ComixWall terminated [WAS: ComixWall 4.6 released, December 8, 2009]

2009-12-09 Thread Soner Tari
Due to an unexpected reaction from the leader of the OpenBSD project
(please read below), I am terminating the ComixWall project. I will keep
the project server running until the end of this month. I might
resurrect the project in the future with another host OS perhaps.

I am going to unsubscribe from this list after posting this last
message. He apparently prefers reading messages from 'pricks' (to use
his terms) rather than release announcements from people trying to help.

Good luck, and goodbye...

On Wed, 2009-12-09 at 09:04 -0700, Theo de Raadt wrote: 
 On Wed, 2009-12-09 at 14:03 +0200, Soner Tari wrote:
  On Wed, 2009-12-09 at 10:29 +0200, Soner Tari wrote:
   On Tue, 2009-12-08 at 23:46 -0700, Theo de Raadt wrote:
    Don't you dare post that to our lists again.
   
   I don't understand, what's the problem?
   
   If you think that I am making money out of ComixWall, you are completely
   wrong. I have not made a penny out of it, ever (this is just a homemade
   project by an OpenBSD enthusiast). In fact, I was doing this to help
   uninitiated people use OpenBSD, instead of something else. Is it so hard
   to believe?
   
   I can't believe what you just said...
  
  If you don't tell me that you were just joking, I have decided to
  terminate the ComixWall project.
  
  Given that my sole purpose was to help promote the use of OpenBSD, I
  will feel stupid continuing with this project while I am not even
  allowed to post its release announcements to the OpenBSD mailing lists.
 
 Take your advertisements OFF OUR LISTS



ComixWall 4.6 released, December 8, 2009

2009-12-08 Thread Soner Tari
I am pleased to announce the release of ComixWall 4.6. This is the 7th
public release of ComixWall ISG. Please go to http://comixwall.org to
download the installation CD image, via bittorrent.

ComixWall is still the only fully FOSS and freely available UTM firewall
running on OpenBSD. You can use the web administration interface to
configure and monitor your system and the network. Supported
architectures are amd64 and i386 (ComixWall is one of the few UTM
firewalls with 64-bit support).

There are major changes in this version. The updated web user interface is
the result of 4+ months of intense refactoring and development effort.
There are changes to other parts of the system too. The changes are too
numerous to list here.

The following are a few of the web user interface features:

- Most system and service configuration can be achieved on the web
interface, including pf rules.
- System, network, and internal clients can be monitored via graphs.
- Logs can be viewed and downloaded on the web interface. Compressed log
files are supported.
- Statistics collected over logs are displayed in bar charts and top
lists. Statistics over compressed log files are supported.
- Web interface provides many help boxes and windows, which can be
disabled.
- Man pages of OpenBSD and installed software can be accessed and
searched on the web interface.
- There are two users who can log in to the web interface. The unprivileged
user does not have access rights to configuration pages, thus cannot
interfere with system settings, and cannot even change user password
(i.e. you can safely give the unprivileged user's password to your
boss).
- Web interface supports languages other than English: Turkish, Chinese,
Dutch, Russian, French, Spanish.
- Web interface configuration pages are designed so that changes you may
have made to the configuration files on the command line (such as
comments you might have added) remain intact after you configure a
module using the web interface.

ComixWall 4.6 includes all -stable patches to OpenBSD, as of December
1st.

Here is the list of software installed by default:

- OpenBSD/pf
- OpenSSH
- OpenBSD/ftp-proxy
- OpenBSD/httpd: Apache web server
- DNS server
- DHCP server
- DansGuardian 2.10.1.1: web filter, anti-virus using ClamAV 
- Snort 2.8.5.1: intrusion detection system, with latest rules
- SnortIPS 4.6: intrusion prevention system
- ClamAV 0.95.3 with periodic virus signature updates
- SpamAssassin 3.2.5: spam scanner
- P3scan 2.3.2: anti-virus/anti-spam, transparent POP3 proxy
- Smtp-gated 1.4.16.2: anti-virus/anti-spam, transparent SMTP proxy
- Dante 1.2.0: SOCKS proxy
- Squid 2.7.STABLE7: HTTP proxy
- IMSpector 0.9: IM proxy which supports MSN, IRC, Yahoo, etc.
- OpenVPN 2.1_rc22: virtual private networking
- Symon 2.79: system monitoring via graphs
- Pmacct 0.12.0rc3: network monitoring via graphs
- PHP 5.2.11: free OOP scripting language

Installation of ComixWall has been greatly improved in 4.6 too:

- Thanks to a modified auto-partitioner of OpenBSD 4.6, the disk can be
partitioned with a recommended layout for ComixWall, so most users don't
need to use the label editor at all.
- All install sets including siteXY.tgz are selected by default, so you
cannot 'not' install ComixWall by mistake now.
- OpenBSD installation questions are modified according to ComixWall
needs. For example, X11 related questions are never asked.
- ComixWall installer asks only 2 questions: internal/external interface
and admin/user password. The rest of the configuration is handled
automatically.
- User can complete the installation by accepting the default answers
(by just hitting ENTER) all the way from the beginning of the OpenBSD
installation, with obvious exceptions like network configuration and
passwords.

I would like to thank all the seeders of the torrent downloads, and also
those who contributed translations to the project.

I have never asked for monetary contributions to the ComixWall project. If
you wish, donate to the OpenBSD project instead. However, the project
desperately and urgently needs server hosting somewhere. This little guy
could do only this much with what he had.

I enjoyed developing ComixWall, and hope you enjoy using it.



Re: Open Source hardware (Re: can't get vesa @ 1280x800 or nv)

2009-12-06 Thread Soner Tari
On Sat, 2009-12-05 at 17:08 -0500, Ted Unangst wrote:
 On Sat, Dec 5, 2009 at 4:09 PM, Soner Tari so...@comixwall.org wrote:
  On Sat, 2009-12-05 at 21:30 +0100, Matthieu Herrb wrote:
  Making hardware is a lot more difficult than writing software. So it takes
  more resources and more skills.
 
  Sorry Matthieu, but I have to say that this is utter bullshit, and I
  believe such underestimation is the underlying reason that much software
  sucks.
 
 I think the point is the tools to make software are more readily
 available than the tools to make hardware.  Let's say so you want to
 make a graphics card.  Let's also say that you're only interested in
 playing quake3.  What does it take to party like 1999?  About 150 MHz
 on a 180nm process.  And what does it cost to fab some 180nm chips?
 More than I've ever spent on all the computers I've ever written
 software with.

To read his comments with such meaning, I would have to replace the
words difficult and skills in his sentences with others.

However, assuming that's really the intended meaning, yes you are right,
investment to produce hardware or semiconductors is very high (so I
cannot do it at home). But that's hardly a concern for venture
capitalists or corporations like IBM, Intel, etc., hence hardly a reason
for the lack of open hardware. (Unless of course the definition of
open here is equated to homemade.)

On the other hand, when I look at open source software, things do not
seem too bright either (although I can do it at home):
http://en.wikipedia.org/wiki/Usage_share_of_operating_systems

So, I believe the reasons behind these should be searched somewhere else
other than skills or costs.

(Looking at other posts in this thread, I regret that I've ever sent my
first reply. So, back to silent mode again...)



Re: Open Source hardware (Re: can't get vesa @ 1280x800 or nv)

2009-12-06 Thread Soner Tari
On Sun, 2009-12-06 at 10:16 -0500, William Boshuck wrote: 
 Since your reply implicitly replaced making with designing,
 that shouldn't prove to much of a stretch.

My reply explicitly emphasizes the difficulty in designing software,
which is part of writing it. Otherwise, I mention I am against
comparing making hardware with writing software (i.e. comparing
apples with oranges). This is completely OT now anyway.



Re: Open Source hardware (Re: can't get vesa @ 1280x800 or nv)

2009-12-05 Thread Soner Tari
On Sat, 2009-12-05 at 21:30 +0100, Matthieu Herrb wrote:
 Making hardware is a lot more difficult than writing software. So it takes
 more resources and more skills.

Sorry Matthieu, but I have to say that this is utter bullshit, and I
believe such underestimation is the underlying reason that much software
sucks.

Read this for a summary of cognitive requirements of software design:
http://argouml.tigris.org/docs/robbins_dissertation/diss2.html

And yes, I did hardware design too. But no, I have no intention to
compare hardware and software development like you did.

I usually resist replying to such threads and keep my silence, but your
comment above begged for it.



Translators needed for upcoming ComixWall 4.6

2009-11-11 Thread Soner Tari
I am planning to release ComixWall 4.6 in December. (Please see further
below for a summary of upcoming release announcement.) I am happy to
announce that I have frozen the web user interface strings as one of the
final few stages of the release process.

The ComixWall ISG project needs your help. Please contribute to the
project by translating the web user interface into your native language.

BENEFITS OF LOCALIZATION:

If you are reading these lines, you probably do not need any
translations from English to your native language. However, the benefit
of a localized firewall user interface may be twofold, at least:

1. The unprivileged user on the web user interface is for your boss, and
s/he may not speak English
2. Government organizations in your country may require or prefer IT
systems with localized user interfaces

After all, I was able to complete 50% of translations into Turkish in
1-2 hours, and this percent completion is enough for most purposes.

NEW TRANSLATION SCHEME:

A new scheme is in place to help you with translations. Strings on the
web user interface are now divided into files based on where they are
used. There are mainly four benefits of this scheme:

1. Translator knows what kind of user interface item s/he is translating
(menu, button, title, help box, etc.) even without knowing anything
about the web user interface
2. Files have priorities, and completing high priority translations is
easy, and also enough for most purposes
3. Translator may choose files based on how much time s/he can dedicate
for translations
4. Clear separation enables us to have multiple translators working on
the same language very easily without any conflicts (there are only a
few overlaps, which are easy to handle using gettext tools).

Po files to be translated can be downloaded at this link:
http://comixwall.org/dmdocuments/translations/

Following information and the list of current translators can be found
on the Translations page too:
http://comixwall.org/index.php?option=com_content&task=view&id=58&Itemid=51

Explanations for each file are as follows:

  _MENU: Left and top menus, 94 x mostly 1-word strings
  _CONTROL: Controls such as buttons, 38 x mostly 1-word strings
  _NOTICE: Warnings, 24 strings
  _TITLE: Important titles or captions, 101 x mostly 2-word strings
  _STATS: Statistics, 105 x mostly 2-word strings
  _HELPBOX: Important help boxes, 24 strings
  _TITLE2: Secondary titles, 393 x mostly 2-word strings

If above translations are complete and help boxes are disabled (on 4.6
help boxes can be disabled), the web interface can be considered as
localized. 

  _HELPBOX2: Secondary help boxes, 236 strings
  _HELPWINDOW: Help windows, 185 strings

If above translations are complete, the web interface can be considered
as localized, even when the help boxes are enabled. 

  _: Rest, 246 strings 

These files are combined into comixwall.po file before the final mo file
is created.
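An added example, not the project's own code, that models the scheme above: it parses per-use .po files (constructed samples named after the suffixes listed here), reports each file's completion, and merges them in priority order while flagging the overlapping msgids that need a translator's decision. The sample contents, the priority order and the merge policy are assumptions.

```python
"""Completion report and priority-ordered merge of gettext .po catalogs.

Added example, not ComixWall project code: it models the split-by-use scheme
above (one .po per kind of UI string, later combined into comixwall.po).
Samples, priority order and merge policy are assumptions; no msgctxt/plurals.
"""
from collections import OrderedDict

# Constructed samples named after the page's file suffixes (ASCII-only Turkish).
SAMPLE_PO = {
    "_MENU": r'''
msgid ""
msgstr ""
"Content-Type: text/plain; charset=UTF-8\n"
msgid "System"
msgstr "Sistem"
msgid "Logs"
msgstr ""
msgid "Statistics"
msgstr "Istatistikler"
''',
    "_CONTROL": r'''
msgid "Apply"
msgstr "Uygula"
# Same msgid and translation as in _MENU: harmless overlap.
msgid "System"
msgstr "Sistem"
# Fills the gap left empty in _MENU.
msgid "Logs"
msgstr "Kayitlar"
# Translated differently from _MENU: a translator must resolve this.
msgid "Statistics"
msgstr "Istatistik"
''',
}
_ESC = {"n": "\n", "t": "\t", '"': '"', "\\": "\\"}


def _unquote(s):
    """Strip the quotes of one .po string segment and decode its escapes."""
    s = s.strip()
    if len(s) < 2 or s[0] != '"' or s[-1] != '"':
        raise ValueError("expected a quoted string, got %r" % s)
    out, i = [], 1
    while i < len(s) - 1:
        esc = s[i] == "\\" and i + 2 < len(s)
        out.append(_ESC.get(s[i + 1], s[i + 1]) if esc else s[i])
        i += 2 if esc else 1
    return "".join(out)


def parse_po(text):
    """Return OrderedDict msgid -> msgstr; the header entry (msgid "") is dropped."""
    entries, msgid, msgstr, field = OrderedDict(), None, "", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("msgid "):
            if msgid:
                entries[msgid] = msgstr
            msgid, msgstr, field = _unquote(line[6:]), "", "id"
        elif line.startswith("msgstr "):
            msgstr, field = _unquote(line[7:]), "str"
        elif line.startswith('"') and field == "id":  # multi-line msgid
            msgid += _unquote(line)
        elif line.startswith('"') and field == "str":  # multi-line msgstr
            msgstr += _unquote(line)
        else:
            raise ValueError("unsupported .po line: %r" % raw)
    if msgid:
        entries[msgid] = msgstr
    return entries


def completion(entries):
    """Fraction of msgids with a non-empty translation (1.0 for an empty file)."""
    return sum(1 for s in entries.values() if s) / len(entries) if entries else 1.0


def merge_catalogs(parsed):
    """Merge (name, entries) pairs, highest priority first. The earlier file
    wins, but an empty msgstr never shadows a filled one. Returns (merged,
    conflicts) with conflicts as (msgid, winner, winner_str, other, other_str)."""
    merged, origin, conflicts = OrderedDict(), {}, []
    for name, entries in parsed:
        for mid, mstr in entries.items():
            if mid not in merged or (mstr and not merged[mid]):
                merged[mid], origin[mid] = mstr, name
            elif mstr and mstr != merged[mid]:
                conflicts.append((mid, origin[mid], merged[mid], name, mstr))
    return merged, conflicts


def build_catalog(catalogs, priority):
    """Parse files in priority order; return (completion per file, merged, conflicts)."""
    parsed = [(name, parse_po(catalogs[name])) for name in priority]
    merged, conflicts = merge_catalogs(parsed)
    return {n: completion(e) for n, e in parsed}, merged, conflicts
```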

Please contact me if you want to be a translator. All languages are
welcome. I hope to have all translations ready by the end of November.

UPCOMING RELEASE ANNOUNCEMENT:

If you are interested in what to expect in the upcoming ComixWall 4.6,
here is a quite short summary:

Software updates:

  OpenBSD 4.6-stable, i.e. with -stable patches as of December
  Snort 2.8.5.1
  SnortIPS 4.6 with the new Priority and Keyword based blocking
  ClamAV 0.95.3
  IMSpector 0.9 with patches from cvs
  Dante 0.12.0
  Pmacct 0.12.0rc3
  OpenVPN 2.1_rc20
  PHP 5.2.11 with exec() patch
  Better ports

Web Administration Interface:

  MVC-like design pattern
  Controller validates all input from View
  Controller accepts commands defined by Model only
  OOP in the Model, and some in the View
  Common PHP code base used by Model, View, Controller, and Installer
  New statistics pages
  New logs pages
  New configuration pages
  Incremental statistics, stats are saved and updated incrementally
  New login method over HTTPs without problematic HTTP authentication
  Sessions timeout, and help boxes can be disabled now
  Pfw understands new match action now
  Much faster, more robust, stable, and consistent user interface
  Higher quality source code

The full changes to the new web user interface are impossible to list here.
The new look-and-feel may be relatively familiar, but the current user
interface is the result of 4 months of intense refactoring and
development effort. In short, you should have a much more pleasant
experience using the web user interface on 4.6.

Installer:

  OpenBSD installation is modified to customize and ease ComixWall
installation. Thanks to a modified auto-partitioner of OpenBSD 4.6, the
disk is partitioned according to ComixWall needs, so you don't need to
use the label editor at all.
  All install sets including siteXY.tgz are selected by default, so you
cannot 'not' install ComixWall by mistake now.
  OpenBSD installation questions are modified according to ComixWall
needs. For example, X11 related questions are never 

Re: apache1.3 without jail and PHP cannot execute some system binaries..why?

2009-08-14 Thread Soner Tari
On Fri, 2009-08-14 at 09:59 -0500, Andres Salazar wrote:
 Apache is running without jail (-d) due to special needs.

You mean -u, right?



Re: New Project - MICO

2009-07-24 Thread Soner Tari
On Tue, 2009-07-21 at 20:20 +, Astrid Sánchez wrote:
 [1].
 http://www.openbsdcolombia.org/mico In spanish

Reads PFSENSE ... COMIXWALL ... son ... systemas operativos
modificados. With my beginner-level Spanish, I understand there is
a confusion here. ComixWall approach is completely different from
pfSense. (In fact, that's why I started the ComixWall project.)

ComixWall is NOT a *modified* OpenBSD.

Underneath ComixWall is an untouched, pure -stable OpenBSD. In fact, if
you don't select siteXY.tgz install set, you can install OpenBSD only.
If you have doubts, just roll your own -stable sets, and upgrade a
ComixWall installation to them (MD5s should match as well, afaik).

For example, that's why siteXY.tgz set is not selected by default during
ComixWall installation. Why? Because that would mean that I modify the
install.sub in the original bsd.rd.

In short, ComixWall provides a web interface, some extra UTM services
(which do not exist in the OpenBSD ports collection yet), and default
configuration files. (Furthermore, ComixWall does not use any
intermediary between the web interface and configuration files, but
directly modifies the text configuration files, i.e. no XML as in
pfSense.)

Just wanted to clear the air.



LocalKeyword in CVSROOT/config

2009-07-23 Thread Soner Tari
I am trying to achieve a custom $Id$ keyword in my source files with a
cvs repository on OpenBSD, just like $OpenBSD$ keyword expansion.

- I've tried the instructions at
http://cvsman.com/cvs-1.12.12/cvs_104.php

- I've tried the FreeBSD way as in
http://www.freebsd.org/cgi/cvsweb.cgi/CVSROOT/options

- I've looked at the OpenBSD source tree for such keywords.

and other trials and errors... So I am giving up and asking m...@.

Could somebody help?

(My guess is that OpenBSD/cvs does not have the patch to provide both
the KeywordExpand and LocalKeyword, or something similar, applied in
the src by default, mentioned in the first link above.)



Re: LocalKeyword in CVSROOT/config

2009-07-23 Thread Soner Tari
On Thu, 2009-07-23 at 12:49 -0400, Dan Harnett wrote:
 On Thu, Jul 23, 2009 at 06:44:31PM +0300, Soner Tari wrote:
  I am trying to achieve a custom $Id$ keyword in my source files with a
  cvs repository on OpenBSD, just like $OpenBSD$ keyword expansion.
 
 Did you create your repository on OpenBSD?  If so, then your
 CVSROOT/config should have already mentioned this at one point.  If not,
 here are the default comments.
 
 CVSROOT/config created by /usr/bin/cvs:
 
   # Set this to the name of a local tag to use in addition to Id
   #tag=OurTag
 
 CVSROOT/config created by /usr/bin/opencvs:
 
   # Set name of the local tag to use in addition to `Id'
   #tag=OpenBSD

You are spot on Dan, it was created on Linux a few years back, so I
don't have those comments in the CVSROOT/config file (how I wish these
were mentioned in the man pages or some other doc though). Funny thing
is that I had tried with tag keyword but used it similar to LocalKeyword
syntax, jeez... So it works now. Thank you.



Re: brute force voip QoS

2008-01-25 Thread Soner Tari
On Wed, 2008-01-23 at 15:53 -0800, David Newman wrote:
 How you detect a VoIP flow may also be an issue. If your VoIP traffic 
 uses SIP, you can classify the signaling traffic on 5060/udp -- but then 
 the voice or video traffic will use RTP/RTCP and some ephemeral port 
 chosen during call setup.

...

 (If anyone has a method for RTP/RTCP awareness in pf -- including the 
 ability to set up and tear down rules for the call duration -- please 
 share it!)

I am just wondering if the RTP proxy in siproxd could help. I guess one
could write pf (altq) rules based on the RTP port range chosen. May not
be so flexible or even suitable in every scenario (since one needs to
set up a siproxd), then again... (See
http://siproxd.sourceforge.net/index.php?op=faq for RTP proxy details.)
What do you think?



ComixWall 4.2 released

2008-01-06 Thread Soner Tari
I am pleased to announce that ComixWall ISG 4.2 has been released.
ComixWall is an Internet Security Gateway (ISG): FOSS UTM firewall
running on OpenBSD, with a user-friendly web interface for
administration and monitoring. ComixWall is unique, first of its kind in
many ways.

Highlights of this release are:
- OpenBSD 4.2-stable, i.e. includes all of the stable patches as of
December
- Support for both amd64 and i386 architectures, thus there are 2
installation CD images
- Upgrade support, from ComixWall 4.1b amd64 to 4.2 amd64
- New install/upgrade scripts, based on OpenBSD installation scripts
- xbase install set stripped down to save space on the CD image and the
file system
- SnortIPS: Intrusion Prevention System (IPS) based on snort alerts,
totally relies on pfctl
- Snort 2.8.0.1: Intrusion Detection System (IDS), with alerts log
rotate and 64-bit time stamp patches
- ClamAV 0.92: Anti-virus scanner
- DansGuardian 2.9.9.2 with clamd: Content scanning web filter
- IMSpector, CVS build as of 20071130: Message logging IM proxy which
supports MSN, IRC, Yahoo, etc.
- pfw 0.7.8: Web interface for pf, patched for bugs
- Updated software packages from OpenBSD ports collection
- Additions, enhancements, and fixes to the Web Administration
Interface, too numerous to list here
- Full English, partial Turkish, and even less complete Spanish support
on the web interface
- Installation and System Administration Guides, both in English and
Turkish

ComixWall ISG comes bundled with other software too, which are either
included in OpenBSD and its ports collection or specifically ported to
OpenBSD for ComixWall:

- SpamAssassin: Anti-spam scanner
- OpenBSD spamd: spam deferral daemon
- P3scan: POP3 anti-virus/anti-spam proxy
- smtp-gated: SMTP anti-virus/anti-spam proxy
- Dante: SOCKS proxy
- Squid: HTTP proxy
- Apache Web Server (OpenBSD httpd)
- OpenBSD ftp-proxy
- DNS server
- DHCP server
- OpenSSH
- symon: System monitoring daemon
- pmacct: Network monitoring daemon

The Web Administration Interface is developed specifically for
ComixWall. In most cases, you won't have to go to the command line for
basic configuration of the system, but one of its most important design
goals is that you can use the web interface and the command line
completely interchangeably, namely it never recreates configuration
files, but modifies only the specific setting you want to change within
the configuration file (e.g. your custom comments remain intact). The
web interface provides statistics and logs pages for most modules. Its
other features are too numerous to list here.

ComixWall installation is designed so that the system is configured with
basic settings and usable out-of-the-box, right after first boot.

Please visit http://comixwall.org for further details and documentation.

Only bittorrent download is supported for CD iso files. You can obtain
the torrent files for both amd64 and i386 archs under ComixWall 4.2
Release Downloads section on the project web site. Please note that
ComixWall System Administration Guides (SAG), both English and Turkish,
are available in the CD image too (on the System  Downloads page of the
web administration interface), you don't have to download them
separately from the project web site.

You can download the torrent files on torrentbox tracker web site too:
http://torrentbox.com/download/161535/comixwall42_amd64.iso.torrent
http://torrentbox.com/download/161536/comixwall42_i386.iso.torrent

All of the software running on ComixWall is BSD, GPL, or similarly
licensed. The web interface is released under BSD license too.

Downloads on the project web site include all of the ports packages of
the software not in the OpenBSD ports collection yet. Binary packages
are in the installation CD images, naturally.

Anonymous CVS is available for the latest web interface source code. You
can use the CVSweb on the project web site to browse the source code
too.

The project has a misc@ mailing list, where you can receive announcements
and get community help. (However, if possible, be sure to whitelist
comixwall.org and its IP address if your MTA rejects e-mails coming from
ADSL connections. Also check your Spam/Junk folder if your MTA or mail
client considers such e-mail as spam.)

If you want to support the ComixWall project, please:
1. Seed the torrent files
2. Translate the ComixWall web interface into your native language (it's
easy, and main menus and labels are enough)
3. Purchase an official OpenBSD CD set, if you haven't done so yet
(rhymed nicely too :))

Soner Tari, The ComixWall project.



disklabel (?) issues during upgrade to 4.2

2008-01-03 Thread Soner Tari
The problem I am facing happens during installation of OpenBSD 4.2
-release, -stable, or -current as of January 1st (both amd64 and i386).
I can very easily reproduce this issue every time. I've been testing for
the last 48 hours, and can confirm that it never happens on 4.0 or 4.1.
It happens with SATA drives, never with PATA. See the dmesg with SATA at
the bottom (dmesg is for -stable, no custom changes otherwise).

Firstly, while I try to upgrade my 4.1/amd64 box to 4.2/amd64, the
upgrade script tries to fsck /dev/wd0a, but gives me the following:

wd0a: id not found reading fsbn 128 of 128 143 (wd0 bn 8755093022399; cn
547... tn 80 sn 4), retrying
wd0: transfer error, downgrading to Ultra: DMA mode 4

It downgrades down to DMA mode 2, finally gives up as FAILED, and
instructs me to fsck manually (which doesn't work either).

And, disklabel output at this point looks strange:

#size   offset  fstype [fsize bsize  cpg]
  a:  40365128755093022271  4.2BSD  0 0  256 

The expected offset for partition a is of course 63. (disklabel in
4.2/i386 does the same too.)

Just to confirm my observations, I managed to replace disklabel binary
of 4.2 installation (in /sbin of rd0a) with the one from 4.1, and it
does not have this issue.

4.2 disklabel behaves the same in install mode too. I mean, if I give up
on upgrade (which is every time) and choose to install instead, after I
drop to disklabel editor, and print the existing partitions, I see
exactly the same huge number as the offset. But the difference is that
if I continue with install without changing anything in disklabel
editor, newfs cannot format the partition, and gives me the same id not
found... downgrading ... DMA mode to... errors as above, and finally
gives up.

Therefore, the only way to install 4.2 (on my system with SATA HD
already partitioned) is to zero out the partition table and recreate all
the partitions in disklabel editor, and everything works fine
thereafter.

If this issue did happen with 4.0 and 4.1 too, then I could blame my
hardware (perhaps nvidia chipset). But upgrading from 4.0 to 4.1 is
fine. Up/downgrading from 4.2 to again 4.2 works fine too. And,
otherwise this system has been running fine for more than a year now.

Also, trying to *fake* downgrade from 4.2 to 4.1 fails during fsck (did
not really downgrade, just wanted to test disklabel, fsck, mount, and
newfs of 4.1). But downgrade from 4.2 to 4.0 seems to fsck fine.

I have tried with many different partitioning, enabled/disabled IDE and
SATA ports in bios, and used install42.iso (-release), cd42.iso
(snapshot), etc.

disklabel output after first boot seems fine, i.e. the issue I am
reporting is only during installation of 4.2.

I have seen that there are major changes to disklabel (and related
tools) since June. Could this issue be related to those?

I would appreciate any help. I can file a bug report if this is really a
bug.

(I myself have tried a patch before submitting this post, namely, a
typecast to u_int64_t for the starting_sector in find_bounds() in
editor.c, but it did not fix the disklabel offset. Lines 1649 and 1650
in -stable.)

OpenBSD 4.2-stable (STABLE) #6: Sun Dec  2 17:51:00 EET 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/STABLE
real mem = 1073278976 (1023MB)
avail mem = 1030926336 (983MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.3 @ 0xf (75 entries)
bios0: vendor Phoenix Technologies, LTD version ASUS A8N5X ACPI BIOS
Revision 1003 date 06/01/2006
bios0: ASUSTeK Computer INC. A8N5X
acpi at mainbus0 not configured
cpu0 at mainbus0: (uniprocessor)
cpu0: AMD Athlon(tm) 64 Processor 3700+, 2211.58 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB
64b/line 16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully
associative
cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully
associative
cpu0: AMD erratum 89 present, BIOS upgrade may be required
cpu0: Cool'n'Quiet K8 2211 MHz: speeds: 2200 2000 1800 1000 MHz
pci0 at mainbus0 bus 0: configuration mode 1
NVIDIA nForce4 DDR rev 0xa3 at pci0 dev 0 function 0 not configured
pcib0 at pci0 dev 1 function 0 NVIDIA nForce4 ISA rev 0xa3
nviic0 at pci0 dev 1 function 1 NVIDIA nForce4 SMBus rev 0xa2
iic0 at nviic0
iic1 at nviic0
pciide0 at pci0 dev 6 function 0 NVIDIA nForce4 IDE rev 0xf2: DMA,
channel 0 configured to compatibility, channel 1 configured to
compatibility
pciide0: channel 0 disabled (no drives)
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: HL-DT-ST, CD-RW GCE-8527B, 1.02 SCSI0
5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
pciide1 at pci0 dev 7 function 0 NVIDIA nForce4 SATA rev 0xf3: DMA
pciide1: using irq 11 for native-PCI interrupt
pciide2 at pci0 dev 8 

Re: FAM issue; how to fix

2007-11-19 Thread Soner Tari
On Sat, 2007-11-17 at 07:56 -0800, badeguruji wrote:
 Nov 16 22:43:23 myopenbsdpc famd[1183]: kqueue can't monitor more than 886 
 files

Setting 'kern.maxfiles=1' in sysctl.conf has solved that issue in my
case. (But I still have problems with files on mounted ext3 partitions.)



Re: how to create cdrom42.fs?

2007-11-08 Thread Soner Tari
On Wed, 2007-11-07 at 13:45 -0500, Steve Shockley wrote:
 The drivers are in bsd.rd, not in the floppy image specifically.  The 
 other images just have smaller bsd.rd files so they fit on a floppy. 
 Try using cdbr as the boot record in no emulation, and put cdboot in the 
 root directory of the CD.

As has become usual, you are right. I've tried as you suggested, and
it works (I didn't really install, but booted the system up with that CD
and dropped to shell, this should be enough evidence). Thank you.

Here is my mkhybrid line, I would welcome other suggestions you might
have ($BOOT_IMG is now cdbr per your suggestion):

mkhybrid -f -l -J -T -r -L \
-c boot.catalog \
-sysid $SYS_ID \
-p $PREP_ID \
-P $PUBLISH_ID \
-V $VOL_ID \
-A $APP_ID \
-b $BOOT_IMG \
-o $ISO_FILE \
$SRC_PATH

(I need to follow symlinks and allow leading dots.)



Re: apm -S freezes the laptop

2007-11-07 Thread Soner Tari
My situation is a bit different. Because it seems like apm -S just
blanks the screen, and pressing the power button shuts down the system
immediately (of course, I get fsck on bootup, etc).

If I enter apm -z, the system looks like really suspending, i.e. screen
blanks, the system spends some time and finally shuts itself down, and
power led starts to blink as it should (this sequence of events is
exactly the same on Windows or Linux on the same laptop).

But after that I cannot wake it up. Pressing the power button does not
do anything, nor do the other buttons. In fact, I have to unplug the
system to wake it up (my battery died years ago). And when it wakes up
it behaves like I did apm -S instead with blank screen, no boot-up bios
strings at all (thus, go to first paragraph to see what happens).

Since it seems like apm -z works during suspending (?), I am hopeful.
It's like while suspending the bios should be instructed as to which
button-press (or event) to wake up with. I don't know how apmd/apm
works/suspends, but can I fix this issue somehow? Any hope? I am willing
to test/implement.

Btw, halt -p works without powerdown hack in sysctl.conf, and apmd
otherwise seems to be running fine in cool running mode, it adjusts the
CPU speed according to load, etc. So I am really hopeful.

Here is my dmesg:

OpenBSD 4.2 (GENERIC) #375: Tue Aug 28 10:38:44 MDT 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Mobile Intel(R) Pentium(R) 4 - M CPU 1.80GHz (GenuineIntel
686-class) 1.80 GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID
real mem  = 535846912 (511MB)
avail mem = 510488576 (486MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 10/15/02, BIOS32 rev. 0 @ 0xfd880,
SMBIOS rev. 2.31 @ 0xd8010 (37 entries)
bios0: vendor vpr Matrix, Inc. version 03AB date 10/15/02XX
bios0: vpr Matrix, Inc. 120-180B5
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xfd880/0x780
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf40/160 (8 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82371FB ISA rev
0x00)
pcibios0: PCI bus #4 is the last bus
bios0: ROM list: 0xc/0x1 0xd/0x4000 0xd8000/0x4000!
0xdc000/0x4000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82845 Host rev 0x04
ppb0 at pci0 dev 1 function 0 Intel 82845 AGP rev 0x04
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 ATI Radeon Mobility M7 LW rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
uhci0 at pci0 dev 29 function 0 Intel 82801CA/CAM USB rev 0x02: irq 11
uhci1 at pci0 dev 29 function 1 Intel 82801CA/CAM USB rev 0x02: irq 11
uhci2 at pci0 dev 29 function 2 Intel 82801CA/CAM USB rev 0x02: irq 10
ppb1 at pci0 dev 30 function 0 Intel 82801BAM Hub-to-PCI rev 0x42
pci2 at ppb1 bus 2
cbb0 at pci2 dev 3 function 0 Ricoh 5C475 CardBus rev 0xb8: irq 11
Ricoh 5C551 Firewire rev 0x00 at pci2 dev 3 function 1 not configured
cbb1 at pci2 dev 7 function 0 TI PCI1410 CardBus rev 0x01: irq 11
fxp0 at pci2 dev 8 function 0 Intel PRO/100 VE rev 0x42, i82562: irq
10, address 00:00:f0:76:85:9e
inphy0 at fxp0 phy 1: i82562ET 10/100 PHY, rev. 0
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 3 device 0 cacheline 0x0, lattimer 0x20
pcmcia0 at cardslot0
cardslot1 at cbb1 slot 1 flags 0
cardbus1 at cardslot1: bus 4 device 0 cacheline 0x0, lattimer 0x20
pcmcia1 at cardslot1
ichpcib0 at pci0 dev 31 function 0 Intel 82801CAM LPC rev 0x02: 24-bit
timer at 3579545Hz: SpeedStep
pciide0 at pci0 dev 31 function 1 Intel 82801CAM IDE rev 0x02: DMA,
channel 0 configured to compatibility, channel 1 configured to
compatibility
wd0 at pciide0 channel 0 drive 0: SAMSUNG MP0804H
wd0: 16-sector PIO, LBA48, 76351MB, 156368016 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: SAMSUNG, CDRW/DVD SN-308B, U021 SCSI0
5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
ichiic0 at pci0 dev 31 function 3 Intel 82801CA/CAM SMBus rev 0x02:
irq 10
iic0 at ichiic0
auich0 at pci0 dev 31 function 5 Intel 82801CA/CAM AC97 rev 0x02: irq
10, ICH3 AC97
ac97: codec id 0x43525934 (Cirrus Logic CS4299 rev 4)
ac97: codec features headphone, 20 bit DAC, 18 bit ADC, Crystal Semi 3D
audio0 at auich0
Intel 82801CA/CAM Modem rev 0x02 at pci0 dev 31 function 6 not
configured
usb0 at uhci0: USB revision 1.0
uhub0 at usb0: Intel UHCI root hub, rev 1.00/1.00, addr 1
usb1 at uhci1: USB revision 1.0
uhub1 at usb1: Intel UHCI root hub, rev 1.00/1.00, addr 1
usb2 at uhci2: USB revision 1.0
uhub2 at usb2: Intel UHCI root hub, rev 1.00/1.00, addr 1
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: 

Re: how to create cdrom42.fs?

2007-11-07 Thread Soner Tari
On Tue, 2007-11-06 at 19:42 -0500, Steve Shockley wrote:
> Take a look at
> http://www.openbsd.org/cgi-bin/cvsweb/src/distrib/amd64/ramdisk_cd/Makefile?rev=1.3&content-type=text/x-cvsweb-markup
> 
> It looks like if you comment out the NOFS line it'll generate the 
> cdromXX.fs file.  I did not test this.

You are exactly right Steve, thanks. I've just generated cdrom42.fs for
amd64, following your suggestion.

> Why not just use cdbr and cdboot?  Unless you actually have a 2.88mb 
> floppy drive.

I need to create a custom CD image with cdromXY.fs. The only candidate
replacement was floppy42.fs, and it seems to work. But unlike
floppyXY.fs, cdromXY.fs is supposed to contain almost all of the updated
drivers:

cdrom42.fs  The amd64 boot and installation 2.88MB
floppy image that contains almost all OpenBSD
drivers; ...

In any case, there is no problem now. Thanks again.



Gnome 2.18 bytecode renderer enabled, but still ugly aliased fonts

2007-11-06 Thread Soner Tari
I am running Gnome 2.18 on 4.2-release. Thanks again to all those who
worked on this port. It's quite stable and functional.

I want to use Tahoma as my ui font, and have disabled anti-aliasing
using gnome-font-properties. Also, I have undef'd
TT_CONFIG_OPTION_NO_INTERPRETER (thus enabled the bytecode renderer) by
removing the relevant patch, which disables it, from the freetype-1.3.1
patches directory, then ran make install for freetype.

But Tahoma (and other similar fonts) still looks ugly. Do I need to do
anything else? Could somebody help?



Re: Gnome 2.18 bytecode renderer enabled, but still ugly aliased fonts

2007-11-06 Thread Soner Tari
On Tue, 2007-11-06 at 20:12 +0100, Jonathan Schleifer wrote:
> > But Tahoma (and other similar fonts) still looks ugly. Do I need to
> do
> > anything else? Could somebody help?
> 
> Disable the autohinter.

Thanks Jonathan, that was it. (For the record, I've disabled autohinter
in its conf file under /etc/fonts/conf.d)



Re: how to create cdrom42.fs?

2007-11-06 Thread Soner Tari
On Tue, 2007-11-06 at 23:06 +0100, ropers wrote:
> On 06/11/2007, 23e7 [EMAIL PROTECTED] wrote:
> > Hi,
> > anything script?
> > 
> > --
> > Best Regards,
> > No.23
> 
> http://marc.info/?t=11939458983&r=1&w=2

I guess that's not what the OP was asking for. However, there is a
cdrom42.fs in cdemu42.iso for i386. But I also need the one for amd64,
so I am looking for ways to create it myself too.



Re: Web configure Firewall

2007-10-09 Thread Soner Tari
On Tue, 2007-10-09 at 10:51 +0530, Siju George wrote:
 Anyone knows if there is a mailinglist for comixwall?
 I am facing a few issues with it :-(

Anyone is welcome to e-mail me about issues: soner at comixwall.org

However, the IP address of the project is from dynamic pool. Gmail and
some other e-mail giants consider e-mails from such IPs as spam.
Otherwise, I had promptly replied to your previous web enquiry and to many
others' too.

Please see the project web site for a news article about user questions.
The mailing list is mentioned in the same article too.

(If you are experiencing failed login issues on the web interface,
please see the same article.)



Re: uvm_fault on Asus M2V-MX

2007-08-13 Thread Soner Tari
Just for the record, I've been able to obtain a stable bios
configuration. See the dmesg output below. I've realized that the
problems I've been experiencing (uvm_fault previously, and strange
unexpected reboots during boot-ups recently) are related to the audio
configuration in bios settings. If I disable the audio (which is totally
useless in my case), the system becomes unstable. So I left it enabled,
and now everything seems fine and quite stable.

Thanks for the replies,

OpenBSD 4.1 (GENERIC.MP) #1152: Sat Mar 10 19:22:57 MST 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 1039446016 (1015084K)
avail mem = 878047232 (857468K)
using 22937 buffers containing 104153088 bytes (101712K) of memory
mainbus0 (root)
bios0 at mainbus0: SMBIOS rev. 2.3 @ 0xf0740 (51 entries)
bios0: ASUSTeK Computer INC. M2V-MX
acpi at mainbus0 not configured
mainbus0: Intel MP Specification (Version 1.1)
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+, 2200.29 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB
64b/line 16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully
associative
cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully
associative
cpu0: apic clock running at 199MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+, 2200.00 MHz
cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu1: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB
64b/line 16-way L2 cache
cpu1: ITLB 32 4KB entries fully associative, 8 4MB entries fully
associative
cpu1: DTLB 32 4KB entries fully associative, 8 4MB entries fully
associative
mpbios: bus 0 is type PCI   
mpbios: bus 1 is type PCI   
mpbios: bus 2 is type PCI   
mpbios: bus 3 is type PCI   
mpbios: bus 4 is type PCI   
mpbios: bus 5 is type PCI   
mpbios: bus 6 is type ISA   
ioapic0 at mainbus0 apid 2 pa 0xfec0, version 3, 24 pins
ioapic1 at mainbus0 apid 3 pa 0xfecc, version 3, 24 pins
pci0 at mainbus0 bus 0: configuration mode 1
pchb0 at pci0 dev 0 function 0 VIA K8M890 Host rev 0x00
pchb1 at pci0 dev 0 function 1 VIA K8M890 Host rev 0x00
pchb2 at pci0 dev 0 function 2 VIA K8M890 Host rev 0x00
pchb3 at pci0 dev 0 function 3 VIA K8M890 Host rev 0x00
pchb4 at pci0 dev 0 function 4 VIA K8M890 Host rev 0x00
VIA K8M890 IOAPIC rev 0x00 at pci0 dev 0 function 5 not configured
pchb5 at pci0 dev 0 function 6 VIA K8M890 Host rev 0x00
pchb6 at pci0 dev 0 function 7 VIA K8M890 Host rev 0x00
ppb0 at pci0 dev 1 function 0 VIA K8HTB AGP rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 VIA DeltaChrome Video rev 0x11
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb1 at pci0 dev 2 function 0 VIA K8T890 PCI-PCI rev 0x00
pci2 at ppb1 bus 2
ppb2 at pci0 dev 3 function 0 VIA K8T890 PCI-PCI rev 0x00
pci3 at ppb2 bus 3
pciide0 at pci0 dev 15 function 0 VIA VT8237A SATA rev 0x80: DMA
pciide0: using apic 2 int 21 (irq 5) for native-PCI interrupt
wd0 at pciide0 channel 0 drive 0: WDC WD2500JS-22NCB1
wd0: 16-sector PIO, LBA48, 238475MB, 488397168 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
pciide1 at pci0 dev 15 function 1 VIA VT82C571 IDE rev 0x07: DMA,
channel 0 configured to compatibility, channel 1 configured to
compatibility
pciide1: channel 0 disabled (no drives)
pciide1: channel 1 disabled (no drives)
pcib0 at pci0 dev 17 function 0 VIA VT8237A ISA rev 0x00
pchb7 at pci0 dev 17 function 7 VIA VT8251 VLINK rev 0x00
ppb3 at pci0 dev 19 function 0 VIA VT8237A PCI-PCI rev 0x00
pci4 at ppb3 bus 4
azalia0 at pci4 dev 1 function 0 VIA HD Audio rev 0x10: apic 2 int 17
(irq 5)
azalia0: host: High Definition Audio rev. 1.0
azalia0: codec: 0x04x/0x10ec (rev. 0.2), HDA version 1.0
audio0 at azalia0
ppb4 at pci0 dev 19 function 1 VIA VT8237A PCI-PCI rev 0x00
pci5 at ppb4 bus 5
vr0 at pci5 dev 7 function 0 VIA VT6105 RhineIII rev 0x86: apic 2 int
17 (irq 5), address 00:08:54:3c:b4:00
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 4: OUI
0x004063, model 0x0034
rl0 at pci5 dev 9 function 0 Realtek 8139 rev 0x10: apic 2 int 20 (irq
3), address 00:1b:fc:1b:34:fe
rlphy0 at rl0 phy 0: RTL internal PHY
pchb8 at pci0 dev 24 function 0 AMD AMD64 HyperTransport rev 0x00
pchb9 at pci0 dev 24 function 1 AMD AMD64 Address Map rev 0x00
pchb10 at pci0 dev 24 function 2 AMD AMD64 DRAM Cfg rev 0x00
pchb11 at pci0 dev 24 function 3 AMD AMD64 Misc Cfg rev 0x00
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console 

Re: uvm_fault on Asus M2V-MX

2007-08-12 Thread Soner Tari
I actually only add some packages in the install.site script. During my 3-4
trials I got the uvm_fault error on one of the following lines:

pkg_add php5-mysql-5.1.6p1.tgz 2>&1 | tee -a $LOG_FILE
pkg_add php5-pear-5.1.6p0.tgz 2>&1 | tee -a $LOG_FILE
/usr/local/sbin/phpxs -s 2>&1 | tee -a $LOG_FILE
/usr/local/sbin/phpxs -a mysql 2>&1 | tee -a $LOG_FILE

I'll do what Pierre suggested first thing in the morning (the system is
at the workplace). Probably the faulty RAM theory can explain the fact that I
was getting this error almost exactly on the same lines above (i.e.
shared memory usage reaches the same faulty RAM location around php5
install, a wild guess...).

On Sun, 2007-08-12 at 21:35 +0200, Joachim Schipper wrote:
> Where in the installation? Try running it with sh -x, or
> 
> #!/bin/sh -x
> 
> (I'd try what Pierre proposed first, unless your script does odd things
> - tweaking the write cache on the disks, or somesuch.)



uvm_fault on Asus M2V-MX

2007-08-11 Thread Soner Tari
Today I was trying to install OpenBSD/amd64 4.1 GENERIC on a system with
the following motherboard:
http://www.asus.com/products4.aspx?modelmenu=2&model=1418&l1=3&l2=101&l3=324&l4=0

But during installation I got the following blue lines (which I've noted
on a piece of paper by hand):

uvm_fault (0xfe80 0a2de810, 0x7f8000267000, 0, 1) -> e
fatal page fault in supervisor mode
trap type 6 code 0 rip 802540a7 cs 8 vflags 10216 cr2
7f8000267fb0 cpl1 0 rsp 800067015c80
syncing discs ...done

At which time the system halts, or becomes unresponsive. (Actually, this
error occurs during my custom install script, in site41.tgz, after usual
OpenBSD installation finishes.)

I was suspicious about pciide, but VIA 8237A is in the supported
hardware list.

So I've installed OpenBSD on the same HD, but now on another hardware,
then inserted the HD back into this system again, but after a couple of
services start, I got another uvm_fault error (it's similar but not the
same, if I recall correctly), and the system hangs.

Some of the other parts are: Athlon64 4200+ X2, Kingston 1GB RAM, WD
250GB SATA2 HD.

I've disabled many options in the bios, but nothing changed. If I cannot
find a solution, the board will be returned.

Does anybody else use this motherboard too? Do you have any problems? If
you had a similar issue, how did you fix it, any special bios settings?
What could be the source of the uvm_fault error: motherboard, RAM, or
even the processor itself?

Otherwise I have installed OpenBSD with my custom script on other amd64
hardware without major problems.

I would appreciate any help.



Re: Spamd variation

2007-06-12 Thread Soner Tari
From what I understand from the post, you are suggesting a scheme
similar to what snort2pf is doing for snort and pf. In layman's terms,
when snort issues an alert, snort2pf informs pf about the attacker's IP,
and pf takes an action. AFAIK, this is currently the only way to convert
snort from an IDS into an IPS on OpenBSD (snort inline works only on
Linux, if I'm not mistaken).

Similarly, when SpamAssassin or DSPAM determine that an e-mail is spam,
(again in layman's terms) they inform spamd about the spammer's IP and
thereafter that IP is handled by spamd. Please be aware that this scheme
does not require any change to spamd's functioning. And if implemented, it
could save processing resources of the system, because the spammers
which are not in any blacklist could be dynamically added to the spamd
blacklists and could not reach content scanners like SpamAssassin and
DSPAM, which are much more expensive in terms of processing resources.

Probably a simple shell script could do the job, which would look at
SpamAssassin logs to find out the spam score and IP address, and insert
into spamd blacklists as necessary. The only caveat is that threshold
spam score for blacklisting should be kept very high to prevent
inserting false positives into spamd blacklist.

In my experience spamd is very successful, but SpamAssassin catches some
spam e-mails that spamd misses occasionally. (After all, OpenBSD
maillists also use both, see http://www.openbsd.org/mail.html).

Please correct me if I am wrong, but I believe the OP's point was missed
in the other replies. I also would like to know what people at misc@
think about such a scheme.

On Tue, 2007-06-12 at 03:04 -0700, Praveen wrote:
> Hi,
> From the man page it appears that spamd relies on 
> static information about spam originators.
> Why not a more dynamic scheme ?.
> 
> Why not run the content of the mail through a spam
> detector (like dspam), find the spam score and make
> decisions based on that. I know that spam detection
> is nowhere near perfect but it can be used for
> assigning a 'badness score' to a site(originator of
> email). So a site keeps getting this score and the
> average (per msg) exceeds a we black list the site for
> fixed duration. Similarly for white listing.
> 
> 'Badness score' and also be assigned for other things,
> like trying to send to non-existent user (a typical
> spammer probe), absence of mx entry etc.
> 
> 
> A milter(sendmail/postfix) can be implemented for
> this.
> Thus decisions will be more dynamic and 'configuration
> free'.
> 
> Does this sound reasonable ?
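
A sketch of the log-driven scheme described in the reply above, as an added example that is not part of the original post: it parses constructed SpamAssassin-style score lines, applies a deliberately high blacklisting threshold, skips senders that have also delivered ham, and emits (but does not run) the pfctl commands that would put the surviving addresses in the spamd pf table. The from=<ip> suffix on the log lines is a hypothetical local logging convention, since stock SpamAssassin score lines do not carry the client IP, and the <spamd> table name is assumed from the spamd FAQ of that era.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log for this example. Stock SpamAssassin "identified
# spam" lines do not carry the connecting client IP; here we assume a
# hypothetical local logging setup that appends it as "from=<ip>" so one
# line holds both the score and the originator. Public addresses are from
# the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jun 12 10:01:03 mx spamd[1234]: identified spam (21.4/5.0) for user:1001 in 1.2 seconds from=198.51.100.23
Jun 12 10:01:09 mx spamd[1234]: clean message (-1.2/5.0) for user:1001 in 0.8 seconds from=203.0.113.7
Jun 12 10:02:15 mx spamd[1234]: identified spam (16.0/5.0) for user:1002 in 1.1 seconds from=203.0.113.7
Jun 12 10:03:44 mx spamd[1234]: identified spam (33.0/5.0) for user:1001 in 1.4 seconds from=198.51.100.23
Jun 12 10:04:02 mx spamd[1234]: identified spam (18.1/5.0) for user:1003 in 1.0 seconds from=192.0.2.9
Jun 12 10:04:30 mx spamd[1234]: identified spam (99.0/5.0) for user:1003 in 0.9 seconds from=10.0.0.5
Jun 12 10:05:00 mx spamd[1234]: connection from 127.0.0.1 [127.0.0.1]:5123 to port 783, fd 5
"""

# "(score/required)" as SpamAssassin prints it, then the assumed from=<ip>.
LINE_RE = re.compile(
    r"\((?P<score>-?\d+(?:\.\d+)?)/(?P<required>\d+(?:\.\d+)?)\)"
    r".*?\bfrom=(?P<ip>[0-9A-Fa-f.:]+)\s*$"
)

# Never trap addresses that can only be our own infrastructure. Kept short
# on purpose; extend it with your own MTA, relay and forwarder addresses.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def parse_scores(log_text):
    """Map each originator IP to the (score, required) pairs seen for it."""
    scores = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a scored-message line, or a format we do not know
        try:
            ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # garbage after from=; skip rather than guess
        scores[m.group("ip")].append(
            (float(m.group("score")), float(m.group("required"))))
    return dict(scores)


def _addr_key(ip):
    addr = ipaddress.ip_address(ip)
    return (addr.version, addr)


def select_blacklist(scores, threshold=15.0):
    """Return the originators worth handing to spamd, sorted as addresses.

    Two guards against false positives: the blacklisting threshold sits far
    above SpamAssassin's own required score, and any sender that has also
    delivered a message below the required score (i.e. ham) is skipped,
    since that points at a shared relay or forwarder rather than a spammer.
    """
    chosen = []
    for ip, hits in scores.items():
        if is_local(ip):
            continue
        if max(score for score, _ in hits) < threshold:
            continue
        if any(score < required for score, required in hits):
            continue
        chosen.append(ip)
    return sorted(chosen, key=_addr_key)


def pfctl_commands(ips, table="spamd"):
    """pfctl(8) invocations that add the addresses to the spamd pf table.

    The table name follows the <spamd> table from the spamd FAQ; adjust it
    to whatever your pf.conf declares. Commands are returned, not executed,
    so they can be reviewed or logged before anything is blocked.
    """
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]


if __name__ == "__main__":
    for cmd in pfctl_commands(select_blacklist(parse_scores(SAMPLE_LOG))):
        print(cmd)
```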



spamd-setup: pfctl: Cannot allocate memory

2007-06-07 Thread Soner Tari
Hi All,

According to http://www.openbsd.org/spamd/ I have added a couple of new
blacklists to my original spamd.conf, previously I had only spews1,
china, and korea, and there was no problem. But now pfctl gives me an
error:

# /usr/libexec/spamd-setup -d
Getting http://www.openbsd.org/spamd/spews_list_level1.txt.gz
blacklist spews1 14482 entries
Getting http://www.openbsd.org/spamd/spews_list_level2.txt.gz
blacklist spews2 18103 entries
Getting http://www.openbsd.org/spamd/chinacidr.txt.gz
blacklist china 431 entries
Getting http://www.openbsd.org/spamd/koreacidr.txt.gz
blacklist korea 270 entries
Getting http://www.openbsd.org/spamd/traplist.gz
blacklist uatraplist 45380 entries
Getting http://www.openbsd.org/spamd/nixspam.gz
blacklist nixspam 39983 entries
# pfctl: Cannot allocate memory.

I know that there's not much shared memory in my system (and it's a slow
machine), but there is plenty of swap area. While this command was
running, I was watching shared memory and swap usage with top, and I
saw that the kernel starts swapping and frees up as much as 20MB of shared
memory, so spamd-setup fetches the lists successfully, but pfctl
complains at the end (probably the kernel cannot swap anything out anymore).

To test whether shared memory is the problem: if I stop httpd running on
the same system, thus freeing at least 30MB of RAM, spamd-setup (and pfctl
at the end) runs without any problem with all the blacklists enabled.

To avoid this issue I have to disable uatraplist and nixspam, which are
obviously very large lists.

Is there anything I can do in this case? (Other than stopping httpd, for
example, during each spamd-setup run, or installing more RAM, which is
out of the question.)

Relevant head of dmesg may be:

OpenBSD 4.0 (GENERIC) #1107: Sat Sep 16 19:15:58 MDT 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium/MMX (GenuineIntel 586-class) 166 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,MMX
cpu0: F00F bug workaround installed
real mem  = 100233216 (97884K)
avail mem = 83529728 (81572K)

OT: btw, I'm using www.openbsd.org to download these lists, because I've
checked at least a couple of mirrors, they don't have them. I hope
that's ok.



Re: q

2007-04-21 Thread Soner Tari
I guess the OP means, for example, Ubuntu-like setting, where there is a
root account of course but you cannot log in as root (actually, you can
drop to root shell in single user mode or by sudo -i). I believe this
hopefully serves the purpose of preventing the habit of system admins to
log in as root, thus can protect the system from inadvertent behaviour
on the command line (and perhaps GUI too). Probably nothing else in
practice.



how to configure bridge interface [WAS: snort any interface]

2007-04-09 Thread Soner Tari
I cannot see any traffic on bridge0 with tcpdump -i bridge0, so that's
why I don't see any alerts on snort.

My physical interfaces are already configured and have their own IP
addresses. I need to assign different IPs to all 3 cards (LAN, WAN1,
WAN2). And here is what I run on the command line to create a bridge
interface (to use as a pseudo interface on snort command line for
monitoring):

ifconfig bridge0 create
brconfig bridge0 add vr0 add rl0 add nfe0 up

Am I not supposed to see the traffic on all of the physical interfaces
(vr0, fxp0, nfe0) using tcpdump on bridge0? (I've tried with pf disabled
too.)

Perhaps this is not possible at all with bridge interfaces? If so, how do
I achieve such a monitoring interface? Any comments please?

(Please note: this issue is important to be able to run only a single
instance of snort on multiple NICs. Otherwise, 3 instances of snort
really stretches the shared memory.)



snort any interface and 2.6.1.4 mysql problem

2007-04-08 Thread Soner Tari
Hi All,

I have more than one interface I need to monitor with snort. I've read
http://www.snort.org/docs/faq/1Q05/node35.html. To do that, I've created
bridge0 and added both interfaces. Since I need to assign IP addresses
to each interface, I could not just up the interfaces and add them to
the bridge. Perhaps that's the reason, but I don't see alarms triggered
with -i bridge0 (snort warns that no IP is assigned to bridge0 anyways).
Do I need to do anything else?

Using 0.0.0.0 or any as HOME_NET (as mentioned somewhere) doesn't help
at all.

Perhaps http://www.monkey.org/openbsd/archive/misc/0203/msg01194.html
could be helpful, but I can't see how.

I couldn't find how to create an any interface on OpenBSD, I would
appreciate any links/comments. Otherwise, what I do is to run multiple
instances of snort for each interface, which wastes my shared memory.

Also, I've compiled 2.6.1.4 mysql enabled, but for some reason snort
complains that it cannot connect to mysql via mysql.sock file. But on
the same system I don't have any problem connecting to mysql using
mysql-enabled 2.4.5 package, so I don't believe there is any problem
with my mysql settings or file permissions (I cannot use 2.4.5-mysql due
to timestamp problems I mentioned on another post). To make sure I'm not
doing anything wrong, I've modified the ports Makefile and compiled
using ports, but I have the same problem.

Isn't it enough to configure snort with --with-mysql? And if the build
is successful, what can be wrong?

I'm sorry if I'm asking too many snort related questions.
Thanks,



snort alert timestamps are close to random

2007-04-06 Thread Soner Tari
I'm running snort on OpenBSD 4.0 amd64. I've tried 2.4.5 among the
packages, and built 2.6.1.4 from the source (are there any special
configure options I should use?). Also I've tried many combinations of
rules: registered user, community and bleeding-edge rules. The same
result.

For example, when I run nmap for the TargetIP, TCP Portscan alert logs
report the datetime as follows (only the timestamp lines are shown):

04/05-15:55:09.000174 SrcIP -> TargetIP
04/05-20:14:48.000174 SrcIP -> TargetIP
04/06-06:11:01.000174 SrcIP -> TargetIP
04/05-19:09:59.000169 SrcIP -> TargetIP
04/06-00:22:37.000174 SrcIP -> TargetIP

The datetime was around 11:48 AM on Apr 06, +/-2mins for each nmap run
(order of runs is as shown).

Granted the date is within 24 hours, but apparently the hour is, well,
random.

If I use tcpdump style logs, I see that the datetimes reported there are
correct.

Also, I've used BASE, it reports Timestamp as all 0's. But I deem that
this may be due to something else, probably the database time format, I
don't know. (To be exact, I've used and built both plain and mysql
versions of snort, with the same result.)

Could somebody tell me what I may be doing wrong? Any links I wasn't
able to find?

Thanks,



where to download IOBSD iso?

2007-04-01 Thread Soner Tari
Well, I'm surprised nobody has mentioned here this year's joke (or have
I missed those posts?). Only two drivers written, in the last two
months! rocks, but I'm especially amazed that you guys have really paid
for the iobsd.org domain name just to crack a joke on April fool's
day :).

I just wanted to be this year's fool of the day, thanks :). (Where I
live it's April 2nd now, so officially I'm not a fool.)



Re: SIP on OpenBSD

2007-02-14 Thread Soner Tari
On Tue, 2007-02-13 at 11:09 +0100, Claudio Jeker wrote:
> The only problem is that we don't support zaptel. It is an incredibly ugly
> interface that only works with the digium cards that are not supported.

Head of the ftp://ftp.sangoma.com/OpenBSD/current_wanpipe/README reads:

Future release: Wanpipe version
--
o Support Asterisk interface.

Nov 23, 2006: wanpipe version - 1.6.5-8 (wanpipe-1.6.5-8.tgz)
--
[...]
o Support OpenBSD-4.0 kernel

Therefore, I am hoping to have Asterisk+Sangoma cards running on OpenBSD
sooner than most people are expecting. (Meaning that we won't need
zaptel/libpri drivers.)

FYI.



Re: destination-port-based routing for multiple links

2007-01-29 Thread Soner Tari
Thanks a lot for all the replies, public and private (especially Berk
for detailed explanations). It turns out that my nat rule was not
complete/correct (just as all of the replies had implied this
possibility).

So, for the record, the rules I'm using right now are as follows, and
work perfectly:

nat on $ext_if1 proto tcp from self to any port smtp \
tag IF2 -> ($ext_if2)

pass out log quick on $ext_if1 route-to ($ext_if2 $ext_gw2) \
tagged IF2 keep state

Thanks again for the great community support.



destination-port-based routing for multiple links

2007-01-28 Thread Soner Tari
Hi All,

I'm running Postfix on OpenBSD and have multiple external links on the
same box. I want outgoing smtp connections to be routed to ext_if2, but
the rest to ext_if1. To achieve this, default route being ext_if1, I
tried a couple of things:

pass out log quick route-to ($ext_if2 $ext_gw2) \
   proto tcp to any port smtp user _postfix keep state

Looking at pflog, this rule really tries to send packets to ($ext_if2
$ext_gw2), but e-mails cannot be relayed (for some reason pflog reports
that it duplicates the packets). I wasn't too hopeful anyway per the
description of route-to in pf faq. Then again, this rule summarizes what
I'm trying to achieve. (Or is this rule supposed to work, and I'm doing
something else wrong?)

The other option would be to set the default route to ($ext_if2
$ext_gw2), but that's not what I want.

I use route-to successfully for connections originating behind the
firewall, but smtp connections originate from the box itself. I use
reply-to successfully too.

In short, I need something like destination-port-based routing for
multiple links. The situation is not specific to smtp port or Postfix,
I'd like to achieve the same for any port I wish.

What are my options? What can I do in such a case?

(Since I'm out of ideas and since route-to works fine, my only option
otherwise seems like placing another OpenBSD/pf in front of this box,
which I believe would be ugly.)

This is also related to a previous thread on a similar topic.

I would appreciate any help.
Thanks,



Re: destination-port-based routing for multiple links

2007-01-28 Thread Soner Tari
One correction: keep state in the rule prevents the duplicate to
$ext_if2. So to have the duplicate, it should have been like the
following:

pass out log quick route-to ($ext_if2 $ext_gw2) \
   proto tcp to any port smtp user _postfix

Sorry,

On Sun, 2007-01-28 at 13:03 +0200, Soner Tari wrote:
> Hi All,
> 
> I'm running Postfix on OpenBSD and have multiple external links on the
> same box. I want outgoing smtp connections to be routed to ext_if2, but
> the rest to ext_if1. To achieve this, default route being ext_if1, I
> tried a couple of things:
> 
> pass out log quick route-to ($ext_if2 $ext_gw2) \
>    proto tcp to any port smtp user _postfix keep state
> 
> Looking at pflog, this rule really tries to send packets to ($ext_if2
> $ext_gw2), but e-mails cannot be relayed (for some reason pflog reports
> that it duplicates the packets). I wasn't too hopeful anyway per the
> description of route-to in pf faq. Then again, this rule summarizes what
> I'm trying to achieve. (Or is this rule supposed to work, and I'm doing
> something else wrong?)
> 
> The other option would be to set the default route to ($ext_if2
> $ext_gw2), but that's not what I want.
> 
> I use route-to successfully for connections originating behind the
> firewall, but smtp connections originate from the box itself. I use
> reply-to successfully too.
> 
> In short, I need something like destination-port-based routing for
> multiple links. The situation is not specific to smtp port or Postfix,
> I'd like to achieve the same for any port I wish.
> 
> What are my options? What can I do in such a case?
> 
> (Since I'm out of ideas and since route-to works fine, my only option
> otherwise seems like placing another OpenBSD/pf in front of this box,
> which I believe would be ugly.)
> 
> This is also related to a previous thread on a similar topic.
> 
> I would appreciate any help.
> Thanks,



Re: destination-port-based routing for multiple links

2007-01-28 Thread Soner Tari
On Sun, 2007-01-28 at 16:39 -0800, J.C. Roberts wrote:
> On Sunday 28 January 2007 03:03, Soner Tari wrote:
> > I'm running Postfix on OpenBSD and have multiple external links on
> > the same box. I want outgoing smtp connections to be routed to
> > ext_if2, but the rest to ext_if1.
> 
> why?

Because the ext_if2 has a DSL connection which is faster and
symmetrical, and more importantly has a C class IP, which is essential
if you don't want to be considered as a spammer by many MTAs. Not to
mention, one might need to load-balance based on ports.

Other than the smtp port and Postfix, the ability to route based on
destination port may be important for a firewall with multiple external
links in general. Because you might like to route the traffic
originating from the firewall itself to whichever link you wish, such as
those by an http proxy.



Re: multiple external links not working ..

2007-01-23 Thread Soner Tari
Hi, I'm using two external interfaces myself, and I believe I had the
same problem you describe in your message. I bet when you do:

netstat -rnf inet | grep default

you will see that your (ext_if2 ext_gw2) comes on top. Thus, my theory
is that the kernel is preferring your second external interface due to
your routing table (i.e. the order of your default routes).

Since I don't know how to handle this in pf.conf for connections
originating from my firewall, such as an http proxy running on the
firewall, just as in your case too (otherwise route-to and reply-to work
fine), I change my routing table in rc files.

Specifically, I rearrange the order of my default routes to have my
first external interface/gateway on top:

route add default -ifp ext_if1 -mpath ext_gw1
route add default -ifp ext_if2 -mpath ext_gw2

Accordingly, I removed the similar shell commands in hostname.if(5)
files.

Hope this helps,

On Tue, 2007-01-23 at 08:36 -0800, S t i n g r a y wrote:
 Well thanks to everyone who help me coming close to using multiple external 
 links for internet.
 but its still not working, my scenario is that i have 2 ISP's connection  now 
 the main internet connection  is the powerful one which i only want  to use 
 for specific  protocols  which i have defined  in a macro called ports  now 
 rest is supposed to goto to my 2nd internet connection which is a weak  
 cheap connection basically there to allow p2p applications access.
 Main internet is ext_if1 (xl0)
 slow internet is ext_if2 (xl2)
 LAN is int_if (xl1) 
 now the problem is that when ever i apply my pf.conf file all the traffic 
 goes to 2nd slow internet connection.
 
 my pf.conf file
 lan_net = 10.0.0.0/16
 int_if  = xl1
 ext_if1 = xl0
 ext_if2 = xl2
 ext_gw1 = 192.168.0.1
 ext_gw2 = 203.81.235.1
 chadd = 10.0.0.1
 ports =  22 25 53 80 110 119 123 143 443 465 554 900 995 1755 1863
 table allowedclients persist file /etc/allowedclients
 
 nat on $ext_if1 inet proto {tcp, udp } from allowedclients to any port \
 { $ports } - ($ext_if1)
 nat on $ext_if2 inet proto {tcp, udp } from allowedclients to any \
  - ($ext_if2)
 
 rdr on $int_if proto tcp from allowedclients to any port 80 - $chadd port 
 8080
 
 pass out log on $int_if from any to $lan_net
 
 pass in log quick on $int_if from $lan_net to $int_if
 pass in log on $int_if route-to { ($ext_if2 $ext_gw2) } from \
 $lan_net to any flags S/SA keep state
 pass in log on $int_if route-to { ($ext_if1 $ext_gw1) } inet proto tcp from \
 $lan_net to any port {$ports} flags S/SA keep state
 
 pass out log on $ext_if2 proto tcp from any to any flags S/SA modulate state
 pass out log on $ext_if2 proto { udp, icmp } from any to any keep state
 pass out log on $ext_if1 proto tcp from any to any flags S/SA modulate state  
 pass out log on $ext_if1 proto { udp, icmp } from any to any keep state
 
 pass out log on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any 
 pass out log on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
 
 this is what happens
 
 bash-3.1# tcpdump -netti pflog0
 tcpdump: WARNING: pflog0: no IPv4 address assigned
 tcpdump: listening on pflog0, link-type PFLOG
 1169566778.398818 rule 18/(match) pass out on xl2: 203.81.235.185.5698 > 8.7.232.215.80: [|tcp] (DF)
 1169566778.553623 rule 18/(match) pass out on xl2: 203.81.235.185.13550 > 66.249.91.83.80: [|tcp] (DF)
 1169566779.005110 rule 18/(match) pass out on xl2: 203.81.235.185.16245 > 209.0.144.87.80: [|tcp] (DF)
 1169566779.102642 rule 1/(match) pass in on xl1: 10.0.2.41.1601 > 10.0.0.1.8080: [|tcp] (DF)
 1169566779.105302 rule 18/(match) pass out on xl2: 203.81.235.185.5672 > 216.143.70.77.80: [|tcp]
 1169566779.167718 rule 1/(match) pass in on xl1: 10.0.1.24.2402 > 10.0.0.1.8080: [|tcp] (DF)
 1169566779.170640 rule 18/(match) pass out on xl2: 203.81.235.185.11598 > 64.40.101.40.80: [|tcp] (DF)
 1169566779.457058 rule 2/(match) pass in on xl1: 10.0.2.7.2328 > 125.23.47.31.3460: [|tcp] (DF)
 1169566779.457112 rule 21/(match) pass out on xl0: 10.0.2.7.2328 > 125.23.47.31.3460: [|tcp] (DF)
 1169566779.615288 rule 18/(match) pass out on xl2: 203.81.235.185.33595 > 209.0.144.88.80: [|tcp] (DF)
 1169566779.700708 rule 18/(match) pass out on xl2: 203.81.235.185.42575 > 72.14.209.85.80: [|tcp] (DF)
 1169566779.994302 rule 1/(match) pass in on xl1: 10.0.2.8.4265 > 10.0.0.1.8080: [|tcp] (DF)
 1169566780.005425 rule 18/(match) pass out on xl2: 203.81.235.185.31337 > 72.14.209.86.80: [|tcp] (DF)
 1169566780.174899 rule 18/(match) pass out on xl2: 203.81.235.185.27385 > 8.2.96.67.80: [|tcp] (DF)
 1169566780.475037 rule 2/(match) pass in on xl1: 10.0.1.19.138 > 10.0.255.255.138: udp 201
 1169566780.475089 rule 22/(match) pass out on xl0: 10.0.1.19.138 > 10.0.255.255.138: udp 201
 1169566780.652249 rule 18/(match) pass out on xl2: 203.81.235.185.44777 > 8.7.232.215.80: [|tcp] (DF)
 1169566780.884663 rule 1/(match) pass in on xl1: 10.0.2.8.4266 > 10.0.0.1.8080: [|tcp] (DF)
 1169566780.889225 rule 18/(match) 
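When debugging a multipath ruleset like the one above, the first thing to establish from the pflog output is which rule number each flow matched, on which interface, and with which source address (a LAN address or the firewall's own external address). The following script is an added example, not code from the thread: it summarises decoded pflog records in the one-line-per-record format that `tcpdump -netti pflog0` prints, and it assumes only sh, awk and sort. The sample records are constructed from the post above.

```sh
#!/bin/sh
# Added example, not code from the thread: summarise decoded pflog records
# (the format `tcpdump -netti pflog0` prints) by rule number, action,
# direction, interface and source host, so the rule each flow matched is
# visible at a glance. Requires only sh, awk and sort.

# Constructed sample: five records taken from the post above, one per line.
SAMPLE='1169566778.398818 rule 18/(match) pass out on xl2: 203.81.235.185.5698 > 8.7.232.215.80: [|tcp] (DF)
1169566779.102642 rule 1/(match) pass in on xl1: 10.0.2.41.1601 > 10.0.0.1.8080: [|tcp] (DF)
1169566779.457058 rule 2/(match) pass in on xl1: 10.0.2.7.2328 > 125.23.47.31.3460: [|tcp] (DF)
1169566779.457112 rule 21/(match) pass out on xl0: 10.0.2.7.2328 > 125.23.47.31.3460: [|tcp] (DF)
1169566779.615288 rule 18/(match) pass out on xl2: 203.81.235.185.33595 > 209.0.144.88.80: [|tcp] (DF)'

# pflog_summary: read records on stdin and print
#   "COUNT rule N ACTION DIR IFACE from SRCHOST"
# once per distinct combination, ordered by rule number.
pflog_summary() {
    awk '
    $2 == "rule" {
        split($3, r, "/")                     # "18/(match)" -> 18
        iface = $7; sub(/:$/, "", iface)      # "xl2:" -> "xl2"
        src = $8;   sub(/\.[0-9]+$/, "", src) # drop the port, keep the host
        key = "rule " r[1] " " $4 " " $5 " " iface " from " src
        count[key]++
    }
    END { for (k in count) print count[k], k }' | sort -k3,3n -k1,1nr
}

# rule_count N: number of sample records that matched pf rule N.
rule_count() {
    printf '%s\n' "$SAMPLE" | pflog_summary |
        awk -v r="$1" '$3 == r { n += $1 } END { print n + 0 }'
}

# Usage on the firewall itself:  tcpdump -netti pflog0 | pflog_summary
# Here the constructed sample is summarised instead.
printf '%s\n' "$SAMPLE" | pflog_summary
```

Rule numbers in pflog refer to the position in the loaded ruleset; `pfctl -vsr` prints the rules with those numbers, so a summary line such as `2 rule 18 pass out xl2 from 203.81.235.185` can be mapped straight back to the matching `pass out` rule and the address it carried.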

reverse http proxy on OpenBSD (or not)?

2007-01-03 Thread Soner Tari
Hi All,

On my network, ASP sites are served on a Microsoft IIS, and PHP sites
are on OpenBSD Apache, and there is only one Internet connection with a
single IP (all DNS records point to this IP). Since these web servers
run on different hardware/IPs, I need to distribute http requests based
on the requested URL, thus I think I need a reverse http proxy (Q1: am I
right?) running on my firewall (OpenBSD, of course).

So I've found Pound v2.2. I think it works fine, does the job, and is
very simple to configure, with a caveat being that I had to build
openssl again with threads enabled.

I also thought that Apache in reverse proxy mode could do the job, but I
failed to have OpenBSD httpd running in that mode. (Q2: could somebody
point me to a help page which describes how to do that?) (Note that
http://www.apachetutor.org/admin/reverseproxies deals with Apache 2
only. And I'm not sure that would help anyway.)

I could not find another reverse proxy package among OpenBSD
ports/packages (Q3: is there any other reverse proxy package?).

Probably, there is another (or the right) way of doing all this (Q4:
could somebody give any hint?).

Thanks,



Re: reverse http proxy on OpenBSD (or not)?

2007-01-03 Thread Soner Tari
Thanks for all the replies, public and private. They've provided plenty
to work on.



Re: CD orders to Turkey?

2006-12-25 Thread Soner Tari
I've received the CD set today. It's impressive (the most interesting OS
installation CD set I've ever seen :)).

Just for the record, I had placed my order on Nov. 22nd, and the set was
mailed on the 28th. So it was almost a 4-week journey.

(The DVD case is broken at one corner, but I was expecting some damage
all the way from Canada anyways.)

Overall, this was a highly recommended purchase for many reasons.
Cheers,

On Wed, 2006-11-22 at 14:38 +0200, Soner Tari wrote:
 Those who live in Turkey and purchased OpenBSD CDs in the past using the
 ordering web page, did you have any problems with Turkish customs
 processing? Were you able to receive your CDs safe and sound?
 
 Because I'm planning to order a 4.0 CD set to an address in Turkey.
 
 (I know first-hand stories about other software CDs having problems at
 Turkish customs. Though, Amazon books pass thru fine.)
 
 Thanks,



SiS 964 ethernet with sis(4)?

2006-11-24 Thread Soner Tari
I'm planning to purchase a motherboard with SiS 661FX/964 chipset. Can I
assume sis(4) driver on OpenBSD 4.0 amd64 supports the ethernet on SiS
964? (In other words, sis(4) mentions SiS 900, does it mean 9xx?)

Thanks,



CD orders to Turkey?

2006-11-22 Thread Soner Tari
Those who live in Turkey and purchased OpenBSD CDs in the past using the
ordering web page, did you have any problems with Turkish customs
processing? Were you able to receive your CDs safe and sound?

Because I'm planning to order a 4.0 CD set to an address in Turkey.

(I know first-hand stories about other software CDs having problems at
Turkish customs. Though, Amazon books pass thru fine.)

Thanks,



select(2) performance and optimal timeout choice?

2006-08-20 Thread Soner Tari
Hi All,

I think I've found the real cause of those error messages.

The peer socket functions give out those errors, and it all boils down
to one function: select(2). The timeout value passed to select(2) in one
case is 3 and in the other is 10 seconds. Even though these values seem
large enough, under relatively high load (e.g. 120 web page requests
using firefox, or when there are many dante instances), I get 3-4 such
errors.

When I raise both of these timeouts to 30 seconds, and under the same
test conditions, I get no errors at all.

To verify my theory, if I reduce both of them to just 1 second, I get
6-7 such errors, as I expected.

So, I'm almost sure that select(2) timeout is the cause of such errors.
The fact that DG 2.9.7.5 cannot handle such errors (they are not
ignorable in my case) is another subject for discussion perhaps, but I'm
trying to find a way to improve the performance of select(2). What are
the factors affecting its performance?

The machines I'm using are in the ranks of P4 3.2GHz, DDR400 1GB RAM,
7200rpm 80GB SATA HD.

How should one choose timeout values for select(2)? How can I
performance tune OpenBSD in this case? Should I run DG at a higher
priority?

(I'll submit these findings to DG also, but it seems these timeout
values are OK with Linux. Or perhaps, the only processes running on
their Linux are DG. I have many other processes too. So I wanted to ask
misc@ first.)

Thanks,

On Sat, 2006-08-19 at 13:53 +0300, Soner Tari wrote:
 Hi All,
 
 I think that this problem is related with DG (or its interactions with
 OpenBSD), and I have already posted the following emails to the DG
 maillist, but I could not receive any replies. So I assume that most DG
 2.9.7.5 users run it on Linux, and they don't have this problem.
 Therefore, I hope there are people on this list running DG 2.9.7.5 on
 OpenBSD 3.9.
 
 The summary of the issue is that I get the following errors in messages:
 
 dansguardian: Error accepting. (Ignorable)
 dansguardian: Error reading ipc. (Ignorable)
 
 When these errors occur for all the child processes (max 120 in config
 file), DG stops all web access. Apparently, they are not ignorable.



Problems with DansGuardian 2.9.7.5 on OpenBSD 3.9

2006-08-19 Thread Soner Tari
Hi All,

I think that this problem is related with DG (or its interactions with
OpenBSD), and I have already posted the following emails to the DG
maillist, but I could not receive any replies. So I assume that most DG
2.9.7.5 users run it on Linux, and they don't have this problem.
Therefore, I hope there are people on this list running DG 2.9.7.5 on
OpenBSD 3.9.

The summary of the issue is that I get the following errors in messages:

dansguardian: Error accepting. (Ignorable)
dansguardian: Error reading ipc. (Ignorable)

When these errors occur for all the child processes (max 120 in config
file), DG stops all web access. Apparently, they are not ignorable.

If I can't receive any replies from misc@ either, I'll submit a bug
report to DG.

I would appreciate any help.
Thanks,
From: Soner Tari [EMAIL PROTECTED]
Date: Fri, 18 Aug 2006 19:44:17 +0300
Subject: [dansguardian] Problems with 2.9.7.5 on OpenBSD 3.9
List-Id: dansguardian.yahoogroups.com

Unfortunately I had to switch back to 2.8.0.6, because now another
similar error is causing the same problem, and it occurs so many times,
I cannot use a script to workaround it. (Since 2.8.0.6 is lacking some
very good features of 2.9.7.5, this is quite sad.)

dansguardian: Error reading ipc. (Ignorable)

I'm getting these errors on 3 different systems.

Since there was no reply to my previous post below, I assume that I'm
the only one having problems with 2.9.7.5 on OpenBSD 3.9.

What could be wrong? I would appreciate any help.
Thanks,

On Tue, 2006-08-15 at 19:20 +0300, Soner Tari wrote:
 Hi All,
 
 I am running DansGuardian 2.9.7.5 on OpenBSD 3.9 (P4 3.2 + 1GB RAM).
 Everything else seems fine except occasionally DansGuardian blocks
 Internet access (or all the children stop responding perhaps, I'm not
 sure what, but apparently related with socketpairs). This happens right
 after the following error appears in messages file 120 times, i.e. the
 maxchildren var in dansguardian.conf. I played with maxchildren, and it
 seems repeatable:
 
 Aug 11 12:22:22 firewall dansguardian: Error accepting. (Ignorable)
 Aug 11 12:22:55 firewall last message repeated 107 times
 Aug 11 12:23:54 firewall last message repeated 12

time-based pf rules in crontab do not survive a reboot (naturally)?

2006-07-15 Thread Soner Tari
Hi All,

I have time-based pf rules using cron and anchors (such as to restrict
HTTP access after hours). But as you can guess, they do not survive a
reboot. Is there any solution?

Thanks,



Re: time-based pf rules in crontab do not survive a reboot (naturally)?

2006-07-15 Thread Soner Tari
 Have your cron job copy the current anchor rules to pf-current.conf,
 then add pfctl -f pf-current.conf to rc.local.

Thank you for the reply (and Gaby too). But I am not sure if this would
be an elegant workaround. Because by chance there may be cron jobs
scheduled to run exactly during downtime, and I would miss them. This is
still true no matter how small the chances are.



Re: time-based pf rules in crontab do not survive a reboot (naturally)?

2006-07-15 Thread Soner Tari
Thanks jared and others for your replies. I'll try all of your
suggestions.

However, if you agree with me, I get the feeling that all of these are
inelegant workarounds compared to the ideal solution: time support in pf
(similar to perhaps iptables). I've read the replies from developers to
a similar question a few months back, and they were not interested in
adding such support in pf. I am sure there are other priorities for
them, and it's totally OK with me.

But time rules are important for me, so ultimately I'd like to achieve
the correct solution, if I can (which is the OpenBSD way after all).
Therefore, I am even willing to play with the pf source code to add time
support just for packet filtering rules. I am sure, if it were so easy,
we would probably have it by now. So, before I attempt it myself, do you
guys think it is too difficult?

Or perhaps, the developers have changed their minds, and there is
already some development effort to add such support. May I ask if that's
the case, hopefully?

Thanks,

On Sat, 2006-07-15 at 15:36 -0400, jared r r spiegel wrote:
 On Sat, Jul 15, 2006 at 08:27:32PM +0300, Soner Tari wrote:
   Have your cron job copy the current anchor rules to pf-current.conf,
   then add pfctl -f pf-current.conf to rc.local.
  
  Thank you for the reply (and Gaby too). But I am not sure if this would
  be an elegant workaround. Because by chance there may be cron jobs
  scheduled to run exactly during downtime, and I would miss them. This is
  still true no matter how small the chances are.
 
   well, since rc.local is sourced right before the 'standard daemons:'
   echo in /etc/rc, which is itself above when cron is started, it may
   be entirely feasible to use rc.local for this.
 
   perhaps create a system by which you somehow drop a file into somewhere
   in var which describes what time-based anchor/ruleset you're using - you
   could populate that file either upon each instance of it changing via
   cron, or also in /etc/rc.shutdown (or both).
 
   then in rc.local, have it look for that file, if it finds it, it will
   load the appropriate pf ruleset pertaining to whatever time period the
   file indicates the host was in when it last updated that file.
 
   i don't know if this will inspire or help at all, but here is what i use
   to make some of my pf tables persist through reboots.  basically it
   tries to save/populate any table which i have named without an initial
   underscore -- if i have tables i don't want to persist through reboots, 
   my convention is to name them with an initial underscore:
 
 -[rc.shutdown]
 TABLE_STATE_DIR=/var/db/pftablestate
 if [ -w ${TABLE_STATE_DIR} ] && [ -d ${TABLE_STATE_DIR} ]; then
     echo "writing contents of pf tables:"
     for table in $(pfctl -sT); {
         # don't keep state for tables starting
         # with an underscore
         if [[ ${table} = _* ]]; then
             continue
         # only be concerned with nonempty tables
         elif [ $(pfctl -t ${table} -Ts | wc -l) -gt 0 ]; then
             echo -n "\t${table} "
             # dump the table's addresses, one per line, to a file named after it
             pfctl -t ${table} -Ts > ${TABLE_STATE_DIR}/${table}
         fi
     };
     unset table
     echo done.
 fi
 unset TABLE_STATE_DIR
 --
 
 -[rc.local]---
 TABLE_STATE_DIR=/var/db/pftablestate
 if [ -w ${TABLE_STATE_DIR} ] && [ -d ${TABLE_STATE_DIR} ]; then
     echo "restoring contents of pf tables:"
     for table in $(pfctl -sT); {
         # don't keep state for tables starting
         # with an underscore
         if [[ ${table} = _* ]]; then
             continue
         # only be concerned with nonempty tables
         elif [ -r ${TABLE_STATE_DIR}/${table} ] && \
              [ $(wc -l < ${TABLE_STATE_DIR}/${table}) -gt 0 ]; then
             echo -n "\t${table} "
             # re-add the saved addresses, then drop the state file once loaded
             pfctl -t ${table} -Ta $(< ${TABLE_STATE_DIR}/${table}) && \
                 rm -- ${TABLE_STATE_DIR}/${table}
         fi
     };
     unset table
     echo done.
 fi
 unset TABLE_STATE_DIR
 --
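The thread's suggestion is to drive the time-based anchors from cron and re-establish them from rc.local after a reboot. The script below is an added example, not code from the thread or from any of its participants: rather than saving which period the host was last in, it derives the period from the clock every time it runs, so the same invocation works from a cron job at each boundary and from rc.local at boot, and a reboot that falls across a boundary cannot leave a stale ruleset loaded. The anchor name `timed`, the directory `/etc/pf.timed/`, the ruleset names `office` and `afterhours`, and the 08:00 to 17:59 office window are all assumptions made for this example.

```sh
#!/bin/sh
# Added example, not code from the thread: select and load the pf anchor
# ruleset that applies at the current time of day. Because the choice is
# derived from the clock each time it runs, the same script serves both the
# cron boundaries and rc.local at boot, so no saved-state file is needed.
# Assumptions (placeholders for this example): /etc/pf.conf contains the
# line `anchor "timed"`, and the rule files /etc/pf.timed/office.conf and
# /etc/pf.timed/afterhours.conf exist.

ANCHOR=timed
RULEDIR=/etc/pf.timed

# period_for_hour HOUR: print the ruleset name in force at HOUR (0-23).
# Office hours are taken as 08:00-17:59; everything else is after hours.
period_for_hour() {
    case "$1" in
        [89]|1[0-7]) echo office ;;
        *)           echo afterhours ;;
    esac
}

# current_period: the period for the clock right now.
# `date +%H` zero-pads ("08"), so the leading zero is stripped before the
# case patterns above see it.
current_period() {
    h=$(date +%H)
    period_for_hour "${h#0}"
}

# load_period NAME: replace the anchor's rules with RULEDIR/NAME.conf.
# pfctl -a flushes and loads only the named anchor; the main ruleset,
# its tables and existing states are untouched.
load_period() {
    pfctl -a "$ANCHOR" -F rules
    pfctl -a "$ANCHOR" -f "$RULEDIR/$1.conf"
}

# Run "apply" from cron at each boundary and from rc.local at boot, e.g.
#   0 8,18 * * * /etc/pf.timed/apply.sh apply
# Without an argument it only prints which period is current.
case "${1:-show}" in
    apply) load_period "$(current_period)" ;;
    *)     current_period ;;
esac
```

Because the anchor is loaded rather than the whole of pf.conf, a mistake in one period's rule file only affects that anchor; `pfctl -a timed -sr` shows what is currently in force there.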



GA-8S661FXM-775 Rev.1 P4 motherboard cannot reboot or halt

2006-06-25 Thread Soner Tari
Hi All,

I'm running OpenBSD on a box with GA-8S661FXM-775 Rev.1 motherboard,
with the latest bios F4 (please see dmesg below). Previously I know that
FreeBSD and Linux could not reboot this hardware, but I was hoping
OpenBSD could, but it can't either. Linux can halt though, but others
can't halt either. (I don't know what Windows would do.)

So this is not specific to OpenBSD, but I think misc@ may have some idea
why these different OSs, and specifically OpenBSD, cannot reboot this
hardware (i.e. when I enter 'reboot' at command line, the system stops
after rebooting... line, and I have to press the reset button myself).
The system otherwise does not have any problems that I know of.

I tried different BIOS settings, removed NICs, etc. without success. I
contacted Gigabyte too, no replies yet, and I'm not too hopeful. I
googled too, but probably missed a relevant answer to my problem.

What could be the reason? ACPI? PCI interrupt routing warning in dmesg?
Hardware support? Any links? Any ideas please...

Thanks,


OpenBSD 3.9 (GENERIC) #617: Thu Mar  2 02:26:48 MST 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Celeron(R) CPU 2.53GHz (GenuineIntel 686-class) 2.54
GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,TM2,CNXT-ID
real mem  = 502833152 (491048K)
avail mem = 451727360 (441140K)
using 4278 buffers containing 25243648 bytes (24652K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(b3) BIOS, date 10/14/05, BIOS32 rev. 0 @
0xfb4d0
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0xd914
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfd880/128 (6 entries)
pcibios0: PCI Exclusive IRQs: 5 6 7 9 10 11 12
pcibios0: no compatible PCI ICU found: ICU vendor 0x1039 product 0x0964
pcibios0: Warning, unable to fix up PCI interrupt routing
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x8000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 SiS 661 PCI rev 0x11
ppb0 at pci0 dev 1 function 0 SiS 648FX AGP rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 SiS 6330 VGA rev 0x00: aperture at
0xe000, size 0x40
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 2 function 0 SiS 964 ISA rev 0x36
pciide0 at pci0 dev 2 function 5 SiS 5513 EIDE rev 0x01: 661: DMA,
channel 0 configured to compatibility, channel 1 configured to
compatibility
pciide0: channel 0 ignored (disabled)
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: HL-DT-ST, CD-ROM GCR-8522B, 1.03 SCSI0
5/cdrom removable
cd0(pciide0:1:0): using PIO mode 3, DMA mode 1
sis0 at pci0 dev 4 function 0 SiS 900 10/100BaseTX rev 0x90: irq 10,
address 00:14:85:cb:2c:85
icsphy0 at sis0 phy 1: ICS1893 10/100 PHY, rev. 1
pciide1 at pci0 dev 5 function 0 SiS 180 SATA rev 0x01: DMA
pciide1: using irq 11 for native-PCI interrupt
wd0 at pciide1 channel 0 drive 0: SAMSUNG HD080HJ
wd0: 16-sector PIO, LBA48, 76318MB, 156299375 sectors
wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
ne3 at pci0 dev 9 function 0 Surecom Surecom NE-34 rev 0xd1: irq 11,
address 00:00:21:c7:e8:a3
ne4 at pci0 dev 10 function 0 Surecom Surecom NE-34 rev 0x01: irq 12,
address 00:00:21:50:72:91
ne5 at pci0 dev 11 function 0 Surecom Surecom NE-34 rev 0xd1: irq 10,
address 00:00:21:c7:e8:40
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
it0 at isa0 port 0x290/8: IT87
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom0: console
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
biomask ebe5 netmask ffe5 ttymask ffe7
pctr: user-level cycle counter enabled
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
ne3: device timeout



Re: smtp-gated alternative for OpenBSD

2006-06-18 Thread Soner Tari
Thanks guys, now I have postfix + amavisd configured as transparent smtp
proxy with clamav and spamassassin.

Now I wonder why there is such a package like smtp-gated on FreeBSD.
Anyway...

On Thu, 2006-06-15 at 13:45 +0300, Edgars wrote:
 Use a postfix and port redirection.
 Redirect all smtp connections to your server, and thats all :)
 
 Craig Skinner wrote:
  On Sun, Jun 11, 2006 at 03:43:24PM +0300, Soner Tari wrote:

  Hi all,
 
  I'm trying to find a fully transparent smtp proxy for outgoing mails
  from NATed hosts behind my firewall (smtp proxy will run on this
  firewall). smtp-gated of FreeBSD seems like an exact match. What is the
  equivalent of smtp-gated for OpenBSD? I tried to google too, but failed
  to find something similar.
 
  
 
  SMTP is a store and forward protocol, and as such any SMTP server is a
  caching proxy.
 
   It seems you only want to send mail out from the LAN, so just use the
   MTA that you are most familiar with.
 
  Sendmail is included by default, I use postfix as I've used it at work
  for a number of companies, so know my way around it.



smtp-gated alternative for OpenBSD

2006-06-11 Thread Soner Tari
Hi all,

I'm trying to find a fully transparent smtp proxy for outgoing mails
from NATed hosts behind my firewall (smtp proxy will run on this
firewall). smtp-gated of FreeBSD seems like an exact match. What is the
equivalent of smtp-gated for OpenBSD? I tried to google too, but failed
to find something similar.

I would appreciate any help,
Soner