Re: Keeping track of MAC addresses

2019-03-04 Thread SJP Lists
On Thu, 21 Feb 2019 at 07:15,  wrote:
>
> > did you take a look at net/arpwatch?
>
> Too many emails; email to root is not a useful mechanism for me.

arpwatch could be configured to send emails to an address other than root.

At the time I was using it, the --help showed a command line option for
specifying alternative email addresses, but it did not work then.

It's been many years since I used it, so this may have changed, but I had
to adjust #define's for WATCHER and WATCHEE, to hard code alternative
email addresses into the binary.

Combined with an email to SMS text message gateway service, this gave my
manager and me almost instant notification when staff with physical access
added hosts to certain networks they were not permitted to.


Shane
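
The same new-host detection the post describes (a baseline of known
stations, an alert when something unknown appears), as an added example in
Python rather than arpwatch's own code: it parses arp(8) output, diffs it
against a baseline of approved IP/MAC bindings, and returns one alert line
per new or changed station, the text you would hand to mail(1) or an
email-to-SMS gateway. The arp -an output and the baseline are constructed,
and the live path assumes the OpenBSD column layout of `arp -an`.

```python
"""
Small arpwatch-style checker: diff the current ARP table against a baseline
of approved IP/MAC bindings and report anything new or changed.  Added
example, not arpwatch's code; the sample output and baseline below are
constructed (RFC 5737 / IANA documentation prefixes).
"""
import re
import subprocess
from typing import Dict, List

# Constructed sample of `arp -an` output on OpenBSD.
SAMPLE_ARP_OUTPUT = """\
Host                                 Ethernet Address   Netif Expire     Flags
192.0.2.1                            00:00:5e:00:53:01  em0   permanent  l
192.0.2.10                           00:00:5e:00:53:0a  em0   19m45s
192.0.2.11                           00:00:5e:00:53:0b  em0   3m12s
192.0.2.50                           (incomplete)       em0   expired
192.0.2.99                           00:00:5e:00:53:63  em0   18m02s
"""

# Approved bindings, IP -> MAC (constructed; maintained by hand here).
BASELINE = {
    "192.0.2.1": "00:00:5e:00:53:01",
    "192.0.2.10": "00:00:5e:00:53:0a",
    "192.0.2.11": "00:00:5e:00:53:aa",  # a different card answers for .11 today
}

ENTRY_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+"
    r"(?P<ifname>\S+)",
    re.IGNORECASE,
)


def parse_arp(text: str) -> Dict[str, Dict[str, str]]:
    """Return {ip: {"mac": ..., "ifname": ...}} from `arp -an` output.
    The header line and '(incomplete)' entries carry no MAC and are skipped."""
    table: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            table[m["ip"]] = {"mac": m["mac"].lower(), "ifname": m["ifname"]}
    return table


def find_changes(current: Dict[str, Dict[str, str]],
                 baseline: Dict[str, str]) -> List[str]:
    """Compare the parsed table with the baseline and return one alert line
    per finding: an IP never seen before ("new station", arpwatch's term) or
    an IP now answered by a different MAC ("changed ethernet address")."""
    alerts = []
    # Sort numerically by octet so reports are stable and readable.
    for ip in sorted(current, key=lambda a: tuple(int(o) for o in a.split("."))):
        mac, ifname = current[ip]["mac"], current[ip]["ifname"]
        if ip not in baseline:
            alerts.append(f"new station: {ip} {mac} on {ifname}")
        elif baseline[ip].lower() != mac:
            alerts.append(f"changed ethernet address: {ip} was "
                          f"{baseline[ip]}, now {mac} on {ifname}")
    return alerts


def live_arp_output() -> str:
    """Run arp(8) on the local host (assumes the BSD column layout above)."""
    return subprocess.run(["arp", "-an"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Swap SAMPLE_ARP_OUTPUT for live_arp_output() to check a real host;
    # the joined report is what would go to mail(1) or an SMS gateway.
    print("\n".join(find_changes(parse_arp(SAMPLE_ARP_OUTPUT), BASELINE)))
```

Run from cron with the baseline updated after each approved change; an
empty report means nothing to send, which avoids the flood of mail the
original poster complained about.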


Re: Upgrading to current prep

2018-03-12 Thread SJP Lists
> On Sat, Mar 10, 2018 at 11:42:55PM -0500, Rupert Gallagher wrote:
>
> > only as originally intended for unix systems. Further, variable
> > content partitions such as /var and /home should be large enough to
> > allow for ssd wear levelling, or you will toss away expensive ssds
> > like autumn leaves. Finally, all games should be moved from the

I keep hearing about longevity issues with flash based storage. It seems
this paranoia just won't die.

I'm coming up to 13 years of installing OpenBSD onto flash based storage
and I've not had a failure yet.  Only ever used softdep and noatime.
Installed into Sun Ultra's with IDE-CD adaptors, Soekris 5501 and 6501,
ALIX 2's and 3's and now also running off thumb drives in these sweet
little EdgeRouter LITE's.  Always stuck to SanDisk and Lexar.

https://marc.info/?l=openbsd-misc&m=113148165022620&w=2

I had one 2.5" Corsair SSD fail outside of OpenBSD usage, but it was a
sudden death and well within the infant mortality stage of the bathtub
curve.

And on a note related to SSD longevity, I've run Samsung SSD's in my
Sony PS4 and PS4 Pro since both were released and they both constantly
write video capture data to "disk" while on and this is a feature I
cannot switch off.  They're both still working fine too.  My PS4 would
have hammered that SSD for hours most days for about 4 years.


Shane



Re: Kernel memory leaking on Intel CPUs?

2018-01-05 Thread SJP Lists
On Saturday, 6 January 2018, Eric Furman  wrote:

> I always love threads like this. :)
> Doesn't it tell anybody anything that none of the developers have
> commented?
>
>
Theo talked about how scary some bugs in some Intel CPU’s were, a decade
ago...

https://marc.info/?l=openbsd-misc&m=118296441702631&w=2

So I will be most interested to see the OpenBSD take on this after the
embargo period is over.


Re: Kernel memory leaking on Intel CPUs?

2018-01-04 Thread SJP Lists
On Friday, 5 January 2018, Rupert Gallagher  wrote:

> The Intel flop hits the US .mil as well,  because they depend on COTS
> Xeons.
>
> I pity the Russians. I wonder if they pay through the nose for Oracle's
> power hungry hardware, or make it cheaper and power efficient of their own.
>
> On Thu, Jan 4, 2018 at 18:28, Jordan Geoghegan
> wrote:
>
> > The Russians heavily use SPARC for aerospace/military applications as
> > well as their in house domestic-use-only Elbrus machines, for what I
> > imagine to be reasons precisely like this.


SPARC architecture is open to others to develop their own CPU designs.  The
Russians are not forced to buy SPARC from Oracle.


Re: OpenBSD 5.3 released May 1, 2013

2013-05-07 Thread SJP Lists
On 1 May 2013 23:42, Stuart Henderson st...@cvs.openbsd.org wrote:

 
 May 1, 2013.

 We are pleased to announce the official release of OpenBSD 5.3.
 This is our 33rd release on CD-ROM (and 34th via FTP).  We remain
 proud of OpenBSD's record of more than ten years with only two remote
 holes in the default install.

 As in our previous releases, 5.3 provides significant improvements,
 including new features, in nearly all areas of the system:



Another awesome release!  You guys rock!

Especially love the Full Disk Encryption!



Re: OpenBSD forked

2012-06-18 Thread SJP Lists
On 18 June 2012 15:46, Raymond Lillard rlill...@sonic.net wrote:
 On 06/17/2012 12:31 PM, Peter J. Philipp wrote:

 Having followed OpenBSD for quite some time I noticed that good developers
 come and go.  They come in, make something great happen, and disappear
 again.
 Also there have been forks and I also noticed that no fork gets a light
 judgment.  Rightfully so.  And then I always appreciated the permanent

 element in OpenBSD that guides our attention to areas we as users and
 sideliners don't always see immediately.  I'll keep buying CD's when
 available and I do donations here and there when I feel like it, and I
 don't regret it.


 ditto.

 I almost always remain silent in political matters,
 (relating to OpenBSD that is).

 I will list some reasons why I am not going anywhere
 soon for a free OS.  I have been using, donating
 hardware and purchasing CDs since 3.0.


 Reason 1:  Legacy Architectures
 I have many legacy  machines in service because they
 can be acquired for next to free (sometimes just free).

 These legacy machines are very good at exposing subtle
 bugs not found by compiling and running on Intel/AMD
 hardware.

 Since these legacy architectures are strange in the
 i386/AMD64 context, exploiters are unlikely to bother
 with them.  None of my Internet facing machines are on
 popular architectures.

 I have seen attackers come and leave as soon as they
 figure out what they are up against.  The combination
 of OpenBSD and uncommon architectures is a very tough
 nut to crack.


 Reason 2:  Security
 This is an unknown.  All FOSS claims to be free, fast
 and secure.  Even Microsoft claims to be secure. Maybe
 the new team will be as fanatical as Theo, likely not
 if their FAQ is to be believed.  Their reputation for
 security will be revealed with the passage of time.


 Reason 3:  Crypto
 I don't know where the new project is located, but
 they seem to have a server in Southfield, MI USA and
 another in Denmark. I hope none of the developers is
 subject to US export laws regarding cryptography and
 that the code is maintained on servers also not subject
 to those laws.

 Just look at the recent MegaUpLoad case.  That case
 is reportedly about a bunch of ripped off movies.
 I have googled a bit and have not found a physical
 location for the project or its code.


 Reason 4:  Stability
 The new project FAQ states they intend to be less
 restrictive with the codebase when it comes to
 experimenting with features.  Maybe in the long run
 some of the new features may be introduced into OBSD,
 but in the near term I expect much instability given
 the broad range of deeply embedded things they intend
 to change.


 Reason 1 is a big problem for me and my crusty old war
 horses.  Reasons 2  3 may be unfounded, the secrecy
 here (there are no developer names listed on the project
 web site) is not very confidence building.   As to
 reason 4, I am only mildly interested in fast.  I want
 correct and stable execution above all else.  For this
 reason I expect to continue with OBSD for a long time.

 I do have considerable sympathy for clearing GNU out
 of the code base though.

 Now going back into lurker mode.
 Regards,
 Ray

The secretive nature is concerning.  But I hope that this situation
can somehow turn out to be beneficial to both projects in the long
term.

As long as my favourite and most relied upon OS continues to evolve, I
will be happy.  And I will certainly continue to buy from and donate
to the OpenBSD project where possible.


Shane



Re: OpenBSD on EC2/Amazon

2012-05-03 Thread SJP Lists
On 26 April 2012 17:56, Otto Moerbeek o...@drijf.net wrote:

 In an ideal world, availability of source code should not matter.

 Most interesting exploits are probably guest1 -> hypervisor (and then
 -> guest2).

 I refuse to believe that the glued on hardware support for
 virtualization on modern i386/amd64 processors has a real value wrt
 security. This kind of thing can only be done right if it's done from
 the start when designing the processor architecture.

Yes that's what I'm nervous about.  Guest->Guest and
Guest->Hypervisor(->Guest).  Especially after Tavis Ormandy's paper
from a while back...

http://taviso.decsystem.org/virtsec.pdf


And now, we have things like Vasto and vulnerabilities that have
enabled the download of VM's to steal the cloud.


Shane



Re: I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it

2011-11-08 Thread SJP Lists
On 8 November 2011 23:25, Mostaf Faridi mostafafar...@gmail.com wrote:
 Thanks
 My problem is this: I do not have enough time to start from scratch and
 make new rules

Your philosophy is not compatible with OpenBSD.  Grabbing a random
incompatible ruleset from the Internet and then trying to fix it is
going to take more time than learning how to deal with this from
scratch.




So find the time for:

http://www.openbsd.org/faq/pf/nat.html


and especially:

http://www.openbsd.org/faq/pf/nat.html#binat


and this for reference:

http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&manpath=OpenBSD+5.0


Or otherwise the answer to your questions is, no.



Re: Would you accept a free guest article or blog post for openbsd-wiki.org?

2011-06-09 Thread SJP Lists
On 10 June 2011 07:45, Ingo Schwarze schwa...@usta.de wrote:
 Stuart Henderson wrote on Thu, Jun 09, 2011 at 09:21:38PM +:

 Seriously, if whoever maintains openbsd-wiki.org is reading,
 do us all a favour and take it offline unless you have time to look
 after it...

 Even if you have the time to maintain it,
 take it offline all the same.
 Your time is better spent helping nick@ to improve the FAQ
 and helping jmc@ to improve the manuals,
 because there you don't start from scratch
 and users actually find your documentation.
 And it is checked by developers for relevance and accuracy
 and kept up to date.

 To re-iterate what i said here:

 http://www.openbsd.org/papers/bsdcan11-mandoc-openbsd.html (page 2)

 Make documentation easily accessible:
  Have it at as few places as possible,
   and as much as possible at one single place.
  In OpenBSD, almost all documentation is manuals,
   and the little that doesn't fit there is all in the FAQ.

 Well, there's a bit more, but not much.
 Like /usr/local/share/doc/pkg-readmes/.

 We most definitely do *not* want documentation scattered around
 half the web, ending up with most of it utterly outdated and
 unmaintained.

At least phallus pills are available there.



Re: vmmap: bad software everywhere

2011-06-04 Thread SJP Lists
On 4 June 2011 08:48, Amit Kulkarni amitk...@gmail.com wrote:
 How comes nobody in other OSes noticed ? Well, people probably did, and
 tweaked their allocators to work, by using preferably the low address
 space, and having addresses that increase slowly, so that a lot of
 pointers are below 4GB, and a lot of pointer diffs are under 4GB.

 Or you could just be engaging in an ad hominem attack without actually
 looking at their implementations and assuming they're not doing it
 right because they're not you or your favorite platform. But hey, we
 don't know anyone who'd do *that* in the OpenBSD community. Right?

 This is baiting.

 There might have been instances of attacks in the past, I don't know.
 But in this particular case, Marc is absolutely right. OpenBSD is late
 to the bigmem party but when they get there, they try and raise issues
 which benefit everybody.

Tortoise / Hare.

Could it be that all the hares are partying just before the finish
line which none of them yet bothered to cross and none of them have
noticed that the careful tortoise has cautiously made his way past
their drunken fluffy arses and is crossing the line to take the win?

: - )



Re: full disk encryption google chrome on OpenBSD!

2011-03-19 Thread SJP Lists
On Sunday, 20 March 2011, Kevin Chadwick ma1l1i...@yahoo.co.uk wrote:
 On Sat, 19 Mar 2011 08:29:13 -0700
 Ben Calvert wrote:

 On Mar 19, 2011, at 7:49 AM, Kevin Chadwick wrote:

  On Fri, 18 Mar 2011 16:58:59 +
  Kevin Chadwick wrote:
 
  I do get a fair increase in cpu usage for a disk at full speed disk with
  vnd but it's acceptable. Have people already done cpu usage and
  transfer speed comparisons to save me further tests.
 
  Well I was about to run a comparison test on vmware and I'm well
  confused unless it's a strange vmware bug or maybe the dynamic size disk
  mechanism. I might have to pull out a box.

 Why do people do this?

 when you're running more than one OS at a time, there's no way to control
 what's running on the other system(s) and interfering with the process you're
 testing. or what vmware subsystem is thrashing around and creating overhead.


 Surely that would affect both partitions inconsistently. Of course I see
 the point but if you get a good idea of it quickly especially if there's
 a big difference and have lots to do and bear it in mind and can control
 your host (ignoring vmware) then it should be fine. I'm still confused
 why it isn't but I could probably just use one partition to reinforce
 the results at marco's link. I am definitely far more worried about
 vmware bugs than my host systems doings when testing, though it's
 usually just configs and so doesn't matter unless something crashes.
 One of the relayd socket engines started crashing recently but it's
 stopped now and obviously I'd test that on a real system if it reoccurs.

 p.s. Thanks marco

Bear in mind that as great as the benefits to virtualization can be,
or appear to be, it introduces some quirky edge cases that make it
especially bad for benchmarking.

I've seen benchmarks performed in VMware which return results that are
far far faster than when the benchmark/app/OS is running on the bare
metal.

And others where the realworld performance is bad, but the benchmark
numbers are good, due to timing lies.

If something interesting came out of a benchmark under VMware, I'd be
wondering if it was significant or just a virtualization quirk.  But
worse still, performance issues can also be masked and thus missed.

Unknowns that invalidate benchmarking period for me.


Shane



Re: Specs for a firewall.

2011-03-01 Thread SJP Lists
On 1 March 2011 14:11, Nick Holland n...@holland-consulting.net wrote:

 DO NOT jump on the
 Alix/Soekris/Other-wacko-low-power-low-performing-specialty hardware
 train until you know what you are doing.  It is good to see that people
 aren't automatically recommending Soekris for everything (the answer is
 Soekris.  What's your question?) so much anymore... unfortunately, now
 it's Alix.  Stick to standard computers until you are really comfortable
 with OpenBSD (or ANY OS you are planning on using).

I agree that it is best to avoid the Soekris and ALIX for a newcomer,
due to the serial console and PXE boot requirements.  But although
they are low power and low performance, the current models are more
than a match for typical ADSL2+ requirements.

With my link at about 12Mbit/S worth of web traffic and altq keeping
my VoIP calls nice and clean, my Soekris 5501 with OpenBSD 4.6 hovers
around 85% idle.

Yes, I need to pull my finger out and upgrade.



Re: Specs for a firewall.

2011-03-01 Thread SJP Lists
Okay, someone asked me for this a while back and I promised them I'd
get back to them once I'd updated to 4.8.  Still haven't updated, so
apologies for that.

This may well be an abomination to the pf Gods, but it works for me.

On 2 March 2011 00:37, Michael Grigoni michael.grig...@cybertheque.org
wrote:
 On 1 Mar 2011 at 21:19, SJP Lists wrote:

 With my link at about 12Mbit/S worth of web traffic and altq keeping
 my VoIP calls nice and clean, my Soekris 5501 with OpenBSD 4.6 hovers
 around 85% idle.

 Would you please describe what you do for inbound traffic shaping /
 rate limiting; do you route through a loopback interface and do outbound

Like you mention below with the lack of end-to-end QoS, since I don't
control the upstream router I also don't do anything for inbound
traffic shaping, since by the time a packet is received at my
firewall's end of the last mile, it is too late to control the
bandwidth that was now already used.  It's history by the time my
firewall knows about it.  I realise I can shape it on the way out of
an internal interface and thereby slow down the follow-up packets in
the flow, assuming a well behaved non-malicious remote host, but I
don't bother.  That is something I'd like to play with if I can ever
find the time.

 shaping?  VoIP is such a compromise for voice quality when there is
 no national end-to-end QoS on IP traffic -- and to think that Obama's
 FCC is/was seriously proposing VoIP as a mandate? Gads! It never
 ceases to amaze me what people will settle for in voice link quality --
 cell phones' convenience seems to have destroyed expectations of
 uninterrupted and clear voice channels and VoIP may work most of
 the time but just wait until you are in an important conversation with
 a client and suddenly you sound like a Klingon, or the echo sounds
 like the traffic was routed to the moon and back or dropouts and
 resulting predictive reconstruction makes you sound like a Munchkin --
 or worse, the data is lost (all this still happens on cell phones too)
 I find myself warning the other party at the start of every conversation
 that I am on a VoIP link.

Day to day, I forget that I'm a VoIP user until a balance reminder
email comes through telling me that I still have 9 months or so of
credit to go.  Audio quality for me with G.729(a?) is as good as or
better than a land line and it is consistent, regardless of how busy
my link is.

And my yearly phone bill is half of just my old telco's line rental
for the year!  Before even considering the call costs that came on top
of that.  That VoIP cost includes local, mobile and interstate calls
(little to no international, although that's cheap too).

 -- what were they thinking

 Anyway, whatever altq approaches that have worked for you would
 be great to know...

 Michael

The most important thing I found, was to measure your upstream
bandwidth to have a starting point to work down from to see at what
point altq starts to work.  The point here is to avoid saturation.  I
find that point and then move down a bit more to build in some margin
for link performance fluctuation.  You are trading a little off your
maximum speed to gain a lot of control.  I was performing multiple
simultaneous FTP uploads and downloads while testing VoIP calls.

I employ Empty ACK prioritisation as Daniel details at:
http://www.benzedrine.cx/ackpri.html  which seems to give the feel of
doubling my link performance as far as interactivity goes.

For the portion of my upstream bandwidth I dedicate to realtime
applications such as VoIP and fast paced gaming, I do not allow other
queues to borrow from.  So I'm giving up even more speed from regular
traffic to reserve to the realtime apps.

Might seem like overkill, but I'm happy with my general usage download
speed of 11-12Mbit/S and would not want to add a little to that to
have a crappy phone service.

My queues can be found at:  http://www.flashbsd.net/altq

BTW, having ADSL2+ Annex M with about 2.3Mbit/S upstream helps.  And
my ISP (Internode) is super reliable too.  In more than 3 years I've
only noticed 2 or 3 outages and each time they only lasted minutes.

Cheers,


Shane



Re: ALIX/current as an Access Point

2011-02-27 Thread SJP Lists
On 28 February 2011 10:12, m brandenberg mcb...@panix.com wrote:
 On Sun, 27 Feb 2011, Jan Stary wrote:

 I have been using www.pcengines.ch/alix2c1.htm
 as my home router for years. It is running current/i386.

 Have you been running from Compact Flash?  I am interested in
 hearing about your experiences getting maximum life from the
 CF cards.  I've started playing with one of these and they're
 looking good.  (I knocked mine to the floor twice while
 compiling GENERIC and it didn't even notice.)

 --
 Monty Brandenberg

I've been running OpenBSD from CF coming on 6 years at my home and
client sites, with Sun's, PC's and little Soekris and ALIX machines.

http://www.mail-archive.com/misc@openbsd.org/msg11452.html

Not a single failure yet.

The limited writes issue is a non-issue, since write wear leveling
algorithms serve to evenly distribute writes over the entire media.
With typical endurance of 100,000 erase/writes per flash block, that's
400TB to kill a 4GB card.

On a card that can write at 30MB/s, you would have to write to it in
its entirety, non-stop for 154 days before you killed it.  Without
even stopping to read from it.

And some parts support 1,000,000 write cycle endurance, so that
ridiculous constant flat-chat worst case scenario becomes over 4 years
to part death.  If you throw in 50/50 read/write duty cycle then now
it's 8 years.  In reality, what small device would have a really busy
CF?

Just use them, enjoy and don't worry.

I use softdep and noatime mount options, to reduce writes just because
I can, but they're not needed.


Shane



Re: ALIX/current as an Access Point

2011-02-27 Thread SJP Lists
On 28 February 2011 10:12, m brandenberg mcb...@panix.com wrote:
 On Sun, 27 Feb 2011, Jan Stary wrote:

 I have been using www.pcengines.ch/alix2c1.htm
 as my home router for years. It is runnig current/i386.

 Have you been running from Compact Flash?  I am interested in
 hearing about your experiences getting maximum life from the
 CF cards.  I've started playing with one of these and they're
 looking good.  (I knocked mine to the floor twice while
 compiling GENERIC and it didn't even notice.)

 --
 Monty Brandenberg

SanDisk Write Leveling White Paper showing use cases closer to real World...

http://www.sandisk.com/Assets/File/OEM/WhitePapersAndBrochures/RS-MMC/WPaperWearLevelv1.0.pdf


Shane



Re: Security List

2011-02-08 Thread SJP Lists
On 9 February 2011 12:37, woolsherpahat woolsherpa...@gmail.com wrote:
 On 6 February 2011 05:23, Alessandro Baggi alessandro.ba...@gmail.com 
 wrote:
 Hi List, I registered to the security list
 security-annou...@openbsd.org on 9 January 2011, but no email has arrived
 in my account. Can anyone with a security list subscription tell me whether
 there have been any mails from 09/01/2001 to today?

 I use a script which scrapes http://www.openbsd.org/errata48.html
 daily and emails me the changes as they occur.


 Shane

 That sounds pretty cool... any chance you would be willing to share?

Okay, I'm probably not doing this the best way, so as embarrassing as
this is, it might hopefully get improved by someone...

#!/bin/sh
#
# OpenBSD_errata48.sh
#
# Check for any changes to the OpenBSD 4.8 Errata list and email
# an alert if so.

# Use lynx to just output to stdout the text of the OpenBSD Errata
# page, without a URL list.  Output the status to an error file so
# that sending bogus emails due to the server being unavailable does
# not occur.
#
# Then filter out everything but the errata detail lines and output
# to a temporary file that will only be used if the web server status
# is 200 OK.

lynx -dump -nolist -error_file=/home/scripts/OBSD_errata48_err.txt \
 http://www.openbsd.org/errata48.html | egrep '^ \* ?|   ? ' \
  > /home/scripts/OpenBSD_errata48_current.txt

# Check the error status file to make sure the page was successfully
# retrieved.  Only on success, move the latest successful grab so that
# it becomes the previous successful grab (doing this before the fetch
# would lose the last good copy whenever the server is unreachable),
# then proceed with the comparison between the current and previous
# errata, to determine whether an email should be sent.

if egrep "200 OK" /home/scripts/OBSD_errata48_err.txt
then
    mv /home/scripts/OpenBSD_errata48_latest.txt \
       /home/scripts/OpenBSD_errata48_previous.txt
    mv /home/scripts/OpenBSD_errata48_current.txt \
       /home/scripts/OpenBSD_errata48_latest.txt
    if ! diff /home/scripts/OpenBSD_errata48_latest.txt \
      /home/scripts/OpenBSD_errata48_previous.txt > /dev/null
    then
        # Lines diff prefixes with "<" exist only in the latest grab,
        # i.e. they are the newly added errata.  Reflow them one
        # erratum per paragraph and mail the result.
        diff /home/scripts/OpenBSD_errata48_latest.txt \
         /home/scripts/OpenBSD_errata48_previous.txt \
         | egrep '^<' | sed 's/< //g' \
         | tr -d '\n' | perl -pe 's/\* /\n\n/g' \
         | sed 's/  */ /g' \
         | mail -s "OpenBSD 4.8 Errata!" y...@yourdomain.net
    fi
else
    rm /home/scripts/OpenBSD_errata48_current.txt
fi

rm /home/scripts/OBSD_errata48_err.txt



Re: Security List

2011-02-07 Thread SJP Lists
On 6 February 2011 05:23, Alessandro Baggi alessandro.ba...@gmail.com wrote:
 Hi List, I registered to the security list
 security-annou...@openbsd.org on 9 January 2011, but no email has arrived
 in my account. Can anyone with a security list subscription tell me whether
 there have been any mails from 09/01/2001 to today?

I use a script which scrapes http://www.openbsd.org/errata48.html
daily and emails me the changes as they occur.


Shane



Re: Please help me decide: OpenWrt vs. OpenBSD

2011-01-20 Thread SJP Lists
On Friday, 21 January 2011, Aaron Glenn aaron.gl...@gmail.com wrote:
 On Thu, Jan 20, 2011 at 9:07 PM, Stuart Henderson s...@spacehopper.org 
 wrote:
 On 2011-01-19, S Mathias smathias1...@yahoo.com wrote:
 I have a RouterBoard 450G [680 Mhz cpu, 256 MB ram, 512 MB flash]. I just
 can't decide what to put on it:

 OpenWrt or
 OpenBSD

 RB450G? OpenBSD, please. Send the diffs you use to tech@.

 it took a full 8 replies to get to the correct response?
 now I understand why enlightened people find misc@ complete noise with
 negligible signal.

Wasn't everyone else assuming the OP was going to port?



Re: Please help me decide: OpenWrt vs. OpenBSD

2011-01-19 Thread SJP Lists
On Thursday, 20 January 2011, S Mathias smathias1...@yahoo.com wrote:

 Purpose: Just a home router.

 Question:

 What is more secure/reliable in this case?
 OpenWrt or OpenBSD?
 Anyone got any opinions? What should i choose?

I've been using OpenBSD since 2.5, '99.

In that time, the only time I've seen it crash was due to hardware
failures or spectacular stuff ups on my part.

When you use OpenBSD for long enough and really come to appreciate it,
you won't look back.


Shane



Re: spamd in a cloud setup?

2010-12-29 Thread SJP Lists
On 29 December 2010 22:35, Gregory Edigarov g...@bestnet.kharkov.ua wrote:
 On Wed, 29 Dec 2010 16:22:33 +0530
 Girish Venkatachalam girishvenkatacha...@gmail.com wrote:

 Dear folks,

 OpenBSD's spamd is a network level spam filter and consequently we
 need the MX records to point to spamd
 before it hits our mail server thereby achieving bandwidth protection
 as well as spam protection.

 This is really fantastic.

 Now the issue is this.

 Since MX records do not understand TCP port numbers, we cannot have
 different MX records point to different
  SMTP servers on the same IP address.

 The reason this is a problem is that assume that I have to run
 spamd(8) against 100 domains. Do I need to have
 100 different IP addresses in my cloud?

 I hope the question makes sense. Sorry for sounding confusing.

 don't see the problem,
 setup your mx records for all your zones to something like:
IN  MX 10   mail
 mailIN  A 192.168.0.1

 then make spamd  listen on the address, and you're done.

 --
 With best regards,
Gregory Edigarov

This raises the PTR problem.

Only one of those domains is going to have records that match forward
and reverse?  If not, some anti-SPAM gateways will drop.


Shane



Re: spamd in a cloud setup?

2010-12-29 Thread SJP Lists
On 29 December 2010 22:47, SJP Lists sjp.li...@flashbsd.net wrote:
 On 29 December 2010 22:35, Gregory Edigarov g...@bestnet.kharkov.ua
wrote:
 On Wed, 29 Dec 2010 16:22:33 +0530
 Girish Venkatachalam girishvenkatacha...@gmail.com wrote:

 Dear folks,

 OpenBSD's spamd is a network level spam filter and consequently we
 need the MX records to point to spamd
 before it hits our mail server thereby achieving bandwidth protection
 as well as spam protection.

 This is really fantastic.

 Now the issue is this.

 Since MX records do not understand TCP port numbers, we cannot have
 different MX records point to different
  SMTP servers on the same IP address.

 The reason this is a problem is that assume that I have to run
 spamd(8) against 100 domains. Do I need to have
 100 different IP addresses in my cloud?

 I hope the question makes sense. Sorry for sounding confusing.

 don't see the problem,
 setup your mx records for all your zones to something like:
IN  MX 10   mail
 mailIN  A 192.168.0.1

 then make spamd  listen on the address, and you're done.

 --
 With best regards,
Gregory Edigarov

 This raises the PTR problem.

 Only one of those domains is going to have records that match forward
 and reverse?  If not, some anti-SPAM gateways will drop.

Sorry, what I meant to say is: if so, some anti-SPAM gateways will
drop connections that don't match forward and reverse.



Re: spamd in a cloud setup?

2010-12-29 Thread SJP Lists
On Wednesday, 29 December 2010, Paul de Weerd we...@weirdnet.nl wrote:
 On Wed, Dec 29, 2010 at 10:47:11PM +1100, SJP Lists wrote:
 | This raises the PTR problem.
 |
 | Only one of those domains is going to have records that match forward
 | and reverse?  If not, some anti-SPAM gateways will drop.

 How so ?

 a.example.com.  IN  MX  10  mx.example.com.
 b.example.com.  IN  MX  10  mx.example.com.
 c.example.com.  IN  MX  10  mx.example.com.
 d.example.com.  IN  MX  10  mx.example.com.
 mx.example.com. IN  A   192.0.2.1
 mx.example.com. IN  2001:db8::1
 1.2.0.192.in-addr.arpa. IN  PTR mx.example.com.
 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. IN  PTR mx.example.com.

 Why does your MX have to live in the same zone as what it's MX'ing
 for ?

 Paul 'WEiRD' de Weerd

 --
[++-]+++.+++[---].+++[+
 +++-].++[-]+.--.[-]
  http://www.weirdnet.nl/


Ah yes, true.  Spoke too soon!  Apologies!
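
The check that the earlier "PTR problem" reply worried about and that this
exchange resolves, forward-confirmed reverse DNS (FCrDNS), as an added
example in Python that is not part of the thread: a connecting address
passes when its PTR name resolves back to the same address, and which
domain's MX pointed at the host plays no part. The record table is
constructed, modelled on the zone quoted above but with the MX host placed
in a different zone to make that point; `lookup` stands in for a real
resolver.

```python
"""
Forward-confirmed reverse DNS (FCrDNS), the check many anti-spam gateways
apply to a connecting SMTP client.  Added example; the records are a
constructed table (RFC 5737 / RFC 3849 documentation addresses), and
lookup() stands in for a resolver.
"""
import ipaddress
from typing import Dict, List, Tuple


def reverse_name(ip: str) -> str:
    """Owner name of the PTR record for ip, e.g. 1.2.0.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


# Constructed zone data: (owner, type) -> list of rdata strings.
RECORDS: Dict[Tuple[str, str], List[str]] = {
    # Several domains share one MX host that lives in another zone entirely.
    ("a.example.com.", "MX"): ["10 mx.example.net."],
    ("b.example.com.", "MX"): ["10 mx.example.net."],
    ("mx.example.net.", "A"): ["192.0.2.1"],
    ("mx.example.net.", "AAAA"): ["2001:db8::1"],
    (reverse_name("192.0.2.1"), "PTR"): ["mx.example.net."],
    (reverse_name("2001:db8::1"), "PTR"): ["mx.example.net."],
    # A host whose PTR names something that does not point back: fails.
    (reverse_name("192.0.2.3"), "PTR"): ["relay.example.org."],
    ("relay.example.org.", "A"): ["192.0.2.4"],
}


def lookup(name: str, rtype: str) -> List[str]:
    """Stand-in resolver over the constructed table (empty list = NXDOMAIN/NODATA)."""
    return RECORDS.get((name, rtype), [])


def fcrdns(ip: str) -> Tuple[bool, str]:
    """Return (passes, reason).  Passes when at least one PTR name for ip has
    an A (or AAAA, for IPv6) record equal to ip.  No PTR, or a PTR target that
    does not resolve back, fails: that is the connection a strict gateway drops."""
    addr = ipaddress.ip_address(ip)
    ptr_names = lookup(reverse_name(ip), "PTR")
    if not ptr_names:
        return False, f"{ip}: no PTR record"
    rtype = "A" if addr.version == 4 else "AAAA"
    for name in ptr_names:
        forward = [ipaddress.ip_address(a) for a in lookup(name, rtype)]
        if addr in forward:
            return True, f"{ip} -> {name} -> {ip}"
    return False, f"{ip}: PTR {ptr_names} does not resolve back to {ip}"


def mx_hosts(domain: str) -> List[str]:
    """Hostnames from a domain's MX records (rdata is 'preference host')."""
    return [rr.split()[1] for rr in lookup(domain, "MX")]


def check_domain_mx(domain: str) -> Dict[str, Tuple[bool, str]]:
    """Run fcrdns over every address of every MX host of domain.  The MX host
    need not be in the domain's own zone; only its PTR and A/AAAA must agree."""
    results: Dict[str, Tuple[bool, str]] = {}
    for host in mx_hosts(domain):
        for rtype in ("A", "AAAA"):
            for address in lookup(host, rtype):
                results[address] = fcrdns(address)
    return results


if __name__ == "__main__":
    for domain in ("a.example.com.", "b.example.com."):
        for address, (ok, why) in check_domain_mx(domain).items():
            print(domain, address, "PASS" if ok else "FAIL", why)
    print(*fcrdns("192.0.2.3"))
```

Against live DNS the same logic applies with a resolver library in place of
`lookup`; the host fronted by spamd just needs its own PTR and A/AAAA records
to agree, however many domains list it as their MX.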



Re: 4.6 box periodic 100% cpu on vmware

2010-12-28 Thread SJP Lists
On 28 December 2010 03:33, Matthew Sullenberger su...@sadburger.com wrote:
 I will be updating to the latest version very soon to see if that resolves the
 problem. I wasn't aware of the VMT package that provides some of the tools and
 things, so that is good!

 I wouldn't normally utilize a virtual firewall, but this is not an edge
 firewall, and it is sitting in between two internal network segments that
 consist (primarily) of virtual machines on the same VMWare Infrastructure. All
 traffic inbound/outbound from external networks is still going through a
 physical firewall before it hits anything else!


Are there untrusted users on either of those internal networks?  Or
hosts in that network with services exposed to other untrusted users
elsewhere?

Is the VMware management interface exposed to any network or host that
is exposed to untrusted users?


If so, watch this for just one example to be wary of...

http://www.youtube.com/watch?v=60MDvnturZg


After acknowledging this vulnerability VMware took five months to patch it.


I realise the VMware management interface should not be exposed to
untrusted users, but given that it usually is (internal staff), this
remotely exploitable vulnerability is not exactly low impact.  I have
to wonder what they consider to be high impact and how quickly they
will patch then.


Oh and...

http://www.youtube.com/watch?v=rVXp9etCqMo


All eggs, one flimsy basket.


Shane



Re: OT - secondary DNS recommendations

2010-12-09 Thread SJP Lists
On 9 December 2010 13:26, Daniel Melameth dan...@melameth.com wrote:
 On Wed, Dec 8, 2010 at 9:49 AM, Scott McEachern sc...@blackstaff.ca wrote:
 Given the (general) support of WikiLeaks here, I was wondering if anyone
 could recommend a free alternative to replace EveryDNS.net?

 I know how to use Google to find free alternatives, I'm looking for
 *recommendations* for a simple two-domain home network.

 I don't care much for the propaganda on this list as of late, but,
 regardless, I've been happily using http://freedns.afraid.org for home
 use for several years.

Would this be propaganda too?

http://www.google.com.au/images?hl=en&q=Iraqi+child



Re: Donations

2010-12-09 Thread SJP Lists
On 10 December 2010 03:42, Mehma Sarja mehmasa...@gmail.com wrote:
 On 12/9/10 4:54 AM, Chandrakant Kumar wrote:

 On Thursday 09 December 2010 05:39 PM, Hugo Osvaldo Barrera wrote:

 On 05/12/10 23:04, Adam M. Dutko wrote:

 I hope that one day due process is denied you.

 I am wondering what type of due process should be granted to these
 individuals.  What basis/jurisdiction of law are we talking about?
 Natural human rights? US law? International Law?  I'm just wondering
 because I think it's critical to the whole discussion.  Julian Assange
 isn't a US citizen so the US Government probably feels justified doing
 whatever they want even if it is unethical, yet many think he should be
 protected by some of the US justice code/process.  Is due process
 universal?


 If I kill a cow, should I be deported to India, and processed there for
 that crime?  (Note that in most parts of India, it IS a crime).
 Oh, I live in Argentina, the largest exporter of cow-meat.  Maybe we
 should all be deported there.

 --
 Hugo Osvaldo Barrera


 We are waiting for you here in India ;)

 That's why Americans call cowburgers hamburgers, for fear of repercussions
 from the holy land. But seriously, re-incarnation takes care of all that.
 Meaning, if you kill a cow in this life, you come back as a cow and someone
 can kill you. It's the Indian version of an eye for an eye.

Sarah Palin's coming back as a dung beetle then.



Re: Donations

2010-12-06 Thread SJP Lists
On 7 December 2010 02:42, Joe Barnett joe.barn...@mr72.com wrote:
 On 12/5/10 5:11 PM, Jamie Paul Griffin wrote:

 if nothing else think about the charges they put on every transaction: you
 sell something on ebay, they charge you; you process their payment through
 paypal (ebay) they charge you again. they're clearly ripping us all off
 - fact! and to top it all off the charges have become extortionate.


 Perhaps everything should just be (lowercase) free?  No charge ever
 for anything.  Heck, if that is how it worked, then this entire

I think the main point was the double charging.  eBay owns PayPal.


 selective outrage.  Speaking of that outrage, I think it would be
 great if he put his money where his mouth is and not accept US
 dollars in support of OpenBSD... but I am not holding my breath).

From what has been said in the past, most donation money comes from
end user pockets and not big business or governments.  So the project
should snub US citizen donations because their government is corrupt?
All peoples under an unethical government should be treated as if
their government's secretive actions are all their fault?  I'd view
many US citizens as victims of that same government and given their
liberties deprived since 9/11, those who might get most benefit from
OpenBSD ought to be able to give back.

Theo did however protest US aggression, even while $2M of US fund
money was feeding the project.  Thankfully most of that cruise
missile's worth got used before it could be taken back.


Shane



Re: Donations

2010-12-05 Thread SJP Lists
On 5 December 2010 17:05, Theo de Raadt dera...@cvs.openbsd.org wrote:
 On Dec 4, 2010, at 7:25 PM, Theo de Raadt wrote:
  If you don't know why I am sending this mail.. you are reading US
  managed news, and need to be much much more informed

 It's in the US news.  Even the mainstream news on TV.  At least in Silicon
 Valley. ;-)

 No, it isn't in the US news.

 The US news is all about the messenger, to distract you from reading
 the message.

 If you think it is in the US news, you have a long way to go.

 guardian.co.uk/world is the best place to read the *message*.

I would love to witness the theory that people can bring about change
by voting with their dollars, but nowadays there never seems to be
enough willing to prove that a big enough dent can be made to bring
about positive change.  I fear that convenience matters more to a lot
of people than say a political adviser publicly calling for the
assassination of a messenger who is just communicating the wrong
doings of the most powerful against the weakest.


Still, I want to continue to hope and where possible at least try to
be the change I want to see in the World, as that saying goes.

So,

1. login to eBay
2. Click the Profile tab
3. Click close account
4. Prove I am me
5. etc (wait for my last bloody transaction to complete before they
allow me to leave!)
6. Hopefully get presented with a Why? form so I can tell them to
burn in hell for selling out to the World's biggest and most dangerous
terrorist group.


My last donation recently to OpenBSD and the biggest since I started
using OpenBSD with 2.5 in 1999/2000, was via PayPal.  And I used
PayPal for lots of other things for years.  My next donation will be
via other means.

Cheers,


Shane J Pearson

---

When bad men combine, the good must associate; else they will fall one
by one, an unpitied sacrifice in a contemptible struggle.



Re: Donations

2010-12-05 Thread SJP Lists
On 5 December 2010 22:20, SJP Lists sjp.li...@flashbsd.net wrote:
 On 5 December 2010 17:05, Theo de Raadt dera...@cvs.openbsd.org wrote:
 On Dec 4, 2010, at 7:25 PM, Theo de Raadt wrote:
  If you don't know why I am sending this mail.. you are reading US
  managed news, and need to be much much more informed

 It's in the US news.  Even the mainstream news on TV.  At least in
 Silicon Valley. ;-)

 No, it isn't in the US news.

 The US news is all about the messenger, to distract you from reading
 the message.

 If you think it is in the US news, you have a long way to go.

 guardian.co.uk/world is the best place to read the *message*.

 I would love to witness the theory that people can bring about change
 by voting with their dollars, but nowadays there never seems to be
 enough willing to prove that a big enough dent can be made to bring
 about positive change.  I fear that convenience matters more to a lot
 of people than say a political adviser publicly calling for the
 assassination of a messenger who is just communicating the wrong
 doings of the most powerful against the weakest.


 Still, I want to continue to hope and where possible at least try to
 be the change I want to see in the World, as that saying goes.

 So,

 1. login to eBay
 2. Click the Profile tab
 3. Click close account
 4. Prove I am me
 5. etc (wait for my last bloody transaction to complete before they
 allow me to leave!)
 6. Hopefully get presented with a Why? form so I can tell them to
 burn in hell for selling out to the World's biggest and most dangerous
 terrorist group.


 My last donation recently to OpenBSD and the biggest since I started
 using OpenBSD with 2.5 in 1999/2000, was via PayPal.  And I used
 PayPal for lots of other things for years.  My next donation will be
 via other means.

 Cheers,


 Shane J Pearson

 ---

 When bad men combine, the good must associate; else they will fall one
 by one, an unpitied sacrifice in a contemptible struggle.

Oh and since PayPal are owned by eBay, here's a list of eBay
acquisitions, which might need to receive a message of some sort:

http://en.wikipedia.org/wiki/List_of_acquisitions_by_eBay



Re: OT: Disadvantages of using virtual firewalls like OpenBSd

2010-11-24 Thread SJP Lists
On 24 November 2010 01:12, Brad Tilley b...@16systems.com wrote:
 carlopmart wrote:

  Advantages are very clear for me: provisioning, administration tasks,
 etc ... But I want to know the disadvantages. What is your opinion from the
 point of view of security?

 I use virtualization for many things (mainly for the productivity
 advantages that you list), but it has always bothered me because
 virtualization is pretending.

 In Java, for example, the VM pretends about a lot of things that are not
 true in the physical world. This makes it easy and convenient for
 programmers. The problem is that they come to believe that the pretend
 things are real and then make assumptions (when dealing with physical
 machines) that are incorrect.

Yes, the virtualization of the programmable interval timer is one
example where pretending makes for some crazy situations.  Only a few
nights ago, I patched a Debian ESXi 4.1 VM and when it rebooted it
would not boot, stating that the PIT was not functioning.

Time keeping is weird in x86 virtualization.  I've seen Windows ESX
VM's with time that not only stops and then suddenly jumps forwards,
but even goes back!

Seen the madness of a virtualized NTP server?  VMware have a
Timekeeping whitepaper that is sugar coated to say the least.

All anyone need do is watch the advisories for VMware to soon realise
that the choice is a trade off, where the drawbacks (security and
weirdness) are as big as the benefits.

And again, I say look at the Google research that found all
implementations vulnerable.  If security matters less than the cost of
dedicated hardware, then use it.


Shane



Re: OT: Disadvantages of using virtual firewalls like OpenBSd

2010-11-24 Thread SJP Lists
On 24 November 2010 07:28, Brad Tilley b...@16systems.com wrote:
 Nick Holland wrote:

 what's changed?
 Layering? Nope.
 Crappy programming?  Nope.
 Better hardware?  not really.
 Features-before-security?  Nope.

 Good points. The goals of virtualization are, easy management, power
 savings, quick provisioning and deployment, redundancy, etc. When you
 talk about security and virtualization at the guest level, the
 prevailing attitude is, "If it gets hacked, we'll just restore it from a
 known good snapshot... problem solved."

 I don't hear much talk at all about the host machine and security (the
 real server that hosts all the pretend servers is just assumed to be
 OK). There just seems to be a lot of trust in the vendors.

I'm waiting for the worm that specifically attacks ESX, or the like
and takes out entire infrastructures that have been built on that
trust.


Shane



Re: OT: Disadvantages of using virtual firewalls like OpenBSd

2010-11-24 Thread SJP Lists
On 24 November 2010 19:34, SJP Lists sjp.li...@flashbsd.net wrote:
 On 24 November 2010 01:12, Brad Tilley b...@16systems.com wrote:
 carlopmart wrote:

  Advantages are very clear for me: provisioning, administration tasks,
 etc ... But I want to know the disadvantages. What is your opinion from the
 point of view of security?

 I use virtualization for many things (mainly for the productivity
 advantages that you list), but it has always bothered me because
 virtualization is pretending.

 In Java, for example, the VM pretends about a lot of things that are not
 true in the physical world. This makes it easy and convenient for
 programmers. The problem is that they come to believe that the pretend
 things are real and then make assumptions (when dealing with physical
 machines) that are incorrect.

 Yes, the virtualization of the programmable interval timer is one
 example where pretending makes for some crazy situations.  Only a few
 nights ago, I patched a Debian ESXi 4.1 VM and when it rebooted it
 would not boot, stating that the PIT was not functioning.

 Time keeping is weird in x86 virtualization.  I've seen Windows ESX
 VM's with time that not only stops and then suddenly jumps forwards,
 but even goes back!

 Seen the madness of a virtualized NTP server?  VMware have a
 Timekeeping whitepaper that is sugar coated to say the least.

 All anyone need do is watch the advisories for VMware to soon realise
 that the choice is a trade off, where the drawbacks (security and
 weirdness) are as big as the benefits.

 And again, I say look at the Google research that found all
 implementations vulnerable.  If security matters less than the cost of
 dedicated hardware, then use it.

Oh and another thing, a colleague of mine and I noticed on
separate occasions with different VM's and OS' under what probably
would have been ESX 3.5 at the time, that a scheduled task would not
run if the console was not open / did not have focus!

I also noticed that while time appeared to completely stand still in a
Windows VM under ESX, it could be made to tick again by generating
lots of interrupts.  Vigorous mouse movement barely made a difference,
however performing a file system search got the clock counting faster
than realtime.

I now wonder if this is due to dropped interrupts or lost ticks as
VMware refer to in [1], a document which describes the time keeping
weirdness that needs to be dealt with to get around the fact that the
x86 architecture was not designed from the ground up for this type of
virtualization.

So what other weird complexities do they need to employ to get around
other quirks?

Sorry, but as far as I am concerned, virtualization presents a new and
complex attack surface that no guest OS could control.  So if you're
using OpenBSD for a security focused role, I'd forget x86
virtualization.


Shane

[1] http://www.vmware.com/files/pdf/Timekeeping-In-VirtualMachines.pdf
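Added example (not from this thread, VMware or the document in [1]): a small C checker for the clock symptoms described above, comparing the guest's wall clock (CLOCK_REALTIME) against the monotonic clock step by step so that stalls, forward jumps and backward steps show up as distinct anomalies. The trace, the 50 ms slack threshold and all names are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stddef.h>
#include <time.h>

/* One observation of both clocks, in nanoseconds. */
struct sample {
    long long real_ns;   /* CLOCK_REALTIME: the guest's wall clock */
    long long mono_ns;   /* CLOCK_MONOTONIC: must never run backwards */
};

/* What the wall clock did between two samples. */
enum anomaly { CLOCK_OK = 0, CLOCK_BACKWARD = 1, CLOCK_STALLED = 2, CLOCK_JUMPED = 4 };

/* Allowed disagreement between the two clocks per step (constructed value). */
#define SLACK_NS 50000000LL   /* 50 ms */

/* Compare the wall-clock advance with the monotonic advance over one step.
 * Both clocks should move by roughly the same amount; anything else is the
 * stop / leap forward / go backwards behaviour seen in the VMs above. */
int classify_step(const struct sample *a, const struct sample *b, long long slack_ns)
{
    long long dreal = b->real_ns - a->real_ns;
    long long dmono = b->mono_ns - a->mono_ns;

    if (dreal < 0)
        return CLOCK_BACKWARD;          /* wall clock went back in time */
    if (dreal > dmono + slack_ns)
        return CLOCK_JUMPED;            /* wall clock leapt ahead */
    if (dreal < dmono - slack_ns)
        return CLOCK_STALLED;           /* wall clock stopped or fell behind */
    return CLOCK_OK;
}

/* Walk a series of samples, counting each anomaly type into counts[]
 * (0 = backward, 1 = stalled, 2 = jumped). Returns the number of bad steps. */
size_t scan_samples(const struct sample *s, size_t n, long long slack_ns, size_t counts[3])
{
    size_t i, bad = 0;
    counts[0] = counts[1] = counts[2] = 0;
    for (i = 1; i < n; i++) {
        int a = classify_step(&s[i - 1], &s[i], slack_ns);
        if (a == CLOCK_BACKWARD) counts[0]++;
        else if (a == CLOCK_STALLED) counts[1]++;
        else if (a == CLOCK_JUMPED) counts[2]++;
        if (a != CLOCK_OK) bad++;
    }
    return bad;
}

/* Take n live readings interval_ms apart (n capped at 64) and return the
 * number of bad steps; on a healthy system this should be 0. */
size_t live_probe(size_t n, long interval_ms, long long slack_ns)
{
    struct sample s[64];
    struct timespec rt, mt;
    struct timespec pause = { interval_ms / 1000, (interval_ms % 1000) * 1000000L };
    size_t i, counts[3];

    if (n > 64) n = 64;
    for (i = 0; i < n; i++) {
        clock_gettime(CLOCK_REALTIME, &rt);
        clock_gettime(CLOCK_MONOTONIC, &mt);
        s[i].real_ns = (long long)rt.tv_sec * 1000000000LL + rt.tv_nsec;
        s[i].mono_ns = (long long)mt.tv_sec * 1000000000LL + mt.tv_nsec;
        nanosleep(&pause, NULL);
    }
    return scan_samples(s, n, slack_ns, counts);
}

/* Constructed trace mimicking the symptoms: the wall clock stops for a
 * second, leaps four seconds ahead, then steps one second backwards. */
const struct sample constructed_trace[] = {
    { 0LL,          0LL          },
    { 1000000000LL, 1000000000LL },  /* normal second */
    { 1000000000LL, 2000000000LL },  /* stalled: wall clock did not move */
    { 5000000000LL, 3000000000LL },  /* jumped: +4 s for 1 s of real time */
    { 4000000000LL, 4000000000LL },  /* backward: -1 s */
    { 5000000000LL, 5000000000LL },  /* normal second */
};
const size_t constructed_trace_len = sizeof constructed_trace / sizeof constructed_trace[0];

int main(void)
{
    size_t counts[3];
    size_t bad = scan_samples(constructed_trace, constructed_trace_len, SLACK_NS, counts);
    printf("constructed trace: %zu bad steps (backward=%zu stalled=%zu jumped=%zu)\n",
           bad, counts[0], counts[1], counts[2]);
    printf("live probe (10 x 100 ms): %zu bad steps\n", live_probe(10, 100, SLACK_NS));
    return 0;
}
```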



Re: Building a Practical Penetration Test Lab

2010-11-13 Thread SJP Lists
On 13 November 2010 01:50, Chet Langin clan...@siu.edu wrote:
 -Original Message-
 snip
I have run OpenBSD in production on both VMWare server and ESXi.  It was
 the only machine facing the Internet that the auditors had no findings on.

--

Edward Ahlsen-Girard
Ft Walton Beach, FL



 Which is good, but, then, it appears to me that  VMWare and ESXi become
 comparatively weak links in the setup.

True.  Based on the research performed by Tavis Ormandy at Google [1],
the weakest virtual machine can become an entry point to then be used
to subvert the host server or other adjacent virtual machines.

So it seems to me that security in a virtualized environment is
limited to the combination of the security of the least secure exposed
VM and the security of the host.

Exploit a vulnerable VM and then its vulnerable host and you now own
all the VM's served by that host, including the OpenBSD ones.

If OpenBSD is not in control of ring zero, you lose.

Alas, sometimes we have no choice.


1. http://taviso.decsystem.org/virtsec.pdf


Shane



Re: Architeture Choose

2010-11-09 Thread SJP Lists
On 9 November 2010 04:44, Christopher Dukes pak...@pr.neotoma.org wrote:
 On Fri, 2010-11-05 at 14:30 -0400, Joe McDonagh wrote:
 If your Sun fails -- that's a big IF. It's approaching a possibility
 of 0 in my experience.

 If performance isn't an issue and stability is your chief goal, none of
 this hardware is as stable as a Sun.

 Not quite my experience.
 In 2001 I worked at a place with a lot of used Sun hardware courtesy of
 Fujitsu layoffs (Sparc 20s, Ultra 5s).
 Entirely too many fried ethernet ports on the sparc 20s.
 And it took too many iterations to find a sparc 20 that wouldn't crash
 and burn while building OpenBSD from source.
 A fidgety developer kicking an ultra 5 from a | orientation to a _
 orientation would reliably destroy the power supply and harddrives.
 On the bright side, I could repair the ultra 5s with power supply and
 drives scavenged from eMachines with ALI motherboards with the wonderful
 DMA that shoved garbage into memory for every OS we tried on them.

 I thought the Micro Channel based RS/6Ks (Before the horrid SMP ones
 designed by Group Bull) were a bit more bullet proof, with the only dead
 hardware I'd experience being.
 1) Rats pissing on the system boards, because the customer refused to
 keep the covers on their systems in manufacturing.
 2) A ladybird beetle invasion.
 The RT PC was pretty reliable too.  I had one manufactured in 1987 that
 was still trundling along in 2006 when I gave it away.

Maybe I got lucky, but all my Sun gear works nicely.  10x U10's/U5's,
a Blade 150, 2x Ultra 60's, 1x Ultra 80 and a Sun Fire V250.

This includes a U10 with an exploded yellow diode and the Sun Fire
V250 having been dropped (presumably in transit) causing the LOM card
to rip off the plastic from one end of its mate connector in the
motherboard.  Not knowing that, attempting to power it up caused smoke
and a really bad feeling.  I had to do some MacGyver'ing to fix that,
but it's working fine.


Shane



Re: 4.8 arrival!

2010-10-28 Thread SJP Lists
On 27 October 2010 10:14, Rod Whitworth glis...@witworx.com wrote:
 On Tue, 26 Oct 2010 17:36:00 -0500, Neal Hogan wrote:

Chicago . . . THANKS!


 And all the way through customs to Sydney Australia.
 WOW!

Me too.  And more nice shirts and a 2.5 CD for old times' sake and to
get my hands on my favorite stickers!


Shane



Re: Nobreak

2010-10-03 Thread SJP Lists
On 2 October 2010 02:16, Henning Brauer lists-open...@bsws.de wrote:
 * Gregory Edigarov g...@bestnet.kharkov.ua [2010-09-30 16:13]:
 nut is in ports, though I would recommend to build it by hand.

 sigh. cut the crap. the package is fine. and handbuilding is stupid,
 pretty much without exceptions.

 --
 Henning Brauer, h...@bsws.de, henn...@openbsd.org
 BS Web Services, http://bsws.de
 Full-Service ISP - Secure Hosting, Mail and DNS Services
 Dedicated Servers, Rootservers, Application Hosting

I don't know about nut, but I have come across one package where I'd
prefer to build as a port.  arpwatch, destination email address is
hard coded in.  Unless I missed something obvious.


Shane



Re: undeadly article

2010-08-19 Thread SJP Lists
On 18 August 2010 23:57, Jacob Meuser jake...@sdf.lonestar.org wrote:
 On Wed, Aug 18, 2010 at 04:28:57PM +0300, Mihai Popescu B.S. wrote:
 Hello,

 My post was not intended as a direct hit for the article. I told my
 opinion to misc@ because undeadly asks for subscription, no more
 anonymous coward post. Am I wrong ?

 I target airport behaviour with my comment. I use the airport for 6
 flights until now, no problem at all with security teams. I was quick
 and polite in answers and the time with them was short. Most of them
 have the nose to see what they are dealing with.

 bullshit.  sorry, but that is not true.

 I regularly get picked on by authority, but it's always just been
 a pointless hassle.  I'll never forget the time a cop stopped me
 in my own neighborhood, in the rain, for walking against a signal,
 when his car was the only moving vehicle within a half mile.  the
 best part was when he dropped his papers in a puddle.

Flying from Melbourne to Sydney, at the Qantas baggage scanner I was
very sternly challenged as to what exactly an item was on my keyring
(a rubber Corsair Flash Voyager GT 16GB thumbdrive).  Before I could
answer, she said "is this an MP3 player!?", as if it was a crime.
"No, it's a thumb drive storage device", "oh okay then".

Seriously.  I'd hate it to have been one of the new Corsair Padlock2
drives, complete with number pads and blinken lights that blinken with
key presses without the need for power from a computer.  I'm sure it
would have been taken for a wireless detonation device.

Then when I carry on lots of explosives (spare Li-ion laptop batteries
on account that we can't courier them any more with laptops between
offices!), nobody blinks an eye!  Even though I now know that I had
too many of them.


Shane



Re: dmesg of Dell Optiplex 780 + problem with xlock(1)

2010-08-12 Thread SJP Lists
On 12 August 2010 21:15, Tomas Bodzar tomas.bod...@gmail.com wrote:
 Hi all,

 below is the dmesg of OpenBSD running on a corporate desktop. Everything is
 running fine including web camera or USB headphones. There is just one
 small issue. I can't use xlock(1) for locking the screen. After I use
 xlock(1) it's not able to wake up anymore. I will investigate later.

 OpenBSD 5.8 (GENERIC.MP) #356: Mon Aug  9 00:28:02 MDT 2010

Wow OpenBSD 5.8.  Man that REALLY must have been one hell of a bender
I had last Friday night.



Re: OpenBSD Training

2010-08-02 Thread SJP Lists
On 29 July 2010 01:39, Robert info...@die-optimisten.net wrote:
 On Wed, 28 Jul 2010 15:59:33 +0100
 Michal mic...@sharescope.co.uk wrote:
 Apart from ESXi is free but the management isn't...you need vSphere to
 manage the thing. This seems like a very expensive way to learn an

 Just a note:
 You don't need vSphere for this setup; only if you have to manage a
 couple of vmware servers (= real hardware) you would need it.
 In the free version you have to manage each vmware host (not virtual
 machine) manually through a web interface, which unfortunately only
 runs under Windows...
 So, yes, you can run this without any VMware licence cost.

You can still use the vSphere Client and point it to the ESXi server,
instead of a vSphere server.

In fact, from the free ESXi web interface you can download the vSphere
client to use in that fashion.


Shane



Re: OT (kinda): someone else killed a ssd while running openbsd on it?

2010-07-26 Thread SJP Lists
On 23 July 2010 06:28, roberth rob...@openbsd.pap.st wrote:
 Lo,

 anyone ever killed a SSD while running OpenBSD ontop of it?


Been running OpenBSD systems from compact flash for more than 6 years.
 Sandisk and Lexar.  I have not managed to kill one yet.

Just using softdeps and noatime as a precaution, although I'm told
they're not necessary.


Shane



Re: [Fvwm][Bug?] Keyboard layout changes when fvwm restart

2010-07-19 Thread SJP Lists
On 19 July 2010 18:07, Bruce Khereid bruce.kher...@gmail.com wrote:

 QWERTY layout. But after I restarted the fvwm (by typing restart in
 FvwmTalk), things changed, it began to interpret the configurations in
 Dvorak layout, that is, Ctrl-F and Ctrl-D in Dvorak layout, which are Ctrl-Y
 and Ctrl-H in QWERTY, started to turn the page.

 Is that a bug of Fvwm? Has anybody encountered this problem before?

Oh that's just Theo...


HE'S IN UR ROUTR


REMAPPIN UR KEEZ



Re: traffic management

2010-06-02 Thread SJP Lists
2010/6/2 irix i...@ukr.net:
 Hello Misc,

  But at least you can say why?

no kidding.  As we've told irix before, it will not happen.

 --
 Best regards,
  irix  mailto:i...@ukr.net

Because it makes my VoIP phones at home and a friend's workplace go
from hit-and-miss to... "ohh yeah, that's right, we're using VoIP now!
I forgot!", every time I receive a bill from my PSTN Telco with $0
for phone calls (for the past years).  ie, pf/altq works so well for
me that VoIP becomes so well behaved that I forget I'm even using it,
even when uploads and downloads are going like the clappers.

Once I go ADSL2+ Naked, then I hopefully won't be getting bills from
that crusty money grubbing old Telco ever again, so I might almost
completely forget how much pf/altq rocks (until obvious troll is
obvious comes back of course).

So, like others have said, it seems pretty far from broken to me.

Maybe you have mis-configured it.


Shane



Re: traffic management

2010-06-02 Thread SJP Lists
2010/6/3 irix i...@ukr.net:
 Hello Misc,

  Ideally this control altq the similarity in the tc tool in Linux.

 --
 Best regards,
  irix  mailto:i...@ukr.net

Nobody here is stopping you from using Linux.



Re: Help contacting Richard Stallman

2010-05-27 Thread SJP Lists
 On 26 May 2010 23:13, Brad Tilley b...@16systems.com wrote:
 Julian Acosta wrote:

 Really we need to contact with Richard Stallman, just for give us his
 opinion and answer us some questions about free software,
 How can I contact him?
 What's his real email?

 Just talk a lot about open source and the Linux operating system. He'll
 show up.

Yes, one of his minions will stumble across this thread while they are
performing Google searches for him and deliver these most important
advocacy results to him with freshly hand peeled and pitted grapes.



Re: cd arrived in Italy, and in Sweden too

2010-05-11 Thread SJP Lists
On 11 May 2010 00:37, Benny Lvfgren bl-li...@lofgren.biz wrote:
 matteo filippetto wrote:

 Hi all,

 today cd arrived in Italy

 ...and mine came today as well, together with two mugs and two t-shirts
 that my girlfriend immediately banned from use in public amongst non-nerds. :-)

 Thanks, folks.

No stranger ever went out of their way to say something about any of
my generic printed t-shirts or even any of my old Linux t-shirts (back
when I was still finding myself :).

But OpenBSD t-shirts?  Strangers go out of their way to comment on my
OpenBSD t-shirts over the years.  I remember once a baker leaned over
the counter after I'd bought a pie, raised his finger to his lips and
went "sshh".  I thought, WTF? Then he points to my OpenSSH t-shirt!
Ahhh.

But even better, even a hot young Asian chick commented about my
cool Puffy t-shirt.  Let me set the scene here, hot young Asian
chicks don't go out of their way to talk to me.

THANK YOU OpenBSD!!!

I reckon your girlfriend knows this and that's why she does not
want you wearing them.


Shane



Re: Is this a case of paranoia?

2010-04-24 Thread SJP Lists
Hey Danny,

This list strips attachments, but I would like to see that screenshot.

Can you send it to me?

Cheers,


Shane


On 24 April 2010 23:20, Danny dannydeb...@gmail.com wrote:
 Hi guys,

 Here is a screenshot of what the IT guys at my work thinks of OpenBSD. Before
 I took this screenshot I could access www.openbsd.org for about an hour. After
 that I started getting the message you see on the included pic.

 Is this a bad case of paranoia? :-)

 Thank You

 Danny

 [demime 1.01d removed an attachment of type image/x-ms-bmp]



Re: Is this a case of paranoia?

2010-04-24 Thread SJP Lists
Crap, sorry all!



On 24 April 2010 22:12, SJP Lists sjp.li...@flashbsd.net wrote:
 Hey Danny,

 This list strips attachments, but I would like to see that screenshot.

 Can you send it to me?

 Cheers,


 Shane



Re: Is this a case of paranoia?

2010-04-24 Thread SJP Lists
On 25 April 2010 00:14, Danny dannydeb...@gmail.com wrote:
 My apologies then. It is just a screenshot of our IT guys classifying OpenBSD
 as a Hacking website.

 Attachments are not passed along on misc@

Okay, if it makes them feel better, maybe you'd like to inform them
that Cisco [1], Sun [2] and even Microsoft [3] (among others [4])
trust the people behind the OpenBSD project.

1. 
http://www.cisco.com/en/US/tech/tk583/tk617/technologies_q_and_a_item09186a0080267e0f.shtml

2. http://hub.opensolaris.org/bin/view/Community+Group+security/SSH

3. http://technet.microsoft.com/en-us/library/bb463209.aspx

4. http://www.openssh.org/users.html
   http://www.openbsd.org/users.html


Shane



Re: OpenBSD culture?

2010-04-14 Thread SJP Lists
On 14 April 2010 19:11, Zachary Uram net...@gmail.com wrote:
 As a long time Linux user I will soon try out OpenBSD, I have been
 reading the list emails and contacted 1 OpenBSD top person who was
 very rude. There is some of the RTFM or get lost attitude in
 Linux, but if a questioner seems sincere there is usually a certain
 level of friendliness in Linux community towards them. Just what I
 have briefly observed the OpenBSD community is more abrupt and less
 interested in helping newbies, they prefer one find the answer solely
 on their own if possible. I must say I detect a certain attitude that
 smacks of superiority and even condescension at times. Is this a fair
 assessment of the OpenBSD culture?

 Zach

The developers don't make OpenBSD for you, but they are good enough to
give away the fruits of those efforts for free.

You think people work hard on the code and documentation and then
should not be annoyed when someone does not have the decency to do the
minimum amount of work required to help themselves?  Especially given
the fine documentation?

Why shouldn't you be expected to put in some effort to get something
out of OpenBSD?  If you're not willing to RTFM, then it probably would
be best to get lost.


Shane



Re: Still going strong

2010-03-25 Thread SJP Lists
On 25 March 2010 02:33, m brandenberg mcb...@panix.com wrote:
 On Wed, 24 Mar 2010, Theo de Raadt wrote:

 These things make me smile.

 OpenBSD 4.7 (GENERIC) #300: Fri Mar 19 08:58:21 MDT 2010
   dera...@vax.openbsd.org:/usr/src/sys/arch/vax/compile/GENERIC
 VAXstation 4000/90 [13000202 04010002]

 They were built slow but they were built well.
 (Almost makes me want to dig mine out)

Yeah?  Have you seen an Alpha clean up a liquid spill?

Vax's can do dry and wet!



Re: $100 to configure ALTQ on a 4.6 router

2010-02-23 Thread SJP Lists
On 23 February 2010 12:59, Ted Walther t...@reactor-core.org wrote:
 I have a simple setup; a soekris box running 4.6 doing NAT for my local
 network.

 I'd like a configuration to give skype traffic top priority, then my DNS
 server, then ssh sessions, then http and SSL, then everything else, and
 bittorrent.  I have so little upload bandwidth I don't want to waste
 any; only 80k up on a good day, and the web server is hosting stuff
 almost constantly.

 If this is up your alley, and you know this stuff inside out, please
 contact me and I'll fill in a couple more details of my internal network
 and provide the current NAT configuration in use (which has some stuff
 in it to work with the special DNS setup)

You'll have to ask yourself, do you want a secure network, or do you
want to use Skype?

Also, Skype can be awkward to prioritize against HTTP and HTTPS, since
it very often uses ports 80 and 443.

http://www.m86security.com/kb/article.aspx?id=12084


I suppose you could configure a local proxy to only be used by Skype
and then prioritize port 443 from that proxy to the Internet.

But, really, yuck.



Re: Jacek Books

2010-02-16 Thread SJP Lists
On 16 February 2010 06:33,  open...@e-solutions.re wrote:

 If you want i can send you my Paypal receipts to prove it. I never received
 the books.
 It is a swindle ! nothing else ...

I have been waiting too.  But I have heard people speak of Jacek being
ill a few times over the years, to the point that his publications get
delayed.  Leading me to think that he has something more serious than
a cold.

I'm concerned about his health first and foremost.  I'm looking
forward to the book but I don't want it hurried if the cost is his
health.


Shane



Re: Jacek Books

2010-02-16 Thread SJP Lists
On 16 February 2010 19:34, Otto Moerbeek o...@drijf.net wrote:
 On Tue, Feb 16, 2010 at 07:06:32PM +1100, SJP Lists wrote:

 On 16 February 2010 06:33,  open...@e-solutions.re wrote:

  If you want i can send you my Paypal receipts to prove it. I never
  received the books.
  It is a swindle ! nothing else ...

 I have been waiting too.  But I have heard people speak of Jacek being
 ill a few times over the years, to the point that his publications get
 delayed.  Leading me to think that he has something more serious than
 a cold.

 I'm concerned about his health first and foremost.  I'm looking
 forward to the book but I don't want it hurried if the cost is his
 health.

 I agree that it is not good to pay and not receive anything.  So you
 dispute the deal via the proper channels to get your stuff or your
 money back.

 Breaking copyright law to get your goods is not the right way.

I agree.  But for the record, I personally never suggested or
supported the idea that copyright infringement is a solution to this
problem.

In fact, I have worked in landmark copyright cases for one of the
World's most successful IP lawyers (and continue to do so).  Including
tendering evidence to court as a witness and being cross examined.

So for many reasons, I wouldn't dare.


Shane



Re: Is OpenBSD + PF accredited or certified in any way ?

2010-02-04 Thread SJP Lists
On 2 February 2010 10:06, Keith ke...@scott-land.net wrote:
 I've used OpenBSD & PF for a number of years without issue and am now in the
 position that I want to create a dmz between the Internet and my
 organisation's WAN. Our security people are asking if the firewall that we
 use is accredited by ITSEC and I am pretty sure it isn't but it turns out
 that our security people will be happy if the firewall is accredited for use
 by another government !

For the interest factor (and since I can't find the email it's just
hearsay), I sent an email to the OpenBSD sparc mailing list in
December 2005 and to my surprise, received an out-of-office
on-holidays bounce back from someone in the Pentagon Army Operations
Center!

However, governments the world over, staffed with people who hate their
jobs, have difficulty getting public transport working.  So how
they're supposed to accredit something as complex as an OS is beyond
me!

That sort of crap is for arse covering anyway.  For washing one's hands
of the problem and being able to claim to have performed due
diligence, even if they know it's a bullshit exercise.



Re: ouch

2010-02-04 Thread SJP Lists
On 5 February 2010 05:01, J.C. Roberts list-...@designtools.org wrote:
 I just finished installing the most recent snapshot, rebooted and
 ran sysmerge. I powered down the system, booted it up again, logged
 into my account, and was greeted by:

panic: kernel trap (ignored)

 The timing was absolutely perfect, and for half a moment I wondered, so
 I wish to thank the hilarious nameless bastard with the foresight to
 add the above text to the default input file of fortune(6).

 -jcr

Is this because OpenBSD users feel left out of the fun of kernel dumps?

Feel the need to reminisce about the good old days of lesser systems?



Re: obsd as domU?

2010-01-18 Thread SJP Lists
2010/1/13 Ciprian Dorin, Craciun ciprian.crac...@gmail.com:

 3.) Many of the benefits you gain by running a stable and secure
 operating system like OpenBSD are lost when you run it as a guest on
 top of some other insecure host operating system.

This is only true if either:
* there is a security bug in the virtualization software (highly
 improbable, and maybe easily fixed);

http://taviso.decsystem.org/virtsec.pdf

No virtual machine tested was robust enough to withstand the testing
procedure used, and multiple exploitable flaws were presented that
could allow an attacker restricted to a virtualised environment to
reliably escape onto the host system.


http://www.vmware.com/security/advisories/VMSA-2009-0006.html

A critical vulnerability in the virtual machine display function
might allow a guest operating system to run code on the host.


http://www.vmware.com/security/advisories/VMSA-2008-0019.html

A memory corruption condition may occur in the virtual machine
hardware. A malicious request sent from the guest operating system to
the virtual hardware may cause the virtual hardware to write to
uncontrolled physical memory.


Shane



Re: VLANs, OpenBSD, Cisco HP

2010-01-14 Thread SJP Lists
2010/1/14 James Peltier james_a_pelt...@yahoo.ca:

 on the HP ProCurve I have added the VLANs to the switch and ports and it 
 works but not the way I would expect.

 Port B4 has VLAN 301 tagged and A1 is the port on which the OpenBSD box is 
 connected which is also tagged VLAN 301.

It's been a while since I did this with a ProCurve and OpenBSD, but
have you tried setting A1 as a trunk?



Lanner FW-8760 1U firewall platform.

2010-01-12 Thread SJP Lists
Howdy folks,

I thought some on the list might find this embedded bare bones 1U
firewall product interesting.

They claim it supports OpenBSD, has 8x Intel 82574L GbE (expandable to
16), a CF socket, 2x SATA and support for Intel Core i3, i5, and i7
processors up to 3.33GHz.

Looks like it might have a serial console too...

http://www.lannerinc.com/expansion/FW-8760

Cheers,


Shane



Re: Lanner FW-8760 1U firewall platform.

2010-01-12 Thread SJP Lists
2010/1/12 Diana Eichert deich...@wrench.com:
 On Tue, 12 Jan 2010, SJP Lists wrote:

 SNIP

 Looks like it might have a serial console too...

 just a headsup

 probably redirection of video to serial, better than a sharp
 stick in the eye, but not a ROM monitor.

Bummer.  Hope not.  I've been spoiled by Soekris and ALIX machines.


Shane



Re: help to keep disk spinning

2009-12-27 Thread SJP Lists
2009/12/25 Paul M l...@no-tek.com:
 Here we're talking about 2 separate cases, electrical and mechanical.

 In electrical componentry, it's power up/power down that compromises the
 reliability of a part (circuit). This is primarily due to heat - it's the
 temperature cycling in the circuit components thats the bad guy.

Highest current is drawn at spin up and therefore highest load on the
motor and supporting components.  In addition, spin up and down causes
head load and unload cycles in modern drives, for which vendors quote a
given number before failure.

Checking a random Seagate drive, I see 300,000 cycles quoted and 34
Watts to spin up versus 5 Watts to idle.  For argument's sake, if
Frantisek's drive had similar load/unload limits and sleeps for 10s
and works for 10s constantly, with that quoted value it could be
expected to last less than 70 days.

26 times less than the warranty of this Seagate drive.



Re: Looking for Secure Architectures with OpenBSD pdf.

2009-12-10 Thread SJP Lists
2009/12/11 jackwssp q jackw...@gmail.com:
 2 Tomas Bodzar:
 Why are you so ugly? I'm not looking for the pf manual. As you can see above, I'm
 not alone. When I get it, I will share it with everyone on misc@, and you may
 furiously try to stop me.

Funny.  When you need help beyond the books and come here for it, I
imagine few who remember you would *want* to help you with that
attitude.

You wanna talk about ugly?  You're crapping on the community and
asking them to help you do it, while trying to suggest they'll benefit
from it.

The book is good and cheap and the free docco is more up to date.



Re: Looking for Secure Architectures with OpenBSD pdf.

2009-12-09 Thread SJP Lists
2009/12/10 Tomas Bodzar tomas.bod...@gmail.com:
 This book is not for free download.

 On Wed, Dec 9, 2009 at 9:36 PM, jackwssp q jackw...@gmail.com wrote:
 Sounds like piping.

 You should share it with us or shut your mouth.

You can have this for free, along with the software!...

http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf


What a bargain.



Re: Open Source hardware (Re: can't get vesa @ 1280x800 or nv)

2009-12-06 Thread SJP Lists
2009/12/6 rhubbell rhubb...@ihubbell.com:
 Another sensitive type. Guess there are always a few on every list.

Your manner is counter productive, including for yourself.  So why do
you persist?

Unless of course you're more interested in causing mischief than
getting anything out of OpenBSD.

Please, either adjust your attitude or leave.



Re: How to determine what ports are being used?

2009-11-30 Thread SJP Lists
2009/11/28 Christoph Leser le...@sup-logistik.de:
 1723 is PPTP. This uses GRE ( generic routing encapsulation ).

 You must allow this protocol.

 And, as far as I know, openBSD cannot NAT this protocol ( it is possible to
 nat GRE for pptp if you peek into the next higher level protocol ( ppp in this
 case ? ) but this is not implemented )

pf can NAT GRE, but I believe only one session per endpoint.

http://monkey.org/openbsd/archive/misc/0403/msg01041.html



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-11-24 Thread SJP Lists
2009/11/20 rhubbell rhubb...@ihubbell.com:

 Definitely not missing the point. Maybe you missed mine. Not worrying
 because you trust everything about OpenBSD and everyone that's worked on
 it and every package you've installed and every piece of hardware you've
 installed, etc., etc.  It's naive to point elsewhere and say see, they're
 not secure. For example should I trust you and the other tooters just
 because you insist OpenBSD's secure?

It's not about absolute trust, or faith, it's about playing the odds.

You can choose an OS built with security as the primary focus at one
extreme, or one that's insecure by default at the other.

No OS will be absolutely secure, but at least one tries to be.



Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability

2009-11-07 Thread SJP Lists
2009/11/5 Justin Smith odnomz...@gmail.com:

 By default, Ubuntu 8.04 and later with a non-zero
 /proc/sys/vm/mmap_min_addr setting were not vulnerable.

 Ubuntu 8.04 was released in April 2008.


They've moved on from this then...

http://ubuntuforums.org/showthread.php?t=143334



Re: Installing OpenBSD on SSD drives

2009-11-05 Thread SJP Lists
2009/11/5 Jean-François SIMON jfsimon1...@gmail.com:
  Hello,
 Is there any particular problem with installing OpenBSD on a SSD HD ?

I've been using flash based SSDs in OpenBSD systems for 6 or 7 years,
starting with small CF in firewalls and now SATA SSDs in desktops and
laptops.

Never had a problem installing to them and never had one go bad.  I
just use noatime, softdep and no swap (but I guess looking at the
opinions of devs here, no swap is now just a bad habit).


Shane



Re: Porting HammerFS

2009-07-22 Thread SJP Lists
2009/7/22 Henning Brauer lists-open...@bsws.de:
 * Christiano Farina Haesbaert christiano...@gmail.com [2009-07-21 21:02]:
 openbsd usually runs on small underpowered servers/routers

 rright.

 it's also slow, ya know.

 and beer is dry.

This multiple choice exam is easy...

http://theinspirationroom.com/daily/print/2007/2/carlton-dry-fishbowl.jpg

; - )



Re: pf, altq, packet rate

2009-05-27 Thread SJP Lists
2009/5/28 irix i...@ukr.net:

 Okay, I see.  But I can not understand why you are sure that traffic
 can only be shaped on the outlet.  You can say that it's silly to try to
 shape traffic that already came in, but if it works it's worse than
 outgoing (if only for tcp); is it not stupid?

How do you shape traffic that you have already received?  Or to put it
another way, how do you alter the past?



Re: pf, altq, packet rate

2009-05-27 Thread SJP Lists
2009/5/28 Johan Beisser j...@caustic.org:
 On Wed, May 27, 2009 at 11:04 AM, SJP Lists sjp.li...@flashbsd.net wrote:
 How do you shape traffic that you have already received?  Or to put it
 another way, how do you alter the past?

 I've always just assigned inbound traffic to the existing outbound
 queues. My assumption is that the responding traffic would use the
 queues appropriately, and the results (watched via pftop) seem to bear
 this out.

Thanks Lars and Johan,

I was trying to highlight to irix that once traffic is received, it is
too late to alter the bandwidth it already used coming in.

In other words, doing it on the incoming is pointless.  Thus, as in
your examples, the logic behind shaping only on the outbound.

i.e. you can easily delay sending something you have, but you have
little to no control over the ingress traffic of a link where the
local host is the only thing you have control of.


Shane



Re: pf, altq, packet rate

2009-05-27 Thread SJP Lists
2009/5/28 Johan Beisser j...@caustic.org:

 I was trying to highlight to irix that once traffic is received, it is
 too late to alter the bandwidth it already used coming in.

 In other words, doing it on the incoming is pointless.  Thus, as in
 your examples, the logic behind shaping only on the outbound.

 You can always inform the other end that your window is smaller than
 it is (pf.conf(5) red/rio/ecn on the queue).

 Or, simply randomly drop some incoming packets for that protocol to
 force retransmission (see pf.conf(5) probability flag for a given
 line) which should cause the remote end renegotiate its link to you as
 unreliable, and retransmit. A probability of 5% would prevent inbound
 connections from fully saturating.

I know this is an option, but forcing the resending of traffic doesn't
seem to be the most efficient method to me, when I could instead just
shape that same traffic when it leaves another interface.
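
The outbound-only shaping argued for in the two replies above, as an added example that is not from the original thread: a pf.conf fragment in the altq syntax of the OpenBSD releases current at the time (4.5).  The interface names, link speeds, LAN prefix and queue names are assumptions for illustration.  Downstream traffic has already used the uplink by the time pf sees it, so the only place left to delay it is on its way out the LAN interface, and the rule that admits it on the uplink simply names a queue that lives on that LAN interface, which is what Johan describes doing.

```conf
# Added example, not from the original posts.  Interfaces, bandwidths and
# the LAN prefix are placeholders; set them to the real uplink and LAN.
ext_if = "em0"              # uplink (assumed)
int_if = "em1"              # LAN side (assumed)
lan    = "192.168.1.0/24"   # LAN prefix (assumed)

# Upstream (LAN -> Internet): the only point we control is egress on $ext_if.
altq on $ext_if cbq bandwidth 1Mb queue { ul_bulk, ul_ack }
queue ul_bulk bandwidth 80% cbq(default borrow)
queue ul_ack  bandwidth 20% priority 7 cbq(borrow)

# Downstream (Internet -> LAN): already across the uplink when pf sees it,
# so it can only be delayed as it leaves $int_if towards the LAN hosts.
altq on $int_if cbq bandwidth 8Mb queue { dl_bulk, dl_ssh }
queue dl_bulk bandwidth 90% cbq(default borrow)
queue dl_ssh  bandwidth 10% priority 7 cbq(borrow)

# A queue named on a rule is applied when the packet leaves an interface
# that carries that queue.  pf is last-match, so the general rules come
# first and the interactive-traffic rules after them.
pass in  on $ext_if from any to $lan queue dl_bulk
pass in  on $ext_if proto tcp from any to $lan port ssh queue dl_ssh
pass out on $ext_if from $lan to any queue ul_bulk
pass out on $ext_if proto tcp from $lan to any queue (ul_bulk, ul_ack)
```

Note there is no altq on the inbound side of $ext_if at all; dropping or delaying packets there, as the probability trick in the quoted reply does, only spends bandwidth the link has already paid for.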



Re: OpenBSD ESXi VMware image on Soekris Net5501

2009-05-22 Thread SJP Lists
Hi,

2009/5/21 Obiozor Okeke obiozorok...@yahoo.com:
 Hi Diana (and Stuart) thanks for all your advice.

 The problem or nut we're trying to crack is that we're trying to deploy
 OpenBSD to remote clients and we wanted an inexpensive but very high
 reliability system with the flexibility to change configurations (switch
 in/out different VMs) and add/modify services remotely on-the-fly.  For
 example we could upgrade a client from 4.4 to 4.5 along with all the
 custom apps and client data packaged in a VM.  We would grab the old 4.4
 VM bring it back to our lab, then upgrade and re-configure it the way we
 wanted to and drop it back on the ESXi.  Then just change the network
 configs and switch the old for the new all remotely without ever visiting
 the client

 Thanks again all.

Even if this were feasible (given the hardware limitations of the
5501), you would still have to maintain ESX in a manner which requires
console access.

Wrapping OpenBSD up in ESX defeats the typical purpose of using
OpenBSD.  ESX and other x86 virtualization software introduces a whole
new vulnerable layer of software which requires patching and
rebooting.

Take it from the horse's mouth...


A critical vulnerability in the virtual machine display function
might allow a guest operating system to run code on the host. The
Common Vulnerabilities and Exposures Project (cve.mitre.org) has
assigned the name CVE-2009-1244 to this issue.

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1009853


A memory corruption condition might occur in the virtual machine
hardware. A malicious request sent from the guest operating system to
the virtual hardware might cause the virtual hardware to write to
uncontrolled physical memory.  The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CVE-2008-4917
to this issue.

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1007507


VMware addresses an in-guest privilege escalation on 64-bit guest
operating systems.  VMware products emulate hardware functions
including CPU, memory, and I/O.  A flaw in VMware's CPU hardware
emulation could allow the virtual CPU to jump to an incorrect memory
address. Exploitation of this issue on the guest operating system does
not lead to a compromise of the host system, but could lead to a
privilege escalation on guest operating systems. An attacker would
need to have a user account on the guest operating system.  Affected
guest operating systems include 64-bit Windows, 64-bit FreeBSD, and
possibly other 64-bit operating systems.

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1007090


This is just a small sample.  All this will get you extra complexity
and doubt as to whether a problem with the guest software is really
with it or with the host.


Shane



Re: [dera...@cvs.openbsd.org: Re: I would like to send this to misc@ and security-announce@, from me.]

2009-05-05 Thread SJP Lists
2009/5/5 Mischa Diehm m...@mailq.de:
 On Mon, May 04, 2009 at 01:38:16PM -0600, Bob Beck wrote:
   Look dude, that ftp site made something available before any of the
 second level mirrors were even opened up to other sites to retrieve
 it. Deliberate action was taken to release something early without
 mirroring it from a credible source. Judging by the contents, not all
 of it was exactly 4.5. This is cause for concern to anyone using the
 mirror.

 How many unofficial ftp servers are there on this dangerous
 internet which are or might or could be having wrong packages? This is
 what ftp.html is all about right? Why is there a list of official
 mirrors anyway?

This was a special case though, since kd85.com was previously listed
as hosting a second level mirror.

Surely it deserves special mention, since so many people would have
developed a lot of trust in that mirror.



Re: 4.5 delivery - How do they do it?

2009-04-20 Thread SJP Lists
2009/4/21 Theo de Raadt dera...@cvs.openbsd.org:

 precognition means that we can identify an upcoming
 period when such packets will come in -- packets which would
 defragment and subsequently arrange themselves into an attack above
 the socket layer.  since we can precognitively pre-identify the risk,
 we can drop them right on the ethernet card and avoid even having them
 dma into memory!

 Well, we have only parts of this working in the tree.  A few pieces
 are still missing, but Austin is trying a prototype of the algorithms
 and heuristics in his shipping operation.

Do I feel a theo.c commit coming on?



Re: Low power OpenBSD machine

2009-04-16 Thread SJP Lists
2009/4/17 Nenhum_de_Nos math...@eternamente.info:

 that I was known, I just want to be sure it won't die out of a sudden.
 thanks anyway.

I've been using CF cards in OpenBSD firewalls for about 4 or 5 years.
I have yet to see a failure with SanDisk and Lexar CF cards.

As a precaution, I only use softdeps and noatime to address write limits.


Shane



Re: donation

2009-04-10 Thread SJP Lists
2009/4/10 Michiel van Baak mich...@vanbaak.info:

 I'm very happy how stuff went with kd85 and I got info about what
 happened with my money and it's exactly as it was advertised on both the
 official openbsd website as on wim's website.

Ingo rightfully requested an account of what happened to money he
donated more than a year ago and stated that he reserved the right to
a refund of that money with interest, had the transaction not been
completed.

The best case scenario to vindicate Wim, was for Ingo to receive that
proof.  But he then receives the refund plus interest from kd85!  In
my mind, that heavily suggests that Wim either sat on the money all
that time, or otherwise did not make or retain good bookkeeping and
therefore without being able to provide proof, had no other recourse
but to refund the money to Ingo.

Does this not ring alarm bells for you?  Or is there a more innocent scenario?


 Why send theo a CC if you have trouble with kd85 ?

Because Theo is one of the two most important entities in such a
transaction?  The other being the donor?  Theo should be allowed to
have visibility of the actions of a middle man who is responsible for
such an important part of the project.  Especially a middle man who
has almost admitted to sitting on money for at least one donation, for
more than a year.

I understand this logic, but it is up to Theo to protest if it is not
wanted.  Not you.


 If you have trouble with kd85 it's an issue between them and you, and
 no one cares cept you and kd85.

In this matter, I care and I am just a happy OpenBSD user who has
never needed to use kd85.  It seems that Theo cares too.



Re: Games

2009-04-08 Thread SJP Lists
2009/4/9 STeve Andre' and...@msu.edu:

 Nah, its Systemagic. ;-)

Yeah, my favourite too.



Re: Stupid Ideas - softraid and ExpEther

2009-04-06 Thread SJP Lists
2009/4/7 J.C. Roberts list-...@designtools.org:

 The design involves a technology called Express Ether though it is
 typically written as ExpEther, and it is basically a way to run a
 PCIe bus over ethernet. Though this might be the first you've heard of
 it, ExpEther has been in development at NEC for the last five years,
 and yes, I'm currently working on getting the documentation released for
 the existing silicon.

DMA to host memory via Ethernet?

O_o



Re: European orders

2009-04-01 Thread SJP Lists
2009/4/2 Daniel Seuffert d...@praxisvermittlung24.de:

 Why are you on this list?

 Because Mr. de Raadt accuses Mr. Vandeputte in public for having done some
 bad things without any evidence yet.

Did you not think that this is an event in progress?  It appears that
neither side has finalized this matter.  So involvement from outsiders
can only interfere.

If Theo felt he needed to stop shipments to Wim, then he had an
obvious question to address.  Which he has done.

They should be allowed to sort this out privately.



Re: European orders

2009-03-31 Thread SJP Lists
2009/4/1 Daniel Seuffert i...@praxis123.de:

 Mr. de Raadt,

 I don't care what you do for a living.  If it's not enough get a job and
 work like anybody else.

 Daniel Seuffert

Theo works hard and from the goodness of his heart we all benefit from it.

But you have a problem with him expecting to receive payment for
delivered products?  Something which assists him to continue the
development and running of the project we love?



Re: hier command not found: ksh: hier: not found

2009-03-24 Thread SJP Lists
2009/3/24 my mail am...@yahoo.com:
 How to use hier?

The hier manual page nicely describes the filesystem hierarchy.

Not all manual pages describe a tool.



Re: hier command not found: ksh: hier: not found

2009-03-24 Thread SJP Lists
2009/3/24 patrick keshishian pkesh...@gmail.com:
 On Mon, Mar 23, 2009 at 11:40 PM, Theo de Raadt dera...@cvs.openbsd.org 
 wrote:

 Yeah, it happens to me too:

 # strcpy
 ksh: strcpy: not found

 Very strange...


 why the fuck are you guys logged in as root? use sudo(8); see afterboot(8)

Theo is allowed to be logged in as root, at all times.

I don't think he will accidentally dial his hard drive with AT commands.


Shane



Re: openbsd in virtualization

2009-03-19 Thread SJP Lists
2009/3/20 Markus Hennecke markus-henne...@markus-hennecke.de:
 Guido Tschakert wrote:

 the question is: do you use the vmware-tools from server 2.0 and if you do
 so, how did you manage it?

 No, we are running server 1.0.8 for our OpenBSD vmware installations. We
 have some laptops with our Windows client software that needs fast access to
 a database on an OpenBSD server. All setup for evaluation of the whole
 packet. So we need the ability to gracefully shutdown the vm if the laptop
 is powered down. The vm must start when the laptop is started. It is a setup
 for users with low skills on computers (medical personnel mostly), so the
 ability to start and shut down a vm is not something I can expect.

 OpenBSD 4.4 or newer will run happily with the vmware server 2.0, but no
 automatic shutdown is a real show stopper.

VMware Workstation 6 and VMware Server 2 provide command line options
for controlling specific VMs with the vmrun command.

http://www.vmware.com/products/beta/ws/vmrunCommand.pdf

You could script VM suspends for when the host is being shutdown and
VM unsuspends when the host starts up.  I use vmrun to shut VMs down
to prepare them to be rsync'ed with remote copies.


Shane
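
A concrete form of the scripting suggested above, as an added example that is not from the original post: a POSIX shell wrapper around vmrun that suspends every running VM before the host goes down and resumes them at boot, so a guest that cannot be trusted to shut itself down still gets a consistent park/unpark.  It assumes vmrun from Workstation 6 / Server 2 is on the PATH (the `-T ws` host type, `list`, `suspend ... soft` and `start ... nogui` subcommands), and the state-file path is a placeholder; wiring `suspend` and `resume` into the host's shutdown and startup sequence is left to the host OS.

```shell
#!/bin/sh
# Added example, not code from the original post.  Parks every running
# VMware VM with vmrun at host shutdown and resumes them at boot.
# Assumptions: vmrun from Workstation 6 / Server 2 on PATH; the state file
# path below is a placeholder.

VMRUN="${VMRUN:-vmrun}"          # vmrun binary (overridable for testing)
VMTYPE="${VMTYPE:-ws}"           # ws = Workstation, server = VMware Server 2
STATE_FILE="${STATE_FILE:-/var/tmp/vmrun-suspended.list}"

# parse_running: reduce `vmrun list` output (a "Total running VMs: N"
# header followed by one .vmx path per line) to just the .vmx paths.
parse_running() {
    while IFS= read -r line; do
        case "$line" in
            *.vmx) printf '%s\n' "$line" ;;
        esac
    done
}

# suspend_all: suspend each running VM ("soft" asks the guest tools to
# quiesce first) and record its path so resume_all knows what to revive.
suspend_all() {
    : > "$STATE_FILE"
    "$VMRUN" -T "$VMTYPE" list | parse_running | while IFS= read -r vmx; do
        if "$VMRUN" -T "$VMTYPE" suspend "$vmx" soft; then
            printf '%s\n' "$vmx" >> "$STATE_FILE"
        else
            echo "suspend failed: $vmx" >&2
        fi
    done
}

# resume_all: `start` resumes a suspended VM; run headless on a server.
# The state file is removed afterwards so a later boot does not replay it.
resume_all() {
    [ -f "$STATE_FILE" ] || return 0
    while IFS= read -r vmx; do
        "$VMRUN" -T "$VMTYPE" start "$vmx" nogui || echo "resume failed: $vmx" >&2
    done < "$STATE_FILE"
    rm -f "$STATE_FILE"
}

case "${1:-}" in
    suspend) suspend_all ;;
    resume)  resume_all ;;
    *)       echo "usage: $0 suspend|resume" >&2 ;;
esac
```

Call it as `vmpark.sh suspend` from the host's shutdown hook and `vmpark.sh resume` from its startup hook.  Suspending rather than powering off keeps the guest's in-memory state, which is also what you want before an rsync of the VM directory: the .vmem and disk files are then quiescent on the host side.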



Re: openbsd in virtualization

2009-03-18 Thread SJP Lists
2009/3/18 Michiel van Baak mich...@vanbaak.info:

 I'm running OpenBSD 4.4 and -current under KVM here at home.
 I wont run it in production tho. Real hardware is much more stable.

I agree.  I use VMware Workstation at home/work and ESX3 at work.  I
had a lot of distrust initially (2004), but over a few years I had
developed confidence that it could be reliable for test systems and
servers where I was being forced to use VMs.

However I have seen performance quirks with ESX3.5 and when I patched
my 6.5 Workstation to 6.5.1, OpenBSD -stable gets ddb when trying to
build release.

Now my paranoia is back and I think it was healthy paranoia all along.

Plus, besides the reduced stability, there is all the research that
has proven that this new complex software layer has introduced a whole
new realm for attack.  Anyone just needs to take a look through the
descriptions of VMware's patches.  Descriptions which state that
exploitation of x vulnerability can cause arbitrary code execution
outside of the rooted guest and into other guests and even the host.



Re: Ramifications of blocking SYN+FIN TCP packets

2009-03-13 Thread SJP Lists
2009/3/13 Rod Whitworth glis...@witworx.com:

You could have scrubbing turned off at the bride

 So what's she going to do? Just the dishes?
 Why did he marry her anyway?

 Grinning, running and ducking

Careful Rod, from memory Diana is a crack shot and packs!



Re: 4.4 on ESXi 3.5 (was: vic(4) on amd64)

2009-03-11 Thread SJP Lists
2009/3/12  dt...@drizzle.com:

 I discovered a severe performance problem, wherein an OpenBSD guest would
 run fine for some period of hours, and then become horribly bogged down
 during disk operations, to the point of unusability.  This was true even
 when the guest was nearly idle and the VM host had abundant uncommitted
 resources, and was equally true on 32 bit and 64 bit OpenBSD guests.

 This was a showstopper, but the problem appears to have been resolved by
 lying to the hypervisor.  Since I told it that the guest was Red Hat
 Enterprise Linux 64 bit, instead of Other 64 bit, the problem has so far
 not recurred.

Thanks David,

I came across this problem a few days ago and have yet to get back
looking at it.

So I'm glad for this tip!


Shane



Re: PF firewall system capable of handling a multi-gigabit link

2009-03-08 Thread SJP Lists
2009/3/9 Alface Voadora alface.voad...@gmail.com:
 Thanks,

 but stating the obvious is not very helpful.

And failing to state how and what you researched is not helpful to
people who might be interested in helping you.  A consequence of that
is that others need to state the obvious since they don't know where
to start with where you are at in the process of helping yourself.



Re: pfsync vs contrackd

2009-02-19 Thread SJP Lists
2009/2/19 Mikel Jimenez mi...@irontec.com:

 What are the limitations of contrackd?

Maybe this is a better place to ask...

http://conntrack-tools.netfilter.org/support.html



Re: Car is limiting speed

2009-01-28 Thread SJP Lists
I've narrowed it down to my car. My speed is limited to 80kph on a
110kph highway. What should I check?



Re: pf.conf and tags

2009-01-22 Thread SJP Lists
Hi Steve,

2009/1/23 Steve Laurie st...@foo-unix.org:

 I've got a Sun Microsystems Ultra 5 270MHz 64bit CPU with 128MB of RAM.
 Would that be better than the 1GHz 1024MB RAM x86 bitsa I'm using at the
 moment?

I'd be surprised if that U5 was faster than the 1GHz x86.

Back with OpenBSD 3.7 or so, I found with Ultra 5s that those which
had the lower sized L2 cache, were a lot slower than those with the
2MB L2 cache.

Direct crossover connection: 94.1 Mbits/sec (end-point directly to end-point).
360MHz in the Ultra 5 (256k L2):  pf OFF: 67.2 Mbits/sec   pf ON: 47.3 Mbits/sec.
333MHz in the Ultra 5 (2M L2):    pf OFF: 77.0 Mbits/sec   pf ON: 74.0 Mbits/sec.

The 270MHz UltraSPARC in your Ultra 5 probably has 256k of L2 cache,
so I think you'll get a speed penalty due to cycle speed and the small
L2 cache size.

Although lots of pf performance gains have been made since then and I
don't know if any of them would have made the L2 difference less
dramatic.


Shane



Belkin F5D5005 has switched from sk(4) to re(4) RTL8169

2009-01-08 Thread SJP Lists
Hello all,

Just a heads up if anyone specifically tries to get sk(4) by sourcing
Belkin F5D5005 cards.

I just purchased a pack of 10, since I had others which were sk(4),
but these new cards are all RTL8169 based.

The box shows Ver.2001


Shane



Re: PPTP Server behind PF firewall

2008-12-11 Thread SJP Lists
2008/12/12 cbc ccapo...@gmail.com:
  Hello,

  I have a PPTP server (running Windows Server) behind PF (OpenBSD
 4.4). I tried 'rdr pass' on 1723/TCP and all GRE traffic, without
 success. Then, I tried to set up an alias on the WAN interface and create
 a binat rule, which doesn't work either.

  Is there any limitation with PF? I wouldn't like to use Netfilter
 (ip_gre module) to solve this problem. Any idea?

  Thanks in advance,

http://marc.info/?l=openbsd-miscm=119549491121338w=2



Re: 4.4 arrived in New Zealand

2008-10-16 Thread SJP Lists
Got mine today.  Sydney Australia.

Thanks to all the devs and supportive user community! Another
brilliant set and release!



Re: Random crashes with Intel D945GCLF2

2008-10-09 Thread SJP Lists
2008/10/10 Damian Gerow [EMAIL PROTECTED]:
 Mark Kettenis wrote:
 Boy, those Intel-branded boards have shitty BIOSes...

 And support.  They've basically said that OpenBSD is not a supported OS, so
 they won't help me.  Neither do they support diagnostics from third-party
 programs or companies.

 I think I've learned my lesson here.

I thought it odd being an Intel board not using an Intel NIC.  Not
really their board?



Shane