted word at the end of the above sentence 
has a spelling error.

s/i/u/

R/

From the land down under: Australia.
Do we look umop apisdn from up over?



Re: Where is 'cdrom42.fs'? 4.2 -release

2007-11-02 Thread RW
On Fri, 2 Nov 2007 12:35:28 -0400, Calomel wrote:

Rod,

You are absolutely correct. Using the --reject *iso directive for wget in
the instructions will now filter out all iso files from downloading. The
wording on the web page has been cleaned up and clarified.

Thanks for your feedback, it is appreciated.


That's what we are here for mate.

I'll send you my method when I clean it up a bit for public
consumption.
It avoids using anything not in a basic install. i.e. no pkg_add stuff.
Then you can take anything from it that you might like.

Regards,
Rod.


From the land down under: Australia.
Do we look umop apisdn from up over?



Re: my work at p2k7

2007-11-02 Thread RW
On Fri, 2 Nov 2007 20:43:49 +0100, Marc Espie wrote:

This was really shortly mentioned on undeadly, because it probably deserves
a separate announcement and article.

and lots more informative stuff

Gosh it's nice to hear the process in this form Marc.
Totally comprehensible for those of us who don't have all your skills
and experience and bloody well written too.

In Australia (it may not be unique to us but I have not heard it
elsewhere) we have a saying: Your blood's worth bottling!

It applies to you.

On behalf of those who appreciate just how well the OpenBSD ports and
packages work for us, I'd like to thank you very much.

Rod/

From the land down under: Australia.
Do we look umop apisdn from up over?



Re: Where is 'cdrom42.fs'? 4.2 -release

2007-11-01 Thread RW
On Thu, 1 Nov 2007 20:01:16 -0400, Calomel wrote:

Making a custom, bootable OpenBSD install CD
http://calomel.org/bootable_openbsd_cd.html


Calomel, I think you need to rapidly go edit your instructions and the
script to get rid of the wildcard in the wget command to get the
install files.

Nobody building a custom CD will thank you for imposing a download of
the 204MB install42.iso along with the needed files.

Secondly, you need to stop referring to install sets as packages.

I was really confused when I read The OpenBSD group do (sic) offer
iso's you can download and use to install a system. The problem is they
may have packages you know you will never use. because I knew that the
downloadable iso includes NO packages.

Packages are precompiled applications from the ports tree. 

Let's not confuse newbies.

Rod/

In the beginning was The Word
and The Word was Content-type: text/plain
The Word of Rod.



Re: Problems booting 4.2 CD on two older machines.

2007-10-29 Thread RW
On Sun, 28 Oct 2007 22:48:20 -0400, Nick Holland wrote:

This thread is a bit bothersome for a lot of reasons.  However, there
is a lack of hard info so far.

Well, I read Theo's message and I know we can't ask for any changes to
the issue CDs.
Shit happens.

I just get my terrier genes showing a bit because it's a challenge.
Don't like being locked out of solutions and knowing what is needed to
prevent repetition. So I have done a bit of detective work and maybe it
will get shot down or else it will pop up one of those cartoon
lightbulbs for somebody who will then improve my education by informing
me about the rest of the story.

Here is what I know so far about the differences in the CDs that boot
or don't on older machines:

All the CDs that boot have a copy of the cdbr content before 64MB from
the start of the CD whereas the 4.2 release has it located at
76,398,592 bytes in.

I have used (in addition to 4.2 Official build 375) snapshots for
kernel build 372, 373, 374 and 461.

372, 373 and 374 all have the cdbr code at 60,293,120 bytes and 461 has
it at 60,854,272 and all of those boot.

Here is what I don't know (about this issue, not LTUAE!):

Is 67,108,864 a possible barrier for old BIOSes ?

Do we have any way to predetermine where that code will be located on
the CD?

Am I chasing a red herring?

I'd like to keep a bunch of low(er) powered servers going for a while
and as I said earlier I can do it without a bootable CD even tho'
those boxes (except one) don't have a floppy drive either. 

My concern is more for some young guys with only one old dumpster
surprise and no previous experience with OpenBSD, trying to give it a
try using a buddy's CD.

Apart from my mad curiosity, of course!

Rod/
(Please reply to the list even if it's Theo or Nick telling me to let
go of it.)

--
Write a wise saying and your name will live on forever.  - Anonymous
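Added example for the question of where the boot code sits on the CD (not code from the thread or from OpenBSD's tools): an ISO 9660 image carries an El Torito boot record volume descriptor at sector 17 that points at the boot catalog, whose initial/default entry holds the load RBA of the boot image, so RBA * 2048 is the byte offset at which the boot code starts. The 64 MiB figure is the one asked about above, not a confirmed BIOS limit; build_sample_image is a constructed stand-in for a real image and contains only the descriptors and catalog.

```python
import io
import struct

SECTOR = 2048
BARRIER = 64 * 1024 * 1024          # 67,108,864: the boundary asked about in the thread


def _read_sector(fobj, lba):
    fobj.seek(lba * SECTOR)
    data = fobj.read(SECTOR)
    if len(data) != SECTOR:
        raise ValueError("image truncated at sector %d" % lba)
    return data


def boot_catalog_lba(fobj):
    """Walk the volume descriptors from sector 16 and return the boot catalog LBA.

    The El Torito boot record has type 0, the identifier 'EL TORITO SPECIFICATION'
    at byte 7 and the catalog pointer (little-endian 32-bit) at byte 71."""
    lba = 16
    while True:
        vd = _read_sector(fobj, lba)
        if vd[1:6] != b"CD001":
            raise ValueError("not an ISO 9660 descriptor at sector %d" % lba)
        if vd[0] == 255:                        # volume descriptor set terminator
            raise ValueError("no El Torito boot record found")
        if vd[0] == 0 and vd[7:30].rstrip(b"\0") == b"EL TORITO SPECIFICATION":
            return struct.unpack_from("<I", vd, 71)[0]
        lba += 1


def validate_catalog(cat):
    """Validation entry: header 0x01, key bytes 0x55 0xAA, 16-bit words sum to zero."""
    if cat[0] != 0x01 or cat[30:32] != b"\x55\xaa":
        raise ValueError("bad boot catalog validation entry")
    if sum(struct.unpack("<16H", cat[:32])) & 0xffff != 0:
        raise ValueError("boot catalog checksum failed")


def boot_image_offset(fobj):
    """Return (load_rba, byte_offset, sector_count) of the default boot entry.

    Only the descriptors and the catalog are read; the boot image itself is not."""
    cat = _read_sector(fobj, boot_catalog_lba(fobj))
    validate_catalog(cat)
    entry = cat[32:64]                          # initial/default entry
    if entry[0] != 0x88:
        raise ValueError("default boot entry is marked not bootable")
    sector_count, load_rba = struct.unpack_from("<HI", entry, 6)
    return load_rba, load_rba * SECTOR, sector_count


def below_barrier(byte_offset):
    return byte_offset < BARRIER


def build_sample_image(boot_lba, platform=0):
    """Constructed minimal image: PVD at 16, boot record at 17, terminator at 18,
    catalog at 19 whose default entry points at boot_lba.  Not a real CD."""
    img = bytearray(SECTOR * 20)
    pvd = bytearray(SECTOR); pvd[0] = 1; pvd[1:6] = b"CD001"
    brvd = bytearray(SECTOR); brvd[0] = 0; brvd[1:6] = b"CD001"; brvd[6] = 1
    brvd[7:30] = b"EL TORITO SPECIFICATION"
    struct.pack_into("<I", brvd, 71, 19)
    term = bytearray(SECTOR); term[0] = 255; term[1:6] = b"CD001"
    img[16 * SECTOR:17 * SECTOR] = pvd
    img[17 * SECTOR:18 * SECTOR] = brvd
    img[18 * SECTOR:19 * SECTOR] = term
    val = bytearray(32); val[0] = 1; val[1] = platform; val[30:32] = b"\x55\xaa"
    partial = sum(struct.unpack("<16H", bytes(val))) & 0xffff
    struct.pack_into("<H", val, 28, (-partial) & 0xffff)   # make the words sum to 0
    entry = bytearray(32); entry[0] = 0x88; entry[1] = 0     # bootable, no emulation
    struct.pack_into("<HI", entry, 6, 4, boot_lba)           # 4 sectors at boot_lba
    img[19 * SECTOR:19 * SECTOR + 64] = val + entry
    return io.BytesIO(bytes(img))


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        lba, off, n = boot_image_offset(f)
    print("boot image at sector %d, byte %d (%d sectors); below 64 MiB: %s"
          % (lba, off, n, below_barrier(off)))
```

`python3 cdboot_offset.py install42.iso` reports the offset for a real image; sectors 37304 and 29440 reproduce the 76,398,592 and 60,293,120 byte figures measured above.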



Re: Marginal boot CD #1 in OpenBSD 4.2 sets

2007-10-29 Thread RW
On Mon, 29 Oct 2007 18:42:19 +, Stuart Henderson wrote:

On 2007/10/29 10:49, Austin Hook wrote:
 I understand that some people have experienced boot problems with CD #1 in
 the new 4.2 release set, mainly with older machines.

I don't have a suitable machine to try it on, but amd64 boot loader is
now able to boot an i386 kernel, and I suspect (but am not certain) that
the boot loader itself may be able to run on either arch.

So, it may be worth someone with an affected machine trying to boot
CD 2 and if the boot loader does start up, pause it (just hit space or
something), swap to CD 1, and continue by typing 'boot'.

The CD2 does get to where it is about to boot, stops on a space but
never accepts any variation of all possible /4.2/i386/bsd.rd
combinations.

Nice try (and I agreed it was worth a try) but no cigar...

Regards,
Rod

From the land down under: Australia.
Do we look umop apisdn from up over?



Re: Marginal boot CD #1 in OpenBSD 4.2 sets

2007-10-29 Thread RW
On Mon, 29 Oct 2007 17:29:42 -0400, Barry Miller wrote:

On Mon, Oct 29, 2007 at 06:42:19PM +, Stuart Henderson wrote:
 On 2007/10/29 10:49, Austin Hook wrote:
  I understand that some people have experienced boot problems with CD #1 in
  the new 4.2 release set, mainly with older machines.
 [...]
 So, it may be worth someone with an affected machine trying to boot
 CD 2 and if the boot loader does start up, pause it (just hit space or
 something), swap to CD 1, and continue by typing 'boot'.

Worked for me. Thanks!  (Also you need to 'set image /4.2/i386/bsd.rd'.) 


Ahhh, yes! Muggins me forgot the set image bit. Too much hurry.
Thanks.

From the land down under: Australia.
Do we look umop apisdn from up over?



Re: Marginal boot CD #1 in OpenBSD 4.2 sets

2007-10-29 Thread RW
On Mon, 29 Oct 2007 10:49:09 -0700 (MST), Austin Hook wrote:

I understand that some people have experienced boot problems with CD #1 in
the new 4.2 release set, mainly with older machines.  There are cases
where the same CD works with a newer machine, but fails to boot with an
older one.  I presume this means the track alignment is marginal in some
cases.

I am not tracking misc@

We would like to send out replacement CD's for anyone with those problems
so that we can see if the problem is with all CDs of the current release,
or only with some of them.

Please contact me if you have seen this problem.

Austin Hook
OpenBSD distribution
Milk River, AB

I have good reason to believe that it isn't a physical problem with the
CDs.

Here are my reasons:
 I have 5 machines around here that won't boot on a 4.2 CD and one that
will.

The won'ts have a variety of CD drives, most pertinently one is a
brand new Liteon DVD+/- with all the bells whistles. Not likely to
have read problems..

The CD can be read from start to finish with zero errors on any of the
drives using dd.

I can make a copy of the CD on a windows machine by saving an ISO image
and burning that to a CD using imgburn. Zero errors copying or burning
but it boots the new box and won't boot any old box.

Now here is my suggestion. Because I'd like to see this fixed from a PR
point of view before Nov 1 and the install42.iso won't be available
until then, please have a copy of it put on an ftp server in a location
not publically known and let me download it and test it.

That will be clear of the entire commercial pressing process and will
possibly save the project a lot of money shipping out new CDs which may
not work when they get to the end users.

I'll be on standby ready to do the download and testing at any time I'm
awake over the next couple of days.

Austin/ OpenBSD team can please use ash2 at witworx dot com rather than
the list.
misc readers with comments can reply to the list, please no CC.

Regards,
Rod Whitworth.


From the land down under: Australia.
Do we look umop apisdn from up over?



Re: Google employment opportunity

2007-10-28 Thread RW
On 10/28/07, Karel Kulhavy [EMAIL PROTECTED] wrote:
On Sun, 28 Oct 2007 12:15:28 +0530, Karthik Kumar wrote:

Loads of irrelevant waffle which belongs somewhere else.

How about you two start your own blog somewhere and recruit a willing
coterie who are at least mildly interested.

Anybody here who is interested will follow but it looks like the total
crowd would fit in an old English public phonebox.

Rants about OpenBSD are bad enough but this has no relevance at all.

Goodbye.


From the land down under: Australia.
Do we look umop apisdn from up over?



Re: Problems booting 4.2 CD on two older machines.

2007-10-28 Thread RW
On Sun, 28 Oct 2007 11:51:37 +, Edd Barrett wrote:

Hi,

On 28/10/2007, RW [EMAIL PROTECTED] wrote:
 So maybe that narrows it a bit if we can find out what relevant factor
 changed between those and release.

I guess it would be around here someplace:
http://www.openbsd.org/cgi-bin/cvsweb/src/distrib/

I had a quick look in the i386 folder but don't see any obvious relevant
changes.

Do newer snapshots work on this hardware?


Well, install42.iso from Oct 26 does.
Don't know about others, sorry,
Rod
(please don't CC me. I'm on the list and the reply-to is a limited use,
burn when spam arrives facility 8-) ) whereas the list mail always get
through due to classy filtering.


In the beginning was The Word
and The Word was Content-type: text/plain
The Word of Rod.



Re: Problems booting 4.2 CD on two older machines.

2007-10-28 Thread RW
On Sun, 28 Oct 2007 22:48:20 -0400, Nick Holland wrote:

This thread is a bit bothersome for a lot of reasons.  However, there
is a lack of hard info so far.

When you say it isn't booting the CD, what does this mean?  Does it try
but fail with some error?  Does it not even stop at the CD on the way
to attempting to boot the hard disk?

It says: Bootable CD does not exist ...
and goes off to the HDD.



And let's see what the actual scope of the problem is:

Does the official CD boot?  (I think the point of this thread
is for some people, no it doesn't).

For me: No


Does a copy of the official CD boot?  (Is there any error reported
when trying to make a copy?)

I didn't make the copy but simply imaged the release CD to an iso file.
Zero errors.


For the people that say the official CD doesn't boot, do they have other
machines they /can/ boot the official CD?

Yes.


If people are spotting some machines that do and some that don't, what
happens if you move the CD drive from one that does boot to one that
doesn't?  Does the problem follow the machine or the drive?

I can't do that test. I have 4 identical no-go machines and only one
other that I may not swap the drive out of plus 2 laptops that won't
swap drives with the desktops.

Besides I have the 4 identical boxes with MX36LE A-Open mobos that I
posted dmesgs from yesterday. There are 2 with Diamond 52X CDR, one
with a combo drive and the one that made me think I had a buggy DVD 2
layer/dvd-ram/+/-/cdr/rw/ latest and greatest.

They all fail on the release CD or a copy of it.

I don't believe it is drive related. BIOS maybe ?

Whoops! I just remembered an old clunker around here where I am. 766
Celeron + combo drive.

It won't boot release but does do the others.


Does a CD made from install42.iso boot?

Can't test that until Friday (Australian time)  when it gets onto ftp.
8-)
BUT install42.iso from Oct 26 snapshot does boot!
As does install42.iso from Aug 24  (which had a build #374 kernel)



Does a CD made from cd42.iso boot?
Can't tell atm.


Does a CD made from cdemu42.iso boot?
Can't tell atm.

I'm away from the necessary resources for a while.



If install42.iso or cd42.iso boot, don't be looking for code changes,
sounds like we had a bum pressing of CDs or some other quirk in the
way the master was made, as they all use the same boot process.  Still
needs to be identified and fixed for 4.3, but it wouldn't be a code
problem.

It would look like a crook boot track  except for all the boxes that it
works on, including that one I was trying to get four copies onto ;-)

Anything else I can assist with? It's my job to help wherever I can, is
it not?
I can get the OS onto any of those boxes without a CD but not everyone
is as well placed.

ttys,
Rod/

From the land down under: Australia.
Do we look umop apisdn from up over?



Re: Problems booting 4.2 CD on two older machines.

2007-10-27 Thread RW
On Sat, 27 Oct 2007 19:30:27 -0400, Barry Miller wrote:

On Sat, Oct 27, 2007 at 07:01:04PM +0100, Edd Barrett wrote:
 A couple of friends have been wanting to try out OpenBSD 4.2 on their
 machines, but the 4.2 disk will not boot whereas the 4.1 disk will.
[...] 
 Has anyone else had problems booting the 4.2 CD? And is there a workaround?

I have the same problem.  My 4 year old i386 test box doesn't see it as
bootable (4.[01] CDs work fine).  The CD seems ok - no problem pulling
kernels, sets, and packages off it.  It boots on my newer machines, and

Another one (user but 4 identical PCs).

The first (to exhibit the problem) machine I tried to upgrade to 4.2
had a CD drive that was dead some time ago but I only replaced it when
I took it out of service to upgrade.

When it failed to boot the 4.2 release CD I figured that a fancy DVD
burner with all the bells & whistles must have scared the old BIOS. I
just planted a bsd.rd onto it across the network and upgraded using the
CD which as the others have said mounts and reads perfectly.

I cannot see any pertinent difference in 4.1cd boot dmesg and 4.2
installed dmesg but my eyes may have missed something so here is one of
each:

4.2 installed.

OpenBSD 4.2 (GENERIC) #375: Tue Aug 28 10:38:44 MDT 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Celeron(TM) CPU 1300MHz (GenuineIntel 686-class) 1.31
GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,F
XSR,SSE
real mem  = 259555328 (247MB)
avail mem = 243314688 (232MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 02/27/02, BIOS32 rev. 0 @
0xfb4b0, SMBIOS rev. 2.3 @ 0xf0800 (35 entries)
bios0: vendor Phoenix Technologies, LTD version 6.00 PG date
02/27/2002
bios0: VIA Technologies, Inc. VT8601
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0xde94
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfde10/128 (6 entries)
pcibios0: PCI Exclusive IRQs: 10 11 12
pcibios0: PCI Interrupt Router at 000:07:0 (VIA VT82C596A ISA rev
0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0xc000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 VIA VT8601 PCI rev 0x05
ppb0 at pci0 dev 1 function 0 VIA VT82C601 AGP rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 Trident CyberBlade i1 rev 0x6a
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 7 function 0 VIA VT82C686 ISA rev 0x40
pciide0 at pci0 dev 7 function 1 VIA VT82C571 IDE rev 0x06: ATA100,
channel 0 configured to compatibility, channel 1 configured to
compatibility
wd0 at pciide0 channel 0 drive 0: ST340016A
wd0: 16-sector PIO, LBA, 38166MB, 78165360 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: LITE-ON, DVDRW LH-20A1P, KL0N SCSI0
5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 4
uhci0 at pci0 dev 7 function 2 VIA VT83C572 USB rev 0x1a: irq 12
uhci1 at pci0 dev 7 function 3 VIA VT83C572 USB rev 0x1a: irq 12
viaenv0 at pci0 dev 7 function 4 VIA VT82C686 SMBus rev 0x40: 24-bit
timer at 3579545Hz
rl0 at pci0 dev 17 function 0 Realtek 8139 rev 0x10: irq 11, address
00:01:80:20:88:ab
rlphy0 at rl0 phy 0: RTL internal PHY
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
usb0 at uhci0: USB revision 1.0
uhub0 at usb0: VIA UHCI root hub, rev 1.00/1.00, addr 1
usb1 at uhci1: USB revision 1.0
uhub1 at usb1: VIA UHCI root hub, rev 1.00/1.00, addr 1
biomask f765 netmask ff65 ttymask ffe7
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a swap on wd0b dump on wd0b


4.1 CD booted to shell:

OpenBSD 4.1 (RAMDISK_CD) #248: Sat Mar 10 19:32:46 MST 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/RAMDISK_CD
cpu0: Intel(R) Celeron(TM) CPU 1300MHz (GenuineIntel 686-class) 1.31
GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,F
XSR,SSE
real mem  = 259555328 (253472K)
avail mem = 230711296 (225304K)
using 3199 buffers containing 13103104 bytes (12796K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 02/27/02, BIOS32 rev. 0 @
0xfb4b0, SMBIOS rev. 2.3 @ 0xf0800 (35 entries)
bios0: VIA Technologies, Inc. 

Re: Problems booting 4.2 CD on two older machines.

2007-10-27 Thread RW
On Sun, 28 Oct 2007 01:48:54 +, Edd Barrett wrote:

But why are these machines not booting the CD's properly?

I was testing snapshots up to build #374.

One of my no-boot on #375 (release) boxes was installed from either
#373 or #374 (can't tell now) using snapshot .iso file

So maybe that narrows it a bit if we can find out what relevant factor
changed between those and release.

I have a spare box that will let me provide testing assistance if
required.

Mind you, if the problem never gets fixed it is not the end of the
world. When it comes to installs TIMTOWTDI prevails.

I wish I'd had the time to do the snap that was #375 as my test box for
snaps was one of the problem variety, and that's why we do
snapshot testing, innit?

Rod/

From the land down under: Australia.
Do we look umop apisdn from up over?



Re: cp(1) bug ?

2007-10-20 Thread RW
On Sat, 20 Oct 2007 09:59:26 +, Tom Van Looy wrote:

on unix everything is a file?

Always has been.
At least as far back as I can remember - about early 1978.
Probably always will.

And, given the thread running here, my second edition of the Unix
Programmers Manual vol 1 from those days states baldly:
Cp (sic) refuses to copy a file onto itself.

8-)

Rod


In the beginning was The Word
and The Word was Content-type: text/plain
The Word of Rod.



ntpd error message filling logs

2007-10-19 Thread RW
I have a GENERIC 4.1 box running ntpd as a server that is now part of
au.pool.ntp.org and suddenly (once the world discovered it) the logs
began to fill with entries like:
Oct 19 16:46:05 freya ntpd[12012]: malformed packet received from
121.216.235.111
Oct 19 16:46:19 freya ntpd[12012]: malformed packet received from
144.131.135.143
Oct 19 16:46:25 freya ntpd[12012]: malformed packet received from
58.173.48.94
Oct 19 16:46:46 freya ntpd[12012]: malformed packet received from
58.168.107.247
Oct 19 16:47:20 freya ntpd[12012]: malformed packet received from
144.131.135.143
Oct 19 16:48:21 freya ntpd[12012]: malformed packet received from
144.131.135.143
Oct 19 16:48:29 freya ntpd[12012]: malformed packet received from
58.168.107.247
Oct 19 16:49:22 freya ntpd[12012]: malformed packet received from
144.131.135.143

So I went running to Mrs Google and she didn't say much really but one
entry showed that somebody found that one version of Debian could deal
with an early OBSD ntpd but a later Deb could not.

I followed up some cvs entries for our ntpd and I can see the message
text there but nothing much to let me figure out if it can be mitigated
in any way.

Ohh whoops! I just saw the tail -f daemon stop scrolling and it's now
been silent for several minutes after nearly an hour where a bunch of
Telstra (not my ISP) adsl customers repeatedly hammered the box.

Anyway can someone please give me a clue as to what the effect is at
t'other end clients?

If it starts again what is the best tcpdump recipe to capture data that
smart people need?
I did a tcpdump -X -s 1500 -nettti rl0 udp and dst 218.214.194.118 but
the output did not mean much to me.

Any other clues?

Thanx,
Rod/

From the land down under: Australia.
Do we look umop apisdn from up over?



Re: lookup option in /etc/resolv.conf ignored

2007-10-13 Thread RW
On Sat, 13 Oct 2007 11:43:46 +0200, Karel Kulhavy wrote:

I want to make my OS return 127.0.0.1 on google-analytics.com and
ad.doubleclick.net to speed up the work with Sourceforge.

I put 
127.0.0.1 google-analytics.com
127.0.0.1 ad.doubleclick.net
into /etc/hosts

and checked that /etc/resolv.conf contains
lookup file bind

According to man resolv.conf this should result in /etc/hosts having priority
over the DNS system. However, it simply doesn't work. Both Firefox and the
host command behave as if I didn't do anything.

Why doesn't it work when man resolv.conf says it should?

CL

Run dnsspoof on your firewall. Works like a charm. Part of the dsniff
package. Includes a ready made hostfile that contains loads of the
annoyances and you add your own. Does wildcard names too, like
*.adserver.* 

 Also resolves names for LAN hosts if you add them.

Easy, but remember to pkill dnsspoof and restart it after any update to
the spoofing config file.




From the land down under: Australia.
Do we look umop apisdn from up over?



Multi booting OpenBSD and OpenBSD and

2007-10-10 Thread RW
I have seen plenty of QA about multibooting OpenBSD and
Windows/Linux/whatever and although I did a lot of that stuff way back,
I generally don't need it in the days of almost zero cost PC that are
plenty good enough to run OpenBSD.

So why this question? Well I was blessed by a client who had some
troubles with a fairly recent grunty Intel mobo and donated it with its
RAM to me for past favours.

I figured it would make a pretty nice build machine, tossed a 160G SATA
in and voila!

Then (the devil made me do it!) I thought: Why not four OpenBSDs  as in
Release, Release minus one, current and some experimental stuff. Just
multiboot to whichever and away.

Pretty soon the Release would be stable for latest and one back etc.

I know that something like GAG would handle the boots but how would I
slice and dice the drive?

I managed to play with fdisk and set up partition 3 with about 40G at
the end of the disk and use the b command in disklabel to describe
the disk and whacked in a bunch of filesystems. Pretty standard install
- booted and ran just fine.

Then I fdisked again to do partition 0, easy. Even remembered the 63
offset.

BUT (and I can see Nick Holland smiling here) when I get to the
disklabel phase and use b to describe the disk, I still end up with all
those other partitions visible.

I don't want to cream the first install unnecessarily so I'm here to be
told.

Is it at all possible? If so what is the trick? I did flag the new
MBR entry as active and I can't see anything in the docs that
contemplates this kind of set-up.

If there is an answer at Mother Google's I cannot construct a smart
enough query to  not be drowned in all the OpenBSD and some other OS
questions.

Anybody successful at this task?

Thanx,

Rod/

From the land down under: Australia.
Do we look umop apisdn from up over?



Re: Multi booting OpenBSD and OpenBSD and

2007-10-10 Thread RW
On Wed, 10 Oct 2007 22:51:26 +0200, Tilo Stritzky wrote:

On 10/10/07 21:37  RW wrote:
 Then (the devil made me do it!) I thought: Why not four OpenBSDs  as in
 Release, Release minus one, current and some experimental stuff. Just
 multiboot to whichever and away.
 
 Is it at all possible? If so what is the trick? I did flag the new
 MBR entry as active and I can't see anything in the docs that
 contemplates this kind of set-up.
 
It's actually not very difficult  but ... 
If you have to ask, you shouldn't be doing it

Pushing boundaries on a machine without internet connection and (unless
it works) not a part of critical infrastructure is just fun for
learning. If it blows up an OpenBSD flush and install another way is
not exactly the punishment that Linux or Windows would inflict.
;-)


Start your first install. Make one fdisk partition (OpenBSD type).
disklabel as many slices as you want OpenBSD releases (plus swap, plus c).
Install one on slice a.

Hmmm. Right there is the showstopper. I did say it was so I could
build stable for at least a couple of releases. I have 9 slices on my
present builder and could probably lose a couple, but only one to build
and clean on? Not for me. I have listened to the experienced crew about
having filesystems you can just flush rather than rm -rf * on.

Looks like a lost cause. I did really want to get out of all the drive
swapping with wear on the connectors (the old IDE trays at least had
rugged sockets like the old centronix ones, the SATA trays have an
edgecon and I don't rate edgecons as suitable for lots of insert/remove
cycles with a heavy mechanical load) but if it don't fly, c'est la vie.

Thanx,
Rod


When done, start the next install.

Before doing the actual install, jump into shell, hack the install-script's
ROOT_DEVICE (or something like it) to a different slice (say d).
Exit shell, proceed with install. This installation will end up on that very 
slice.

And so on.

Now every time you want to boot any installation other than the one on
the a-slice you use the boot loader's set device .. to select the kernel you
want.  *AND* you have to tell that kernel which root partition to use (-a
flag in boot).

That's it.

 If there is an answer at Mother Google's I cannot construct a smart
 enough query to  not be drowned in all the OpenBSD and some other OS
 questions.

I don't think there is one and there is a reason for it too.
This is unsupported. This is weird. This is outright dangerous.
The potential for holes in your feet is really high.

Sooner or later you will end up running current binaries on a release
kernel or vice versa. You will probably get your packages mixed up.
There have been changes in the disklabel which are compatible one way
only. There is probably a lot more.
The failure modes of all this are subtle and mean. You will spend more
time scratching your head and thinking WTF? than it would cost you to
re-install from scratch every time you like to run a different release.
(Well, maybe I'm exaggerating but in hindsight it really feels like this)
 
 Anybody successful at this task?
 
I ran this for some time on my laptop. I wanted to run current on it,
but also have a fallback release installation. In the end it turned out I
never used the release. So after spending some serious time and learning
a lot more than I ever hoped for (but nothing of this is lost) I scrapped it.

If you really must do this (I recognize there is must and *must* ;) I
reckon you go for separate media. Separate disk drives, or even better
removable media (USB sticks, clearly labeled; maybe live-CDs).

I just got a brand new office PC, 64bit CPU. But I'm stuck with some
Apps in i386 compatibility. So I installed i386 for work. Next week I'm
going to get a USB stick and put an amd64 install on it, for play :)


regards
tilo

 Thanx,
 
 Rod/
 
 From the land down under: Australia.
 Do we look umop apisdn from up over?


From the land down under: Australia.
Do we look umop apisdn from up over?



Re: 4.2 song

2007-10-08 Thread RW
On Mon, 8 Oct 2007 20:04:15 +0200, ropers wrote:

On 08/10/2007, Tom Van Looy [EMAIL PROTECTED] wrote:
 I think it should have been 101 instead of 11.

Gord wrote:
 Someone is giving it a go:
 http://slashdot.org/~TheRaven64/journal/184027

That's real interesting, guys.
TheRaven64 writes that (0)11 1010101 is (caesar-)ciphertext for Au.
But going with Tom's suggestion of a missing 0, 101 1010101 is
plaintext for AU.

So is Gold the answer or is it not you?
I dunno, but me likey! :)

--ropers


Well back on last Sunday I put my guess on undeadly at:
http://undeadly.org/cgi?action=article&sid=20071007002942&mode=expanded&count=26
and it was Gold as you can easily see.

I didn't explain my reasoning because it might have been a spoiler but
now there are two others getting gold, both differing from mine in the
method.

Listen to the song. The two strings are broken and come out as:
100  001 that gives 41 which is A in hex
101  0101 that gives 55 which is U in hex.

Gosh, three ways to make gold.
OpenBSD is Alchemy!

I'd award it gold in the marathon for sure.


From the land down under: Australia.
Do we look umop apisdn from up over?



Re: SMTP flood + spamdb

2007-09-26 Thread RW
On Wed, 26 Sep 2007 17:26:22 +0200, Peter N. M. Hansteen wrote:


 Or take advantage of the (by default) 25 minute window to use other
 means to detect that this address is sending spam.  Perhaps spamd should
 be extended to look for excessive attempts to send messages from an
 address during that period?  (How often do spammers' lists contain only
 one or two addresses from a domain?)

You could probably use straight rdr instead of rdr pass to feed spamd,
then in the relevant pass rule apply your source tracking options and
overload and some table magic for that

Have you been looking at my ruleset?  ;-)

I took out the pass on the rdr ages ago because unless I did, my
personal blacklist could not be used to block things like stormers and
some tedious twits like a movie-house chain which keeps on sending to a
long gone client of mine even though the address returns a 554 every
time.

I blacklist those permanently to stop log clutter.

Rod/

_
Depressed? Me?
Don't make me laugh!
:Spike Milligan:1918-2002:



Re: SMTP flood + spamdb

2007-09-25 Thread RW
On Tue, 25 Sep 2007 09:38:10 +0100, Craig Skinner wrote:


Greylisting is of no use whatsoever because the servers sending the 
bounces to you are actual smtp boxes (sendmail, extrange, ), not 
malware, so they will quickly bypass spamd. Spamd greytraps will help a 
great deal, but you say that the addresses are random.


I've snipped all the content (which I largely  agree with) above and
below this paragraph to recount my experience which started about a
fortnight ago and ran for about a week.

Log analysis showed that there were two classes of incoming unwanted
crap.

One was bounced mail that should have been rejected as invalid
recipient mail at the original target. That included an mx at
aph.gov.au, the Australian Federal Parliament House. Yep, the pollies
who want ISPs to block websites on request and who spent $84mil on a
kiddie-filter that some 10-year-old bypassed in ten minutes.

The others were from bots as far as I could tell but they were not
being sent by MTAs which had received them.

My defence was to write a couple of scripts. One parsed the output of
spamdb looking for GREY with sender <> and then tested the intended
recipient against the postfix valid mailbox database. If it failed then
the sender IP was added to a pf table that was outright blacklisted for
24 hours. The other script did housekeeping and added sender IPs to the
TRAPPED category in case they retried later.

The blacklist grew rapidly to over 1200 unique addresses but then
petered out after a few days and I turned off the cron jobs running the
scripts at day nine.

So greylisting/spamd did a hell of a good job for me. I would not have
been able to block traffic from all those crappily configured boxes
(MTAs mostly qmail or windows) unless I had a greylist database to scan
every few minutes.

Peter H and Beck@ know what they are doing alright and do good papers
on it.
Thanks.
R/

Me...a skeptic?  I trust you have proof.



Re: SMTP flood + spamdb

2007-09-25 Thread RW
On Tue, 25 Sep 2007 12:40:50 +0100, Craig Skinner wrote:

RW wrote:
 
 The others were from bots as far as I could tell but they were not
 being sent by MTAs which had received them.
 

Yes, but the OP's problem is back scatter, and that does not come from 
bots; they don't retry.


What I was getting looked like backscatter and smelled like backscatter;
it is just that some of the IPs sending it didn't check out as MTAs,
i.e. they were not listed MXs for the domain they came from AND the
domain was not likely someone with separate outbound senders.

They all retried too and when I had them as TRAPPED entries the logged
data included typical failed-to-deliver messages.

If the OP was repeatedly getting mail to a few addresses from different 
hosts, he could use grey trapping. But he said that they are all random.

My experience entirely. I trapped them by looking for <> as sender,
parsing the recipient as invalid (using a postfix lookup) and then
inserting the IP into spamdb as TRAPPED.

Later I firewalled them out for 24 hours. It cut the log clutter.

The scripts are still there but the crontab lines are commented out
until needed again.
R/



A consultant is someone who's called in when someone has painted himself into a 
corner.  He's expected to levitate his client out of that corner.

-The Sayings of Chairman Morrow. 1984.
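
RW describes his two scripts (the first post in this thread and the reply above) but does not post them. The following is an added shell example, not RW's code, of the same idea: pick GREY entries with a null sender whose recipient fails a Postfix lookup, mark the IP TRAPPED in spamdb and put it in a pf table, with a second job that expires entries after 24 hours. It assumes a hash:/etc/postfix/vmailbox map, a <backscatter> table declared persist in pf.conf, and the spamdb(8) line layout noted in the comments; the sample spamdb output is constructed.

```shell
#!/bin/sh
# Added example, not RW's script. Scan spamdb(8) GREY entries whose envelope
# sender is the null address <> (bounces), look each recipient up in the
# Postfix mailbox map, and for every recipient that does not exist mark the
# sending IP TRAPPED in spamdb and add it to a pf table that pf.conf blocks.
#
# Assumptions, none of them from the post: the Postfix map is
# hash:/etc/postfix/vmailbox, pf.conf declares "table <backscatter> persist"
# with a block rule on it, and spamdb prints greylist entries as
# TYPE|ip|helo|from|to|first|pass|expire|block|pass.

MAILBOX_MAP="${MAILBOX_MAP:-hash:/etc/postfix/vmailbox}"
PF_TABLE="${PF_TABLE:-backscatter}"

# Read spamdb output on stdin; print "ip recipient" for every GREY entry
# with a null sender (field 4 is the MAIL FROM argument, kept as <>).
grey_bounces() {
    awk -F'|' '$1 == "GREY" && $4 == "<>" { print $2, $5 }'
}

# Strip the angle brackets around the RCPT TO argument, lower-case it and
# reject anything that does not look like user@domain (exit 1).
normalise_rcpt() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed -e 's/^<//' -e 's/>$//' |
        grep -E '^[^@[:space:]]+@[^@[:space:]]+$'
}

# True when the recipient is a valid local mailbox: postmap -q exits 0 on a
# hit and 1 on a miss.
mailbox_exists() {
    postmap -q "$1" "$MAILBOX_MAP" >/dev/null 2>&1
}

# Select the IPs to act on from spamdb output on stdin. The lookup command
# is a parameter so the logic can be exercised without Postfix present.
# Prints one IP per line, deduplicated.
select_offenders() {
    lookup="${1:-mailbox_exists}"
    grey_bounces | while read -r ip rcpt; do
        rcpt=$(normalise_rcpt "$rcpt") || continue
        "$lookup" "$rcpt" || printf '%s\n' "$ip"
    done | sort -u
}

# Act on the selection: spamdb -T -a records the IP as TRAPPED so its retries
# are tarpitted, pfctl -T add puts it in the table that pf blocks outright.
trap_and_block() {
    while read -r ip; do
        spamdb -T -a "$ip"
        pfctl -t "$PF_TABLE" -T add "$ip"
    done
}

# Housekeeping for a second cron job: drop table entries older than 24 hours
# so a box whose owner fixes the config is not blocked forever.
expire_blocks() {
    pfctl -t "$PF_TABLE" -T expire 86400
}

# Constructed sample spamdb output (not real data) to exercise the logic.
SAMPLE_SPAMDB='GREY|192.0.2.10|mail.example.net|<>|<nosuchuser@example.org>|1190700000|1190700400|1190714400|1|0
GREY|192.0.2.11|mx.example.com|<>|<alice@example.org>|1190700000|1190700400|1190714400|1|0
GREY|192.0.2.12|host.example.com|<bob@example.com>|<nosuchuser@example.org>|1190700000|1190700400|1190714400|1|0
WHITE|198.51.100.5||||1190600000|1190600400|1193192400|0|3
GREY|192.0.2.10|mail.example.net|<>|<Another.Ghost@Example.org>|1190700010|1190700410|1190714410|1|0
GREY|192.0.2.13|relay.example.com|<>|<ghost2@example.org>|1190700020|1190700420|1190714420|1|0'

# Stand-in for postmap on the sample: only alice@example.org exists.
sample_lookup() { [ "$1" = "alice@example.org" ]; }

# Offenders in the sample: 192.0.2.10 and 192.0.2.13, each listed once.
demo_offenders() {
    printf '%s\n' "$SAMPLE_SPAMDB" | select_offenders sample_lookup
}

# Cron entry (every few minutes): sh backscatter.sh run
if [ "${1:-}" = "run" ]; then
    spamdb | select_offenders | trap_and_block
fi
```

Run expire_blocks from a second cron entry; without it the table only ever grows.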



Re: SMTP flood + spamdb

2007-09-25 Thread RW
On Tue, 25 Sep 2007 14:14:46 +0300, Liviu Daia wrote:

On 25 September 2007, RW [EMAIL PROTECTED] wrote:
[...]
 My defence was to write a couple of scripts. One parsed the output of
 spamdb looking for GREY with sender <> and then tested the intended
 recipient against the postfix valid mailbox database.
[...]

With Postfix you can use anvil(8) to control concurrency.


Yep, you could. BUT
1- why let it get to postfix? This is crap that spamd can deal with,
with a bit of scripting help for extra functionality.

2- What concurrency?
We had a mailstorm of backscatter from hundreds of IPs each trying to
send one or two messages. We had over a thousand IPs marked TRAPPED in
spamdb at one time. Postfix would just be rejecting them and filling
its logs.

As far as I'm concerned filling the logs of mailservers that are
backscatter generators is A Good Thing.


In the beginning was The Word
and The Word was Content-type: text/plain
The Word of Rod.



Re: SMTP flood + spamdb

2007-09-25 Thread RW
On Wed, 26 Sep 2007 03:16:35 +0300, Liviu Daia wrote:


 Postfix would just be rejecting them and filling its logs.

Oh come on, these days you're probably rejecting  95% of messages
anyway. :)

Nope. Every day at log reading time I do grep reject maillog and very
rarely do I see a result. spamd is the genius.


 As far as I'm concerned filling the logs of mailservers that are
 backscatter generators is A Good Thing.

Unfortunately the people in charge with these servers either don't
have a clue, or don't care.

If even one sees a lot of greytrap try-again messages followed by an
entry when it gives up, then it will be worth it if it causes a config
to be fixed.
R/

Me...a skeptic?  I trust you have proof.



Re: 4.1 on ALIX.1C - recommendations?

2007-09-22 Thread RW
On Fri, 21 Sep 2007 23:48:11 -0500, Aaron wrote:

... SNIP

Is anyone using solid state drives yet?

CF is effectively IDE.
Witness (a firewall here):
# disklabel wd0
# Inside MBR partition 3: type A6 start 63 size 1000881
# /dev/rwd0c:
type: ESDI
disk: ESDI/IDE disk
label: SanDisk SDCFB-51
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 16
sectors/cylinder: 1008
cylinders: 993
total sectors: 1000944
rpm: 3600
8 snip!

But I also have a customer using a flash based drive that looks like a
3.5 IDE job.
It cost heaps but she loves the speed of random access and I love the
cool quiet(er) machine.

In the beginning was The Word
and The Word was Content-type: text/plain
The Word of Rod.



Re: help needed with laptop hdd

2007-09-20 Thread RW
On Thu, 20 Sep 2007 10:26:14 -0500, [EMAIL PROTECTED] wrote:

You'd be unhappy with the write cycle longevity of a flash drive for 
regular use anyway. Flash and super dense mag drives seem fine for use
if write/erase only happens occasionally (i.e. embedded/mp3 etc...)

The next step:

The next step is to find some justification for your statement about
longevity.

I remember early nand tech that wore out in a few days or maybe hours.

That isn't now. I have attempted to wear out an Apacer CF 512MB by
doing a regular install of OpenBSD (no memfs, no mount ro) and then
turning on the most verbose logging possible for spamd with daily
rotations. I then used it to run a firewall in front of a moderately
busy mailserver that had hundreds of spamtrap addresses.

After fourteen months I gave up and put the spamd stuff on the
mailserver (simply to keep all the email process on one box) at the
next OS update.

I have about a dozen client sites for one company that store all their
inventory data on CF at their branch firewalls on a similar CF. Updates
daily from head office overwrite the data.
No problems.

I saw some info recently that showed that flash technology is now less
likely to fail than a spinny disk. Wish I'd kept a link to it because I
don't really have time to Google it ATM.

Price is the killer on the basis of storage size but it is heading down
fast. We already have one flash drive in a desktop PC and it is slick.

For laptops the ruggedness is tops.

R/

From the land down under: Australia.
Do we look umop apisdn from up over?



Re: help needed with laptop hdd

2007-09-20 Thread RW
On Thu, 20 Sep 2007 19:25:40 -0500, [EMAIL PROTECTED] wrote:

I guess they are great and I'm an idiot, nuff said...

No. I don't think so.

There are lots of things (in techy stuff particularly) that are true at
some point.
Later on that thing becomes no longer true but the meme hangs around
and most of us at some time get caught by one of these outdated
facts.

I've seen Theo shoot down improvements suggested by people who
thought that code would be better written as it would have been to be
efficient back in the days when I did 4040 and 8080 assembler. His
explanation was an enlightenment because I had not kept up with modern
code generation technology and how CPUs help out.

Until the last few years I too had thought that flash memory was easily
worn out. Of course it isn't as good as it appears, at least at the
cell level. It is partly made to look better because not only has the
technology improved but there are stacks of spare cells on board to
replace worn out ones. Read up on wear levelling for better info.

Ya just gotta keep on learning. No rest for us wicked older guys!

Rod/

A consultant is someone who's called in when someone has painted himself into a 
corner.  He's expected to levitate his client out of that corner.

-The Sayings of Chairman Morrow. 1984.



Re: The Atheros story in much fewer words

2007-09-14 Thread RW
On Fri, 14 Sep 2007 16:06:56 +0100, Rui Miguel Silva Seabra wrote:

There's no blind so bad as that which refuses to see. There's nothing I
can do to change that.

Pot, Kettle, Black.

R/

Write a wise saying and your name will live on forever.  - Anonymous



Re: OpenBSD Install Goal

2007-09-13 Thread RW
On Thu, 13 Sep 2007 20:35:35 -0400, Stephan Andre' wrote:

 I hope one day soon OpenBSD will adopt a nice ncurses setup similar
 to something like FreeBSD with ease to it.

Honestly, I don't see why.  How is making the installer more
complicated going to help anything?

I recently sat a friend down to show how easy an install was.  This
was on a 400MHz Dell with a 10G disk.  Putting the disk in the box
to having a system that booted up took 11 minutes, with me 
making comments about each step.  

Once the machine came up, I said it was done, the system was ready
to use.

blink blink  You mean, that's all?

Yes, I replied and left him playing with Perl.

Damn right STeve, I did a similar demo to the techs at the outfit that
builds boxes for me.

Install on a brand new box from CD with explanation of partitioning and
turning on httpd and having another box with a browser showing the It
worked! page in 15 minutes.

As to the original poster's "something like FreeBSD with ease to it", I
have never been able to be confident in that piece of pretend gui-ness.
There is no clarity about it and I forever feel that it's the only
installer I've ever used where I wished for a comprehensive manual in
hard copy. Given that I joined IBM in 1962 and only quit instructing
for them a couple of years back, that covers a few installations.

There are some things (very few) that I could use in Free that aren't
in Open. Spending loads of time with that crappy installer is too high
a price.
 
Rod/

Me...a skeptic?  I trust you have proof.



Re: routing question

2007-09-03 Thread RW
On Mon, 03 Sep 2007 17:15:02 -0400, Paolo Supino wrote:

Hi

  I have a firewall that also acts as a VPN peer for 2 VPNs. One of
the VPNs is IPSEC that connects between the main office and a branch
office. The second VPN is OpenVPN that connects windows based road
warriors to the branch office. I want to enable employees that connect
to the branch's OpenVPN to reach the main office servers (and filter
traffic to). Both VPNs are working so the appropriate routing entries
exist in the  firewall's routing table. Even if I disable all the
firewall rules and just let everything pass through the firewall the
OpenVPN clients still cannot reach the main office servers. What am
I missing?

I'll bet you don't have some flows set up in ipsec.conf to handle it.
 Here is a simple ipsec.conf from one end of an ipsec tunnel where
OpenVPN clients also login:
ike esp from 10.10.8.0/24 to 172.22.3.0/24 peer 250.101.222.1
ike esp from 172.22.2.0/24 to 172.22.3.0/24 peer 250.101.222.1
ike esp from 195.228.107.202 to 172.22.3.0/24 peer 250.101.222.1
ike esp from 195.228.107.202 to 250.101.222.1

The first line adds the OpenVPN network to the mix.

Needless to say the other end of the tunnel has an ipsec.conf that
makes sure that traffic can return.

Fictional addresses used to protect the innocent...

Does that help?
Please reply to the list. I am subscribed and don't need a cc, thanks.

Rod/
From the land down under: Australia.
Do we look umop apisdn from up over?



Re: routing question

2007-09-03 Thread RW
On Mon, 03 Sep 2007 20:26:14 -0400, Paolo Supino wrote:

Hi RW
 
  Except for the branch VPN to the main office subnet (line# 3) I have
the other IPSEC rules: peer to peer, 2 subnets to 1 subnet (and vice
versa on the main office VPN peer). Why do I need to setup a tunnel
between the branch firewall and main office subnet?




TIA
Paolo


RW wrote:

On Mon, 03 Sep 2007 17:15:02 -0400, Paolo Supino wrote:

  

Hi

 I have a firewall that also acts as a VPN peer for 2 VPNs. One of
the VPNs is IPSEC that connects between the main office and a branch
office. The second VPN is OpenVPN that connects windows based road
warriors to the branch office. I want to enable employees that connect
to the branch's OpenVPN to reach the main office servers (and filter
traffic to). Both VPNs are working so the appropriate routing entries
exist in the  firewall's routing table. Even if I disable all the
firewall rules and just let everything pass through the firewall the
OpenVPN clients still cannot reach the main office servers. What am
I missing?



I'll bet you don't have some flows set up in ipsec.conf to handle it.
 Here is a simple ipsec.conf from one end of an ipsec tunnel where
OpenVPN clients also login:
ike esp from 10.10.8.0/24 to 172.22.3.0/24 peer 250.101.222.1
ike esp from 172.22.2.0/24 to 172.22.3.0/24 peer 250.101.222.1
ike esp from 195.228.107.202 to 172.22.3.0/24 peer 250.101.222.1
ike esp from 195.228.107.202 to 250.101.222.1

The first line adds the OpenVPN network to the mix.

Needless to say the other end of the tunnel has an ipsec.conf that
makes sure that traffic can return.

Fictional addresses used to protect the innocent...

Does that help?
Please reply to the list. I am subscribed and don't need a cc, thanks.

Rod/

I don't know your setup because you didn't explain it fully but what I
showed you works for my client.

Let's make a symbolic ipsec.conf out of what I have shown you:
ike esp from $OpenVPNlan to $HOlan peer $HOfirewall
ike esp from $Branchlan to $HOlan peer $HOfirewall
ike esp from $BranchFW to $HOlan peer $HOfirewall
ike esp from $BranchFW to $HOfirewall
You cannot use macros like that but perhaps it makes it clearer.

In our case we have servers on both office LANs and the roadies using
OpenVPN need to be able to get to both.

You will have to trim and tweak your rules to suit your own variation
but think about this.

Regular route table entries have no influence on what happens with
IPsec and do not need to.
IPsec configuration sets up flows and then the packets know how to
get to their target.
If they don't have a flow path, they won't know how and will be
routed out to the cloud via the default gateway and then get lost.

Rod/

Hint. Read this:
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?


Rod/
From the land down under: Australia.
Do we look umop apisdn from up over?



Re: OT: recommendations for a serial/USB UPS?

2007-08-19 Thread RW
On Sun, 19 Aug 2007 14:42:31 +0900, vladas wrote:

 I am about to buy UPS, but would really appreciate your
 opinions to make sure I throw money away in the right
 direction.

Time is not on my side. I have got OMRON BX35F's.

(4.2 GENERIC #338)

/bsd: uhidev1 at uhub3 port 1 configuration 1 interface 0
/bsd:
/bsd: uhidev1: OMRON BX35F, rev 1.10/0.07, addr 2, iclass 3/0
/bsd: uhid0 at uhidev1: input=64, output=16, feature=0

Could please somebody enlighten me if usb upses need any
special treatment from kernel or it is all just about libusb (like
bluetooth afaik)?

 1. Can I just assume that device will work reliably if it is
 listed as supported in nut, upsd or apc-upsd? What should
 I avoid buying? (All machines involved are running -stable)

I am looking forward to hear from nut-upsdev soon if there is
interest in the hw from their side.

 5. Are there ways to monitor the UPS from two (or more) machines?

 (self-made, three-head serial cable, right ;) ?

What I have meant here is that I do _NOT_ want to run any
not-in-the-baseXX.tgz TCP services. Whether or not it is practical -
that is another question :)

You really should do a bit more reading of the readily available
information.
e.g. http://ports.openbsd.nu/sysutils/nut says:
 Nut also has a network communications layer that allows other
machines to
coordinate shutdowns with the machine that is physically attached to
the UPS.

Of course you would also look at the nut website and find:
http://www.networkupstools.org/client-projects/
which you can do your own research on.

Let your fingers do the walking... on your keyboard before you
ask more questions.
This isn't really a misc@ question. ports@ or at the nut mail-list
would be best IMNSHO.



Rod/
From the land down under: Australia.
Do we look umop apisdn from up over?



Re: OT: recommendations for a serial/USB UPS?

2007-08-19 Thread RW
On Sun, 19 Aug 2007 16:33:58 +0900, vladas wrote:

 You really should do a bit more reading of the readily available
 information.
 e.g. http://ports.openbsd.nu/sysutils/nut says:
  Nut also has a network communications layer that allows other

nut was mentioned in my post.

 machines to
 coordinate shutdowns with the machine that is physically attached to
 the UPS.

I have explained my question about network in the second post.

And what, precisely, does nut use in the way of network functionality
that does not come with OpenBSD default install, other than nut itself?


 Of course you would also look at the nut website and find:
 http://www.networkupstools.org/client-projects/
 which you can do your own research on.

I did see the compat list before asking.

 Let your fingers do the walking... on your keyboard before you
 ask more questions.

Not to be not polite, but you are not answering any of
those questions either.
You want a how-to? Run Linux.
I pointed you not at nut but at some extra information that you showed
no sign of knowing.

The best help you can get when it looks like you have not done enough
research is a pointer or two so that you find the answers for yourself.

If you do research and read the man pages and mail archives you'll
become self sufficient in less time. I AM assuming you have the
potential to do that. Those who don't seem to wither away in OpenBSD.

There will often be a reason to ask for help. It comes more readily
when the question is accompanied by evidence of what the person has
done to get to where s/he is. Often it's then just a clarification
that's needed, or evidence like log entries will allow a guru to spot
the problem.


 This isn't really a misc@ question. ports@ or at the nut mail-list
 would be best IMNSHO.

Ok, point taken. I thought ports@ would not like it.

Well nut isn't part of the OS... I'd try the nut list first - they
are the people who work on the app.

Good luck.

BTW I am subscribed to misc@ so you can save the hassle of CCing me.

Rod/
A consultant is someone who's called in when someone has painted himself into a 
corner.  He's expected to levitate his client out of that corner.

-The Sayings of Chairman Morrow. 1984.



Re: updating pf filter rules

2007-08-07 Thread RW
On Tue, 7 Aug 2007 18:31:53 -0500, Mike Piety wrote:

On Tue, 7 Aug 2007 15:46:41 -0400
Austin Murphy [EMAIL PROTECTED] wrote:

 I inherited a transparent bridging firewall running
 OpenBSD 3.8 and pf.   I would like to add two new filter
 rules without disrupting the current network traffic.  The
 pfctl man page did not seem to indicate a way to load a
 single filter rule to a running configuration.
 
 If I made a new file with a just the new rules and loaded
 it with something like pfctl -f two.pf.rules.conf, would
 all the existing filter rules be dropped and would only the
 two new rules be in effect?
 
 Let's say I updated the existing config file, /etc/pf.conf,
 with my new rules.  What would happen if I ran  pfctl
 -f /etc/pf.conf?
 
I'd suggest pfctl -n -f /etc/pf.conf

Lazy me likes to be safe and does:
# pfctl -f /etc/pf.conf -n
and if has no error output:
<up arrow><backspace><backspace><enter>
loads the rules.



 Would the existing state table be flushed?  Would there be
 a point in this time frame where there were no filter rules
 loaded and packets would get dropped?
 
 Thanks,
 
 Austin


Rod/
From the land down under: Australia.
Do we look umop apisdn from up over?



Re: spamd question (4.1)

2007-07-24 Thread RW
On Tue, 24 Jul 2007 06:01:07 -0500, Jacob Yocom-Piatt wrote:

for domains that have multiple MX records, it might be nice to have all 
those IPs whitelisted when sending to that domain. maybe this is already 
done or there is a reason it isn't :). guess someone could publish a 
list of bogus IPs in their MX records...


Outgoing server pools do not have MX records.

Some biggies use SPF (Bob Beck has good info in a presentation about
why you would not use it at your own MX to check incoming mail) and
those usually provide records that you can access with dig or host. Use
-t txt and see. e.g. _spf.google.com has a /16, a /17, a /18, two /19s
and a /20 which you can add by hand to your own whitelist if you trust
all gmail clients.

Rod/
From the land down under: Australia.
Do we look umop apisdn from up over?
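The post above describes pulling a big sender's ip4 ranges out of its SPF TXT record (following include: chains) and adding them to a spamd whitelist by hand. The script below does that mechanically. It is an added example, not code from the thread or from OpenBSD; the zone names and address ranges are constructed (RFC 5737 documentation space, nothing to do with Google), and the dict stands in for the answers dig or host would return.

```python
"""Extract the ip4 networks reachable from an SPF record so they can be fed
to a file-backed spamd whitelist (or a pf table)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the TXT answers of `dig -t txt <name>`.
SAMPLE_TXT: Dict[str, str] = {
    "_spf.example.com": ("v=spf1 include:_netblocks.example.com "
                         "include:_netblocks2.example.com ~all"),
    "_netblocks.example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/25 ~all",
    "_netblocks2.example.com": "v=spf1 ip4:203.0.113.8 ip6:2001:db8::/32 -all",
}

MAX_LOOKUPS = 10  # RFC 7208 caps DNS-querying mechanisms (include: etc.) at 10


def spf_ip4_networks(name: str, txt: Dict[str, str],
                     _path: Tuple[str, ...] = (),
                     _budget: Optional[List[int]] = None
                     ) -> List[ipaddress.IPv4Network]:
    """Return every ip4: network reachable from the SPF record for `name`,
    recursing through include: terms. `txt` maps zone name -> TXT string
    (a dict here; a resolver in real use). An include: cycle or more than
    MAX_LOOKUPS includes raises ValueError instead of looping forever."""
    budget = [MAX_LOOKUPS] if _budget is None else _budget
    if name in _path:
        raise ValueError(f"include: loop at {name}")
    record = txt.get(name)
    if record is None or not record.lower().startswith("v=spf1"):
        raise ValueError(f"no SPF record for {name}")

    nets: List[ipaddress.IPv4Network] = []
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")  # the qualifier is irrelevant for a whitelist
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "ip4":
            # A bare address means /32; strict=False tolerates host bits set.
            nets.append(ipaddress.IPv4Network(arg, strict=False))
        elif mech == "include":
            budget[0] -= 1
            if budget[0] < 0:
                raise ValueError("more than %d include: lookups" % MAX_LOOKUPS)
            nets.extend(spf_ip4_networks(arg, txt, _path + (name,), budget))
        # ip6:, a, mx, exists:, ptr, all and redirect= are ignored: the thread
        # is about whitelisting IPv4 sender pools in spamd.
    return nets


def whitelist_lines(nets: List[ipaddress.IPv4Network]) -> List[str]:
    """Merge overlapping/duplicate networks and render one CIDR per line,
    the form a file-backed spamd whitelist entry or a pf table file takes."""
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    for line in whitelist_lines(spf_ip4_networks("_spf.example.com", SAMPLE_TXT)):
        print(line)
```

Swap SAMPLE_TXT for a real lookup only for senders whose whole pool you trust, as the post says; the collapsed list is what you review before it goes into the whitelist.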



Re: spamd question (4.1)

2007-07-23 Thread RW
On Mon, 23 Jul 2007 20:51:33 -0700, Darrin Chandler wrote:

Also, though spamd works GREAT, it is what it is. As I mentioned above,
it will not stop spam from real mail servers, whether open relays or
spam house servers. You may get to the point where you do want to add
ports/packages). I deal with a few different domains. On some I need
more filtering, and on others I use only spamd. Don't add extra stuff
unless you find you need it. Even so, having spamd take the major brunt
will let you do additional filtering without needing a beefy server.

Well I host two domains here and spamd stops plenty of mail from real
servers or spambots that use the host's idea of an outbound MX.

I do NO content inspection whatsoever and spam into mailboxes is almost
zero.

I hate spam but my philosophy is that deleting one spam every week or
so (actually I'm getting less than one a month) is better than losing
genuine mail and hardly qualifies as a stressor.

The default blacklisting of China and Korea is OK for me as I haven't
had work in Korea since well before spamd came along.

Greytrapping, using Bob Beck's list plus a bunch of locally harvested
never-been-used addresses that seem to be on many spam target lists,
added to the OK domains feature that came with 4.1, does the rest.

It can be a bit of a pain dealing with the outbound server pools but I
usually spot spamdb telling me that it has the one sender/ one target
combo listed from several IPs and then I go and get the pool details
(if I can) and whitelist it. Most get through eventually.

Content inspection is playing catchup and most of the well heeled
spammers own a bunch of hardware filters (Barracuda etc) and run
Spamass and other cpu wasters. All of them are kept right up to date
and the mailings are rapidly changed to address the latest hurdles.

I see this because I keep one remote mailbox entirely unfiltered in
another domain. It gets NO genuine mail but its address has been put
invisibly on webpages and seeded onto similar locations. Mostly I just
junk the entire contents regularly, but on an idle day I have a sniff
at a few to see what the bastards are up to. Very educational.

Of course there are poorboys who don't have any track on the latest
bayesian-guessing toys and they seem to persist but they don't get
through here either so why waste cycles?

It's all a judgement call but I'm very happy with what the devs have
provided for our use.

I only use one BL lookup on the MX and that is zen.spamhaus.org but I
never seem to see hits from it anyway.

Good luck!

Rod/
From the land down under: Australia.
Do we look umop apisdn from up over?



Re: Access Control Mechanism (DAC x MAC)

2007-07-03 Thread RW
On Tue, 3 Jul 2007 22:32:01 -0300, Joco Salvatti wrote:

Hi all,

Having read about computer security, one of the parts that most
caught my attention was the access control mechanisms. I've found
out that the mechanism used by most of the Unix-like systems is DAC
(Discretionary Access Control) and as I could see OpenBSD fits in that
mechanism as well. But the literature says that there is a more
sophisticated mechanism, called MAC (Mandatory Access Control). In my
studies, all the papers I have read explain that
MAC is much more sophisticated than DAC. Thus I would like to know
from you why OpenBSD does not implement this type of mechanism.

Thanks.

STFA!
or
JFGI!
About the third or fourth hit will tell you.

Doing your own research before asking here is strongly recommended.

Rod/
From the land down under: Australia.
Do we look umop apisdn from up over?



Re: port knocking?

2007-06-25 Thread RW
On Mon, 25 Jun 2007 10:48:20 -0700, John N. Brahy wrote:

I was wondering what the general census on port knocking in the OpenBSD
community is. I like the idea of hiding services but I don't like the
idea of relying on a piece of code that's not part of the OpenBSD core.
I know when it comes down to it, it's only hiding ports and not actually
securing anything.

I am assuming that it's not practiced in the OpenBSD world because there
are no port knocking ports.

Anyone not agree with that summation?

Me. I'd guess that a better line would be that the reason there are no
port knocking ports is because OpenBSD developers think that port
knocking is a giant wank.

But that's just my guess and, if they do, I'd heartily agree.

Rod/
Me...a skeptic?  I trust you have proof.



Re: Spamd variation

2007-06-12 Thread RW
On Tue, 12 Jun 2007 03:04:23 -0700 (PDT), Praveen wrote:

Hi,
From the man page it appears that spamd relies on
static information about spam originators.
Why not a more dynamic scheme?

Why not run the content of the mail through a spam
detector (like dspam), find the spam score and make
decisions based on that. I know that spam detection
is no where near perfect but it can be used for
assigning a 'badness score' to a site(originator of
email). So a site keeps getting this score and the
average (per msg) exceeds a we black list the site for
fixed duration. Similarly for white listing.

'Badness score' can also be assigned for other things,
like trying to send to a non-existent user (a typical
spammer probe), absence of an MX entry etc.


A milter(sendmail/postfix) can be implemented for
this.
Thus decisions will be more dynamic and 'configuration
free'.

Does this sound reasonable ?


No.

That would make spamd into bloatware and much less efficient.

People who want milters, content-inspection, RBL lookups and whatever
can run them in conjunction with their MTA.

spamd does all I want it to do with no measurable load on my system. I
do NO content inspection and there have been only 3 spams total which
got to any user in this domain since 1/1/7.

Content inspection practitioners are always playing catchup and
fiddling with ham/spam training for their toys and then along comes the
next trick of the spammers = back to square one.

Thanks to beck@ and company I don't have to play that silly game.

R\/\/.

In the beginning was The Word
and The Word was Content-type: text/plain
The Word of Rod.



Problem booting CD for serial console

2007-06-04 Thread RW
I have a Commell LE564 which will work happily with a serial console
including doing BIOS stuff.

The BIOS allows use of a USB CD drive and that works too. Well, it
works perfectly if you can just time it right and blindly type in the
magic string to redirect the console to com0 and then you can do all of
the install and thankfully some really kind dev gave us a choice to use
serial console for running the installed OS.

So I thought it would be cool to modify the CD boot to do the console
switch that I remembered somebody describing some time back, and did
the svnd mount of the cdrom41.fs, added /etc/ and put in a boot.conf
containing set tty com0. I noted that the image contained /boot and
/bsd as expected.

I then did mkhybrid with all the buttons and knobs and burned the
resulting ISO to a CD.
Mounting it shows the expected directory structure and when it is
booted it announces that it is using a 2.88 floppy image and then gives
out ERR M and locks up.

I haven't suffered that before and found it in the FAQ but I'm none the
wiser as to what could have happened in a CD boot situation.

Anybody who has had this problem and worked it through can feel free to
be very superior and lay a clue on me because I'm sure that it is a
painful thing to debug except for the authors of the boot processes.

Thanks,

_Rod
Depressed? Me?
Don't make me laugh!
:Spike Milligan:1918-2002:



Re: Problem booting CD for serial console

2007-06-04 Thread RW
On Mon, 04 Jun 2007 08:55:09 -0500, Jacob Yocom-Piatt wrote:

uh, pxeboot? you can put the CD contents on your pxeboot server and 
there's no need to hook up a CD drive. me thinks that's how you're 
supposed to do it for headless machines.

have had the same bad magic errors in the past when using usb cdrom drives.


Uhh, pxeboot? It MIGHT work if it was in the BIOS but it is not. The
local distributor has just got a copy of an update which he has
promised to test and to forward to me if it works.
To do the first install I pulled the card out of the 1U case, stripped
the plank off an fxp PCI card and installed from my pxe server. I'm not
doing that on a regular basis and in the field I don't have pxe servers
on tap anyway.

I have installed from the USB CD since but, as I said, it depends on
typing in the console switching line blindly at the boot prompt.

I can't expect junior admins to do that at customer sites and get it
right first time every time with a customer looking on.

Thanks,

Rod/
From the land down under: Australia.
Do we look umop apisdn from up over?



Addition to list of supported ral mini-pci cards

2007-06-03 Thread RW
The list of mini-pci cards that work with ral does not include one I
obtained recently.

It is an MSI  MP54G5 and it seems to work well as an AP. More testing
coming up and I'll send an alert if I see any problems.

It shows up in dmesg as:
ral0 at pci0 dev 20 function 0 Ralink RT2560 rev 0x01: irq 11,
address 00:13:d3:6a:5f:96
ral0: MAC/BBP RT2560 (rev 0x04), RF RT2525

About $AUD35+GST for the benefit of Aussies and nearby denizens.

Thanks to damien@ and others who helped.


Rod/
A consultant is someone who's called in when someone has painted himself into a 
corner.  He's expected to levitate his client out of that corner.

-The Sayings of Chairman Morrow. 1984.



Boot mystery

2007-05-29 Thread RW
I am helping a friend by setting up dual boot HDDs to swap back and
forth between DOS (for a legacy data entry app) and OpenBSD (to push
the data to a backup box to burn CDs for short term archival use.)

It just works for every machine bar one. dmesg below.

The problem is that the drive boots to either OS and swaps on command in
my LabRat but in its intended home it boots to DOS just fine and fails
totally when trying to boot to OpenBSD. Message on screen is "No
operating system".

The swapping is done by rewriting track 0 to suit. Every swap stores a
copy of the existing track 0 where the other OS uses it to rewrite for
switching back. There is no boot menu or grubby manager thingy. Just a
command of gobsd or godos as required from each of the running systems.

It has me stumped. Intel mobos have a nasty habit of rebooting instead
of powering down at halt -p commands but we do not have another that
won't boot this drive. We don't have an identical model  to try either.

Dmesg (from 4.1 floppy):
OpenBSD 4.1 (RAMDISK) #260: Sat Mar 10 19:38:22 MST 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/RAMDISK
cpu0: Intel(R) Celeron(R) D CPU 3.20GHz (GenuineIntel 686-class) 3.21
GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,
CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,CNXT-ID
,CX16,xTPR
real mem  = 257982464 (251936K)
avail mem = 231079936 (225664K)
using 3187 buffers containing 13053952 bytes (12748K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 04/14/06, SMBIOS rev. 2.3 @
0xe4d90 (29 entries)
bios0: Intel Corporation D945GTP
apm0 at bios0: Power Management spec V1.2
apm0: flags 30102 dobusy 0 doidle 1
pcibios at bios0 function 0x1a not configured
bios0: ROM list: 0xc/0xae00! 0xcb000/0x1800
acpi at mainbus0 not configured
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82945GP rev 0x02
vga1 at pci0 dev 2 function 0 Intel 82945G Video rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
Intel 82801GB HD Audio rev 0x01 at pci0 dev 27 function 0 not
configured
ppb0 at pci0 dev 28 function 0 Intel 82801GB PCIE rev 0x01
pci1 at ppb0 bus 1
ppb1 at pci0 dev 28 function 2 Intel 82801GB PCIE rev 0x01
pci2 at ppb1 bus 2
ppb2 at pci0 dev 28 function 3 Intel 82801GB PCIE rev 0x01
pci3 at ppb2 bus 3
Intel 82801GB USB rev 0x01 at pci0 dev 29 function 0 not configured
Intel 82801GB USB rev 0x01 at pci0 dev 29 function 1 not configured
Intel 82801GB USB rev 0x01 at pci0 dev 29 function 2 not configured
Intel 82801GB USB rev 0x01 at pci0 dev 29 function 3 not configured
Intel 82801GB USB rev 0x01 at pci0 dev 29 function 7 not configured
ppb3 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0xe1
pci4 at ppb3 bus 4
fxp0 at pci4 dev 0 function 0 Intel 8255x rev 0x0c, i82550: irq 10,
address 00:02:b3:eb:e5:cd
fxp0: Disabling dynamic standby mode in EEPROM, New ID 0x50a0, cksum @
0x3f: 0x8404 - 0x8406
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
ichpcib0 at pci0 dev 31 function 0 Intel 82801GB LPC rev 0x01: PM
disabled
pciide0 at pci0 dev 31 function 1 Intel 82801GB IDE rev 0x01: DMA,
channel 0 configured to compatibility, channel 1 configured to
compatibility
wd0 at pciide0 channel 0 drive 0: ACCUSYS ACS75130 1.4
wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
pciide0: channel 1 ignored (disabled)
pciide1 at pci0 dev 31 function 2 Intel 82801GB SATA rev 0x01: DMA,
channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide1: using irq 11 for native-PCI interrupt
Intel 82801GB SMBus rev 0x01 at pci0 dev 31 function 3 not configured
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask fbed netmask ffed ttymask ffef
rd0: fixed, 3800 blocks
dkcsum: wd0 matches BIOS drive 0x80
root on rd0a
rootdev=0x1100 rrootdev=0x2f00 rawdev=0x2f02

Rod/
From the land down under: Australia.
Do we look umop apisdn from up over?



Re: ral AP Requires ifconfig down/up Daily (Kind of Solved)

2007-05-28 Thread RW
On Mon, 28 May 2007 16:38:31 -0600, Daniel Melameth wrote:
8<--
snipped lots of good info, thanks.
8<--
Any thoughts... or anyone know of a 802.11g card/driver combination
with that legendary wi reliability?


I have an MSI PCI card in a Soekris 4850. It looks like this (in
dmesg):
ral0 at pci0 dev 10 function 0 Ralink RT2560 rev 0x01: irq 11,
address 00:13:d3:6b:a9:be
ral0: MAC/BBP RT2560 (rev 0x04), RF RT2525
and it works perfectly for me as an AP.

So good that I have just bought an MSI miniPCI to go in a Commell LE564
that will be my new firewall.

HTH,

Offline replies best sent to ash2 at witworx dot com.

Rod/
From the land down under: Australia.
Do we look umop apisdn from up over?



Re: smtp auth + greylisting

2007-05-22 Thread RW
On Tue, 22 May 2007 16:08:10 -0600, Bob Beck wrote:

arlo guthrie

...
   We walked in, sat down, Obie brought up the help desk page with
8<snip

And you can get anything you want at Bob Beck's Restaurant,
as long as it's moose!

Loved it Bob!
You are not just a good coder.
Thanks, the day just got better,


_Rod
Depressed? Me?
Don't make me laugh!
:Spike Milligan:1918-2002:



Insecurity problem?

2007-05-10 Thread RW
In the past I have always applied relevant patches and recompiled
whatever was needed to take care of errata items.

Nearly a week ago I decided to use a spare machine to track  i386 4.1
stable, did what I was told (FAQ, thanks Nick et al!) : untarred
sources, cvs updates, makes all went without hitches and just used a
fair few hours.

The build box now sends me email every day saying:
Checking setuid/setgid files and devices:
Setuid/device find errors:
find: fts_read: No such file or directory
I ran sh -v /etc/security 2>&1 | less and searched for fts_read but the
context is just what you'd expect from the output above.
I know that fts_read is a part of find but what is it looking for in
vain?

I get an itchy feeling that everything did not go as expected during
update but the box seems to do whatever I try with no problems.

Cluebat?

_Rod
Depressed? Me?
Don't make me laugh!
:Spike Milligan:1918-2002:



Re: Routing to host over IPsec

2007-05-07 Thread RW
On Mon, 7 May 2007 23:01:15 -0600, Joel Knight wrote:

--- Quoting RW on 2007/04/30 at 16:52 +1000:

 Existing setup:
 
 Head Office: 
 WAN IP=165.x.y.z
 LAN = 172.22.22.0/24
 Extranet gateway = 10.x.y.1
 
 Branch Office:
 WAN IP=150.x.y.z
 LAN= 172.22.23.0/24
 
 IPsec endpoints are OpenBSD firewalls and LAN to LAN connectivity is
 fine.
 
 My challenge is to get traffic to pass from a host on the Branch LAN
 over the IPsec tunnel to a host on the Extranet via gateway 10.x.y.1.
 
 If I could add a route entry that used  the LAN IP of the H/O firewall
 life would be easy but of course addresses that are only visible through
 IPsec don't appear in the routing table to be used as the next hop.
 
 Is there a way to do this using either route or pf or ipsec itself?
 Some other method?
 
 I have to be able to get traffic to several hosts on the extranet (and
 get the replies back!) and they are only reachable via the extranet
 gateway on the head office firewall.
 
 Cluestick, anybody?


Setup your flows appropriately on the branch ipsec gateway to get
traffic over the tunnel and to the head office. On the HO endpoint,
setup a normal route to push the traffic to the extranet gateway.


Thanx for replying.

For the record:
All the flows needed to do FW-FW + LAN-FW + FW-LAN + LAN-LAN
were already setup and working just fine.

A route doesn't need to be added at HO to find the extranet as it
terminates on the firewall just as the tunnel did.

What solved it for me was to add a flow from the branch LAN to the
extranet IP on the f/wall and vice versa.

That is probably bleedin' obvious to IPsec gurus (which I ain't) but
intuition said that I should be able to do it with some routing entries
alone.

Not so, it seems.

Rod/
Write a wise saying and your name will live on forever.  - Anonymous



Routing to host over IPsec

2007-04-30 Thread RW
Existing setup:

Head Office: 
WAN IP=165.x.y.z
LAN = 172.22.22.0/24
Extranet gateway = 10.x.y.1

Branch Office:
WAN IP=150.x.y.z
LAN= 172.22.23.0/24

IPsec endpoints are OpenBSD firewalls and LAN to LAN connectivity is
fine.

My challenge is to get traffic to pass from a host on the Branch LAN
over the IPsec tunnel to a host on the Extranet via gateway 10.x.y.1.

If I could add a route entry that used  the LAN IP of the H/O firewall
life would be easy but of course addresses that are only visible through
IPsec don't appear in the routing table to be used as the next hop.

Is there a way to do this using either route or pf or ipsec itself?
Some other method?

I have to be able to get traffic to several hosts on the extranet (and
get the replies back!) and they are only reachable via the extranet
gateway on the head office firewall.

Cluestick, anybody?

Rod/
Write a wise saying and your name will live on forever.  - Anonymous



Re: Static Ip's: Routing and Fowarding

2007-04-19 Thread RW
On Wed, 18 Apr 2007 17:40:49 -0700, Bryan Vyhmeister wrote:

On Apr 18, 2007, at 5:31 PM, Bray Mailloux wrote:

shared-network LOCAL-NET {
    option domain-name theamericanbray.com;
    option domain-name-servers 208.204.224.11, 208.204.224.33
    subnet 192.168.0.0 netmask 255.255.255.0 {
        options routers 192.168.0.1;
        range 192.168.0.14 192.168.0.23;
    }
}

On the third line, you need a semicolon after the second DNS server.  
I would typically do this whole thing in a subnet declaration that is  
at the root of the file. Take out the shared-network statement and  
the last closing brace. See if that makes a difference. After you do  
that, run the following commands:

pkill dhcpd
/usr/sbin/dhcpd
tail -f /var/log/daemon

Look for any errors with the last command.


You have pulled one of my tricks - writing a quick helpful reply and
forgetting something you never would when doing it at the console of
your own machine.

dhcpd needs to be told what interface(s) to listen on.
R/

From the land down under: Australia.
Do we look umop apisdn from up over?



Re: SSH/SFTP question

2007-04-13 Thread RW
On Fri, 13 Apr 2007 09:37:14 -0400, stuart van Zee wrote:

Sorry if this belongs elsewhere but I was sure someone here would know.

I was under the impression that when using SFTP to transfer files they 
were automatically treated as Binary files.  So if the remote file uses
CRLF to terminate lines, the downloaded file would have CRLF terminating
it's lines.  So I have a vendor that has replaced his FTP with SSH/SFTP.
my code is written to expect CRLF because that is the way the files
were when using the old FTP system to download.  Now, when I use SFTP
the files just have the LF.  The vendors answer is that we need to use
ASCII mode to transfer the files to get the CRLF.  I didn't know that 
there WAS an ASCII mode in SFTP let alone that using ASCII as opposed to 
Binary would change the line terminators.  The files in question are
technically ASCII text files but shouldn't I be getting an EXACT copy of
the file when I use Binary mode (assuming that I am right and that is
indeed the default with SFTP)?

What I really need is an explanation or a pointer to where I can get an
explanation so that I really know what I am talking about when I talk
to this vendor (and KNOW that I know what I am talking about).

Stuart van Zee

I cannot duplicate your findings. maybe we need to know a bit more
about what is running at each end.

I did:
Make short file with CRLF at end of each line except last.
That used a windows text editor (UE).
Used winscp to send it to an OpenBSD box using sftp (you can choose
that or scp).
Note: Winscp does offer Text mode, Binary mode and Automatic.
I chose binary. Note that the conversion happens in winscp if you let
it do Text or Auto.
Then I used sftp on another OpenBSD box to get the file from the other
one.
All of the CRLF pairs were intact.

Conclusion: My theory is that the conversion happens at the other
end.
Insufficient data to speculate further but the CR stripping does NOT
happen in OpenBSD's sftp.

HTH, HAND. More testing if you'd like to spec it. 

Rod/

A consultant is someone who's called in when someone has painted himself into a 
corner.  He's expected to levitate his client out of that corner.

-The Sayings of Chairman Morrow. 1984.



Re: spamdb: convert greylisted addresses to whitelisted servers?

2007-04-05 Thread RW
On Thu, 5 Apr 2007 18:06:29 -0700, John N. Brahy wrote:

I've been looking at the source and I've read the man page but I don't
see a way to convert a greylisted entry to a whitelisted entry.

Is it possible or just unnecessary?

# spamdb -a 12.34.56.78
# spamdb | grep 12.34.56.78
WHITE|12.34.56.78|||1175817375|1175819030|1178929430|1|2
GREY|12.34.56.78|[EMAIL PROTECTED]|[EMAIL PROTECTED]|1175815019|1175829419|
1175829419|4|0
#

Unnecessary. The WHITE entry wins when a lookup of 12.34.56.78 is done
in the database.

R/

A consultant is someone who's called in when someone has painted himself into a 
corner.  He's expected to levitate his client out of that corner.

-The Sayings of Chairman Morrow. 1984.
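The reply above says the WHITE entry wins when spamd looks up 12.34.56.78, even though GREY tuples for the same address remain in the database. The script below parses a spamdb dump in the field layout shown in the post and applies that rule plus expiry, so you can ask what spamd will currently do with a given IP. It is an added example, not code from the thread or from OpenBSD's spamd; the dump is constructed around the two lines quoted above (the sender/recipient addresses and the third line are made up).

```python
"""Work out the effective spamd state of an IP from a spamdb(8) dump.

Layout of the dump lines, as shown in the post:
  WHITE|ip|||first|pass|expire|bcount|pcount
  GREY|ip|from|to|first|pass|expire|bcount|pcount
WHITE (and TRAPPED) entries are keyed by the address alone; GREY entries
are keyed by the (ip, from, to) tuple, which is why both can coexist."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed spamdb output built around the two lines quoted in the post.
SAMPLE_DUMP = """\
WHITE|12.34.56.78|||1175817375|1175819030|1178929430|1|2
GREY|12.34.56.78|<sender@example.org>|<user@example.com>|1175815019|1175829419|1175829419|4|0
GREY|198.51.100.7|<other@example.net>|<user@example.com>|1175815019|1175829419|1175829419|1|0
"""


@dataclass
class Entry:
    kind: str        # WHITE, GREY, TRAPPED
    ip: str
    sender: str      # empty for address-keyed kinds
    recipient: str
    first: int       # first seen (epoch seconds)
    passtime: int    # GREY: when a retry is allowed to pass; WHITE: last pass
    expire: int      # entry is purged once now > expire
    bcount: int      # connections blocked
    pcount: int      # connections passed


def parse_dump(text: str) -> List[Entry]:
    """Parse `spamdb` output. SPAMTRAP|address lines carry no IP state and
    are skipped; any other line must have exactly the nine fields above."""
    entries: List[Entry] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("SPAMTRAP|"):
            continue
        f = line.split("|")
        if len(f) != 9:
            raise ValueError(f"line {lineno}: expected 9 fields, got {len(f)}")
        entries.append(Entry(f[0], f[1], f[2], f[3], *map(int, f[4:9])))
    return entries


def effective_state(entries: List[Entry], ip: str, now: int) -> Optional[str]:
    """What spamd does with `ip` at time `now`: an unexpired address-keyed
    entry (WHITE or TRAPPED; only one can exist since they share a key)
    wins over any GREY tuples; otherwise GREY if a live tuple remains;
    None if the address is unknown or everything has expired."""
    live = [e for e in entries if e.ip == ip and e.expire > now]
    for kind in ("WHITE", "TRAPPED"):
        if any(e.kind == kind for e in live):
            return kind
    if any(e.kind == "GREY" for e in live):
        return "GREY"
    return None


def stale_grey_tuples(entries: List[Entry], now: int) -> List[Entry]:
    """GREY tuples made moot by a live WHITE for the same IP: the ones the
    poster asked about converting, which spamd simply lets expire."""
    white_ips = {e.ip for e in entries if e.kind == "WHITE" and e.expire > now}
    return [e for e in entries if e.kind == "GREY" and e.ip in white_ips]


if __name__ == "__main__":
    ents = parse_dump(SAMPLE_DUMP)
    now = 1175900000
    for ip in ("12.34.56.78", "198.51.100.7"):
        print(ip, effective_state(ents, ip, now))
    print(len(stale_grey_tuples(ents, now)), "GREY tuple(s) shadowed by WHITE")
```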



Re: IPsec gone asymmetric

2007-03-22 Thread RW
On Thu, 22 Mar 2007 05:30:45 -0600, Jacob Yocom-Piatt wrote:

RW wrote:
 I have a simple setup.
 Sydney to Melbourne and the ipsec.conf is one of the nice easy ones
 whilst I learn to do more complex setups. It has been working for
 months.

 Today doing ipsecctl -s all at either end generates the expected
 output. Each is a mirror of the other.

 netstat -rnf encap shows expected output at both ends. Again mirrors of
 the other.

 However sshing into each and doing a traceroute to t'other end gives
 madly asymmetric results.

 With the distant gateway as the target Syd gets to Mel in one hop, as
 expected.
 Mel gets to Syd going out the $ext_if rather than the encap. As the
 LANs are RFC1918s Mel cannot get to Syd but Syd can get to Mel.

   

i wouldn't expect you to have a route not set on the isakmpd endpoints,
but i have a route add remote net internal private IP in the
hostname.if files for the internal interfaces on both endpoints. that's
the only thing i can think of that would work for a while (manually
added routes) and then stop working after, say, a reboot of one endpoint.

No, not the problem here. It works without any extra route lines, but
read the update at the bottom of the quoted stuff.

cheers,
jake


 Killing (desperation set in) isakmpd and restarting both ends did
 nothing to change the situation.

 What kind of diagnostics can I use to debug this? Extra points for a
 correct guess as to the cause all this time after installation.

 Thanks,

OK, a night's sleep led to an early morning Eureka moment.

I should have said What changed? and I did. The mistake that dummy me
made was not to consider a change made ages ago. That change did not
break ipsec for the clients but did for the firewall endpoint at one
end.

For the benefit of others here is the detail:

Originally Mel (bourne) was on an ADSL connection running half-bridge
so the OpenBSD firewall had the WAN IP on $ext_if and the first
(usable) of a /29 on the server LAN NIC.

Due to problems with the modem we swapped it out for one that does not
do half-bridge.

So I gave $ext_if 192.168 addr to mate with the one on the modem. I
then did  all the NAT stuff based on $svrlan_if
e.g.
nat on $ext_if from $fwext to any -> $svr_if
nat on $ext_if from $lan_ip to any -> $svr_if
where fwext is the IP on $ext_if and lan_ip is the /24 for the LAN
users.
So all outbound packets look like they come from the svr_lan nic.
That works sweetly and I have a similar setup at home. Neither of those
has the /30 that would be preferred to make everything work but that's
IP scarcity for you.

So ipsec works just fine for everything on Mel and its mate, Syd.
Except for packets I generated at Mel using ssh login. Until I woke up
and used the -I flag in ping and the -s flag in traceroute to source
the packets from the svrlan_if address, that is.

I don't know what, if anything, can be done to ensure that packets
generated in the firewall Mel can be forced to use the tunnel when the
destination is Syd, but it isn't a showstopper (fingers crossed!)

So, there was a change ages ago and I had never after it, until now,
tried to ping up the tunnel from the firewall so I didn't know that it
was kinda broken, and if anybody knows how to unbreak it I'll be
pleased just in case

Thanks Jacob for your reply.

Rod/

From the land down under: Australia.
Do we look umop apisdn from up over?



named stopped with error

2007-03-22 Thread RW
On a firewall that is not mine but where the admins run to me for help
8-) somebody noticed that name resolution was not working.
rc.conf.local says:
named_flags=
named.conf is the default (caching with recursion only for local
clients)
uname says:
OpenBSD fw.example.com.au 3.9 GENERIC#617 i386
/var/log/daemon says:
Mar 23 00:13:03 fw named[13888]:
/usr/src/usr.sbin/bind/lib/isc/mem.c:628
: INSIST(((unsigned char *)mem)[size] == 0xbe) failed
Mar 23 00:13:03 fw named[13888]: exiting (due to assertion failure)

It started up manually and ran as it has for the past (nearly) year, so
it looks like a one-off but I'd love to hear of possible causes.

Thanks,
Rod/

From the land down under: Australia.
Do we look umop apisdn from up over?



IPsec gone asymmetric

2007-03-21 Thread RW
I have a simple setup.
Sydney to Melbourne and the ipsec.conf is one of the nice easy ones
whilst I learn to do more complex setups. It has been working for
months.

Today doing ipsecctl -s all at either end generates the expected
output. Each is a mirror of the other.

netstat -rnf encap shows expected output at both ends. Again mirrors of
the other.

However sshing into each and doing a traceroute to t'other end gives
madly asymmetric results.

With the distant gateway as the target Syd gets to Mel in one hop, as
expected.
Mel gets to Syd going out the $ext_if rather than the encap. As the
LANs are RFC1918s Mel cannot get to Syd but Syd can get to Mel.

Killing (desperation set in) isakmpd and restarting both ends did
nothing to change the situation.

What kind of diagnostics can I use to debug this? Extra points for a
correct guess as to the cause all this time after installation.

Thanks,
Rod.

From the land down under: Australia.
Do we look umop apisdn from up over?



Re: No Blob without Puffy

2007-03-20 Thread RW
On Tue, 20 Mar 2007 03:54:41 -0400, Gordon Willem Klok wrote:

I'm one of those users with my atheros-based
 wireless card I'm using right now. I know what I'm doing. I don't feel
 less safe. I don't audit every single driver I use. And I'm happy to use
 OS which gives me the choice.

I'm one of the other users with an atheros wireless card in an IBM
Thinkpad I'm using right now on another desk.

And I know what I'm doing and I feel really safe because I'm happily
using an OS which really gives me lots of choice and doesn't force
blobs down my throat.

OpenBSD.

BTW the fact that some people are great programmers doesn't mean that
they are great judges of ethics or art or politics or anything outside
their area of expertise.

Judging their nous about other subjects by their code is like taking
corporate investment advice from a teenage rockstar.

That comment doesn't imply that they cannot have any other skills like
being clueful about really open code. It is just the case that you
cannot imply it where no evidence exists.
R/

From the land down under: Australia.
Do we look umop apisdn from up over?



Re: No Blob without Puffy

2007-03-19 Thread RW
On Mon, 19 Mar 2007 11:59:51 -0400, Dan Farrell wrote:

I thought it was free as in beer, but because of the blobs, not
necessarily free as in you can do whatever you want with it...

Because what can you do with a blob? Are you allowed to use a blob
anywhere you want, in any situation? Are you allowed to crack open a
blob and use parts of its code to re-write your own software/drivers?
Are you even allowed to have documentation regarding a blob? These are
all defined by license restrictions... that restrict your freedom
concerning the use of the blob.

So IMHO FreeBSD is only free to obtain... but not fully 'free' to use
in any way you want.

Please follow the simple formula-

   License Restriction = Not Free.

You've been so involved in this discussion I thought you wouldn't need
this simplistic review... or maybe you're just trolling.

Yes, he is just trolling.

And for the other mentally challenged who think that FREEbsd has any
real freedom, cop this quote from their website:
While you might expect an operating system with these features to sell
for a high price, FreeBSD is available free of charge and comes with
full source code. If you would like to purchase or download a copy to
try out, more information is available.

Full source code? For all the blobs? Really? Or do you accept entries
in the Obfuscated Code Contest as real, usable, and fixable if needed,
source?


From the land down under: Australia.
Do we look umop apisdn from up over?



Re: OpenBSD speed on desktops

2007-03-19 Thread RW
On Mon, 19 Mar 2007 16:26:12 -0500, Marco Peereboom wrote:

Yes but since these are production machines in a lab that requires
clearance I can't share.  We keep backups around for all these machines
since every now and then we lose one for no good reason.  In contrast
the windows  and openbsd machines we have deployed do not share this
behavior.

You are the one making bold statements based on a non representative
sample.

production server != home computing != desktop

On Mon, Mar 19, 2007 at 05:31:11PM +0100, RedShift wrote:
 Marco Peereboom wrote:
 If you like losing data ext3 and reiserfs work just fine.  I manage to
 lose Linux installations pretty often by doing crazy things like
 rebooting.
 
snip rest of long thread we have all read

Here is a quote from Theodore Tso (http://thunk.org/tytso/ for bio) a
few months back in kerneltrap:
quote
The fact that reiserfs uses a single B-tree to store all of its data
means that very entertaining things can happen if you lose a sector
containing a high-level node in the tree.  It's even more entertaining
if you have image files (like initrd files) in reiserfs format stored
in reiserfs, and you run the recovery program on the filesystem.

Yes, I know that reiserfs4 is alleged to fix this problem, but as far
as I know it is still using a single unitary tree, with all of the
pitfalls that this entails.

Now, that being said, that by itself is not a reason not to decide not
to include reiserfs4 into the mainline sources.  (I might privately
get amused when system administrators use reiserfs and then report
massive data loss, but that's my own failure of charity; I'm working
on it.)  For the technical reasons why reiserfs4 hasn't been
integrated, please see the mailing list archives.
/quote

Enough said? I think that backs up Marco pretty well, given that Tso is
a Linux kernel dev since '91.

I used to be an IBM Linux instructor until a few years ago and we
always warned about Reiser FS being too bleedin' edgy. Seems it hasn't
matured yet.

From the land down under: Australia.
Do we look umop apisdn from up over?



Re: a few questions on spamdb

2007-02-28 Thread RW
On Wed, 28 Feb 2007 11:48:52 -0800, Tom Bombadil wrote:

I wonder how people are coping with master downtime when using spamd?

Is it a good idea to regularly dump spamd-white into a file, rsync it
to the backup carp server, and load these IPs in a separate table?
I was thinking of lowering whiteexp on spamd as well (to have a leaner DB)

From what I gather from old posts, there is no safe way of copying
/var/db/spamd to the backup server. Am I wrong here?


On the advice of Bob Beck I did it when changing firewalls a while
back. I took the old one off the internet, copied the file to the new
one, swapped the two boxes, plugged in the ADSL and voila!

Nothing broke. I think there is a caveat about differing arches but
that is probably not a prob for you.

From the land down under: Australia.
Do we look umop apisdn from up over?



Re: spamd-white

2007-02-27 Thread RW
On Tue, 27 Feb 2007 13:55:50 -0800, Tom Bombadil wrote:

Greetings...

By any chance, will spamd delete any IPs that I add manually to spamd-white?

spamd(8) says:
spamd regularly scans the /var/db/spamd database and configures all
 whitelist addresses as the spamd-white pf(4) table.

How exactly does spamd configure spamd-white table?

The objective is to safely add my own IPs to the whitelist.

Thanks :)

Try looking at /etc/spamd.conf (the default copy from install)
The spamd-white table expires entries in 36 days (default)

From the land down under: Australia.
Do we look umop apisdn from up over?



Re: binary updates

2007-02-26 Thread RW
On Mon, 26 Feb 2007 22:31:08 -0600, Default User wrote:

When will we ever see binary updates for OpenBSD?  Taking a system
off-line for over 20 hours to do a source code rebuild is just too long,
and just tracking RELEASE means running an insecure system.

Binary updating - try it, you'll like it! 

Troll /dev/null
Plonk!
From the land down under: Australia.
Do we look umop apisdn from up over?



IPsec intermittent failure

2007-02-23 Thread RW
We have an IPsec tunnel setup between two OpenBSD firewalls and
normally it just works (thanks developers!)

Over the past day or so the tunnel breaks. 
ipsecctl  -sa shows no flows or SADB entries.
The log entries at the Sydney end show lines like:
Feb 24 05:59:21 pps35001 isakmpd[9204]: rsa_sig_decode_hash: no public key found
Feb 24 05:59:21 pps35001 isakmpd[9204]: dropped message from xyz.101.222.1 port 56858 due to notification type INVALID_ID_INFORMATION
Feb 24 05:59:32 pps35001 isakmpd[9204]: rsa_sig_decode_hash: no public key found
Feb 24 05:59:32 pps35001 isakmpd[9204]: dropped message from xyz.101.222.1 port 56858 due to notification type INVALID_ID_INFORMATION

There are batches of such messages, some quite short (1 or 2) but some
go on for long periods. The batch including the above sample started at
05:10:57 and is still (06:13) going.

The Melbourne end log looks like:
Feb 24 06:13:04 PPS35004 isakmpd[23508]: transport_send_messages: giving up on exchange peer-abc.228.107.202, no response from peer abc.228.107.202:500
Feb 24 06:13:32 PPS35004 isakmpd[23508]: transport_send_messages: giving up on exchange peer-abc.228.107.202, no response from peer abc.228.107.202:4500

The pubkey for Melbourne is in place and readable at
/etc/isakmpd/pubkeys/ipv4/

Any clues? Any other pertinent info needed?

Please reply on list. The sender address is filtered to allow
connections only from the list server. The spammers know it well
enough. ;(

Rod/

From the land down under: Australia.
Do we look umop apisdn from up over?
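
The log excerpts above were read by eye to find where each batch of
"no public key found" messages starts and stops. Here is an added
example (not part of Rod's post, and not isakmpd code) that does the same
grouping over constructed lines in the same syslog format, so a monitoring
box can alert when a burst of IKE authentication failures runs on for too
long. The timestamps, host name and the 192.0.2.1 peer address are
stand-ins, and the syslog year is supplied by hand because the lines carry
none.

```python
"""Group isakmpd 'no public key found' messages into bursts.

Added example: constructed log lines in the format shown in the post,
not a real capture.  The peer address 192.0.2.1 is a documentation
address standing in for the masked one.
"""
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"isakmpd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
KEY_FAIL = "rsa_sig_decode_hash: no public key found"
DROP_RE = re.compile(
    r"dropped message from (?P<peer>\S+) port (?P<port>\d+) "
    r"due to notification type (?P<notify>\w+)"
)

# Constructed sample: one short burst (2 failures) and one longer one (4).
SAMPLE_LOG = """\
Feb 24 04:10:01 pps35001 isakmpd[9204]: rsa_sig_decode_hash: no public key found
Feb 24 04:10:01 pps35001 isakmpd[9204]: dropped message from 192.0.2.1 port 56858 due to notification type INVALID_ID_INFORMATION
Feb 24 04:10:12 pps35001 isakmpd[9204]: rsa_sig_decode_hash: no public key found
Feb 24 04:10:12 pps35001 isakmpd[9204]: dropped message from 192.0.2.1 port 56858 due to notification type INVALID_ID_INFORMATION
Feb 24 05:10:57 pps35001 isakmpd[9204]: rsa_sig_decode_hash: no public key found
Feb 24 05:10:57 pps35001 isakmpd[9204]: dropped message from 192.0.2.1 port 56858 due to notification type INVALID_ID_INFORMATION
Feb 24 05:11:08 pps35001 isakmpd[9204]: rsa_sig_decode_hash: no public key found
Feb 24 05:11:08 pps35001 isakmpd[9204]: dropped message from 192.0.2.1 port 56858 due to notification type INVALID_ID_INFORMATION
Feb 24 05:13:40 pps35001 isakmpd[9204]: rsa_sig_decode_hash: no public key found
Feb 24 05:13:40 pps35001 isakmpd[9204]: dropped message from 192.0.2.1 port 56858 due to notification type INVALID_ID_INFORMATION
Feb 24 05:14:52 pps35001 isakmpd[9204]: rsa_sig_decode_hash: no public key found
Feb 24 05:14:52 pps35001 isakmpd[9204]: dropped message from 192.0.2.1 port 56858 due to notification type INVALID_ID_INFORMATION
"""


def parse_line(line, year=2007):
    """Split one syslog line into timestamp, host, pid and message.

    Returns None for lines that are not isakmpd messages.  The year is an
    assumption: syslog timestamps do not include it.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(
        f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S"
    )
    return {"ts": ts, "host": m["host"], "pid": int(m["pid"]), "msg": m["msg"]}


def batches(lines, gap=timedelta(minutes=5)):
    """Group key-lookup failures into bursts separated by more than `gap`.

    Each burst records its first and last timestamp, the number of
    failures, and the peers named in the INVALID_ID_INFORMATION drops
    that accompany them.
    """
    out = []
    cur = None
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["msg"] == KEY_FAIL:
            if cur is None or rec["ts"] - cur["end"] > gap:
                cur = {"start": rec["ts"], "end": rec["ts"], "count": 0, "peers": set()}
                out.append(cur)
            cur["end"] = rec["ts"]
            cur["count"] += 1
        elif cur is not None and rec["ts"] - cur["end"] <= gap:
            d = DROP_RE.search(rec["msg"])
            if d and d["notify"] == "INVALID_ID_INFORMATION":
                cur["peers"].add(d["peer"])
    return out


def summarize(log_text, gap=timedelta(minutes=5)):
    """Compact (start, end, count, peers) tuples, one per burst."""
    return [
        (b["start"].strftime("%H:%M:%S"), b["end"].strftime("%H:%M:%S"),
         b["count"], sorted(b["peers"]))
        for b in batches(log_text.splitlines(), gap)
    ]


if __name__ == "__main__":
    for start, end, count, peers in summarize(SAMPLE_LOG):
        print(f"{start}-{end}: {count} key lookups failed, peers {peers}")
```

A burst whose duration or count crosses a threshold is the thing to page
on; the gap value decides how many quiet seconds split one burst from the
next and should be tuned to the retransmit timing seen on the box.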



Re: rsyncing -current packages -- pattern matching problems

2007-02-17 Thread RW
On Sun, 18 Feb 2007 16:30:36 +1300, [EMAIL PROTECTED] wrote:

hi,

i am rsyncing -current packages  taking advantage of rsync's pattern 
matching to avoid specifying the package versions, to make a local 
repository for upgrades.

there are several packages that i _don't_ want to retrieve flavours for, 
e.g. cyrus-sasl as an example. but i haven't been able to force just the 
base package, without specifying identically the filename - which 
defeats the purpose of what i was trying to achieve.

here's my current go, trimmed to show the specific problem:

$ cat snapshot.inc
# include file for rsync
cvsync-*
cyrus-sasl-*
- cyrus-sasl-*db*
- cyrus-sasl-*mysql*
- cyrus-sasl-*ldap*
db-4*
- *.tgz

$ rsync -thrivz --stats --del -n 
rsync://rsync.de.openbsd.org/OpenBSD/snapshots/packages/i386 
/var/tmp/packages/ --include-from=snapshot.inc 

[...]

 f+++ i386/cvsync-0.24.19.tgz
 f+++ i386/cyrus-sasl-2.1.21p2-db4.tgz
 f+++ i386/cyrus-sasl-2.1.21p2-ldap.tgz
 f+++ i386/cyrus-sasl-2.1.21p2-mysql.tgz
 f+++ i386/cyrus-sasl-2.1.21p2.tgz
 f+++ i386/db-4.2.52p11.tgz
 f+++ i386/index.txt

[...]

but I _don't_ want to retrieve all the {db4,ldap,mysql} flavors - just 
the base one. can anybody help?

I don't have a chance to check (no rsync file or man page to check)
but:

Maybe in the rules you constructed first match wins. Once a match
happens no further rules are evaluated?

Otherwise you might go ask on an rsync list - I'd guess the folk there
wouldn't have to go look at the manpages It really is OT here.

Please reply to the list only. Due to the nicely open list (which I
heartily approve of) being archived with unmasked addresses, all mail
to the sender address is /dev/null

In the beginning was The Word
and The Word was Content-type: text/plain
The Word of Rod.
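
Rod's guess is right: rsync walks the include/exclude rules in the order
given and acts on the first pattern that matches, so the bare
`cyrus-sasl-*` include placed ahead of the `- cyrus-sasl-*db*` lines
shadows them. The following is an added example (not from the thread and
not rsync itself) that models that first-match rule in plain Python over a
constructed file list mirroring the dry-run listing above, and shows the
same rules with the flavour excludes moved before the broad include.

```python
"""Model rsync's first-match filter ordering for an --include-from file.

Added example, not rsync code: patterns are matched with fnmatch-style
globs against the bare file name, and the file list is constructed to
mirror the names in the dry run quoted in the post.
"""
from fnmatch import fnmatchcase

# Constructed file list, mirroring the rsync dry-run output.
FILES = [
    "cvsync-0.24.19.tgz",
    "cyrus-sasl-2.1.21p2-db4.tgz",
    "cyrus-sasl-2.1.21p2-ldap.tgz",
    "cyrus-sasl-2.1.21p2-mysql.tgz",
    "cyrus-sasl-2.1.21p2.tgz",
    "db-4.2.52p11.tgz",
    "index.txt",
]

# The poster's include file, as posted.
ORIGINAL_RULES = """\
# include file for rsync
cvsync-*
cyrus-sasl-*
- cyrus-sasl-*db*
- cyrus-sasl-*mysql*
- cyrus-sasl-*ldap*
db-4*
- *.tgz
"""

# Same rules with the flavour excludes moved ahead of the broad include.
REORDERED_RULES = """\
# include file for rsync
- cyrus-sasl-*db*
- cyrus-sasl-*mysql*
- cyrus-sasl-*ldap*
cvsync-*
cyrus-sasl-*
db-4*
- *.tgz
"""


def parse_rules(text):
    """Turn an --include-from file into (include?, pattern) pairs.

    In an --include-from file a bare line is an include; a '- ' or '+ '
    prefix selects exclude or include explicitly.  Blank lines and
    '#' comments are skipped.
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- "):
            rules.append((False, line[2:].strip()))
        elif line.startswith("+ "):
            rules.append((True, line[2:].strip()))
        else:
            rules.append((True, line))
    return rules


def transferred(rule_text, files=FILES):
    """Return the names rsync would transfer under first-match semantics.

    A file that matches no rule at all is transferred (rsync's default),
    which is why the trailing '- *.tgz' catch-all is needed.
    """
    rules = parse_rules(rule_text)
    wanted = []
    for name in files:
        decision = True  # default when nothing matches
        for include, pattern in rules:
            if fnmatchcase(name, pattern):
                decision = include
                break  # first match wins; later rules are never consulted
        if decision:
            wanted.append(name)
    return wanted


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_RULES), ("reordered", REORDERED_RULES)):
        print(label)
        for name in transferred(text):
            print("  " + name)
```

With the original order every file in the listing is transferred, exactly
as the dry run showed; with the excludes first only the base cyrus-sasl
package survives alongside cvsync and db. Note that `index.txt` is pulled
either way, because no rule matches it and rsync transfers by default.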



Re: is there an install packages file list?

2007-02-14 Thread RW
On Wed, 14 Feb 2007 17:00:55 -0800, Bryan Irvine wrote:

I'm going to be installing on a soekris box (probably on flash media),
and I'm trying to figure out what the bare minimum I need to install.

Is there somewhere I can see what files are included in the
base40.tgz, etc40.tgz etc... so I know what don't fill up the flash
card at the start?

They are going to be a pf firewall, and ipsec vpn (with one of them
running poptop for roadwarriors).

Any pitfalls I should watch out for on this? fstab options etc..?


Don't even consider reducing the base install. There is no reason to.

On a Soekris 4801 here I have been running OpenBSD 3.9 and 4.0 for more
than a year (3.9 beta was running before release) on an Apacer
PhotoSteno CF card with verbose spamd logging (until a month ago when
I moved spamd onto our new MTA).

I do pxe boot installs and I leave out all the X sets and the comp set.
X is not needed for anything on that host and compiling is best done on
a build host we keep here with lots more RAM and grunt in the CPU.

The CF is 512MB but any new boxes will have 1024MB simply because they
are now cheaper than the 512 was when I bought it and also the
wear-levelling is better on larger CFs. Pretty soon we won't see
smaller cards easily bought.

I don't run httpd or use sendmail for anything except the
daily/weekly/monthly/security reports but it is more work trimming
stuff than the benefit of smaller filesystems when I'm not short of
space anyway.
Here is the end of disklabel followed by mount and df -h.
Note that I have an unused 68.9 MB partition and that /usr has ALL the
manpages loaded and space for any packages I may need to add.

Swap is never used. I just tossed a bit in because (1) it stops the
system whinging about it not being there and (2) I don't need the
space, as you can see.

16 partitions:
#        size   offset  fstype [fsize bsize  cpg]
  a:    60.0M     0.0M  4.2BSD   2048 16384  122 # Cyl     0*-   121
  b:     9.8M    60.0M    swap                   # Cyl   122 -   141
  c:   488.7M     0.0M  unused      0     0      # Cyl     0 -   992
  d:    99.9M    69.9M  4.2BSD   2048 16384  204 # Cyl   142 -   344
  e:   250.0M   169.8M  4.2BSD   2048 16384  328 # Cyl   345 -   852
  f:    68.9M   419.8M  4.2BSD   2048 16384   16 # Cyl   853 -   992
[puffy:/var/log]
$ mount
/dev/wd0a on / type ffs (local, noatime, softdep)
/dev/wd0e on /usr type ffs (local, noatime, nodev, read-only, softdep)
/dev/wd0d on /var type ffs (local, noatime, nodev, nosuid, softdep)
[puffy:/var/log]
$ df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/wd0a     59.0M   27.3M   28.8M    49%    /
/dev/wd0e      245M    163M   69.6M    70%    /usr
/dev/wd0d     98.3M    6.6M   86.8M     7%    /var

Any questions?

Rod/

From the land down under: Australia.
Do we look umop apisdn from up over?



Re: Problems with routing

2007-02-14 Thread RW
On Thu, 15 Feb 2007 01:08:28 +, Jamie Penman-Smithson wrote:

On 15/02/07, Stuart Henderson [EMAIL PROTECTED] wrote:
  I'm attempting to setup openbsd 4.0 as a router, the system has two
  interfaces, rl0 and rl1. It looks something like this (apologies if
  this looks really odd):
 
  router [x.x.58.129] --- router2: rl0 [x.x.58.130]
 router2: rl1 [x.x.58.140] ---

 Not so much odd as lacking information. Post ifconfig output instead.
 Presumably the OpenBSD box is 'router2', though you don't actually say.

Yes, router2 is the OpenBSD box.

That ain't gonna work.

Your configuration of the two nics on router2 is wrong.

My guess is that you have a routed subnet supplied by your ISP and that
you have taken the first usable one (xx.xx.58.129) and used it on the
LAN i/f of your (ADSL?) modem.

Router 2 now gets .130 on its rl0 and that's fine but you have applied
.140 to rl1 and both interfaces are in the same network:
xx.xx.58.128/28. You cannot do that and expect routing to work in r2.

2 ways (maybe more possible but I don't have all day 8-) ) to get
around it.

1 alias ALL of your IPs except .129 onto rl0 and then use RFC1918
addrs on rl1 and its attached hosts. You can then rdr or binat them to
the correct addresses on rl0.

2 You can use a pair of RFC1918 IPs on the modem and rl0, static route
the /28 to rl0, configure rl1 to use .129 and hang all (up to 13) hosts
on a LAN there.

Case 2 requires tricky NATting and pf rules but I have done it several
times and it just works but your original post makes me think you'd
need a few more clues first. 
So go with #1 for an easier life.

Any replies/questions on list please. Offlist replies /dev/null
Rod/

From the land down under: Australia.
Do we look umop apisdn from up over?
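
The mistake Rod diagnoses is that rl0 and rl1 both sit inside the one
/28, so the kernel has no way to route between them. Here is an added
example (not from the thread) that checks two interface addresses for
exactly that overlap and counts the LAN hosts left under option 2. The
addresses are constructed from the 192.0.2.0/24 documentation range
because the post masks the real prefix, and the 10.0.0.0/30 link between
modem and rl0 is an assumed RFC1918 choice.

```python
"""Check two interface addresses for a shared subnet (added example).

Addresses are constructed: 192.0.2.128/28 stands in for the masked
xx.xx.58.128/28 in the post, and 10.0.0.0/30 is an assumed RFC1918
point-to-point link for option 2.
"""
import ipaddress


def same_subnet(addr_a, addr_b):
    """True when two CIDR-notated interface addresses share a network.

    Two interfaces on one router in the same network is the configuration
    that cannot route; this is the check to run before blaming pf.
    """
    a = ipaddress.ip_interface(addr_a)
    b = ipaddress.ip_interface(addr_b)
    return a.network == b.network


def lan_hosts(network, *reserved):
    """Usable hosts in `network` after removing the router's own addresses."""
    net = ipaddress.ip_network(network)
    taken = {ipaddress.ip_address(r) for r in reserved}
    return [str(h) for h in net.hosts() if h not in taken]


# As originally posted: both rl0 and rl1 inside the same /28.
RL0 = "192.0.2.130/28"
RL1 = "192.0.2.140/28"

# Option 2: RFC1918 on the modem<->rl0 link, the /28 routed to rl0,
# rl1 takes .129 and the LAN hangs off it.
RL0_OPT2 = "10.0.0.2/30"
RL1_OPT2 = "192.0.2.129/28"


def check_layout(rl0, rl1):
    """Return a short verdict for a two-interface router layout."""
    if same_subnet(rl0, rl1):
        return "broken: both interfaces in " + str(ipaddress.ip_interface(rl0).network)
    return "ok: distinct networks"


if __name__ == "__main__":
    print(check_layout(RL0, RL1))
    print(check_layout(RL0_OPT2, RL1_OPT2))
    print(len(lan_hosts("192.0.2.128/28", "192.0.2.129")), "hosts available on the LAN")
```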



Re: remove sendmail/install postfix

2007-02-07 Thread RW
On Wed, 7 Feb 2007 11:49:07 +0100, Toni Mueller wrote:

Hi,

On Sat, 03.02.2007 at 21:26:36 +0100, Andreas Maus [EMAIL PROTECTED] wrote:
 But the mailwrapper provides a more generic way for
 OpenBSD to use mail without dealing much with
 the mail system used. (sendmail,postfix,exim,qmail, ...)

this is probably correct (or that's what it was created for), but I
have yet to overcome my inertia against implementing this, for marginal
benefit.

Hell, that's funny. I installed the postfix package and used the
recommended (and supplied) script to make postfix the default mailer.
There is one to switch back.

Apart from that there was only (IIRC) one manual thing to do: change
the queue-runner or something like that. So easy I forget: no pain = no
brain (storing horror tales).

Trivial for me and I thought that I had a very large inertia to mass
ratio as I only weigh in at 66.x kg. 8-))

Anyway jakob@ has (for me) done a fine job of making it painless.

R/

From the land down under: Australia.
Do we look umop apisdn from up over?



Re: Nearly 1/4 of New Filesystem Gone

2007-02-01 Thread RW
On 01 Feb 2007 12:26:09 +0100, Artur Grabowski wrote:

[EMAIL PROTECTED] writes:

 I just moved a 200GB hard drive from a 3.7 box to a 4.0 box, and since
 my data was all backed up, I decided to run disklabel, create a fresh
 partition that spanned the whole disk, and then run newfs on that
 partition. I expect to not have all 200GB, between the whole issue of
 poorly labeled disk sizes and the 5% reserved by default. What I don't
 expect, however, is to see ** 22% ** of my disk already in use:
 
 -bash-3.1$ df -h
 Filesystem     Size    Used   Avail Capacity  Mounted on
 /dev/wd0a      7.3G   78.9M    6.9G     1%    /
 /dev/wd0d     22.0G    512M   20.4G     2%    /usr
 /dev/wd0e      7.2G    6.7M    6.8G     0%    /var
 /dev/wd1a      183G   38.0G    136G    22%    /mnt
 
 Can anyone explain this? Have I done something wrong here? More
 importantly, is there a simple way to remedy this and get my 38GB back?

$ bc
2000/(1024*1024*1024)
186

Talk to the marketing department of your disk manufacturer.

Uh, I think he wasn't worried about the 183G but was worried about the
38G that left him with only 136G. At least that is his question. 

$ bc
136*1024*1024*1024
14602064
and that's quite a bit short of where you started.

From the land down under: Australia.
Do we look umop apisdn from up over?



Re: spamd openbsd 4.0 query

2007-01-30 Thread RW
On Sun, 28 Jan 2007 19:19:09 +, John wrote:

The only other thing I'm trying to find out now is whether whitelist.txt
can use domains rather than dotted quads

No. It doesn't do DNS as it is a fast lightweight single purpose
MTA-like daemon.
Besides which: Are you expecting to trust the domain in the HELO
transaction? Or maybe you trust the envelope sender?

Both are easily and commonly forged.

R/

From the land down under: Australia.
Do we look umop apisdn from up over?