Re: pf in 4.0 not honoring nat rule with table for vlan tagged interface

2007-06-20 Thread Albert Chin
On Wed, Jun 20, 2007 at 01:27:22AM -0400, Brian A. Seklecki wrote: Very bizarre. The only advice I can offer is that maybe it's getting confused on -> $nat_if instead of the more-pragmatic -> ($nat-if). The above worked! Doesn't make sense though. According to pf.conf(5): nat-rule = [

CARP interface state change logging patch

2007-06-20 Thread Brian A. Seklecki
The OpenBSD PF-MIB stuff is incredibly useful -- especially the PF-MIB:CarpIFTable objects. Thanks to all involved with that. I've also had success with Net-SNMP 5.4 (opti@'s version) with those patches; will try to port them to other PF-enabled OSs soon. In the mean time, I want to keep

Re: Random crash

2007-06-20 Thread Artur Grabowski
Luca Losio [EMAIL PROTECTED] writes: Hi all, I'm having a lot of crashes with my 4.1 since I updated from 4.0 ...the console output is: page fault trap code=0 stopped at enqueue_randomness+0xc5: addb %al,0(%eax) ddb RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING

Re: linker scripts

2007-06-20 Thread Janne Johansson
Constantine Kousoulos wrote: Having a linux background (and a limited NetBSD experience), i expected to find linker scripts in the kernel source code. However, this is simply not true for most architectures. What is the logic behind the lack of linker scripts? Do you have an actual problem

Re: linker scripts

2007-06-20 Thread Artur Grabowski
Constantine Kousoulos [EMAIL PROTECTED] writes: Having a linux background (and a limited NetBSD experience), i expected to find linker scripts in the kernel source code. However, this is simply not true for most architectures. What is the logic behind the lack of linker scripts? The same

Help with pf address translation

2007-06-20 Thread Albert Chin
We have ipsec running on an internal firewall, with packets being routed to the internal firewall via an external firewall. We wish to move off of the internal 192.168.11.0/24 network and onto a net-10 network. What pf rules do we need to automatically translate between a net-10 block and the

Re: pf in 4.0 not honoring nat rule with table for vlan tagged interface

2007-06-20 Thread Henning Brauer
* Brian A. Seklecki [EMAIL PROTECTED] [2007-06-20 07:39]: Very bizarre. The only advice I can offer is that maybe it's getting confused on -> $nat_if instead of the more-pragmatic -> ($nat-if). Perhaps the parse code is trying too hard to resolve $nat_if in the former, and thus finding the

Re: Security of the keyboard

2007-06-20 Thread Karel Kulhavy
On Tue, Jun 19, 2007 at 07:05:38PM -0700, Don Scott wrote: I think Artur Grabowski too easily dismisses the question. I'd be interested to know if you get any informative responses that are not also posted to [EMAIL PROTECTED] Mikulas (the friend) told me the algorithm to hack the root

Re: Security of the keyboard

2007-06-20 Thread Miod Vallat
Yay ! Let's map everything uncached from now on! For great justice! [I was tempted to write some stuff about how keyboard keycode translation works in wscons, but it's not worth my time] Miod

OpenSSL key theft through cache timing

2007-06-20 Thread Karel Kulhavy
http://www.daemonology.net/papers/htt.pdf This is the missing link to my post about keyboard security. CL

Re: pf in 4.0 not honoring nat rule with table for vlan tagged interface

2007-06-20 Thread Albert Chin
On Wed, Jun 20, 2007 at 10:47:43AM +0200, Henning Brauer wrote: * Brian A. Seklecki [EMAIL PROTECTED] [2007-06-20 07:39]: Very bizarre. The only advice I can offer is that maybe it's getting confused on -> $nat_if instead of the more-pragmatic -> ($nat-if). Perhaps the parse code is

Re: pf in 4.0 not honoring nat rule with table for vlan tagged interface

2007-06-20 Thread Henning Brauer
* Albert Chin [EMAIL PROTECTED] [2007-06-20 11:24]: On Wed, Jun 20, 2007 at 10:47:43AM +0200, Henning Brauer wrote: * Brian A. Seklecki [EMAIL PROTECTED] [2007-06-20 07:39]: Very bizarre. The only advice I can offer is that maybe it's getting confused on -> $nat_if instead of the

Re: OpenSSL key theft through cache timing

2007-06-20 Thread Damien Miller
On Wed, 20 Jun 2007, Karel Kulhavy wrote: http://www.daemonology.net/papers/htt.pdf This is the missing link to my post about keyboard security. No, it isn't. You can't really compare a public key crypto operation to someone bashing at a keyboard. -d

Re: Random crash

2007-06-20 Thread Luca Losio
On 6/19/07, Brian A. Seklecki [EMAIL PROTECTED] wrote: Are you doing something strong with Cryptography? No, just ssh and apache Funny, my GENERIC kernel gives me: OpenBSD 4.1 (GENERIC) #1435: Sat Mar 10 19:07:45 MST 2007 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC Try

rdr outgoing traffic

2007-06-20 Thread Rafał Brodewicz
Hello. I have a machine with one interface pcn0 and ip 192.168.1.7 and I was trying to redirect outgoing traffic from it with no success. My pf rule: rdr on pcn0 inet proto tcp from pcn0 to 192.168.1.1 port 80 -> 192.168.1.10 When I do telnet 192.168.1.1 80 it doesn't redirect traffic. What am I

Re: rdr outgoing traffic

2007-06-20 Thread demuel
what is 192.168.1.10 then? Hello. I have a machine with one interface pcn0 and ip 192.168.1.7 and I was trying to redirect outgoing traffic from it with no success. My pf rule: rdr on pcn0 inet proto tcp from pcn0 to 192.168.1.1 port 80 -> 192.168.1.10 When I do telnet 192.168.1.1 80 it

Re: pf in 4.0 not honoring nat rule with table for vlan tagged interface

2007-06-20 Thread Albert Chin
On Wed, Jun 20, 2007 at 11:40:36AM +0200, Henning Brauer wrote: * Albert Chin [EMAIL PROTECTED] [2007-06-20 11:24]: On Wed, Jun 20, 2007 at 10:47:43AM +0200, Henning Brauer wrote: * Brian A. Seklecki [EMAIL PROTECTED] [2007-06-20 07:39]: Very bizarre. The only advice I can offer is that

Re: rdr outgoing traffic

2007-06-20 Thread Jason Dixon
On Wed, 20 Jun 2007 12:00:18 +0200, Rafał Brodewicz [EMAIL PROTECTED] wrote: Hello. I have a machine with one interface pcn0 and ip 192.168.1.7 and I was trying to redirect outgoing traffic from it with no success. My pf rule: rdr on pcn0 inet proto tcp from pcn0 to 192.168.1.1 port 80 ->

Re: cannot enable executable stack...

2007-06-20 Thread Matthew Szudzik
It appears that a similar bug was encountered by Debian in 2005. See http://lists.debian.org/debian-glibc/2005/08/msg00289.html http://lists.debian.org/debian-glibc/2005/08/msg00311.html http://lists.debian.org/debian-glibc/2005/08/msg00483.html This would suggest that it might be a problem

Re: linker scripts

2007-06-20 Thread Constantine Kousoulos
Chris Kuethe wrote: Let me spin that around and ask you, what is the logic behind having linker scripts? If our bootloader can load a simple elf binary (or maybe one built with a slightly different text address) then why use linker scripts? CK A simple answer to a simple question. Thank

Icecast on OpenBSD

2007-06-20 Thread Edd Barrett
Hi, I have been experimenting with having a stream from my desktop computer, so that I can tune in on my PDA while I am cooking in the kitchen for example. I have mpd installed nicely. The icecast output module for mpd has proven too resource intensive for my 1.6gHz (which shocked me), so I am

Re: [Nagiosplug-devel] nagios check_carp for OpenBSD carp(4)

2007-06-20 Thread Brian A. Seklecki
Just to follow-up: I have written a plugin that uses the somewhat complete PHP Net-SNMP bindings (no getsnmptable() ?!) and the new PF-MIB::CARP Agent Extensions to Net-SNMP snmpd(8). I'll post it on NagiosExchange for review if/when I can deploy a production 4.1-stable system. ~BAS On Fri,

Re: Security of the keyboard

2007-06-20 Thread Artur Grabowski
Miod Vallat [EMAIL PROTECTED] writes: Yay ! Let's map everything uncached from now on! For great justice! Yay! Then we can start inlining code again for greater performance! //art

Re: Security of the keyboard

2007-06-20 Thread Artur Grabowski
Karel Kulhavy [EMAIL PROTECTED] writes: On Tue, Jun 19, 2007 at 07:05:38PM -0700, Don Scott wrote: I think Artur Grabowski too easily dismisses the question. I'd be interested to know if you get any informative responses that are not also posted to [EMAIL PROTECTED] Mikulas (the

Re: Security of the keyboard

2007-06-20 Thread Artur Grabowski
Artur Grabowski [EMAIL PROTECTED] writes: And guess what. Keyboards use a serial protocol. Which means that there will be slightly different voltage drops in the system varying with the keys you press. ZOMG! OpenBSD provides a side channel for attackers through the sensors framework! And

Re: Security of the keyboard

2007-06-20 Thread Peter N. M. Hansteen
Artur Grabowski [EMAIL PROTECTED] writes: And don't forget the aps(4) sensor on Thinkpads! The accelerometer can probably measure the acceleration caused by various key strokes and that acceleration will be different depending on where on the keyboard you hit (different angles) and with which

Re: Icecast on OpenBSD

2007-06-20 Thread Stuart Henderson
On 2007/06/20 14:11, Edd Barrett wrote: So, mpd is playing through the soundcard, the icecast server is up and waiting for sources. There's no mixer/splitter on /dev/audio; unless it's set to non-blocking it can't be shared. (When it is non-blocking, you can still expect some fun...see ports@

pfctl explaination

2007-06-20 Thread Francesco Toscan
Hi misc@, I'm trying to understand how pfctl re-loads rules and tables. On my soekris board, 64MB RAM, I have a large table with more than 200K entries. It's used to perform some egress filtering (yes maybe it's too large but it's really effective). I raised up table-entries limit to 250K and I

Re: Security of the keyboard

2007-06-20 Thread Mikulas Patocka
Yay ! Let's map everything uncached from now on! For great justice! [I was tempted to write some stuff about how keyboard keycode translation works in wscons, but it's not worth my time] Miod You don't have to map keyboard map uncached, just change the way code is written --- instead of x =
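One way to make a table lookup's memory accesses independent of the key being looked up, as an added C example that is not part of the thread or of wscons: the first function is the ordinary indexed load whose address is the secret, the second touches every entry on every call and selects the wanted one with an all-ones/all-zeros mask. The table size and contents are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added example (not wscons code): two ways to translate a keycode
 * through a table. KEYMAP_SIZE and the table contents are constructed
 * for illustration; real keymaps are larger and structured differently.
 */
#define KEYMAP_SIZE 16
static const uint8_t keymap[KEYMAP_SIZE] = {
    0,   'a', 'b', 'c', 'd', 'e', 'f', 'g',
    'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o'
};

/*
 * Cache-dependent lookup: a single load whose address depends on the
 * secret (the keycode). Another context sharing the cache can observe
 * which line was touched, which is the leak the thread worries about.
 */
uint8_t lookup_indexed(unsigned scancode)
{
    if (scancode >= KEYMAP_SIZE)
        return 0;
    return keymap[scancode];
}

/* 1 if x == 0, else 0, without a branch or a data-dependent address. */
static uint32_t is_zero(uint32_t x)
{
    return ((x | (0u - x)) >> 31) ^ 1u;
}

/*
 * Data-independent lookup: every entry is loaded on every call, and the
 * wanted one is selected with a 0xff/0x00 mask. The memory access
 * pattern no longer depends on the keycode. Out-of-range codes match
 * nothing and return 0, like lookup_indexed.
 */
uint8_t lookup_masked(unsigned scancode)
{
    uint8_t result = 0;
    for (uint32_t i = 0; i < KEYMAP_SIZE; i++) {
        uint8_t mask = (uint8_t)(0u - is_zero(i ^ scancode)); /* 0xff or 0x00 */
        result |= keymap[i] & mask;
    }
    return result;
}

/* Returns 1 if both lookups agree for every 8-bit scancode, in and out of range. */
int lookups_agree(void)
{
    for (unsigned s = 0; s < 256; s++)
        if (lookup_indexed(s) != lookup_masked(s))
            return 0;
    return 1;
}

int main(void)
{
    printf("agree: %d, key 1 -> '%c'\n", lookups_agree(), lookup_masked(1));
    return 0;
}
```

Two caveats a practitioner would check before trusting this pattern: a compiler is free to recognise the masked loop and turn it back into an indexed load, so the generated assembly has to be inspected at the optimisation level actually used; and what a cache-timing observer sees is cache lines, not table entries, so a 16-byte table like the one above already fits in one line and the transformation only matters once the table spans several.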

Re: Security of the keyboard

2007-06-20 Thread Karel Kulhavy
On Wed, Jun 20, 2007 at 04:00:01PM +0200, Artur Grabowski wrote: Karel Kulhavy [EMAIL PROTECTED] writes: On Tue, Jun 19, 2007 at 07:05:38PM -0700, Don Scott wrote: I think Artur Grabowski too easily dismisses the question. I'd be interested to know if you get any informative

Re: Security of the keyboard

2007-06-20 Thread Darrin Chandler
On Wed, Jun 20, 2007 at 06:14:07PM +0200, Karel Kulhavy wrote: And guess what. Keyboards use a serial protocol. Which means that there will be slightly different voltage drops in the system varying The capacitors and regulator which are made to keep the voltage almost constant with a

Re: Security of the keyboard

2007-06-20 Thread Geoff Steckel
Karel Kulhavy wrote: This kind of security design is assuming favourable constellation of uncontrollable environmental noises to scramble the information we are knowingly leaking. It's basically a snake oil. We have no proof that under every conceivable circumstances the noises will be present

Re: Locations of stable ports vs current ports

2007-06-20 Thread Will Maier
On Wed, Jun 20, 2007 at 10:05:25AM -0700, Joe S wrote: This site has a nice interface to ports: http://ports.openbsd.nu/ But they ports it says are in OpenBSD are not in my tree. Is this site showing current only? That site isn't run by the project; I assume it follows -current, but you could

Re: Security of the keyboard

2007-06-20 Thread Ted Unangst
On 6/20/07, Karel Kulhavy [EMAIL PROTECTED] wrote: This kind of security design is assuming favourable constellation of uncontrollable environmental noises to scramble the information we are knowingly leaking. It's basically a snake oil. We have no proof that under every conceivable

SNMP monitoring script

2007-06-20 Thread iggdawg
I recently started messing with SNMP, and I found that attempting to get it to do active monitoring via snmpd results in a segfault. could be my box, could be that it's a new implementation, could be bad mojo. in any event, I decided I'd reached the point of diminishing returns via

Re: incoming load balancing

2007-06-20 Thread Eichert, Diana
I moved this to the appropriate list. Please read this page, http://www.openbsd.org/mail.html to see why it was moved. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Luciano M. Mercucci Sent: Wednesday, June 20, 2007 11:34 AM To: [EMAIL PROTECTED]

Re: Locations of stable ports vs current ports

2007-06-20 Thread Josh Grosse
On Wed, Jun 20, 2007 at 10:05:25AM -0700, Joe S wrote: I'm running openbsd 4.1-stable. I'm also using cvsup to get/update ports-stable [snip] This site has a nice interface to ports: http://ports.openbsd.nu/ But they ports it says are in OpenBSD are not in my tree. Is this site

Re: Security of the keyboard

2007-06-20 Thread Stephan Andre'
On Wednesday 20 June 2007 12:28:28 Darrin Chandler wrote: On Wed, Jun 20, 2007 at 06:14:07PM +0200, Karel Kulhavy wrote: And guess what. Keyboards use a serial protocol. Which means that there will be slightly different voltage drops in the system varying The capacitors and regulator

Re: cannot enable executable stack...

2007-06-20 Thread Ted Unangst
On 6/20/07, Matthew Szudzik [EMAIL PROTECTED] wrote: It appears that a similar bug was encountered by Debian in 2005. See http://lists.debian.org/debian-glibc/2005/08/msg00289.html http://lists.debian.org/debian-glibc/2005/08/msg00311.html

max number of connections through the firewall

2007-06-20 Thread Florin Andrei
I am trying to approximate the maximum number of open TCP connections that an OpenBSD firewall can support at any given time. The scenario here is a firewall with 2 interfaces, a bunch of Web servers behind it on private IP addresses, a fairly simple set of rules (NAT each server on a public

Re: Security of the keyboard

2007-06-20 Thread Bob Beck
And guess what. Keyboards use a serial protocol. Which means that there will be slightly different voltage drops in the system varying with the keys you press. ZOMG! OpenBSD provides a side channel for attackers through the sensors framework! And don't forget the aps(4) sensor on

Re: max number of connections through the firewall

2007-06-20 Thread Brian A. Seklecki
From previous discussions (search the archives) this has nothing to do with userland memory available but to kernel data structures. Also read pf.conf(5) man page: OPTIONS pf(4) may be tuned for various situations using the set command. interval Interval between purging

Re: Security of the keyboard

2007-06-20 Thread Marc Balmer
* Bob Beck wrote: And guess what. Keyboards use a serial protocol. Which means that there will be slightly different voltage drops in the system varying with the keys you press. ZOMG! OpenBSD provides a side channel for attackers through the sensors framework! And don't forget

Re: Security of the keyboard

2007-06-20 Thread Zach Keatts
someone already hacked you and sent that message -- be afraid On 6/20/07, Marc Balmer [EMAIL PROTECTED] wrote: * Bob Beck wrote: And guess what. Keyboards use a serial protocol. Which means that there will be slightly different voltage drops in the system varying with the keys you

Re: Security of the keyboard

2007-06-20 Thread bofh
That's ok, you can use my wep enabled wireless keyboard!! On 6/20/07, Marc Balmer [EMAIL PROTECTED] wrote: * Bob Beck wrote: And guess what. Keyboards use a serial protocol. Which means that there will be slightly different voltage drops in the system varying with the keys you press.

Re: pfctl explaination

2007-06-20 Thread Ted Unangst
On 6/20/07, Francesco Toscan [EMAIL PROTECTED] wrote: when I first load the rules everything works fine; when I reload the rules with pfctl -f pf.conf, pfctl segfaults or exits returning Cannot allocate memory as if table-entries limit were not high enough. If I first flush the large table and

Re: cannot enable executable stack...

2007-06-20 Thread Matthew Szudzik
right. i'm not even sure what the growsdown flag does. Indeed, Linux doesn't have the same standard of documentation as OpenBSD. The PROT_GROWSDOWN flag for mprotect is not even mentioned in mprotect's man page on linux http://linux.about.com/library/cmd/blcmdl2_mprotect.htm

Re: X.org: i810 - intel update

2007-06-20 Thread Matthieu Herrb
On 6/18/07, Alexey Suslikov [EMAIL PROTECTED] wrote: Hello [EMAIL PROTECTED] As seen in http://wiki.x.org/wiki/IntelGraphicsDriver, xf86-video-i810 is no more and there is xf86-video-intel driver instead. New driver supports more chipsets including i965 and i945 (aka GMA 950 which is

Re: Security of the keyboard

2007-06-20 Thread Damien Miller
On Wed, 20 Jun 2007, Mikulas Patocka wrote: Yay ! Let's map everything uncached from now on! For great justice! [I was tempted to write some stuff about how keyboard keycode translation works in wscons, but it's not worth my time] Miod You don't have to map keyboard map uncached,

Re: Security of the keyboard

2007-06-20 Thread Jason George
And guess what. Keyboards use a serial protocol. Which means that there will be slightly different voltage drops in the system varying with the keys you press. ZOMG! OpenBSD provides a side channel for attackers through the sensors framework! And don't forget the aps(4) sensor on

cgi best practices (was: Re: http://openbsd.rt.fm/faq/faq10.html#httpdchroot)

2007-06-20 Thread Stephen Takacs
David Newman [EMAIL PROTECTED] wrote: Anything else? perldoc perlsec has a lot of good advice. -- Stephen Takacs [EMAIL PROTECTED] http://perlguru.net/ 4149 FD56 D078 C988 9027 1EB4 04CC F80F 72CB 09DA

Interface traffic counters

2007-06-20 Thread Arnaud Bergeron
I have a problem where I need to know how much traffic has passed on a given interface. I don't need it broken down by IPs, protocols or whatever of the sort. After a bit of research I discovered the SIOCGIFDATA ioctl that seems to do what I want. I built myself a little test application to

Re: rdr outgoing traffic

2007-06-20 Thread Woodchuck
On Wed, 20 Jun 2007, Jason Dixon wrote: On Wed, 20 Jun 2007 12:00:18 +0200, Rafał Brodewicz [EMAIL PROTECTED] wrote: Hello. I have a machine with one interface pcn0 and ip 192.168.1.7 and I was trying to redirect outgoing traffic from it with no success. My pf rule: rdr on pcn0

OpenBSD port update

2007-06-20 Thread Erka Gun
I've successfully installed OpenBSD 4.1. I'm new for OpenBSD therefore still studying how to update OpenBSD ports tree. How can i do this? Please someone tell me quick tips. If give me more detailed information i'll be very happy. -- Best regards, Erdenebat Guntomor

OpenBSD port update

2007-06-20 Thread Erdenebat Guntomor
I've successfully installed OpenBSD 4.1. I'm new for OpenBSD therefore still studying how to update OpenBSD ports tree. How can i do this? Please someone tell me quick tips. If give me more detailed information i'll be very happy. -- Best regards, Erdenebat Guntomor

Re: OpenBSD port update

2007-06-20 Thread Nick Guenther
On 6/20/07, Erka Gun [EMAIL PROTECTED] wrote: I've successfully installed OpenBSD 4.1. I'm new for OpenBSD therefore still studying how to update OpenBSD ports tree. How can i do this? Please someone tell me quick tips. If give me more detailed information i'll be very happy. Read all of

Re: Locations of stable ports vs current ports

2007-06-20 Thread Joe S
Ok. So it appears the port I want is in CURRENT ports. Since we're not supposed to mix CURRENT ports with a STABLE system (or vice-versa), I have to wait for this port to get included in STABLE, which I'm guessing would be in 4.2 or build it from scratch. On 6/20/07, Josh Grosse [EMAIL

Re: OBSD 4.1 drops to ddb with cdd0: error 22 on component 0 (and 1 (mirror))

2007-06-20 Thread Ted Unangst
On 6/16/07, Marius Hooge [EMAIL PROTECTED] wrote: Can at least someone tell me, why I get no replies? probably because nobody can help. sometimes things don't work out.