Re: FAI + SaltStack anybody?

2023-10-06 Thread Johan Beisser



> On Oct 6, 2023, at 10:59, Diego Zuccato  wrote:
> 
> On 06/10/2023 10:36, Sinh Lam wrote:
>> With the above said, I do not see what you mean there is a chicken and the 
>> egg problem.
> 
> To approve a minion key, Salt does have to trust the request is coming from 
> the right minion, but it can't know till the key is approved.

Embed the Salt Master's public key in the FAI environment before the minion is 
started. While the master won't have the minion key before it contacts it, you 
can ensure the initial communication with the master is secured and the master 
is properly identified. The keys themselves are generated by `salt-key 
--gen-keys` on first run of the minion, if they don't exist.

So, during the install, pre-generate the keys with `salt-key`. Just ensure the 
target directory for the private key ends up in 
`/etc/salt/pki/minion/minion.pem` and the public key in 
`/etc/salt/pki/minion/minion.pub`. The master's key needs to be in 
`/etc/salt/pki/minion/minion_master.pub`. 

With that, on the salt-master, either autoaccept, or find a way to place the 
minion's public key in `/etc/salt/pki/master/minions/` and that will 
bypass the key acceptance entirely. Keys, inside of salt, are just managing 
where the file sits under the various minion directories in 
`/etc/salt/pki/master/` after all.

>> Your concern was how to move the minion around servers that are getting 
>> provisioned/re-provisioned so you don’t have to approve the minion each time 
>> and I’m sure there’s a couple of ways to do this but right now I see two:
>> 1) turn on auto-accept - you don’t have to worry about approving any minions 
>> because they’ll be auto-approved
> 
> Can't do that on public networks. [*]

Don't have to do it if you set the master's public key, and minion keys, before 
the minion is started though. Then it's just having a single job starting after 
FAI's reboot, and doing `salt-call state.highstate` on first boot. 
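The staging described in the reply, as an added example (not from this thread, nor FAI's or Salt's own code): a hook that installs pre-generated minion keys into the target root and pre-accepts the minion on the master. The `$stage` directory layout (minion.pem, minion.pub, master.pub), the `$target` root and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the thread nor from FAI or Salt. Stages Salt minion
# keys that were generated ahead of time (e.g. with
# `salt-key --gen-keys=<minion-id> --gen-keys-dir=<stage>` on the FAI server,
# then renamed to minion.pem/minion.pub, plus the master's public key saved as
# master.pub) into the target root, so the minion trusts the master and the
# master already holds the minion's key on first boot, without autoaccept.
# Assumed layout: $stage/{minion.pem,minion.pub,master.pub}; $target is the
# FAI target root. The names are this example's, not FAI's or Salt's.

# True if $1 is a PEM file whose BEGIN line names key type $2
# ("PRIVATE KEY" or "PUBLIC KEY"); a swapped file is refused, not installed.
pem_has() {
    grep -q -- "-----BEGIN .*$2-----" "$1"
}

# Install the three keys into $target/etc/salt/pki/minion with the modes
# salt-minion expects: the private key readable by root only.
stage_minion_keys() {
    target=$1
    stage=$2
    pki="$target/etc/salt/pki/minion"
    pem_has "$stage/minion.pem" "PRIVATE KEY" || return 1
    pem_has "$stage/minion.pub" "PUBLIC KEY" || return 1
    pem_has "$stage/master.pub" "PUBLIC KEY" || return 1
    mkdir -p "$pki" || return 1
    chmod 700 "$pki"
    cp "$stage/minion.pem" "$pki/minion.pem" || return 1
    cp "$stage/minion.pub" "$pki/minion.pub" || return 1
    cp "$stage/master.pub" "$pki/minion_master.pub" || return 1
    chmod 400 "$pki/minion.pem"
    chmod 644 "$pki/minion.pub" "$pki/minion_master.pub"
}

# Master side: place the minion's public key under
# $master_pki/minions/<minion-id> so no key acceptance step is needed.
# $master_pki is normally /etc/salt/pki/master.
preaccept_on_master() {
    master_pki=$1
    minion_id=$2
    pub=$3
    pem_has "$pub" "PUBLIC KEY" || return 1
    mkdir -p "$master_pki/minions" || return 1
    cp "$pub" "$master_pki/minions/$minion_id"
}

# Permission string of the installed private key, e.g. "-r--------", so a
# post-install check can confirm it is not group or world readable.
minion_pem_mode() {
    ls -l "$1/etc/salt/pki/minion/minion.pem" | cut -c1-10
}
```

Run `stage_minion_keys "$target" "$stage"` from the FAI hook and `preaccept_on_master /etc/salt/pki/master <minion-id> "$stage/minion.pub"` on the master.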



Re: SSH "Honey Keys" Security

2019-05-08 Thread Johan Beisser
Don’t.

Generally, these things should be used to alert if an internal service has
been compromised (akin to using Canary Tokens), and the key copied. It is,
at best, a way to hear someone knocking.

On Wed, May 8, 2019 at 15:59 Stefan R. Filipek  wrote:

> There's a blog post going around that has an interesting use of SSH
> authorized_keys restrict + command:
> https://kulinacs.com/ssh-honey-keys/
>
> If you don't want to follow the link, it basically uses the
> well-documented authorized_keys feature to restrict a login for an ssh
> key to invoking a single binary which logs the access attempt:
>
> restrict,command="/usr/local/bin/honeypot_logger" ssh-rsa 1C8...32Tv==
> honeypot_...@example.com
>
> Without devolving into an argument about the efficacy of honey keys or
> honey pots in general, I'm wondering if this is truly safe from a
> security perspective to run on a regular server (not a dedicated honey
> pot). Is there anything that an attacker can control that 'restrict'
> does not cover, assuming the targeted command is a shell script?
> Perhaps with a malicious SSH client as well? By the man page,
> 'restrict' turns on all restrictions available to the authorized_keys
> configuration, but it's not clear if that is really sufficient for
> this attack scenario.
>
> Apologies if you feel this is off-topic for the mailing list, but
> there's no general OpenSSH discussion list anymore listed on the
> openssh site.
>
> -Stefan
>
> --
Semt form my Apqle iPhnoe 4s and gMal Mobble.
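For the authorized_keys line quoted above, an added example (not from the thread or the linked post) of what the forced command looks like when written defensively: it records the attempt via syslog, treats SSH_ORIGINAL_COMMAND as opaque data that is never handed to a shell, and always fails so the key cannot be used for anything else. The script path and the `honey_log_line` function are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the linked post: a forced command for
# a "honey" key, meant to be installed as /usr/local/bin/honeypot_logger
# (path assumed) and referenced from authorized_keys in the quoted form:
#   restrict,command="/usr/local/bin/honeypot_logger backup-key" ssh-rsa AAAA... comment
# `restrict` makes sshd deny pty, port/agent/X11 forwarding for this key; the
# script's only job is to log the attempt and fail.

# Build one log line. Arguments: a tag for the key, the SSH_CONNECTION value
# ("client-ip client-port server-ip server-port") and the command the client
# asked for (SSH_ORIGINAL_COMMAND). The last one is client-controlled, so it
# is reduced to printable ASCII and truncated; it is never evaluated.
honey_log_line() {
    tag=$1
    conn=$2
    cmd=$3
    safe_cmd=$(printf '%s' "$cmd" | tr -cd '\040-\176' | cut -c1-200)
    printf 'honey-key tag=%s conn="%s" cmd="%s"\n' "$tag" "$conn" "$safe_cmd"
}

# Entry point used when sshd runs this file as the forced command.
main() {
    line=$(honey_log_line "${1:-unnamed}" "${SSH_CONNECTION:-}" "${SSH_ORIGINAL_COMMAND:-}")
    # auth.alert so the line stands out from routine sshd messages.
    logger -p auth.alert -t honeypot_logger -- "$line"
    # Never return success and never run anything on the client's behalf.
    exit 1
}

case "$0" in
    *honeypot_logger) main "$@" ;;
esac
```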


Re: SSH extremely quickly dropped from T-Mobile phone hotspot

2018-09-15 Thread Johan Beisser
You can also just set client keepalives. Set TCPKeepAlive in ~/.ssh/config.
This has solved a bunch of random timeout problems due to carrier NAT or
similar.
On Sat, Sep 15, 2018 at 15:36 Constantine A. Murenin 
wrote:

> On 15 September 2018 at 09:50, Chris Bennett <
> cpb_m...@bennettconstruction.us> wrote:
>
> > I am using my phone's hotspot, which may or may not be secure, but is
> > not censoring my choice of sites to visit. Public WiFi in the USA does
> > so all over the place. Worse, when I lived in Washington State, I was
> > next to a Naval Air Station, which certainly eavesdrops, not OK, but
> > this is the land of the free? Now I am living in the Capital of Texas,
> > Austin which also leaves public WiFi under the same problems
> > (legislature meets here).
> >
> > I cannot maintain an SSH connection unattended long enough to go to the
> > bathroom and get a cup of coffee without the connection being dropped
> > halfway through reading my email.
> >
> > Is autossh the right choice or is there a better way?
> > The flow of data seems to be the problem. A static page disconnects.
> >
> > Thanks,
> > Chris Bennett
> >
>
> I also have T-Mobile US, and I cannot reproduce your problem.
>
> In fact, because my laptop gets a public IPv6 address from T-Mobile US — a
> standard feature in Android 7.1.1, where you get at least a whole /64 from
> the carrier — I can put it to sleep, disable AndroidAP, go get coffee,
> lunch, dinner, or attend a meetup, or all of the above, come back home,
> turn AndroidAP back on, turn my laptop on, and my vanilla ssh connection
> will come back to life after a single keystroke (provided the phone was
> never turned off and didn't itself lose network connectivity, e.g., still
> has the same /64 assigned to itself).
>
> I did have to configure my laptop to `sysctl -w
> net.inet6.ip6.prefer_tempaddr=0`, and also make sure I'm not running
> something that'd be constantly refreshing the screen of the terminal I'm
> accessing through ssh, e.g., you definitely do have to disconnect tmux with
> the timestamp before you attempt this, and doing socks proxying would
> obviously interfere with it as well if any connections remain open when you
> attempt to turn things off like that, and — voilà, problem solved.
>
> So, my suggestion — move to IPv6 for the killer features, and stop worrying
> about the disconnects.
>
> But if you don't have a public IP address on your laptop and do get your
> internet through NAT/CGNAT and/or a stateful firewall, then you might have
> to play with `-oServerAliveInterval=480` or some such, as per
> http://mdoc.su/o/ssh_config.5, but, otherwise, this option is actually not
> only unnecessary, but is, in fact, harmful, as it may "detect" brief
> periods of connectivity loss that you don't necessarily care about.
>
> P.S. Another option, if you don't necessarily care about scrolling, and/or
> already use tmux within your ssh, is to use http://ports.su/net/mosh.
> Personally, I prefer straight ssh through IPv6 to mosh, although sometimes
> it does cause me to use my AndroidAP even in venues where the public
> internet is available.
>
> Cheers,
> Constantine.SU.
>


Re: Is anyone using Amazon EC2?

2015-05-23 Thread Johan Beisser
Yes.

We're looking at bootstrapping in EMR...
On Sat, May 23, 2015 at 07:21 Joe Wass jw...@crossref.org wrote:

 I used Spark on EC2 a while ago



Hamburg Apache Spark Meetup

2015-02-18 Thread Johan Beisser
If you could also add the Hamburg Apache Spark Meetup, I'd appreciate it.

http://www.meetup.com/Hamburg-Apache-Spark-Meetup/

On Tue, Feb 17, 2015 at 5:08 PM, Matei Zaharia matei.zaha...@gmail.com wrote:
 Thanks! I've added you.

 Matei

 On Feb 17, 2015, at 4:06 PM, Ralph Bergmann | the4thFloor.eu 
 ra...@the4thfloor.eu wrote:

 Hi,


 there is a small Spark Meetup group in Berlin, Germany :-)
 http://www.meetup.com/Berlin-Apache-Spark-Meetup/

 Plaes add this group to the Meetups list at
 https://spark.apache.org/community.html


 Ralph

 -
 To unsubscribe, e-mail: user-unsubscr...@spark.apache.org
 For additional commands, e-mail: user-h...@spark.apache.org








Re: is what this guy is saying even anywhere close to reasonable, about ssh everywhere?

2015-01-04 Thread Johan Beisser
no.

Sent form my iFoe. 

 On Jan 4, 2015, at 05:34, bofh goodb...@gmail.com wrote:
 
 https://medium.com/@shazow/ssh-how-does-it-even-9e43586e4ffc
 
 -- 
 http://www.glumbert.com/media/shift
 http://www.youtube.com/watch?v=tGvHNNOLnCk
 This officer's men seem to follow him merely out of idle curiosity.  --
 Sandhurst officer cadet evaluation.
 Securing an environment of Windows platforms from abuse - external or
 internal - is akin to trying to install sprinklers in a fireworks factory
 where smoking on the job is permitted.  -- Gene Spafford
 learn french:  http://www.youtube.com/watch?v=30v_g83VHK4



Re: maybe OT 10 year anniversay of Chuck Yerkes death

2014-08-28 Thread Johan Beisser
Man. Thanks for the reminder. 

+1

Sent form my iFoe. 

 On Aug 27, 2014, at 16:21, Diana Eichert deich...@wrench.com wrote:
 
 I don't think it's off topic but others might.  I'm writing this post to
 remember Chuck Yerkes, a long time contributor to the misc@openbsd list.
 While riding his motorcycle 10 years ago Chuck was involved in an accident
 and passed away as a result of his injuries.
 
 http://web.archive.org/web/20041012235249/http://www.contracostatimes.com/mld/cctimes/news/9511974.htm
 http://marc.info/?l=openbsd-misc&m=109385676632581&w=2
 http://web.archive.org/web/20040901013204/http://www.adownie.net:/vqwiki/jsp/Wiki?ChuckStories
 
 Just wanted to remember you Chuck, take it easy wherever you are.
 
 diana



Re: new OpenSSL flaws

2014-06-05 Thread Johan Beisser
On Thu, Jun 5, 2014 at 5:09 PM, Giancarlo Razzolini
grazzol...@gmail.com wrote:
 On 05-06-2014 20:45, Eric Furman wrote:
 I predict that within a year OpenSSL will go the way of IPF.
 For much the same reason...

 IPF? Care to elaborate?

Well, in 2001 there was this drama around Darren Reed's IPF that
caused it to be removed from OpenBSD's source code. This removal and
license problem led directly to the development of OpenBSD's pf firewall
by Daniel Hartmeier. And the rest, as they say, is history.



Re: Strange route entry from China

2014-05-14 Thread Johan Beisser
On Tue, May 13, 2014 at 11:57 PM, Otto Moerbeek o...@drijf.net wrote:

 On 14 May 2014 at 07:48, Johan Beisser j...@caustic.org wrote:



 There are more reasons dynamic route entries are created. For example to 
 record results of mtu path discovery.

That implies a successful TCP connection to the router itself, doesn't it?



Re: Strange route entry from China

2014-05-14 Thread Johan Beisser
On Wed, May 14, 2014 at 12:40 AM, Kevin Lyda ke...@ie.suberic.net wrote:


 Sure. But connecting to port 22 in order to fail to auth is a successful TCP
 connection.

Yes.

Path MTU implies the connection is held open for larger packets than
just during the handshake and SSH negotiation. Or am I
misunderstanding when MTU is negotiated?



Re: Multihoming with carp possible? and ipsec failover?

2014-05-13 Thread Johan Beisser
On Tue, May 13, 2014 at 4:58 AM, Magnus mag...@tokra.org wrote:
 Hello Misc-Users,

 I'm looking in to the possibility to do multihoming (more than one isp)
 on a Carp setup.
 To do live failover if one isp goes down, the other takes over.
 Just as carp does if one of the routers goes down.

You can do this with OpenBGPd, but CARP can only fail out between two
routers sharing the same IP (at its most basic setup, more complicated
setups are possible, obviously).

If both ISPs are routing to the same netblock, then you can fail in
the way you want. Otherwise, take a look at ifstated(8), and modify
your routing tables or do dynamic routing.

 I'm thinking that in combination with ifstated it might be possible, but
 have yet to find someone that has actually done it so far.

A solution I've used in the past is a controlled endpoint that
represents the exit for the network. The ISPs acted as pure transit
for the external network, and the VPN carried traffic to a common endpoint
(or endpoints).

 Next issue if the first one is possible.

 The proposed router in question is an IPSEC gateway, with several nodes
 connected to it.
 Failover here with just carp and one isp is no issue.
 But if the remote node has only one isp, and it has no carp or such,
 it's just a plain obsd box running a site-to-site tunnel,
 routing everything (0.0.0.0/0) over the tunnel.
 How would one manage to do a failover to the second isp of the above
 box, without loss of the tunnel during failover?

Take a look at sasyncd(8).



Re: Strange route entry from China

2014-05-13 Thread Johan Beisser
 On May 13, 2014, at 18:47, Stuart McMurray kd5...@gmail.com wrote:
 
 
 And, 163data.com.cn is a large source of shady activity.


I blocked the bulk of China and Asia outright at the router. 

Quick solution, if not clean. 



Re: Strange route entry from China

2014-05-13 Thread Johan Beisser
On Tue, May 13, 2014 at 10:31 PM, Johan Ryberg jo...@securit.se wrote:
 Yes, it's related to a SSH brute force attack.

 I have just never seen the client IP in the routing table before. My
 IP does not exist in the routing table when I SSH to the host.

The IP shouldn't be there, at all. But, according to the route flags
('D' in this case), it's in there due to a redirect.

 I have a hard time to understand the mechanism that added the IP to the
 table.

 Is this something that can be explained?

My assumption is there was an ICMP redirect that added the IP to your table.

Check to see if you're accepting redirects. By default, OpenBSD has them as off.
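One way to carry out that check, as an added example (not from the thread): a script that pulls redirect-created or redirect-modified entries out of an OpenBSD routing table listing and prints the redirect-acceptance sysctls. The routing table it parses is a constructed sample; the function names are this example's.

```shell
#!/bin/sh
# Added example, not from the thread. Lists routing-table entries whose flags
# show they came from an ICMP redirect, and shows whether the host accepts
# redirects. Input format is OpenBSD's `route -n show` / `netstat -rn` layout:
#   Destination  Gateway  Flags  Refs  Use  Mtu  Prio  Iface
# Flags of interest (route(8)/netstat(1)): D = dynamically created by redirect,
# M = modified by redirect.

# Print the data lines (stdin) whose Flags column contains D or M. Lines whose
# third column is not a flags word (headers, "Internet:" section titles,
# blank lines) fall through untouched.
redirect_routes() {
    awk 'NF >= 3 && $3 ~ /^[A-Za-z]+$/ && $3 ~ /[DM]/ { print }'
}

# Number of such entries; handy as an alert condition ("expect 0").
redirect_route_count() {
    redirect_routes | wc -l | tr -d ' '
}

# Live check on an OpenBSD host: both should report 0 (the default). On other
# systems the OIDs do not exist and a note is printed instead.
show_redirect_sysctls() {
    for oid in net.inet.icmp.rediraccept net.inet6.icmp6.rediraccept; do
        sysctl "$oid" 2>/dev/null || echo "$oid: not available on this host"
    done
}

# Constructed sample table (RFC 5737 addresses), one entry added by a redirect.
SAMPLE_ROUTES='Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            192.0.2.1          UGS        6    12345     -     8 em0
192.0.2.0/24       link#1             UC         2        0     -     4 em0
203.0.113.77       192.0.2.254        UGHD       0       17     -    56 em0
localhost          localhost          UH         1        3 32768     4 lo0'

main() {
    printf '%s\n' "$SAMPLE_ROUTES" | redirect_routes
    show_redirect_sysctls
}

case "$0" in *check_redirect_routes.sh) main ;; esac
```

On a live system, feed it `route -n show -inet | redirect_routes` instead of the sample.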



Re: where are translated web-pages?

2014-04-17 Thread Johan Beisser
http://marc.info/?l=openbsd-cvs&m=139637003025491&w=2

You did.

On Thu, Apr 17, 2014 at 3:08 PM, Alex Naumov posix...@gmail.com wrote:
 Hello,

 I just want to ask about not English (translated) pages. I can't find
 these.
 Also translation.html and steelix are not available.
 Did I miss something?

 Thank you,
 Alex



Re: where are translated web-pages?

2014-04-17 Thread Johan Beisser
On Thu, Apr 17, 2014 at 3:18 PM, Alex Naumov posix...@gmail.com wrote:
 Thank you for link, but... why? I mean, we are not going to continue work on
 translation anymore? Reason?

Read this thread on the topic from earlier this month.

http://marc.info/?t=13965139876&r=1&w=2



Re: Where can I find a list of error codes in smtpd?

2014-01-30 Thread Johan Beisser
http://www.faqs.org/rfcs/rfc821.html (1982)

Section 4.2.1.

https://www.ietf.org/rfc/rfc2821.txt (2001)

Section 4.2.1 defines the groups, and 4.2.2.x defines specific codes.

https://www.rfc-editor.org/rfc/rfc2487.txt (1999)

Secure SMTP over TLS.


On Thu, Jan 30, 2014 at 3:19 AM, STeve Andre' and...@msu.edu wrote:
   So far, I'm not finding them.  I'm interested in learning more
 about 150 IO error and 442 i/o error 5,  but a general list
 of them would be good.  I know I'm missing something...

 Thanks, STeve Andre'



Re: Where can I find a list of error codes in smtpd?

2014-01-30 Thread Johan Beisser
I feel like a bit of a jackass for the response.

Check smtpd/smtp_session.c

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/smtpd/smtp_session.c?rev=1.192



Softupdate on 3.4.7 with Debian Squeeze.

2013-12-12 Thread Johan Beisser
I'm kind of at a loss as to where I'm going wrong on this. So far, my
searches in the code haven't gotten me very far.

I'm attempting to get softupdates working correctly to systematically
update older Lenny systems to Squeeze (then eventually to Wheezy).
What I'm discovering is that the NFSROOT mounts fine, but everything
else fails.

What seems to be going on (I can't seem to locate the actual error in
fai.log, or any of the other logs) is the filesystems aren't mounting.

So, is there a way to get even more verbose logging?

Second, where do I start looking for the filesystem mounts? In sysinfo
all the filesystems mount cleanly, so I'm quite certain there's
something I'm missing for softupdate/lazyformat.

-jb


Re: Is Soekris OpenBSD friendly?

2013-11-15 Thread Johan Beisser
I'm not sure what you mean by too slow to route.

I've a net4501 with 64mb of RAM that's handling all of my IP traffic
at home. Biggest problem is swapping taking out available interrupts.

Modern networks are actually just too fast for the hardware these
days. It works fine for home stuff.

On Fri, Nov 15, 2013 at 5:39 PM, jordon open...@sirjorj.com wrote:
 I have an old net4511 running 5.4.  It’s too old/slow to route but it’s too 
 fun to not have running because how many other OS’es can run on a 486 100MHz 
 with 32MB RAM?




 On Nov 15, 2013, at 6:03 PM, SmithS smit...@hush.ai wrote:

 Greetings misc@.  After coming across a link[1] to make an OpenBSD
 router using a Soekris device, I think I will make one.  Does anyone
 else have this hardware and can verify all the components work?
 I think Intel NICs are good, but everything else?  I have never heard
 of this brand before so I want to be safe before buying.  The model
 number[2] is 6501-30

 [1] http://www.bsdnow.tv/tutorials/openbsd-router
 [2] https://soekris.com/products/net6501/net6501-30-board-case.html

 greetz,
 SmithS



Re: Is Soekris OpenBSD friendly?

2013-11-15 Thread Johan Beisser
On Fri, Nov 15, 2013 at 9:00 PM, jordon open...@sirjorj.com wrote:
 A few years back I put m0n0wall (FreeBSD-based) on it, hooked it up to 2 
 machines (1 WAN, 1 LAN) and pushed a file through it.  Its max bandwidth was 
 well under my Internet connection speed.

 It was replaced with a net5501.


It's not below mine. I can saturate it, but my inbound is still well
below what the hardware can handle. I'll upgrade eventually.



Re: why icmp timestamping is enabled by default ?

2013-10-21 Thread Johan Beisser
 On Oct 21, 2013, at 2:57, Henning Brauer lists-open...@bsws.de wrote:
 
 * Илья Шипицин chipits...@gmail.com [2013-10-11 04:52]:
 I was just curious why that timestamping is enabled by default.
 
 'cause there is no reason to disable it.
 
 why is tcp enabled by default?
 

Everyone knows that TCP, like IP, and the Internet is just a passing fad. 



Re: new queueing subsystem

2013-10-16 Thread Johan Beisser
 On Oct 16, 2013, at 8:05, Otto Moerbeek o...@drijf.net wrote:
 This will not be in 5.4, it will be in 5.5. If you see shortcomings in
 the docs explain in more detail.

I just read the QUEUEING section in the man page. Seems fairly clear to me, and 
in some ways more clear.

One thing I'd like to see is a suggestion for how to figure out your actual 
bandwidth, to better define the queues.

For example, I've got a 10Mbit outbound link, and three priority queues. The 
only reason I define a total bandwidth is that altq requires it, so I've set 
it at 9.5Mbit. With the move to HFSC, do I have to break down major queues, and 
the children? Or can I still just do very basic priority queueing in 5.5?



Re: new queueing subsystem

2013-10-16 Thread Johan Beisser
On Wed, Oct 16, 2013 at 11:04 AM, Norman Golisz li...@zcat.de wrote:
 On Wed Oct 16 2013 08:54, Johan Beisser wrote:
 Or can I still just do very basic priority queueing in 5.5?

 See pf.conf(5), 'set prio'. This doesn't even require you to define
 queues, etc.

Right. I guess if I want to define multiple queues for matching
traffic, I need to either redo the filter rules to use tagging*, or
simply do it per outbound bit of traffic.

The change is a pretty powerful one.

*
  match on FOO inet proto tcp from BAR to BAZ port {X,Y} tag PRIO_Z
  [...]
  pass out on egress tagged PRIO_X set prio 4
  pass out on egress tagged PRIO_Z set prio (3, 7)



Re: DNS Proxy

2013-09-15 Thread Johan Beisser
DNS proxy uses less bandwidth on your end.

There are a dozen DNS proxy services out there for media, they all
work on the same basic principle.

On Sun, Sep 15, 2013 at 4:55 AM, Monah Baki monahb...@gmail.com wrote:
 Hi all,


 I'm running OpenBSD 5.2 with squid for a friend who owns an ISP outside the
 U.S and uses my OpenBSD squid proxy to access netflix. I've been told this
 can be also accomplished via DNS Proxy. Is it true?

 If yes which one do you recommend?


 Thanks



Re: DNS Proxy

2013-09-15 Thread Johan Beisser
Use the D option in ssh(1) and the SOCKS proxy will do lookups through
the tunnel. Make sure you use version 5 (OpenSSH supports 4 and 5).



On Sun, Sep 15, 2013 at 12:42 PM, Joel Wirāmu Pauling
aener...@aenertia.net wrote:
 Also given dns is a user of UDP by default you need to use some other tunnel
 mechanism other than ssh.

 -Joel





Re: OpenBSD pxe automated install

2013-08-13 Thread Johan Beisser
On Tue, Aug 13, 2013 at 9:48 AM, Marian Hettwer m...@kernel32.de wrote:
 Hi Loic,


 On 13.08.13 15:43, Loïc Blot wrote:

 Hello Marian,
 I think you are right, because bsd.rd is required as a last chance to
 repair the system, among other things.


 right. And I'd like to leave it untouched. This hopefully also increases the
 possibility that whatever we come up with might get added upstream... ;)

There's nothing preventing you from building your own installer within
the RAMDISK kernel. I've done it in the past to handle some
personalized extensions.


 I agree that the most pressing point is automatic network configuration in
 order to be able to download additional configs, like disk config, package
 config, ...

It's doable within the base tools, if you assemble things correctly.
There's no reason not to serve this stuff from NFS or TFTP to pull in the
config.




 PS.: personal opinion: I like FAI (www.fai.org) much more than Debian's
 preseed.cfg... check it out ;)

http://fai-project.org/ is the correct URL. I've had some interesting
problems with FAI in the past. Once it's working, it's quite
wonderful.



Re: OpenBSD pxe automated install

2013-08-12 Thread Johan Beisser
read the FAQ, Loic.

http://openbsd.org/faq/faq4.html#site

Site*.tgz, install.site and upgrade.site are a good starting point.

On Mon, Aug 12, 2013 at 11:59 AM, Loïc BLOT
loic.b...@unix-experience.fr wrote:
 Hello @misc.

 Today I'm working on automated deployment with PXE. I have successfully found
 and made an automated PXE install on Debian with pxelinux.

 I know OpenBSD has a pxe boot image to netinstall the system
 http://www.cyberciti.biz/faq/openbsd-boot-install-using-pxe-preboot-execution-environment/

 Are there any options to automate the installation?
 I want a machine to boot on bsd.rd, read a configuration file (url
 passed by etc/boot.conf, for example) and install with the read
 parameters.
 Is there any issue with doing this, or do I do it myself?

 Thanks in advance
 --
 Best regards,
 Loïc BLOT,
 UNIX systems, security and network expert
 http://www.unix-experience.fr




Re: OpenBSD pxe automated install

2013-08-12 Thread Johan Beisser
Please read the FAQ entry I sent you, pay close attention to install.site and 
upgrade.site. 

Both of those are scripts that are executed by the installer. 

Fully automatic installs have been done, usually by modifying the installer 
script or root's .profile. 

Basically: automatic, unattended installation of openbsd is possible, but you 
have to build the glue for it. 

Sent form my iFoe. 

On Aug 12, 2013, at 12:52, Loïc BLOT loic.b...@unix-experience.fr wrote:

 Hello,
 thanks for your reply Johan, but this is not what I want. site.tgz
 contains a set of preconfigured files to deploy with other sets to deploy
 similar machines.
 
 My need is to install a clean OpenBSD by automated means:
 the server boots via PXE and installs OpenBSD, configures network, hostname,
 disk, installs sets over the network and reboots without any human
 intervention. After that, the server can use siteXX.tgz, yes, but this is not
 the main problem here.
 
 --
 Best regards,
 Loïc BLOT,
 UNIX systems, security and network expert
 http://www.unix-experience.fr
 
 



Re: new topic: blind support for OpenBSD.

2013-07-06 Thread Johan Beisser
On Jul 6, 2013, at 21:53, Nick Holland n...@holland-consulting.net wrote:

 
 Feel free to take this off list with me if you prefer.
 

I kind of hope you keep this on list, actually. While I'm not affected by the 
problem, I'm interested in the problem and solutions. 



Re: Fuse on OpenBSD

2013-07-03 Thread Johan Beisser
On Jul 3, 2013, at 20:23, Brad Smith b...@comstyle.com wrote:

 On 03/07/13 11:07 PM, openda...@hushmail.com wrote:
 Why do we need FUSE anyway?
 
 To be able to utilize FUSE based filesystems.
 

Fuse is a terrible hack.

But, a useful one that solves all kinds of problems. 

Sent form my iFoe. 



Re: rtsol with IPv6 forwarding turned on

2013-05-14 Thread Johan Beisser
On Tue, May 14, 2013 at 3:13 PM, Stuart Henderson s...@spacehopper.org wrote:
 On 2013-05-14, Mattias Lindgren mlindg...@runelind.net wrote:
 Hello,

 I'm using a OpenBSD 5.3 (release) machine as my router connecting
 to Comcast. Comcast provides native IPv6 access, however it does
 so a little bit differently than what is probably best practice.
 I use wide-dhcpv6-20080615p2 from ports to get an address on my
 outside interface, as well as a prefix which gets assigned to my
 inside interface. However, the default route is announced via Route
 Advertisements.

 That is pretty common practice for ISPs doing IPv6 (see RFC 6204),
 but OpenBSD doesn't support it at present.

I tried to use the DHCPv6 client but found it didn't quite work right
(no assigned IP to the interface). Rtsold gets the prefix and gateway
just fine, but Comcast assigns a /64 prefix to my firewall. But, the
DHCPv6 server won't actually issue me a V6 IP (as of yet..)

I've assigned an arbitrary IPv6 address to my firewall, and it can
reach out over Comcast's network with no problem.

I started to look at setting up an internal local network before
getting distracted by paying work.

 However since I would also like for my router to forward
 IPv6 packets, I'm not sure of how to make it work. Rtsol states that
 net.inet6.ip6.forwarding=0. I've tried running rtsol with forwarding
 set to 1, but it complains and does not grab a default route. The other
 option would be to manually set the v6 default route, but I'd prefer to
 not have to do that. Does anyone know of a workaround for this issue?

 Manually setting the route is the only current workaround afaik.

I might give that a shot. The RA (at least the one near me) gives a
link local advert (fe80::) with a /64 prefix.


 FreeBSD turned accept_rtadv into a per-interface flag which can be
 set (only) on the upstream interface so you can continue to send
 adv's on the downstream interfaces.

That seems to be a good solution, but not necessarily the right one.



Re: NFS cluestick needed

2013-03-31 Thread Johan Beisser
Back in the day I'd abuse lndir(1) to link to the nfs mounted source
directory.

http://www.openbsd.org/cgi-bin/man.cgi?query=lndir&sektion=1

Sent form my iFoe.

On Mar 31, 2013, at 7:48, David Higgs hig...@gmail.com wrote:

 In trying to avoid multiple copies of OpenBSD source on my VMs, I am
 trying to use NFS; however, permissions don't seem to be working
 right.  I would very much appreciate help in figuring out what I'm
 doing wrong, and am also interested in tips on how to compile from
 read-only source trees.

 Thanks in advance,

 --david

  SERVER VM 

 [vm@vm ~]$ dmesg | head
 OpenBSD 5.2 (GENERIC) #2: Mon Nov  5 10:42:07 EST 2012
root@vm.localdomain:/usr/src/sys/arch/i386/compile/GENERIC
 cpu0: Intel(R) Core(TM)2 Duo CPU T7700 @ 2.40GHz (GenuineIntel
 686-class) 2.45 GHz
 cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,NXE,LONG,SSE3,SSSE3,CX16,LAHF
 real mem  = 267907072 (255MB)
 avail mem = 252665856 (240MB)
 mainbus0 at root
 bios0 at mainbus0: AT/286+ BIOS, date 09/20/12, BIOS32 rev. 0 @
 0xfd780, SMBIOS rev. 2.4 @ 0xe0010 (364 entries)
 bios0: vendor Phoenix Technologies LTD version 6.00 date 09/20/2012
 bios0: VMware, Inc. VMware Virtual Platform

 [vm@vm ~]$ cat /etc/exports
 #   $OpenBSD: exports,v 1.2 2002/05/31 08:15:44 pjanzen Exp $
 #
 # NFS exports Database
 # See exports(5) for more information.  Be very careful:  misconfiguration
 # of this file can result in your filesystems being readable by the world.
 /usr/src /usr/ports /usr/xenocara -maproot=root:wheel
 -network=172.16.223.0 -mask=255.255.255.0

 [vm@vm ~]$ showmount -a
 All mount points on localhost:
 172.16.223.129:/usr/ports
 172.16.223.129:/usr/src
 172.16.223.129:/usr/xenocara

  CLIENT VM 

 # dmesg | head
 OpenBSD 5.2-stable (GENERIC) #2: Wed Dec 26 12:19:49 EST 2012
root@vm.localdomain:/usr/src/sys/arch/amd64/compile/GENERIC
 real mem = 267321344 (254MB)
 avail mem = 237985792 (226MB)
 mainbus0 at root
 bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xe0010 (364 entries)
 bios0: vendor Phoenix Technologies LTD version 6.00 date 09/20/2012
 bios0: VMware, Inc. VMware Virtual Platform
 acpi0 at bios0: rev 2
 acpi0: sleep states S0 S1 S4 S5

 # mount
 /dev/wd0a on / type ffs (local, softdep)
 /dev/wd0f on /home type ffs (local, noatime, nodev, nosuid, softdep)
 /dev/wd0d on /tmp type ffs (local, nodev, nosuid, softdep)
 /dev/wd0g on /usr type ffs (local, noatime, nodev, softdep)
 /dev/wd0e on /var type ffs (local, nodev, nosuid, softdep)
 172.16.223.128:/usr/src on /usr/src type nfs (noatime, nodev, noexec,
 nosuid, v3, udp, timeo=100, retrans=101)
 172.16.223.128:/usr/ports on /usr/ports type nfs (noatime, nodev,
 noexec, nosuid, v3, udp, timeo=100, retrans=101)
 172.16.223.128:/usr/xenocara on /usr/xenocara type nfs (noatime,
 nodev, noexec, nosuid, v3, udp, timeo=100, retrans=101)

 # id
 uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty),
 5(operator), 20(staff), 31(guest)

 # ls -la /usr/src/sys/arch/amd64/compile/
 total 16
 drwxr-xr-x   3 root  wheel  512 Feb 27  2009 .
 drwxr-xr-x  10 root  wheel  512 Nov 29  2010 ..
 -rw-r--r--   1 root  wheel   38 Jun 25  2004 .cvsignore
 drwxr-xr-x   2 root  wheel  512 Mar 30 16:37 CVS

 # mkdir /usr/src/sys/arch/amd64/compile/GENERIC
 mkdir: /usr/src/sys/arch/amd64/compile/GENERIC: Permission denied
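
The exports line on the server above keeps remote root as local root (-maproot=root:wheel; without a -maproot option mountd maps the remote superuser to nobody) on the whole source tree for everything in 172.16.223.0/24, and the exports(5) comment right above it warns that a mistake on this line makes filesystems world-readable. As an added example, not something posted in this thread, here is a small Python audit of exports(5)-style lines that flags root mapping, exports with neither a host list nor a -network restriction, missing -ro and -alldirs. The sample input is constructed: its first line is the export from the post with the mailer's line wrap undone, the other two lines are invented to exercise the remaining checks, and the host name buildbox.example.net is made up.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Union

# Constructed sample in exports(5) format. The first export is the one from
# the thread (line wrap undone); the other two are invented for the checks.
SAMPLE_EXPORTS = """\
#   $OpenBSD: exports,v 1.2 2002/05/31 08:15:44 pjanzen Exp $
/usr/src /usr/ports /usr/xenocara -maproot=root:wheel -network=172.16.223.0 -mask=255.255.255.0
/export/pub -ro -alldirs
/export/home -mapall=root \\
    buildbox.example.net
"""


@dataclass
class Export:
    paths: List[str]
    options: Dict[str, Union[str, bool]] = field(default_factory=dict)
    hosts: List[str] = field(default_factory=list)


def parse_exports(text: str) -> List[Export]:
    """Parse exports(5)-style text. A logical line is one or more absolute
    paths, then -options, then an optional host list. A trailing backslash
    continues the line; '#' starts a comment."""
    exports = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        exp = Export(paths=[])
        for tok in line.split():
            if tok.startswith("-"):
                name, _, value = tok[1:].partition("=")
                exp.options[name] = value or True      # flag options become True
            elif tok.startswith("/") and not exp.options and not exp.hosts:
                exp.paths.append(tok)
            else:
                exp.hosts.append(tok)
        exports.append(exp)
    return exports


def _maps_to_root(value) -> bool:
    # -maproot=user[:group...] / -mapall=user[:group...]; user may be a name or a uid
    user = str(value).split(":", 1)[0]
    return user in ("root", "0")


def audit_export(exp: Export) -> List[str]:
    """Findings a reviewer would raise for one export line."""
    findings = []
    o = exp.options
    if not exp.hosts and "network" not in o:
        findings.append("no host list and no -network: exported to every host that can reach the server")
    elif "network" in o:
        # -network may carry its own /prefix; with no -mask exports(5) would
        # derive one, here we conservatively treat it as a single host
        spec = o["network"] if "/" in o["network"] else f"{o['network']}/{o.get('mask', '255.255.255.255')}"
        net = ipaddress.ip_network(spec, strict=False)
        if not net.is_private:
            findings.append(f"-network {net} is not private address space")
    if "maproot" in o and _maps_to_root(o["maproot"]):
        findings.append("-maproot keeps remote root as local root (the default would map it to nobody)")
    if "mapall" in o and _maps_to_root(o["mapall"]):
        findings.append("-mapall=root makes every remote user local root")
    if "ro" not in o:
        findings.append("no -ro: tree is exported read-write")
    if "alldirs" in o:
        findings.append("-alldirs: any subdirectory can be mounted")
    return findings


def audit(text: str) -> Dict[str, List[str]]:
    """Map each export's path list to its findings."""
    return {" ".join(e.paths): audit_export(e) for e in parse_exports(text)}


if __name__ == "__main__":
    for paths, findings in audit(SAMPLE_EXPORTS).items():
        print(paths)
        for finding in findings:
            print("  -", finding)
```

For the source-tree case in the post, the finding to act on is the read-write one: a tree that is only ever compiled from can be exported -ro, and then the question of where object files go is answered on the client rather than by widening the export.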



Re: npppd not communicating in 5.2

2013-03-05 Thread Johan Beisser
I had a problem with tun interfaces and npppd. Try the pppx interface instead. 



Sent from my iFoe. 

On Mar 5, 2013, at 13:35, Jason Markowitz jma...@gmail.com wrote:

 Hello,
 
 
 I'm receiving the following errors when attempting to establish a vpn
 session via l2tp, the ipsec side works fine and phase 1 authenticates
 perfectly, i dont see pf blocking anything in pf log (egress wide
 open, inbound is set to block in log all, with holes opened for the
 appropriate ports for vpn and ssh)
 
 2013-03-05 16:26:10:NOTICE: Starting npppd pid=5729 version=5.0.0
 2013-03-05 16:26:10:NOTICE: Load configuration
 from='/etc/npppd/npppd.conf' successfully.
 2013-03-05 16:26:10:WARNING: write() failed in in_route0 on RTM_ADD :
 File exists
 2013-03-05 16:26:10:INFO: tun0 Started ip4addr=10.101.0.1
 2013-03-05 16:26:10:INFO: Listening /var/run/npppd_ctl (npppd_ctl)
 2013-03-05 16:26:10:INFO: Added 2 routes for new pool addresses
 2013-03-05 16:26:10:INFO: Loading pool config successfully.
 2013-03-05 16:26:10:INFO: realm name=local(local) Loaded users
 from='/etc/npppd/npppd-users.csv' successfully.  1 users
 2013-03-05 16:26:10:INFO: l2tpd Listening 0.0.0.0:1701/udp (L2TP LNS) [L2TP]
 2013-03-05 16:26:10:INFO: l2tpd Listening [::]:1701/udp (L2TP LNS) [L2TP]
 2013-03-05 16:26:10:INFO: tun0 is using ipcp=default(1 pools).
 2013-03-05 16:26:19:NOTICE: l2tpd ctrl=1 logtype=Started RecvSCCRQ
 from=x.x.x.247:65028/udp tunnel_id=1/15 protocol=1.0 winsize=4
 hostname=Jasons-MacBook-Air.local vendor=(no vendorname) firm=
 2013-03-05 16:26:19:INFO: l2tpd ctrl=1 SendSCCRP
 2013-03-05 16:26:21:NOTICE: l2tpd ctrl=2 logtype=Started RecvSCCRQ
 from=x.x.x.252.247:65028/udp tunnel_id=2/15 protocol=1.0 winsize=4
 hostname=Jasons-MacBook-Air.local vendor=(no vendorname) firm=
 2013-03-05 16:26:21:INFO: l2tpd ctrl=2 SendSCCRP
 2013-03-05 16:26:25:NOTICE: l2tpd ctrl=3 logtype=Started RecvSCCRQ
 from=x.x.x..247:65028/udp tunnel_id=3/15 protocol=1.0 winsize=4
 hostname=Jasons-MacBook-Air.local vendor=(no vendorname) firm=
 2013-03-05 16:26:25:INFO: l2tpd ctrl=3 SendSCCRP
 2013-03-05 16:26:29:NOTICE: l2tpd ctrl=4 logtype=Started RecvSCCRQ
 from=x.x.x.247:65028/udp tunnel_id=4/15 protocol=1.0 winsize=4
 hostname=Jasons-MacBook-Air.local vendor=(no vendorname) firm=
 2013-03-05 16:26:29:INFO: l2tpd ctrl=4 SendSCCRP
 2013-03-05 16:26:31:NOTICE: l2tpd ctrl=1 timeout waiting ack for ctrl packets.
 2013-03-05 16:26:31:NOTICE: l2tpd ctrl=1 logtype=Finished
 2013-03-05 16:26:33:NOTICE: l2tpd ctrl=5 logtype=Started RecvSCCRQ
 from=xx.x.x.247:65028/udp tunnel_id=5/15 protocol=1.0 winsize=4
 hostname=Jasons-MacBook-Air.local vendor=(no vendorname) firm=
 2013-03-05 16:26:33:INFO: l2tpd ctrl=5 SendSCCRP
 2013-03-05 16:26:33:NOTICE: l2tpd ctrl=2 timeout waiting ack for ctrl packets.
 2013-03-05 16:26:33:NOTICE: l2tpd ctrl=2 logtype=Finished
 2013-03-05 16:26:37:NOTICE: l2tpd ctrl=6 logtype=Started RecvSCCRQ
 from=xxx.x.x.247:65028/udp tunnel_id=6/15 protocol=1.0 winsize=4
 hostname=Jasons-MacBook-Air.local vendor=(no vendorname) firm=
 2013-03-05 16:26:37:INFO: l2tpd ctrl=6 SendSCCRP
 2013-03-05 16:26:37:NOTICE: l2tpd ctrl=3 timeout waiting ack for ctrl packets.
 2013-03-05 16:26:37:NOTICE: l2tpd ctrl=3 logtype=Finished
 2013-03-05 16:26:41:NOTICE: l2tpd ctrl=4 timeout waiting ack for ctrl packets.
 2013-03-05 16:26:41:NOTICE: l2tpd ctrl=4 logtype=Finished
 
 
 
 npppd.conf:
 
 interface_list: tun0
 interface.tun0.ip4addr: 10.101.0.1
 
 # IP Address Pool
 pool.dyna_pool: 10.101.0.0/25
 pool.pool:  10.101.0.128/25
 
 # local file auth
 auth.local.realm_list:  local
 auth.local.realm.acctlist:  /etc/npppd/npppd-users.csv
 realm.local.concentrate: tun0
 
 lcp.mru:1400
 lcp.timeout:18
 auth.method:mschapv2
 # auth.method:  mschapv2 chap pap
 ipcp.assign_fixed: true
 ipcp.assign_userselect:true
 
 pptpd.enabled:  false
 pptpd.ip4_allow:0.0.0.0/0
 #pptpd.listener_in: PPTP 192.168.0.1
 
 # L2TP daemon
 l2tpd.enabled:  true
 l2tpd.ip4_allow:0.0.0.0/0
 #l2tpd.listener_in: L2TP 10.101.0.1
 l2tpd.purge_ipsec_sa:   false
 l2tpd.require_ipsec:true
 l2tpd.accept_dialin:true
 
 pipex.enabled: true
 
 
 Any Thoughts? System is amd64 running 5.2



Re: Microsoft VPN PPTP

2013-01-31 Thread Johan Beisser
On Thu, Jan 31, 2013 at 4:06 PM, Aaron Mason simplersolut...@gmail.com wrote:
 If you can, change to a different type of VPN.  Not because of the storm,
 but because PPTP has been broken security-wise.  Good results have been
 achieved with OpenVPN.

I'm having remarkable success with npppd(8) and L2TP. I'm using it
with MacOS and iOS clients, no problems. I'll be testing with Linux
ones later this week (including Android, etc).

Outside of the tun(4) bug that bit me, it's been rock solid.



Re: CARP best practices

2013-01-30 Thread Johan Beisser
On Wed, Jan 30, 2013 at 8:56 AM, System Administrator ad...@bitwise.net wrote:
 I finally got to deploy a CARP firewall cluster (HA failover for now).
 Using only the official OpenBSD.org documentation, everything went very
 smoothly even though the setup is not quite trivial (14 carp addresses
 on 6 active interfaces). I even got system replication going using
 rdist(1).

 While testing the failover and trying to ssh to a carp address I got
 hit with the server key mismatch; hence this email. What is considered
 best practice wrt ssh keys in a carp cluster -- install the same keys
 on all member nodes to avoid the alerts or just live with the
 occasional mismatch?

Don't monitor SSH on the CARP address.



Re: CARP best practices

2013-01-30 Thread Johan Beisser
On Wed, Jan 30, 2013 at 9:44 AM, System Administrator ad...@bitwise.net wrote:
 On 30 Jan 2013 at 9:29, Johan Beisser wrote:


  While testing the failover and trying to ssh to a carp address I got
  hit with the server key mismatch; hence this email. What is considered
  best practice wrt ssh keys in a carp cluster -- install the same keys
  on all member nodes to avoid the alerts or just live with the
  occasional mismatch?

 Don't monitor SSH on the CARP address.

 Sorry, I'm not following you

Do you need to be able to ssh in to the firewall(s) via the CARP
addresses? If the answer is yes, share the host keys between them.

Or set up a redirect for the CARP addresses that goes to an alternate
sshd port from port 22. Which uses the same host keys between the
systems.



Re: CARP best practices

2013-01-30 Thread Johan Beisser
On Wed, Jan 30, 2013 at 2:03 PM, Jiri B ji...@devio.us wrote:
 On Wed, Jan 30, 2013 at 09:29:42AM -0800, Johan Beisser wrote:
 Don't monitor SSH on the CARP address.

 Doesn't it depend on the purpose of this SSH service?
 If it is to manage individual boxes, then sshd should not listen
 on CARP ip address.

Maybe.  Or, perhaps you have a pool of servers that are essentially
identical, and the failover service runs over SSH. In that case,
having identical host keys would clear up that specific error. But, if
a host fails out of the pool, you may not know right away.

 If it is authentication for external users like authpf,
 file uploads, I would create another sshd instance which would
 flow between boxes sharing same key, still keeping individual
 sshd for each box. We were doing this for a file upload cluster,
 though that was not OpenBSD but the issue about the key and virtual
 ip is the same.

Yes. I covered that in a later email. But, that's defined by the
function you're trying to use. The original complaint was "I'm sshing
in to the CARP address, and the host keys keep changing, making SSH
throw an error."

Like any doctor who gets a complaint of "it hurts when I do this!",
the first answer is "well, don't do that." Until you get more
information, and can actually help the person out.
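
Sharing host keys across the CARP members is where the thread lands for the case where sshd really has to answer on the VIP. The check a practitioner wants before and after syncing /etc/ssh/ssh_host_*_key between members is whether the members actually present the same key, as seen from a client's known_hosts. The following Python is an added example, not code from the thread: it computes SHA256 fingerprints the way ssh-keygen -l prints them from known_hosts lines, reports which member the VIP entry currently matches, and whether a failover would change the key the client sees. Hostnames, addresses and keys are constructed; the ed25519 "public keys" are 32 fixed bytes wrapped in the ssh wire format, which is enough for fingerprinting but are not real keys.

```python
import base64
import hashlib
import struct
from typing import Dict, List, Tuple


def _ssh_string(b: bytes) -> bytes:
    # ssh wire-format string: 4-byte big-endian length, then the bytes
    return struct.pack(">I", len(b)) + b


def ed25519_blob(point: bytes) -> bytes:
    """Wire-format ssh-ed25519 public key blob from 32 bytes. Constructed
    test data, not a real key pair; the fingerprint maths is the same."""
    if len(point) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return _ssh_string(b"ssh-ed25519") + _ssh_string(point)


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form ssh-keygen -lf prints: base64 of the
    SHA-256 of the key blob, with '=' padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Constructed: two member keys (A, B) and a VIP entry that currently carries A,
# i.e. the client last spoke to fw1 through the CARP address.
KEY_A = base64.b64encode(ed25519_blob(bytes(range(32)))).decode()
KEY_B = base64.b64encode(ed25519_blob(bytes(range(32, 64)))).decode()
SAMPLE_KNOWN_HOSTS = f"""\
# constructed known_hosts for a two-node CARP firewall pair
fw1.example.net,192.0.2.11 ssh-ed25519 {KEY_A}
fw2.example.net,192.0.2.12 ssh-ed25519 {KEY_B}
fw-vip.example.net,192.0.2.10 ssh-ed25519 {KEY_A}
"""


def parse_known_hosts(text: str) -> Dict[str, Tuple[str, str]]:
    """Map every host/address in a known_hosts file to (keytype, fingerprint).
    Hashed entries (|1|...) and @cert-authority/@revoked markers are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "@", "|1|")):
            continue
        hosts, keytype, b64 = line.split()[:3]
        fp = fingerprint(base64.b64decode(b64))
        for host in hosts.split(","):
            entries[host] = (keytype, fp)
    return entries


def carp_ssh_report(entries: Dict[str, Tuple[str, str]], vip: str, members: List[str]) -> dict:
    """Which member's host key the VIP entry matches, and whether the members
    agree with each other (they must, if sshd is reachable on the VIP)."""
    fps = {m: entries[m][1] for m in members}
    vip_fp = entries[vip][1]
    distinct = len(set(fps.values()))
    return {
        "vip_matches": [m for m, fp in fps.items() if fp == vip_fp],
        "members_agree": distinct == 1,
        "will_mismatch_on_failover": distinct > 1,
    }


if __name__ == "__main__":
    known = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    print(carp_ssh_report(known, "fw-vip.example.net", ["fw1.example.net", "fw2.example.net"]))
```

The alternate-port sshd from the second reply changes nothing in this check: whichever sshd answers on the CARP address, every member has to present the same key there, which is what members_agree tests; with separate keys per member the VIP entry will keep flipping between them.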



Re: Android mobile - OpenBSD IPSEC

2013-01-23 Thread Johan Beisser
Are you using just ipsec, or L2TP?

On Wed, Jan 23, 2013 at 11:48 PM, Jan Lambertz jd.arb...@googlemail.com wrote:
 Hi,

 Running OpenBSD 5.2 AMD64 release as homeserver.
 Got Android 2.3 Samsung Mobile.
 Want to connect via vpn IPSEC.
 Config:
 ike passive esp tunnel from any to any \
 main auth hmac-sha1 enc des \
 quick auth hmac-sha1 enc des \
 srcid  dstid (tested different things here without effect) \
 psk test123


 Also changed "any to any" to more concise settings, without effect.
 "local ip" and "peer any" didn't help either.


 Jan 24 08:41:37 puffy isakmpd[10830]: attribute_unacceptable:
 ENCRYPTION_ALGORITHM: got 3DES_CBC, expected DES_CBC
 Jan 24 08:41:37 puffy isakmpd[10830]: attribute_unacceptable:
 ENCRYPTION_ALGORITHM: got 3DES_CBC, expected DES_CBC
 Jan 24 08:41:38 puffy isakmpd[10830]: responder_recv_HASH_SA_NONCE: peer
 proposed invalid phase 2 IDs: initiator id 10.166.112.90, responder id
 178.26.160.62
 Jan 24 08:41:38 puffy isakmpd[10830]: dropped message from 89.204.138.90
 port 51210 due to notification type INVALID_ID_INFORMATION
 Jan 24 08:41:50 puffy isakmpd[10830]: responder_recv_HASH_SA_NONCE: peer
 proposed invalid phase 2 IDs: initiator id 10.166.112.90, responder id
 178.26.160.62
 Jan 24 08:41:50 puffy isakmpd[10830]: dropped message from 89.204.138.90
 port 51210 due to notification type INVALID_ID_INFORMATION
 Jan 24 08:41:58 puffy isakmpd[10830]: responder_recv_HASH_SA_NONCE: peer
 proposed invalid phase 2 IDs: initiator id 10.166.112.90, responder id
 178.26.160.62
 Jan 24 08:41:58 puffy isakmpd[10830]: dropped message from 89.204.138.90
 port 51210 due to notification type INVALID_ID_INFORMATION


 89.204.138.90 seems to be the mobile.
 10.166.112.90 ?? What's this?

 BTW, I'm using the standard VPN client built in to Android. Before I can
 connect I have to enter a username / pw (not PSK). Is IPsec about username
 / pw stuff? Couldn't find it anywhere in the manuals.


 thanks



Re: Still possible to get OpenBSD onto Soekris net5501 via qemu install to flashcard?.

2013-01-14 Thread Johan Beisser
I just upgraded in place via bsd.rd on my net4501. Guess I could do the other 
methods as well. 

Sent from my iFoe. 

On Jan 14, 2013, at 10:59, Nick Holland n...@holland-consulting.net wrote:

 On 01/14/2013 10:15 AM, Sarah Caswell wrote:
 Hi all,
 
 I'm having a frustrating problem getting OpenBSD-current (or
 snapshot) to run on my Soekris net5501.
 
 With previous versions of OBSD I was able to use qemu to install to a
 compact flashcard directly, by connecting the flashcard to my laptop
 and then starting qemu like so:
 
 sudo qemu -hda /dev/sd0i -cdrom install52.iso -boot d  (and many
 variations of this command mostly pertaining to the /dev/sd0
 section)
 
 funny definition of "directly".
 ...
 P.S.:  I know there are other ways to get OpenBSD running on a
 Soekris but I've always liked the utter simplicity of the qemu-based
 install.
 
 using an emulator = "simple"?
 If you don't understand the tools well enough to troubleshoot the problem, I 
 really don't believe your assessment there. I don't know much about qemu, but 
 I see a problem in the command line.
 
 This is what *I* call simple:
 Take your USB flash card reader to a free machine with a USB port.  Put an 
 OpenBSD CD in it.  Boot off CD.  Install to CF device.  Use DUIDs. Create a 
 /etc/hostname.vr0 (or whatever your soekris uses for its primary NIC), and do 
 other network configuration as needed.  Put flash device in Soekris.  Done.  
 "direct", "simple", bare minimum of extra tools.  Machine doesn't even have 
 to be able to boot from the USB port, though you can't test it before 
 installing on soekris if it isn't.
 
 (variation: install bare minimum system on flash drive, move to Soekris, at 
 the boot prompt, tell it bsd.rd and re-install exactly as you wish.  If *I* 
 were doing that, I could do it from an installed OpenBSD machine of the same 
 platform without taking down the machine or booting from a CD. I'd call that 
 simple, but I understand some basic tools that we try to keep normal people 
 from having to use.  The info for figuring out how to do that is all in the 
 OpenBSD FAQ, though not in recipe form.)
 
 Nick.



Re: PF filtering on MAC address

2013-01-10 Thread Johan Beisser
On Thu, Jan 10, 2013 at 6:54 PM, Erling Westenvik
erling.westen...@gmail.com wrote:
 Is it possible to have PF filter on MAC address on a machine with only
 one physical nic? I'm aware that MAC filtering can only be done on a
 machine configured as a bridge, but how to configure such a bridge?

Add the single interface to the bridge.

Tag the packets from a specific MAC. Filter the tag.

 ---8---
 # /etc/hostname.bridge0
 add bge0
 add ??
 rule pass in on bge0 src f8:db:7f:4d:bb:10 tag WWW
 rule pass in on bge0 src 00:08:02:85:6c:90 tag SSH
 rule pass in on bge0 src 00:16:ea:b3:65:d0 tag SSH
 ---8---

 Regards,

 Erling



Re: Running OpenBSD on Raspberry Pi

2013-01-04 Thread Johan Beisser
On Fri, Jan 4, 2013 at 4:41 PM, Aaron Mason simplersolut...@gmail.com wrote:
 On Sat, Jan 5, 2013 at 7:58 AM, Dan Shechter dans...@gmail.com wrote:
 You have all failed to mention that the ALIX devices come with Swiss
 chocolates in the package!


 I've ordered direct from PCEngines before and never got that.

Perhaps you should ask more pleasantly.



Re: Running OpenBSD on Raspberry Pi

2012-12-30 Thread Johan Beisser
On Dec 30, 2012, at 8:31, pe...@bsdly.net (Peter N. M. Hansteen) wrote:

 A case in point: one of the firewalls I maintain for old friends is a
 Pentium III box with a whopping 512 MB of RAM, 8GB hard drive, you get
 the idea. As in, seriously, you'll get better hardware for free or the
 price of a bus ticket.

486DX2, 64mb of ram, 1gb of disk. 

It's my firewall at home. Has been reliably pushing packets since 2000. 



Re: openbsd clusters

2012-12-26 Thread Johan Beisser
On Sat, Dec 22, 2012 at 7:43 PM, Nick Holland
n...@holland-consulting.net wrote:
 On 12/22/12 07:54, Friedrich Locke wrote:
 ...
 But for other services i don't have now what i could use. A example: i need
 a file system that must expand by adding more machine in the network in a
 simple way.

 in plain English: "I'm not thinking out the design carefully, so I'm
 going to rely on fancy shit to haul my ass out of the fire when the
 predictable (and not so predictable) happens."

Yes and no. Yes, the design is important. No, I actually do have a
need for linear storage that can be easily expanded upon. I could use
a NetApp or similar setup, but then I can't throw more CPU at the
other side of the problem: using the stored data.

So the bigger problem isn't storage space (disk is cheap, after all),
rather than being able to slice and dice the data that's stored on the
system. Processing huge files is much easier when you have
dozen nodes to do it on.

I fully agree that being able to later extract and migrate away from
any storage solution is important. Along with that comes migration
paths to new hardware, software, and simple failure recovery (bad
disks, broken node, etc).

Big data takes quite a bit of planning, but it's gotten much easier.
Good thing I don't need to do this quickly...



Re: Unified BSD?

2012-11-13 Thread Johan Beisser
On Tue, Nov 13, 2012 at 2:45 AM, Ignatios Souvatzis
ignat...@cs.uni-bonn.de wrote:

 At least a sixth, IIRC. You left out MirBSD from your distribution list.
 Also, you could argue that Minix, with its NetBSD compatibility,
 is a seventh and MacOS-X, with its partially (Free-/Net-)BSD compatible
 userland, an eighth.

OS X has benefitted greatly from FreeBSD, Apple hiring former FreeBSD
core team members. And indirectly from OpenBSD as well, with modern
versions of OS X, 10.7+, having pf.

Cross pollination is a huge benefit to the BSD community.
___
freebsd-chat@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-chat
To unsubscribe, send any mail to freebsd-chat-unsubscr...@freebsd.org



Re: Unified BSD?

2012-11-12 Thread Johan Beisser
On Mon, Nov 12, 2012 at 5:14 PM, Greg 'groggy' Lehey g...@freebsd.org wrote:

 - Then DragonflyBSD split from FreeBSD.  Mainly personality driven
   AFAICT.  Again, this doesn't imply any criticism of the founder of
   the new project.

There were some very valid technical reasons at the time as well, IMHO.



Re: Low latency High Frequency Trading

2012-11-08 Thread Johan Beisser
On Thu, Nov 8, 2012 at 4:12 AM, Dan Shechter dans...@gmail.com wrote:
 Hi All,

 current situation
 A windows 2008 server is receiving TCP traffic from a stock exchange
 and sends it, almost as is, using UDP multicast to automated high
 frequency traders.

 StockExchange --TCP--- windows2008 ---MCAST-UDP

 On average, the time it take to do the TCP to UDP translation, using
 winsock, is 240 micro seconds. It can even be as high as 60,000 micro
 seconds.
 /current situation

 my idea
 1. Use port mirroring to get the TCP data sent to a dedicated OpenBSD
 box with two NICs. One for the TCP, the other for the multicast UDP.

You'll incur an extra penalty offloading to the kernel. Winsock is
already doing that, though.

 2. Put the TCP port in a promiscuous mode.

Why? You can just set up the right bits to listen to on the network,
and pull raw frames to be processed. Or, just let the network stack
behave as it should.

 3. Write my TCP-UDP logic directly into ether_input.c

Any reason to not use pf for this translation?

 /my idea

 Now for the questions:
 1. Am I on the right track? or in other words how crazy is my idea?

Pretty crazy. You may want to see if there's hardware accelerated or
on NIC TCP off-load options instead.

 2. What would be the latency? Can I achieve 50 microseconds between
 getting the interrupt and until sending the new packet through the
 NIC?

See above. You'll end up having to do some tuning.

 3. Which NIC/CPU/Memory should I use? Money is not a problem.

Custom order a few NICs, hire a developer to write a driver to offload
TCP/UDP on the NIC, and enable as little kernel interference as
possible.

Money's not a problem, right?



Re: Low latency High Frequency Trading

2012-11-08 Thread Johan Beisser
On Thu, Nov 8, 2012 at 9:58 AM, Ariel Burbaickij
ariel.burbaic...@gmail.com wrote:
 If money is not a problem -- go buy high-trading on the chip solutions and
 have sub-microsecond resolution.

 http://lmgtfy.com/?q=high+frequency+trading+FPGA

I'd love to see PF offloading on to something like that. Not that I
can justify the expense for my work, but it'd be useful.



Re: The little ssh that (sometimes) couldn't

2012-10-28 Thread Johan Beisser
On Oct 28, 2012, at 8:02, pe...@bsdly.net (Peter N. M. Hansteen) wrote:

 I stumbled across this little gem of a blog post, I think this deserves
 a wider audience, via my twitter feed:
 http://mina.naguib.ca/blog/2012/10/22/the-little-ssh-that-sometimes-couldnt.html
 
 To be filed under "tcpdump is your friend", and I must say I admire their
 perseverance in finding the root cause of the problem.

Wow. That's a bit past perseverance and in to being obsessive. Fascinating 
read. Thank you.


 Remember to set the evil bit on all malicious network traffic
 delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

Imagine if this had flipped the evil bit! How would we know if the packet was 
evil or not? Ugly. 



Re: pfsense and or OpenBSD Home router.

2012-09-11 Thread Johan Beisser
On Tue, Sep 11, 2012 at 9:06 PM, Sean Kamath kam...@moltingpenguin.com wrote:

 I ended up buying direct from PC Engines for my alix 2d13's.  Even though I'm
 in the US, it was cheaper than netgate (where I bought a bunch of the exact
 same thing for work).  I ended up getting the red metal cases because they
 were cheaper and in stock. ;-)

 And as far as I'm concerned, these little alix boards rock.

Just to throw fuel on the fire, I've got a 10+ year old Soekris
net4501 that still works as a home router. The onboard battery died,
and the clock loses ticks quickly enough that I'm using rdate in cron
to correct it.

Outside of that, I found that npppd, when running l2tp for the system,
can cause the kernel to hang so thoroughly only a power off can fix
it. I'm still diagnosing it, but I'm assuming it's a problem with the
CPU being overwhelmed with decrypting/encrypting traffic. Eventually,
I'll catch the crash and get a backtrace on console (I've reenabled
snapshot debugging and DDB to get this) for the devs.

But, 10 years old and still running full network loads at home. I
can't complain about the hardware.

OpenBSD 5.2-current (GENERIC) #8: Tue Sep  4 02:16:50 MDT 2012
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD Am486DX4 W/B or Am5x86 W/B 150 (AuthenticAMD 486-class)
cpu0: FPU
real mem  = 66646016 (63MB)
avail mem = 54689792 (52MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 20/50/27, BIOS32 rev. 0 @ 0xf7840
pcibios0 at bios0: rev 2.0 @ 0xf/0x1
[...]
wdc0 at isa0 port 0x1f0/8 irq 14
wd0 at wdc0 channel 0 drive 0: SanDisk SDCFH-004G
wd0: 1-sector PIO, LBA48, 3815MB, 7813120 sectors
wd0(wdc0:0:0): using BIOS timings



Re: vpn access for Macos, windows clients

2012-08-31 Thread Johan Beisser
On Aug 30, 2012, at 22:28, Simon ALFRED simonalf...@mail.com wrote:


 Thank you for this first reply.
 So, the only way is to use OpenBSD-current with npppd, and there's no other
way to do it ?

I can't say there's no other way to do it. PPTP is an option, via PoPToP. I
just found that npppd worked better for me, and that it was much improved by
the snapshot.



Re: vpn access for Macos, windows clients

2012-08-30 Thread Johan Beisser
On Thu, Aug 30, 2012 at 12:05 PM, Simon ALFRED simonalf...@mail.com wrote:
 Hi everyone,

  I have a firewall at work running OpenBSD 5.1-RELEASE
  I need to make a vpn access for outside clients, they use MacOs 10.6 and 
 Windows XP/7.
  I can't add third-party software on these clients. So i need a VPN Server on the 
 OpenBSD Gateway that can work natively with MacOS and Windows clients.

I've had very good success with npppd's L2TP VPN on OpenBSD snapshots.
Due to it not being linked, it's not built by default. With OpenBSD
5.1, I found an odd keepalive failure that prevented my tunnel from
staying active for more than 10 minutes. I do have odd issues with my
old-as-dirt soekris crashing, but I blame memory exhaustion more than
running beta versions of OpenBSD.

A couple other oddities you'll encounter deal with routing (if you
don't want to route *all* traffic to the VPN), and the lack of any
real documentation outside of the code itself, and no alternative ways
to authenticate other than RADIUS and a flat file.

Do a quick search of the archives for NPPPD and check out a brief
article on undeadly giving some overview.

Then read the code:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/npppd/

  I know TheGreenBow works great with isakmpd, but here we can't add software 
 on clients.

  Is it possible to make a pptp server ?

npppd does support PPTP as well. I'd suggest using L2TP instead, though.

  Any idea ?



npppd and iOS 5.1.1 on OpenBSD 5.1

2012-08-15 Thread Johan Beisser
I've hit a bit of a wall digging around getting L2TP working with OpenBSD 5.1.

I've enabled pipex in kernel:
# sysctl -a | grep -E '(pipex|gre)'
net.inet.gre.allow=0
net.inet.gre.wccp=0
net.pipex.enable=1

Before anyone asks, yes, I had GRE enabled as well. But, I'm not
looking to run PPTP via npppd, only L2TP. I've tested with it
activated, and the config with pptpd.enabled: false

I've configured a very basic npppd.conf, per the instructions in
http://www.undeadly.org/cgi?action=article&sid=20120427125048 and
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/npppd/HOWTO_PIPEX_NPPPD.txt?rev=1.8

Everything connects, it appears to authenticate fine, but after that
iOS attempts to negotiate ppp. I'm assuming this is the relevant part
of the npppd debugging output (for my own privacy, I've replaced
non-RFC addresses with A.B.C.D for the client and E.F.G.H for the
server, respectively):

2012-08-15 08:37:03:NOTICE: l2tpd ctrl=2 logtype=Started RecvSCCRQ
from=A.B.C.D:50002/udp tunnel_id=2/21 protocol=1.0 winsize=4
hostname=users-thing vendor=(no vendorname) firm=
2012-08-15 08:37:03:INFO: l2tpd ctrl=2 SendSCCRP
2012-08-15 08:37:03:INFO: l2tpd ctrl=2 RecvSCCN
2012-08-15 08:37:03:INFO: l2tpd ctrl=2 SendZLB
2012-08-15 08:37:03:INFO: l2tpd ctrl=2 call=9490 RecvICRQ session_id=948
2012-08-15 08:37:03:INFO: l2tpd ctrl=2 call=9490 SendICRP session_id=9490
2012-08-15 08:37:03:INFO: l2tpd ctrl=2 call=9490 RecvICCN
session_id=948 calling_number= tx_conn_speed=100 framing=async
2012-08-15 08:37:03:NOTICE: l2tpd ctrl=2 call=9490 logtype=PPPBind ppp=1
2012-08-15 08:37:03:INFO: ppp id=1 layer=base logtype=Started
tunnel=L2TP(A.B.C.D:50002)
2012-08-15 08:37:03:INFO: l2tpd ctrl=2 call=9490 SendZLB
2012-08-15 08:37:22:INFO: ppp id=1 layer=lcp logtype=Opened
mru=1400/1400 auth=MS-CHAP-V2 magic=3adadd39/37d59f4b
2012-08-15 08:37:22:INFO: ppp id=1 layer=chap proto=mschap_v2
logtype=Success username=user realm=local
2012-08-15 08:37:22:WARNING: ppp id=1 layer=base No interface binding.
2012-08-15 08:37:22:INFO: ppp id=1 layer=base unhandled protocol
ip6cp, 32855(8057)
2012-08-15 08:37:22:INFO: l2tpd ctrl=2 call=9490 SendCDN
result=ERROR_CODE/2 error=GENERIC_ERROR/6 messsage=Disconnected by
local PPP
2012-08-15 08:37:22:NOTICE: l2tpd ctrl=2 call=9490 logtype=PPPUnbind
2012-08-15 08:37:22:NOTICE: ppp id=1 layer=base logtype=TUNNELUSAGE
user=user duration=19sec layer2=L2TP layer2from=A.B.C.D:50002
auth=MS-CHAP-V2 data_in=271bytes,12packets data_out=333bytes,15packets
error_in=1 error_out=0 mppe=no iface=(not binding)
2012-08-15 08:37:22:INFO: l2tpd ctrl=2 call=9490 Received CDN in
unexpected state=cleanup-wait
2012-08-15 08:37:22:INFO: l2tpd ctrl=2 RecvStopCCN result=UNKNOWN/256
error=UNKNOWN/28261 tunnel_id=21 message=cted
2012-08-15 08:37:22:DEBUG: l2tpd ctrl=2 SendZLB
2012-08-15 08:37:22:NOTICE: l2tpd ctrl=2 logtype=Finished
2012-08-15 08:37:23:INFO: l2tpd Received from=A.B.C.D:42138: bad
control message: tunnelId=2 is not found.  mestype=CDN


Isakmpd does throw some errors, but they don't seem to be related to
anything except protocol negotiation.

Aug 15 08:37:00 soekris isakmpd[1079]: attribute_unacceptable:
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Aug 15 08:37:02 soekris isakmpd[1079]: isakmpd: phase 1 done (as
responder): initiator id 10.70.108.213, responder id E.F.G.H, src:
A.B.C.D dst: A.B.C.D
Aug 15 08:37:02 soekris isakmpd[1079]: isakmpd: quick mode done (as
responder): src: E.F.G.H dst: A.B.C.D


It acts the same if pf is enabled or disabled. I'm debating if I
should update to a snapshot or not, at this point. Due to the hardware
being weak, and kind of old, I'd rather not have the debugging flags,
etc, running a snapshot would entail.

Any pointers on where to look would be appreciated.

-jb


npppd.conf:

interface_list: tun0
interface.tun0.ip4addr: 172.23.0.1

# IP Address Pool
pool.dyna_pool: 172.23.0.0/25
pool.pool:  172.23.0.128/25

# local file auth
auth.local.realm_list:  local
auth.local.realm.acctlist:  /etc/npppd/npppd-users.csv
real.local.concentrate: tun0

lcp.mru:1400
lcp.timeout:18
auth.method:mschapv2
# auth.method:  mschapv2 chap pap
ipcp.assign_fixed: true
ipcp.assign_userselect:true

pptpd.enabled:  false
pptpd.ip4_allow:0.0.0.0/0
#pptpd.listener_in: PPTP 192.168.0.1

# L2TP daemon
l2tpd.enabled:  true
l2tpd.ip4_allow:0.0.0.0/0
#l2tpd.listener_in: L2TP 192.168.0.1
l2tpd.purge_ipsec_sa:   false
l2tpd.require_ipsec:true
l2tpd.accept_dialin:true

pipex.enabled: true

ipsec.conf:

ike passive esp transport \
proto udp from A.B.C.D to any port 1701 \
main auth hmac-sha1 enc 3des group modp1024 \
quick auth hmac-sha1 enc aes \
psk PASSWORD
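
The npppd.conf above and the one in the earlier "npppd not communicating in 5.2" message differ in one key that matters: real.local.concentrate above is not a key npppd knows, so the local realm never gets bound to tun0 and the session is torn down with "No interface binding", which is exactly what the follow-up reply points at. As an added example, not code from the thread or from npppd, here is a Python lint for npppd.conf that reports unknown keys with a spelling hint, checks that every realm binds to an interface that is in interface_list, and flags the settings a reviewer would question: L2TP without require_ipsec, PPTP enabled, pap/chap allowed, and 0.0.0.0/0 allow lists. The set of known top-level keys is derived from the keys used in the configurations in this archive, not from npppd's full grammar, and the sample is the configuration above, typo included.

```python
import difflib
from typing import Dict, List

# The npppd.conf from the message above, whitespace aside; it still carries
# the 'real.local.concentrate' line.
SAMPLE_NPPPD_CONF = """\
interface_list: tun0
interface.tun0.ip4addr: 172.23.0.1

# IP Address Pool
pool.dyna_pool: 172.23.0.0/25
pool.pool:  172.23.0.128/25

# local file auth
auth.local.realm_list:  local
auth.local.realm.acctlist:  /etc/npppd/npppd-users.csv
real.local.concentrate: tun0

lcp.mru:1400
lcp.timeout:18
auth.method:mschapv2
# auth.method:  mschapv2 chap pap
ipcp.assign_fixed: true
ipcp.assign_userselect:true

pptpd.enabled:  false
pptpd.ip4_allow:0.0.0.0/0
#pptpd.listener_in: PPTP 192.168.0.1

# L2TP daemon
l2tpd.enabled:  true
l2tpd.ip4_allow:0.0.0.0/0
#l2tpd.listener_in: L2TP 192.168.0.1
l2tpd.purge_ipsec_sa:   false
l2tpd.require_ipsec:true
l2tpd.accept_dialin:true

pipex.enabled: true
"""

# Top-level key names seen in the configurations in this thread (assumption:
# not npppd's complete grammar, extend as needed).
KNOWN_TOP = sorted({"interface_list", "interface", "pool", "auth", "realm",
                    "lcp", "ipcp", "pptpd", "l2tpd", "pipex"})


def parse_npppd_conf(text: str) -> Dict[str, str]:
    """'key: value' lines; '#' starts a comment; a repeated key keeps the last value."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def lint_npppd_conf(conf: Dict[str, str]) -> List[str]:
    findings = []

    # 1. unknown top-level keys, with a closest-match hint (catches real. vs realm.)
    for key in conf:
        top, _, rest = key.partition(".")
        if top not in KNOWN_TOP:
            guess = difflib.get_close_matches(top, KNOWN_TOP, n=1)
            hint = f" (did you mean '{guess[0]}.{rest}'?)" if guess and rest else ""
            findings.append(f"unknown key '{key}'{hint}")

    # 2. listed interfaces need an address; every realm must bind to a listed interface
    ifaces = conf.get("interface_list", "").split()
    for iface in ifaces:
        if f"interface.{iface}.ip4addr" not in conf:
            findings.append(f"interface '{iface}' listed but has no ip4addr")
    for key, value in conf.items():
        if key.startswith("auth.") and key.endswith(".realm_list"):
            for realm in value.split():
                bound = conf.get(f"realm.{realm}.concentrate")
                if bound is None:
                    findings.append(f"realm '{realm}' has no realm.{realm}.concentrate: "
                                    f"sessions will fail with 'No interface binding'")
                elif bound not in ifaces:
                    findings.append(f"realm '{realm}' binds to '{bound}', which is not in interface_list")

    # 3. protocol and exposure choices
    if conf.get("l2tpd.enabled") == "true" and conf.get("l2tpd.require_ipsec") != "true":
        findings.append("l2tpd.require_ipsec is not true: L2TP would accept tunnels outside IPsec")
    if conf.get("pptpd.enabled") == "true":
        findings.append("pptpd.enabled: PPTP is broken security-wise; prefer L2TP over IPsec")
    weak = {"pap", "chap"} & set(conf.get("auth.method", "").split())
    if weak:
        findings.append(f"auth.method allows {' '.join(sorted(weak))}: cleartext or MD5 challenge")
    for daemon in ("pptpd", "l2tpd"):
        if conf.get(f"{daemon}.enabled") == "true" and conf.get(f"{daemon}.ip4_allow") == "0.0.0.0/0":
            findings.append(f"{daemon}.ip4_allow is 0.0.0.0/0: restrict here or in pf if only known "
                            f"source ranges should reach the VPN")
    return findings


if __name__ == "__main__":
    for finding in lint_npppd_conf(parse_npppd_conf(SAMPLE_NPPPD_CONF)):
        print("-", finding)
```

Run against the configuration above it reports the unknown key with the realm. hint and the unbound realm; with that one line corrected, only the 0.0.0.0/0 note is left, which is an informational one for a road-warrior VPN.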



Re: npppd and iOS 5.1.1 on OpenBSD 5.1

2012-08-15 Thread Johan Beisser
Thank you for the catch, I was pretty damn tired when I wrote that.

On Aug 15, 2012, at 16:01, YASUOKA Masahiko yasu...@yasuoka.net wrote:

 Hi,

 real.local.concentrate: tun0

 this should be

  realm.local.concentrate: tun0

 I hope this will help you.

 --yasuoka

 On Wed, 15 Aug 2012 09:11:06 -0700
 Johan Beisser j...@caustic.org wrote:
 I've hit a bit of a wall digging around getting L2TP working with OpenBSD
5.1.

 I've enabled pipex in kernel:
 # sysctl -a | grep -E '(pipex|gre)'
 net.inet.gre.allow=0
 net.inet.gre.wccp=0
 net.pipex.enable=1

 Before anyone asks, yes, I had GRE enabled as well. But, I'm not
 looking to run PPTP via npppd, only L2TP. I've tested with it
 activated, and the config with pptpd.enabled: false

 I've configured a very basic npppd.conf, per the instructions in
 http://www.undeadly.org/cgi?action=article&sid=20120427125048 and
 http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/npppd/HOWTO_PIPEX_NPPPD.txt?rev=1.8

 Everything connects, it appears to authenticate fine, but after that
 iOS attempts to negotiate ppp. I'm assuming this is the relevant part
 of the npppd debugging output (for my own privacy, I've replaced
 non-RFC addresses with A.B.C.D for the client and E.F.G.H for the
 server, respectively):

 2012-08-15 08:37:03:NOTICE: l2tpd ctrl=2 logtype=Started RecvSCCRQ
 from=A.B.C.D:50002/udp tunnel_id=2/21 protocol=1.0 winsize=4
 hostname=users-thing vendor=(no vendorname) firm=
 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 SendSCCRP
 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 RecvSCCN
 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 SendZLB
 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 call=9490 RecvICRQ session_id=948
 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 call=9490 SendICRP session_id=9490
 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 call=9490 RecvICCN
 session_id=948 calling_number= tx_conn_speed=100 framing=async
 2012-08-15 08:37:03:NOTICE: l2tpd ctrl=2 call=9490 logtype=PPPBind ppp=1
 2012-08-15 08:37:03:INFO: ppp id=1 layer=base logtype=Started
 tunnel=L2TP(A.B.C.D:50002)
 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 call=9490 SendZLB
 2012-08-15 08:37:22:INFO: ppp id=1 layer=lcp logtype=Opened
 mru=1400/1400 auth=MS-CHAP-V2 magic=3adadd39/37d59f4b
 2012-08-15 08:37:22:INFO: ppp id=1 layer=chap proto=mschap_v2
 logtype=Success username=user realm=local
 2012-08-15 08:37:22:WARNING: ppp id=1 layer=base No interface binding.
 2012-08-15 08:37:22:INFO: ppp id=1 layer=base unhandled protocol
 ip6cp, 32855(8057)
 2012-08-15 08:37:22:INFO: l2tpd ctrl=2 call=9490 SendCDN
 result=ERROR_CODE/2 error=GENERIC_ERROR/6 messsage=Disconnected by
 local PPP
 2012-08-15 08:37:22:NOTICE: l2tpd ctrl=2 call=9490 logtype=PPPUnbind
 2012-08-15 08:37:22:NOTICE: ppp id=1 layer=base logtype=TUNNELUSAGE
 user=user duration=19sec layer2=L2TP layer2from=A.B.C.D:50002
 auth=MS-CHAP-V2 data_in=271bytes,12packets data_out=333bytes,15packets
 error_in=1 error_out=0 mppe=no iface=(not binding)
 2012-08-15 08:37:22:INFO: l2tpd ctrl=2 call=9490 Received CDN in
 unexpected state=cleanup-wait
 2012-08-15 08:37:22:INFO: l2tpd ctrl=2 RecvStopCCN result=UNKNOWN/256
 error=UNKNOWN/28261 tunnel_id=21 message=cted
 2012-08-15 08:37:22:DEBUG: l2tpd ctrl=2 SendZLB
 2012-08-15 08:37:22:NOTICE: l2tpd ctrl=2 logtype=Finished
 2012-08-15 08:37:23:INFO: l2tpd Received from=A.B.C.D:42138: bad
 control message: tunnelId=2 is not found.  mestype=CDN


 Isakmpd does throw some errors, but they don't seem to be related to
 anything except protocol negotiation.

 Aug 15 08:37:00 soekris isakmpd[1079]: attribute_unacceptable:
 ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
 Aug 15 08:37:02 soekris isakmpd[1079]: isakmpd: phase 1 done (as
 responder): initiator id 10.70.108.213, responder id E.F.G.H, src:
 A.B.C.D dst: A.B.C.D
 Aug 15 08:37:02 soekris isakmpd[1079]: isakmpd: quick mode done (as
 responder): src: E.F.G.H dst: A.B.C.D


 It acts the same if pf is enabled or disabled. I'm debating if I
 should update to a snapshot or not, at this point. Due to the hardware
 being weak, and kind of old, I'd rather not have the debugging flags,
 etc, running a snapshot would entail.

 Any pointers on where to look would be appreciated.

 -jb


 npppd.conf:

 interface_list: tun0
 interface.tun0.ip4addr: 172.23.0.1

 # IP Address Pool
 pool.dyna_pool: 172.23.0.0/25
 pool.pool:  172.23.0.128/25

 # local file auth
 auth.local.realm_list:  local
 auth.local.realm.acctlist:  /etc/npppd/npppd-users.csv
 real.local.concentrate: tun0

 lcp.mru:1400
 lcp.timeout:18
 auth.method:mschapv2
 # auth.method:  mschapv2 chap pap
 ipcp.assign_fixed: true
 ipcp.assign_userselect:true

 pptpd.enabled:  false
 pptpd.ip4_allow:0.0.0.0/0
 #pptpd.listener_in: PPTP 192.168.0.1

 # L2TP daemon
 l2tpd.enabled:  true
 l2tpd.ip4_allow:0.0.0.0/0
 #l2tpd.listener_in: L2TP

Re: npppd and iOS 5.1.1 on OpenBSD 5.1

2012-08-15 Thread Johan Beisser
Yep, that was exactly it.

Thank you, again.

On Aug 15, 2012, at 16:01, YASUOKA Masahiko yasu...@yasuoka.net wrote:

 Hi,

 real.local.concentrate: tun0

 this should be

  realm.local.concentrate: tun0

 I hope this will help you.

 --yasuoka

 On Wed, 15 Aug 2012 09:11:06 -0700
 Johan Beisser j...@caustic.org wrote:
 I've hit a bit of a wall digging around getting L2TP working with OpenBSD
5.1.

 I've enabled pipex in kernel:
 # sysctl -a | grep -E '(pipex|gre)'
 net.inet.gre.allow=0
 net.inet.gre.wccp=0
 net.pipex.enable=1

 Before anyone asks, yes, I had GRE enabled as well. But, I'm not
 looking to run PPTP via npppd, only L2TP. I've tested with it
 activated, and the config with pptpd.enabled: false

 I've configured a very basic npppd.conf, per the instructions in
 http://www.undeadly.org/cgi?action=article&sid=20120427125048 and
 http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/npppd/HOWTO_PIPEX_NPPPD.txt?rev=1.8

 Everything connects, it appears to authenticate fine, but after that
 iOS attempts to negotiate ppp. I'm assuming this is the relevant part
 of the npppd debugging output (for my own privacy, I've replaced
 non-RFC addresses with A.B.C.D for the client and E.F.G.H for the
 server, respectively):

 2012-08-15 08:37:03:NOTICE: l2tpd ctrl=2 logtype=Started RecvSCCRQ
 from=A.B.C.D:50002/udp tunnel_id=2/21 protocol=1.0 winsize=4
 hostname=users-thing vendor=(no vendorname) firm=
 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 SendSCCRP
 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 RecvSCCN
 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 SendZLB
 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 call=9490 RecvICRQ session_id=948
 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 call=9490 SendICRP session_id=9490
 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 call=9490 RecvICCN
 session_id=948 calling_number= tx_conn_speed=100 framing=async
 2012-08-15 08:37:03:NOTICE: l2tpd ctrl=2 call=9490 logtype=PPPBind ppp=1
 2012-08-15 08:37:03:INFO: ppp id=1 layer=base logtype=Started
 tunnel=L2TP(A.B.C.D:50002)
 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 call=9490 SendZLB
 2012-08-15 08:37:22:INFO: ppp id=1 layer=lcp logtype=Opened
 mru=1400/1400 auth=MS-CHAP-V2 magic=3adadd39/37d59f4b
 2012-08-15 08:37:22:INFO: ppp id=1 layer=chap proto=mschap_v2
 logtype=Success username=user realm=local
 2012-08-15 08:37:22:WARNING: ppp id=1 layer=base No interface binding.
 2012-08-15 08:37:22:INFO: ppp id=1 layer=base unhandled protocol
 ip6cp, 32855(8057)
 2012-08-15 08:37:22:INFO: l2tpd ctrl=2 call=9490 SendCDN
 result=ERROR_CODE/2 error=GENERIC_ERROR/6 messsage=Disconnected by
 local PPP
 2012-08-15 08:37:22:NOTICE: l2tpd ctrl=2 call=9490 logtype=PPPUnbind
 2012-08-15 08:37:22:NOTICE: ppp id=1 layer=base logtype=TUNNELUSAGE
 user=user duration=19sec layer2=L2TP layer2from=A.B.C.D:50002
 auth=MS-CHAP-V2 data_in=271bytes,12packets data_out=333bytes,15packets
 error_in=1 error_out=0 mppe=no iface=(not binding)
 2012-08-15 08:37:22:INFO: l2tpd ctrl=2 call=9490 Received CDN in
 unexpected state=cleanup-wait
 2012-08-15 08:37:22:INFO: l2tpd ctrl=2 RecvStopCCN result=UNKNOWN/256
 error=UNKNOWN/28261 tunnel_id=21 message=cted
 2012-08-15 08:37:22:DEBUG: l2tpd ctrl=2 SendZLB
 2012-08-15 08:37:22:NOTICE: l2tpd ctrl=2 logtype=Finished
 2012-08-15 08:37:23:INFO: l2tpd Received from=A.B.C.D:42138: bad
 control message: tunnelId=2 is not found.  mestype=CDN


 Isakmpd does throw some errors, but they don't seem to be related to
 anything except protocol negotiation.

 Aug 15 08:37:00 soekris isakmpd[1079]: attribute_unacceptable:
 ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
 Aug 15 08:37:02 soekris isakmpd[1079]: isakmpd: phase 1 done (as
 responder): initiator id 10.70.108.213, responder id E.F.G.H, src:
 A.B.C.D dst: A.B.C.D
 Aug 15 08:37:02 soekris isakmpd[1079]: isakmpd: quick mode done (as
 responder): src: E.F.G.H dst: A.B.C.D


 It acts the same if pf is enabled or disabled. I'm debating if I
 should update to a snapshot or not, at this point. Due to the hardware
 being weak, and kind of old, I'd rather not have the debugging flags,
 etc, running a snapshot would entail.

 Any pointers on where to look would be appreciated.

 -jb


 npppd.conf:

 interface_list: tun0
 interface.tun0.ip4addr: 172.23.0.1

 # IP Address Pool
 pool.dyna_pool: 172.23.0.0/25
 pool.pool:  172.23.0.128/25

 # local file auth
 auth.local.realm_list:  local
 auth.local.realm.acctlist:  /etc/npppd/npppd-users.csv
 real.local.concentrate: tun0

 lcp.mru:1400
 lcp.timeout:18
 auth.method:mschapv2
 # auth.method:  mschapv2 chap pap
 ipcp.assign_fixed: true
 ipcp.assign_userselect:true

 pptpd.enabled:  false
 pptpd.ip4_allow:0.0.0.0/0
 #pptpd.listener_in: PPTP 192.168.0.1

 # L2TP daemon
 l2tpd.enabled:  true
 l2tpd.ip4_allow:0.0.0.0/0
 #l2tpd.listener_in: L2TP 192.168.0.1
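The fix above was a one-letter typo in a configuration key (`real.` for `realm.`) that npppd accepted silently and that only surfaced as "No interface binding" in the debug log. The following linter is an added example, not code from the thread or from npppd: it parses the `key: value` layout of npppd.conf and flags any key whose leading dotted component is not in a list of known prefixes, suggesting the closest known one. The `KNOWN_PREFIXES` list is an assumption assembled from the keys in the posted file plus `realm` from the reply; a real run should take it from npppd.conf(5). The sample file is the one posted in the thread, typo included.

```python
"""Flag configuration keys whose leading component is not a known one.

Added example (not from the thread or from npppd): a linter for the
"key: value" layout npppd.conf uses. KNOWN_PREFIXES is an assumption built
from the keys in the posted file plus "realm" from the reply that spotted
the typo; take the real list from npppd.conf(5).
"""
import difflib

KNOWN_PREFIXES = (
    "interface_list", "interface", "pool", "auth", "realm",
    "lcp", "ipcp", "pptpd", "l2tpd",
)

# Constructed sample: the npppd.conf posted in the thread, typo included.
SAMPLE_CONF = """\
interface_list: tun0
interface.tun0.ip4addr: 172.23.0.1

# IP Address Pool
pool.dyna_pool: 172.23.0.0/25
pool.pool:  172.23.0.128/25

# local file auth
auth.local.realm_list:  local
auth.local.realm.acctlist:  /etc/npppd/npppd-users.csv
real.local.concentrate: tun0

lcp.mru:1400
lcp.timeout:18
auth.method:mschapv2
ipcp.assign_fixed: true
ipcp.assign_userselect:true

pptpd.enabled:  false
pptpd.ip4_allow:0.0.0.0/0

# L2TP daemon
l2tpd.enabled:  true
l2tpd.ip4_allow:0.0.0.0/0
"""


def parse_conf(text):
    """Yield (line_no, key, value) for each 'key: value' line, skipping blank
    lines and '#' comments. Whitespace around key and value is dropped,
    matching the loose spacing in the posted file."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep or not key.strip():
            continue
        yield line_no, key.strip(), value.strip()


def lint_keys(text, known=KNOWN_PREFIXES, cutoff=0.8):
    """Return [(line_no, key, suggestion)] for keys whose first dotted
    component is unknown. suggestion is the key with the closest known
    prefix substituted, or None when nothing is similar enough."""
    findings = []
    for line_no, key, _value in parse_conf(text):
        prefix, dot, rest = key.partition(".")
        if prefix in known:
            continue
        close = difflib.get_close_matches(prefix, known, n=1, cutoff=cutoff)
        suggestion = close[0] + dot + rest if close else None
        findings.append((line_no, key, suggestion))
    return findings


if __name__ == "__main__":
    for line_no, key, suggestion in lint_keys(SAMPLE_CONF):
        hint = f"did you mean {suggestion}?" if suggestion else "unknown key"
        print(f"line {line_no}: {key}: {hint}")
```

Run against the posted file it reports only line 11, `real.local.concentrate`, with `realm.local.concentrate` as the suggestion; the `cutoff` is the difflib similarity ratio below which no suggestion is offered, so unknown keys that resemble nothing are still reported, just without a hint.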

Re: is it legal?

2012-07-23 Thread Johan Beisser
On Mon, Jul 23, 2012 at 9:01 AM, Wojciech Puchar
woj...@wojtek.tensor.gdynia.pl wrote:
 http://www.gwebtools.com/ns-spy/put your primary or secondary server here

 Anyone know from what data does it get such an info? By scanning every
 possible registered domain ?

Legal? I don't know. Ask a lawyer who specializes in these things.
They exist. My assumption is yes.

 I do not want other to get list of what domains my DNS server serve.

You're making the data available to be queried. If you don't want it
served, set up split views NS and ACLs. Or, keep the DNS unpublished
and internal.

 And this works - never gives complete list but always a good part.



Re: ssh tunneling with -D option

2012-07-18 Thread Johan Beisser
You're confusing a SOCKS proxy with a HTTP proxy. They are not the same thing.

Sent form my iFoe.

On Jul 18, 2012, at 16:07, Paolo Aglialoro paol...@gmail.com wrote:

 @Abel

 I've had a look at dsocks page, the instructions are kinda cryptic but
 just did something this way:

 # ssh -D 1080 user@sshdhost
 # dsocks.sh lynx google.com

 it looks like working (yeaah!!! great piece of advice, mate!!!) but
 also produces lotsa garbage on the screen bottom like:

 lynx: (dsocks4) error reading reply: Connection refused
 (even if, eventually, I get connection and the desired page)

 Issuing the following:
 # dsocks.sh lynx google.com 2>&1 >/dev/null

 does not get rid of those messages. Maybe something wrong with v4/v5???


 @Alex

 So it looks I've been misled by the many people on internet who claim they
 can use firefox establishing a ssh -D connection before. Actually I tried
 to configure both firefox and netsurf but just had no results.

 So, can I use ssh to proxy my http without dsocks or not?




 On Thu, Jul 19, 2012 at 12:47 AM, m...@extensibl.com wrote:

 Hi Paolo,

 http_proxy=http://127.0.0.1:12345/; lynx google.com
 AFAIK, you should test SOCKS proxy, not HTTP.

 Regards,
 Alex



Re: OpenBSD forked

2012-06-22 Thread Johan Beisser
On Fri, Jun 22, 2012 at 5:57 AM, Eric Furman ericfur...@fastmail.net wrote:

 So what is wrong with perl??
 It is nearly a standard in the UNIX Admin world.

It's a terrible language, and you should feel terrible for using it.



Re: VPN on OpenBSD: OpenSSH or OpenVPN?

2012-04-24 Thread Johan Beisser
On Tue, Apr 24, 2012 at 6:07 AM, Otto Bretz otto.br...@gmail.com wrote:
 On Tue, Apr 17, 2012 at 21:20, mxb m...@alumni.chalmers.se wrote:
 I rolled out L2TP/IPSec (npppd) on OpenBSD-current with RADIUS-auth.
 Used mostly by OSX and Win7. Stable and works without any additional
 third-party software.

 If you could write an article for undeadly (or only some short notes)
 on how you did this, it would be much appreciated. I'm sure there are
 lots of people besides me that are interested in this topic.

Count me in for those notes. I haven't had time to properly set up a
VPN service for myself, and want something compatible with everything
I deploy and use.



Re: DynDNS client

2012-04-16 Thread Johan Beisser
On Mon, Apr 16, 2012 at 9:00 AM, Laurence Rochfort
laurence.rochf...@gmail.com wrote:
 Hello,

 Is there a DynDNS client for OpenBSD?

Rolled my own in Python a while back. There are a few that're utter
overkill for a simple updater.

You could do it in shell with tools in base with a little bit of
scripting effort.

http://dyn.com/support/developers/api/



Re: DynDNS client

2012-04-16 Thread Johan Beisser
On Mon, Apr 16, 2012 at 9:43 AM, Ingo Schwarze schwa...@usta.de wrote:
 Hi,

 Johan Beisser wrote on Mon, Apr 16, 2012 at 09:18:22AM -0700:
 On Mon, Apr 16, 2012 at 9:00 AM, Laurence Rochfort
 laurence.rochf...@gmail.com wrote:

 Is there a DynDNS client for OpenBSD?

 Rolled my own in Python a while back. There are a few that're utter
 overkill for a simple updater.

 If IP changes are rare for you and just want to update your IP manually
 now and then, using the web interface most providers offer is probably
 sufficient, and you don't even need your own script.

Mine are rare, but referencing the developer site (
http://dyn.com/support/developers/api/ ) does give you enough
information to avoid having your client blocked, and how to make it
comply with their TOS.

 If you want to run the client as a daemon, i'd advise against
 rolling your own.  Most providers block accounts that update too
 frequently, and getting the logic right to prevent excessive
 updates is tricky.

Not really. It's dead simple: check against a state file that has the
last known IP, compare to the interface or a web site that returns the
external IP address, and update if that changes. If there's a change,
update dyn.com, update your state file, and exit. I run mine every 5
minutes or so from cron.

If nothing else, it's a good scripting exercise and a very basic one
as well. Dyn.com offers up testing DNS entries for developers to test
their code against.


 My experience is mostly with ddclient; i have contributed a few
 patches that were accepted upstream.  The maintainer is a nice
 guy, not very actively supporting ddclient, but not letting it
 rot completely either.  For home use, it is clearly good enough.
 For enterprise use, it is usable (if you are willing to help
 and fix the occasional bug), but certainly not great.

 However, the code quality is positively revolting.  I have rarely
 seen Perl code looking that ugly.  Still, as it is a small code base,
 you can find your way around it.  But hacking into it is not fun,
 and if you value reliability a lot, you should probably look into
 other options, too, and compare.

All the more reason to write your own updater. You get to know what
features you really need, vs the ugly crap that people include in
their scripts.
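The updater logic described in this thread (state file with the last known address, compare against the current external address, push to the provider only on a change, then rewrite the state file) as an added example; this is not the poster's script. `UPDATE_URL` and `STATE_PATH` are placeholders, the one-word replies (`good`, `nochg`, `badauth`) follow the DynDNS2-style update protocol that most providers document, and the `MIN_INTERVAL` back-off for a flapping address is an addition beyond what the post states. The network calls are injected as functions so the decision logic can be exercised offline.

```python
"""Dynamic-DNS updater using the state-file approach described in the thread.

Added example, not the poster's own script. Meant to run once per cron pass:
compare the current public address with the last one pushed and talk to the
provider only when they differ. UPDATE_URL and STATE_PATH are hypothetical
placeholders; the reply words ("good", "nochg", ...) follow the DynDNS2-style
protocol most providers document.
"""
import base64
import ipaddress
import json
import os
import time
import urllib.request

UPDATE_URL = "https://dyndns.example.invalid/nic/update"  # placeholder endpoint
STATE_PATH = "/var/db/dyndns-state.json"                   # placeholder path
MIN_INTERVAL = 300  # seconds between two pushes, even if the address flaps


def read_state(path):
    """Last pushed address and timestamp; empty dict on first run or bad file."""
    try:
        with open(path) as fh:
            return json.load(fh)
    except (OSError, ValueError):
        return {}


def write_state(path, state):
    """Write atomically so a crash never leaves a half-written state file."""
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        json.dump(state, fh)
    os.replace(tmp, path)


def reset_state(path):
    """Forget the last pushed address (forces a push on the next run)."""
    try:
        os.remove(path)
    except FileNotFoundError:
        pass


def decide(current_ip, state, now, min_interval=MIN_INTERVAL):
    """Return 'unchanged', 'deferred' or 'update'. Raises ValueError when the
    address source handed back something that is not an IP address."""
    ipaddress.ip_address(current_ip)
    if state.get("ip") == current_ip:
        return "unchanged"                 # nothing to do: never touch the provider
    if now - state.get("updated_at", 0) < min_interval:
        return "deferred"                  # changed again too soon: next cron run
    return "update"


def lookup_external_ip(url, timeout=10):
    """Ask a 'what is my IP' style service; the body must be a bare address."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("ascii", "replace").strip()


def dyndns2_update(hostname, ip, user, password, url=UPDATE_URL, timeout=10):
    """Send one DynDNS2-style update with HTTP basic auth and return the
    provider's one-line reply (e.g. 'good 203.0.113.10' or 'badauth')."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{url}?hostname={hostname}&myip={ip}",
        headers={"Authorization": "Basic " + token,
                 "User-Agent": "example-updater/1.0"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("ascii", "replace").strip()


def run_once(hostname, get_ip, send_update, state_path=STATE_PATH, now=None):
    """One cron pass. get_ip() returns the current address; send_update(host, ip)
    returns the provider's reply. The state file is rewritten only after the
    provider accepted the address, so a failed push is retried on the next run."""
    now = time.time() if now is None else now
    state = read_state(state_path)
    ip = get_ip()
    verdict = decide(ip, state, now)
    if verdict != "update":
        return verdict
    reply = send_update(hostname, ip)
    if not reply.startswith(("good", "nochg")):
        return "error:" + reply
    write_state(state_path, {"ip": ip, "updated_at": now})
    return reply


if __name__ == "__main__":
    # Offline demo with constructed stand-ins for the two network calls.
    print(run_once("host.example.org", lambda: "203.0.113.10",
                   lambda host, ip: f"good {ip}", state_path="dyndns-demo.json"))
```

In production `get_ip` would be `lambda: lookup_external_ip("<provider's checkip URL>")` or a small wrapper around `ifconfig`, and `send_update` a `functools.partial` of `dyndns2_update` with the account credentials. Not rewriting the state file on a failed push is what keeps a transient error from being silently forgotten, while the unchanged-address check is what keeps the script from hammering the provider every five minutes.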



Re: Mosh? seems dangerous!

2012-04-11 Thread Johan Beisser
On Wed, Apr 11, 2012 at 11:02 AM, Christian Weisgerber
na...@mips.inka.de wrote:
 Gilles Chehade gil...@poolp.org wrote:

 This must be satire.  Right?
 I mean, local-echo mode?  What is this?  1975?

In lossy or high latency environments I find a local echo to be really
useful. To the point I occasionally dump stdout through my ssh tunnel
locally instead of trying to run an interactive shell.



Re: Recent DELL hardware support

2012-04-04 Thread Johan Beisser
Dell has an ugly habit of changing components even within the same
model year of hardware. You can't predict how well supported something
is based on PowerEdge R410 until you have your specific one in front
of you.

On Wed, Apr 4, 2012 at 1:14 PM, Kostas Zorbadelos kzo...@otenet.gr wrote:
 Hello all,

 we are about to engage a procurement procedure of servers. There is a
 high probability to purchase DELL hardware. I want OpenBSD to be
 supported on the hardware. I have 2 broad options

 - Go with PowerEdge R410
 - Go with PowerEdge R620 (latest generation of servers)

 The first option has only a single PCIe slot so I cannot have hot
 swappable disks AND Intel Ethernet interfaces (preferred from Broadcom
 but unfortunately Broadcom is on-board and I cannot get rid of them).

 The second option has the disadvantages of recent hardware (= can be
 unsupported). My main concerns are the PERC controller, where I saw that
 PERC 310 is supported in mfi(4) and the Intel NICs (these servers come
 with Intel Ethernet I350, still unsupported from what I saw, they are on
 the hardware wanted list).

 The machines will be bought and put to use in at least 6 months from
 now, one or two OpenBSD releases will have been made. What do you think?
 Will the hardware be supported by then?

 As you can tell I do not control the procurement procedure, but I can
 ask for specific DELL hardware.

 Regards,

 Kostas

 --
 Kostas Zorbadelos
 twitter:@kzorbadelos  http://gr.linkedin.com/in/kzorba


 ()  www.asciiribbon.org - against HTML e-mail  proprietary attachments
 /\



Re: My OpenBSD 5.0 installation experience (long rant)

2012-03-10 Thread Johan Beisser
On Sat, Mar 10, 2012 at 9:15 AM, Nico Kadel-Garcia nka...@gmail.com wrote:

 With multiple drives, especially for bulky softraid setups, it might get
 overwhelming pretty fast.

 The idea is interesting, and especially helpful if the machine was
 previously built and the drives ordered differently in a different OS or
 BIOS configuration, changes in hardware RAID or drive controller
 manipulation in the BIOS, or the drives were installed in a different
 machine.

I don't see why it's hard to shell out.

!
# dmesg | grep [hs]d[0-9]
# exit



Re: Snappy Answers to Stupid Questions - WTF?

2012-03-09 Thread Johan Beisser
Sent form my iFoe.

On Mar 9, 2012, at 10:19, Nick Holland n...@holland-consulting.net wrote:

 <pitch mode="money" benefactor="OpenBSD">
 Hey, if having an OS which takes the quality of its product -- and not much
else! -- seriously is important to you, this would be a good time to make a
donation to the project.  Make Theo smile!
 </pitch>

Theo never smiles. Not once.



Re: smartphones and managing openbsd servers

2012-02-20 Thread Johan Beisser
On Feb 20, 2012, at 8:49, Jan Stary h...@stare.cz wrote:

 On Feb 20 10:19:48, Daniel mora wrote:
 I've worked with several different OS and phone brands (Nokia/Symbian,
 iPhone, HTC/Android).
 The one I feel more comfortable is the Nokia N900 it runs Maemo 5, is
 a Debian like Linux, you can use it as a normal Linux machine. Maybe
 another phones running Maemo could bring a similar experience.
 
 The cons...
 I Really don't know if Nokia is going to continue supporting Maemo.
 
 Correction:
 
I Really don't know if Nokia is going to continue

Nokia already said they'd kill Maemo and Symbian. 

I've heard the n900 has some stability issues. Any truth to this?



Re: smartphones and managing openbsd servers

2012-02-19 Thread Johan Beisser
On Sun, Feb 19, 2012 at 7:14 AM, Luke Tymowski l...@veldt.ca wrote:

 I use iSSH on an iPhone. But only in an emergency when I don't have
 anything else. I wouldn't make regular use of it. (ie, twice in the
 last year)

I've grown to like Panic's Prompt, and found it does really well with
tmux, etc as well. On the iPad, it's almost a pleasure to use. It
works really well off of the iPhone as well.

http://itunes.apple.com/us/app/prompt/id421507115?mt=8



Re: smartphones and managing openbsd servers

2012-02-19 Thread Johan Beisser
On Sun, Feb 19, 2012 at 9:14 AM, Anonymous cri...@ecn.org wrote:

 BlackBerry has built in VPN and you can also buy a few different SSH and
 SFTP apps.

If you're cheap, there's also BBSSH. While it's not perfect, it is
under active -if slow- development. As of November 2011, the developer
claims there's an scp client coming as well. When I still had a
Blackberry, I pretty actively used the app for emergency work. My only
real complaint was the small type.

http://bbssh.org/



Re: smartphones and managing openbsd servers

2012-02-19 Thread Johan Beisser
On Sat, Feb 18, 2012 at 3:06 PM, Marcos Ariel Laufer
mar...@ipversion4.com wrote:

 What newer smartphones do you recommend for using also as a tool for
 managing OpenBSD servers (maybe windogs too) ? What experiences had you had
 with smartphones and OpenBSD managing?

Your experience really depends on a few things: the phone network's
bandwidth, CPU speed, and the ability to read the returned output
without strain. Everything else is just extras and features.

Bandwidth and lag can make your session unusable. Almost all modern
smartphones have WiFi capability built in, which helps reduce your
data rate during the SSH session, and decreases lag. That throughput
will also make a big difference in receiving data from the server. In
my experience if there's any amount of retransmission happening due to
packet loss, the clients hang up abruptly. So, ideally, the client
will emulate a modern terminal well enough to use tmux or screen
really well.

Most modern phones have more than enough CPU power to handle SSH. The
problem is that few have the ability to offload the crypto from the
CPU, and so SSH chews up already precious battery time.

To help offset typing lag some clients permit you to queue a longer
string to send to the session. The advantage of this is that fewer
packets are sent, and the block of data can be sent out as (hopefully)
a single chunk. I believe some Android Market clients support this
feature, and I know at least one SSH client on blackberry has it, and
at least two of the clients on iOS (iPhone/iPad) have the ability to
assign shortcuts.

Phone form-factor is a major issue you should consider. I know a few
people who regularly use their phones for SSH, and are unwilling to give
up a physical keyboard. Slider and flip configurations permit you to use
most of the screen real estate for your session, but the overall
market is moving toward the touchscreen candybar configuration.
Because of this, the SSH client has to be able to either 'shadow' the
keyboard, allowing you to look through it, or permit you to hide the
keyboard and read scrollback easily.

As far as what's superior? None of them are really any better than the
others. What works for you will matter more. Most modern smartphones
are roughly the same, just with a different level of hype or features
people want.*

- jb

* although, I'll be damned if I could find a GSM/LTE, CDMA and wifi
capable Android phone with a physical keyboard that didn't utterly
suck. I settled on an iPhone 4s, with a decent SSH client.



Re: Longsoon/Godson MIPS boxes, where to buy?

2012-01-02 Thread Johan Beisser
On Mon, Jan 2, 2012 at 10:59 AM, ropers rop...@gmail.com wrote:
 On 2 January 2012 18:10, Nomen Nescio nob...@dizum.com wrote:
 I don't rely on anyone's work.

 Ladies and gentlemen: The great American delusion.

Randian delusion. It's not purely American, and never has been.



Where do I buy Lemote Loongson/Godson MIPS hardware? (was Re: Longsoon/Godson MIPS boxes, where to buy?)

2011-12-27 Thread Johan Beisser
On Tue, Dec 27, 2011 at 10:09 AM, Dave U. Random
anonym...@anonymitaet-im-inter.net wrote:
 Are the Longson/Godson MIPS boxes available over the counter yet? If so
 where is the best place to order one? Thanks.

A brief search of the archives gives a few resources. Spelling the
architecture right helps, but searching for lemote does wonders.

Start reading here:
http://openbsd.org/loongson.html

Relevant threads on misc@:
http://marc.info/?l=openbsd-misc&w=2&r=1&s=lemote&q=b
http://marc.info/?l=openbsd-misc&w=2&r=1&s=loongson&q=b

Acquiring hardware:

International:
http://www.aliexpress.com/wholesale?SearchText=loongson&catId=0
http://www.aliexpress.com/wholesale?SearchText=lemote&catId=0

In China (drop shipment to a forwarder may be necessary):
http://loogson.taobao.com/

In Europe:
http://www.tekmote.nl

In the US, Amazon has a direct sales from Freedom Included. Prime eligible.
http://www.amazon.com/s?ie=UTF8&search-alias=computers&field-manufacturer=Lemote
http://freedomincluded.com/


Compiled for the archives, YMMV..

Special thanks to Miod, Diana and others for their postings.



Re: CF Card setup

2011-12-20 Thread Johan Beisser
On Tue, Dec 20, 2011 at 2:41 PM, Jannik Pruitt
pruttel...@googlemail.com wrote:
 Hi everyone.
 i am brand new purchased my open bsd 5.0 on 11 Nov 2011.

 I booted the CD on another computer installed every thing on a 32GB CF card.
 Placed in my old thin client and it booted.

 But the network card does not work.
 It did work on the other computer after the install.

 Is there a way to make the setup come up again?

You really didn't provide enough information for anyone to help you.

Let's start with what's missing.

- dmesg
- what hardware you're running
- did you check your hostname.if in /etc matches the interface?
- have you read the FAQ? (http://www.openbsd.org/faq)
- did you check man pages?



Re: OpenVPN issues on 5.0

2011-12-14 Thread Johan Beisser
On Wed, Dec 14, 2011 at 5:54 PM, Erling Westenvik
erling.westen...@gmail.com wrote:
 After upgrading (re-installing from scratch) my firewall from 4.6 (or
 4.7) to 5.0, I have not been able to get OpenVPN back working. Please
 forgive me for asking here at misc but I have spent two days Googling,
 reading tons of HOWTO's and trying out different solutions, but without
 being able to solve the issue.

What are your current pf.conf rules? Did you check that the syntax is
right? Have you checked it for errors? Have you looked at the output
for pflog?

What's your current routing table? Does that look correct?



Re: Narcicism?

2011-12-01 Thread Johan Beisser
On Thu, Dec 1, 2011 at 8:02 AM, Rares Aioanei bsdlis...@gmail.com wrote:

 As a citizen of an English-speaking country AND a guru, John, you should
 at least know how to spell. David's right, you know.

You don't need to know how to spell. People have spell checkers these days.



Re: dhclient, resolv.conf

2011-10-20 Thread Johan Beisser
Check dhclient.conf(5) and read about the supersede statement. 

jb

Semt frim my ipHnoe. 

On Oct 20, 2011, at 8:35, sophia.ort...@googlemail.com wrote:

 Dear Sirs!
 
 I really do not want that dhclient touch resolv.conf. 
 
 The recommendation in 
 
 http://www.openbsd.org/faq/faq6.html#DHCPclient
 
 namely, uncommenting request, erasing domain-name and  
 domain-name-servers, does not work. The only idea I have is
 to change /sbin/dhclient-script, but I think that is a delicate
 thing. Do someone know a better solution?
 
 I am sure I am not the only one with this problem, but I did not
 find a solution with google. 
 
 Best regards,
 SO.



Re: dhclient, resolv.conf

2011-10-20 Thread Johan Beisser
On Thu, Oct 20, 2011 at 11:11 AM,  sophia.ort...@googlemail.com wrote:
 Johan Beisser j...@caustic.org wrote:

 Check dhclient.conf(5) and read about the supersede statement.

 Thank you very much for your kind answer. Of course I read not
 only dhclient.conf (5), but also a lot of man pages, a lot of
 postings in the internet. I think, you misunderstood my question.

No, I really didn't. You don't want dhclient(8) to touch resolve.conf.
I'm simply suggesting you set up dhclient.conf(5) to use supersede to
set some things statically.

Specifically set domain-name-servers and domain-name there, and when
dhclient(8) fires off, it'll use your settings in resolv.conf.

 Again: I dont want that dhclient touch my resolv.conf.

 This means that I am also unhappy even if dhclient creates a
 resolv.conf containing exactly what I wanted that it contains,
 I am also unhappy if dhclient fakes the file metadata, the dates,
 in order that it appears as the file were untouched.

You're screwed. You may want to check chmod(1) instead. Set
resolv.conf(5) to be read only. I don't know if that'll prevent
dhclient(8) from overwriting the file. I doubt it.

 If that were the goal, I have another question: I want no
 search statement in resolv.conf, the most near to that I get
 is a line containing search . in resolv.conf with a line
 containing

   supersede domain-name .;

 in dhclient.conf. Do you how to get dhclient without it?

I'm not sure what you mean. What may get you what you want (search
domains) is in resolve.conf(5):

 On a machine whose network connection does not change frequently (such as
 a desktop machine on a local-area network), the resolv.conf.tail file
 should not be necessary.  However the resolv.conf.tail file may be useful
 on notebooks, to search multiple domains, to refer to hard-coded
 information in local files, or otherwise override the defaults.

 But again, I insist in my first question: how I get that
 dhclient respect my resolv.conf and do not touch it?

You read man pages.



Re: Dennis Ritchie

2011-10-13 Thread Johan Beisser
I pointed out that Dennis Ritchie did something we all should admire:

Got to watch what he created blossom, and change the world.
Remarkably, for the better.

We should all be so lucky.


On Thu, Oct 13, 2011 at 10:38 AM, Stefan Midjich sweh...@gmail.com wrote:
 So many lives touched, so many that don't even know about it. That
 saddens me the most, that so many are using products of his
 achievements daily to make their lives comfortable and only a small
 minority know what it took to get here.

 2011/10/13 Marc Smith marc_sm...@gmx.com:
 #include <stdio.h>

 int main()
 {
     printf("goodbye, dad\n");
     return 0;
 }

 That was really touching.

 Rest in peace, Dennis Ritchie.





 --


 Med vänliga hälsningar / With kind regards

 Stefan Midjich



Re: Blocking Trojans with PF

2011-09-26 Thread Johan Beisser
block all

Permit inbound port 80, but do not permit new outbound connections.
Consider each interface a separate firewall, with separate flows
entirely, then use policy enforcement (see tagging:
http://cvs.openbsd.org/faq/pf/tagging.html) to ensure only properly
tagged packets are passed out from the firewall.

Nice thing about pf: stateful tracking of connections. It makes
tracking sessions, blocking unwanted traffic, and tagging systems much
easier.

http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

On Sun, Sep 25, 2011 at 11:18 PM, Hassan Monfared hmonfa...@gmail.com wrote:
 Hi,
 Any idea for denying connection initiation to outside from any web server
 protected by PF? ( wanna block Trojans and reverse connections while
 incomming http traffic is allowed) .

 Regards,
 Hassan H. Monfared
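A ruleset that implements the advice above (default deny, inbound HTTP to the web server only, no new outbound connections from it, and tagging so that only packets accepted on the outside may leave towards the server), as an added example rather than anything posted in the thread. Interface names, addresses and the `pflog1` logging interface are assumptions; the address space is constructed.

```pf
# Added example, not from the thread. Egress control for a web server behind
# an OpenBSD pf firewall. Interface names and addresses are assumptions.
ext_if  = "em0"          # Internet-facing
int_if  = "em1"          # DMZ holding the web server
web_srv = "192.0.2.80"   # constructed address
dns_srv = "192.0.2.53"   # constructed address; the one host the server may ask

set skip on lo
set block-policy drop

# Default deny on every interface, in both directions, and log what is dropped.
block log all

# Inbound HTTP: accepted on the outside, tagged, and only tagged packets may
# leave towards the DMZ. The state created here carries the replies back out
# without any further rule.
pass in on $ext_if inet proto tcp from any to $web_srv port 80 \
    flags S/SA keep state tag WEB_IN
pass out on $int_if tagged WEB_IN

# The web server gets no general "pass in on $int_if" rule, so it cannot
# open connections of its own. Log those attempts to a separate pflog
# interface: a hit here is exactly the reverse connection the question asks
# about, and it is easy to watch with tcpdump on pflog1.
block in log (to pflog1) on $int_if from $web_srv to any

# Outbound traffic the server legitimately needs is listed narrowly, per
# destination and port, and tagged the same way.
pass in on $int_if proto { tcp udp } from $web_srv to $dns_srv port 53 \
    tag WEB_OUT
pass out on $ext_if tagged WEB_OUT
```

`pflog1` has to exist before the ruleset loads (`ifconfig pflog1 create`); reading it with `tcpdump -n -e -ttt -i pflog1` then gives a feed that contains nothing but the server's attempts to initiate connections, which is far easier to alert on than the general pflog0 stream. Check the file with `pfctl -nf /etc/pf.conf` before loading it.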



Re: Why aren't you running -current?

2011-09-07 Thread Johan Beisser
On Wed, Sep 7, 2011 at 5:24 PM, roberth rob...@openbsd.pap.st wrote:

 don't be sorry, just tell me why, i am just curious.

- Following -stable with security patches matches my existing in house
corporate policy for Linux.
- It reduces variations between configurations of a given machine
function (simple transfer of /etc to the new install, and go)
- I know what I'm getting with each install, even if I don't get the
latest PF feature.
- I get 1 year of support from the community, before I have to migrate
to a new -stable.
- the systems are stable, known good, and work very very well.
- The drivers are debugged, the man pages complete.

I could go on. But, why?



Re: all libc of my openbsd/i386

2011-07-29 Thread Johan Beisser
find / -type f -perm -0111 -exec ldd {} 2>/dev/null \; -print | awk
'/libc.so/ {print $7}' | sort | uniq

On Fri, Jul 29, 2011 at 8:50 AM, johnw johnw.m...@gmail.com wrote:
 (23:24:04) john@pdc:[~]$ du -sh /usr/lib/libc.so.*
 704K /usr/lib/libc.so.34.2
 704K /usr/lib/libc.so.35.0
[snip]
 2.4M /usr/lib/libc.so.57.0
 2.4M /usr/lib/libc.so.58.0
 2.4M /usr/lib/libc.so.58.1
 2.5M /usr/lib/libc.so.58.2
 2.5M /usr/lib/libc.so.58.3
 2.5M /usr/lib/libc.so.60.0



Re: Transparent smtp/pop3 proxy

2011-07-28 Thread Johan Beisser
On Thu, Jul 28, 2011 at 2:00 PM, R0me0 *** knight@gmail.com wrote:
 Hello misc.

 I would like to know if is possible do the following:

 clients--OpenBSD_FWExternal_mail_server

 when clients send or receive an email, OpenBSD catch this mail and send a
 copy of this to another email account, it must be transparently to user.

Yes it's possible. And trivial.

 Please, anybody, can indicate the correctly way to do this?

No.



Re: Bug Tracking system does not work

2011-07-19 Thread Johan Beisser
On Tue, Jul 19, 2011 at 9:57 AM, Amit Kulkarni amitk...@gmail.com wrote:


 http://openports.se/www/rt
 ?
 written in perl.

As someone who uses this for ticket tracking, let me be the first to
say it's terrible.



Re: Bug Tracking system does not work

2011-07-19 Thread Johan Beisser
2011/7/19 Mikael Österdahl m.osterd...@gmail.com:
 Terrible? In what way? I use it in my work and I think it works great.

 What ticket software do you think is better?

I don't have one. I think they all suck equally.



Re: Bug Tracking system does not work

2011-07-19 Thread Johan Beisser
On Tue, Jul 19, 2011 at 11:38 AM, Amit Kulkarni amitk...@gmail.com wrote:

 Can you elaborate? Where they suck?

RT: written in perl, painful to upgrade (painful enough, that we've
not touched ours in over a year). Ugly interface, but that's the least
of its problems. Without a good way to manage users, access, or set up
quickly through the UI, it's easier to try to manipulate the DB
tables. Perhaps I'm just doing it wrong(tm). So far I've not had
enough time to really track upgrades easily or quickly, and haven't
had time to fix all the infrastructure that it sits on (MySQL, perl
versions, libs, etc) to ensure an upgrade goes cleanly. The biggest
advantage RT provides is easy creation of new tickets through email,
but it still takes a human on the other end to actually classify what
that ticket is. It's bad enough that at my work, we have a general
Operations email, that we then handle tickets in the ops group. It
wastes time, but it's easier than dealing with engineering misfiring a
ticket. Then there's creating sub-users of a larger account...

TRAC: nice integration with SVN, but still limited by a complex ACL
system and the fact SVN doesn't provide a good user management system
in itself, preferring system users (or PAM auth, LDAP, etc). Trouble
is that it's not a good general ticket tracking system, and breaks
just often enough to be annoying to admin. Given that I have to deal
with at work, I don't have time to babysit TRAC's stupid more often
than I care for. TRAC also suffers from trying to please a bunch of
different people with different needs at once. Is it floorwax or a
dessert topping? Wait, no, it's BOTH!

Bugzilla: Perl. OpenSource UI, backend of pain (MySQL, PostgreSQL, or
SQLite3!). I've not used it (administered) in a few years, but my
experience with it has never been close to what one would call
positive. Painful, breaks in weird ways, and sometimes just had
errors.

Haven't used Jira yet. So, I have no opinion.

I don't think bug tracking needs to be difficult, ugly, or annoying to
navigate. The problem is that every bug tracking utility is built to
solve problems for a large set of implementors. Not, say, solve one
specific need really well. Many violate the prime directive of dealing
with software and users: KISS.



Re: Bug Tracking system does not work

2011-07-19 Thread Johan Beisser
On Tue, Jul 19, 2011 at 1:20 PM, Nico Kadel-Garcia nka...@gmail.com wrote:
 On Tue, Jul 19, 2011 at 12:59 PM, Johan Beisser j...@caustic.org wrote:

 It takes significant, thoughtful re-organization and a saner workflow.

Yes. It's non-trivial to make that happen as a default.

 What would be considered to not suck? Stability? Security?
 Flexibility? Reliable database on the back end? Ease of email
 submissions for newbs?

RT's stability is fine. It's a webapp with a database back end, and
the database is occasionally less than happy. Not a huge problem, since
I can just bounce the DB if need be (it's MySQL; many problems are
fixed fairly quickly that way, I've learned).

For what it is, it works decently. It's flexible enough to work for
use in tracking trouble tickets, but it's been painful enough to
upgrade that I hesitate to run a newer version. Even if that newer
version might fix some of my UI issues.

To make it not suck:
- easy to extend, modify, or add in plugins for new features (no
patching, please)
- simple database schema, no dumping required to upgrade
- functional search
- merging of tickets
- automatically scheduled repeating tickets (heh)
- ability to make API calls to the ticket software (I sometimes want
to open/list/etc tickets remotely, without using the web interface
directly)

You get the idea.



Re: Mac Mini Server

2011-07-13 Thread Johan Beisser
On Wed, Jul 13, 2011 at 1:01 PM, Paolo Aglialoro paol...@gmail.com wrote:
 Watch out for using apple desktop boxes as servers: apple has always put
 style in front of reliability and, especially for such big boxes when
 run 24/7, airflow and heat can become serious issues when you least expect
 it. Not exactly what I'd call a workhorse...

The MacMini Server is specifically designed to work in low airflow
environments. I've had mine sitting in my entertainment center for
over a year (it's working as my media center), with no issues due to
heat at all. I've had more problems from the couple of drive enclosures
than the hardware they put in there.

There is a company that's been using the Mini for co-located servers
for the last few years. My understanding is that the hardware failure
rate is extremely low, even compared to what you should expect for
commodity hardware.



Re: Internet bonding

2011-07-04 Thread Johan Beisser
On Jul 4, 2011, at 12:26, Wesley MOUEDINE ASSABY open...@e-solutions.re
wrote:

 Hi,

 I have a question :
 Is it possible with OpenBSD to bond 2 adsl connections (download=8Mb/s ;
 upload=1Mb/s) with different ISP?

No. Unless you have your own IP space, and both ISPs are willing to advertise
those for you.


 And so have a virtual ADSL connection with a speed : 16Mb/s and an upload
 of : 2Mb/s
 I have already read man pages of trunk, lap seems to me good, but I think
 it works on level 2 (OSI) ...
 Any idea?

Look at load balancing the traffic over both links.



Re: Unix source code (was Re: Can command-line options be specified in any place?)

2011-06-23 Thread Johan Beisser
On Thu, Jun 23, 2011 at 11:57 AM, Brett brett.ma...@gmail.com wrote:
Sure. Not to mention it came with source code, which you only got from

 AT&T if you had a source license, and those were *expensive*. I was
 fortunate enough to work for a company that had exactly that source
 license during the 1980:s, and I learned a *lot* just by reading the
 code. Wish I still had a copy of it today, for nostalgia. :-)

 Copies can be found free on the net, and in book form:

 http://www.softpanorama.org/Bookshelf/Classic/lions_book.shtml

Let me add to that. OCR'd text of first edition UNIX, from June of 1972.

http://code.google.com/p/unix-jun72/



Re: Can command-line options be specified in any place?

2011-06-21 Thread Johan Beisser
On Jun 21, 2011, at 18:48, Benny Lofgren bl-li...@lofgren.biz wrote:

 On 2011-06-22 03.03, vadi...@gmail.com wrote:
 Please continue to use Linux.
 That's ugly, useless and dangerous.

 Oops, looks like that was a holy war type of question. Sorry I did
 not want to start that.

It's not.


 Linus didn't do his homework properly. That, combined with the fact that
 Linux became such a huge success is both a blessing and a curse to us
 in the unix community; on the one hand Linux provides us with plenty of
 young blood in a new generation of hackers... while on the other hand
 they can't speak properly!

Laying the blame on Linus isn't really correct. The environment of the Linux
toolchain is from GNU. Blame starts and ends there.



Re: Can command-line options be specified in any place?

2011-06-21 Thread Johan Beisser
On Jun 21, 2011, at 20:20, vadi...@gmail.com wrote:

 Sorry I really did not want to start any flame. I just thought that
 getting answer from the mailing list would be faster than spending my
 time studying source code of the new system.

 What you should do is relearn the proper way. :-)

 Ok, let me turn my question the other way around. Suppose I typed

 ls -l /some/very/long/path/to/file

 and the file is too big so I want to use -h option. I use a text
 terminal so I can not use mouse to position cursor. How people usually
 handle this on *BSD systems?

I use Bash and OpenBSD's ksh. In both CTRL-a gets me back to the beginning of
the line.


A short Google search turns up these two handy references for Bash, the
favored son of shells on Linux.

Vi mode:
http://www.catonmat.net/blog/bash-vi-editing-mode-cheat-sheet

Alternatively, emacs mode:

http://www.catonmat.net/blog/bash-emacs-editing-mode-cheat-sheet/



Re: License

2011-06-01 Thread Johan Beisser
On Wed, Jun 1, 2011 at 6:02 PM, Simranjit Gill sim...@engageinc.com wrote:
 Hello,



 I want to use the IPv6 source code in one of the products manufactured by my
 company and need to know if there are any restrictions or limitations
 regarding the use of source code in commercial products. Please let me know
 if this is not right place to enquire regarding the license. Thank you.

Check the FAQ and check the source.

http://openbsd.org/faq/faq1.html#ReallyFree

http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet6/in6.h?rev=1.53



Re: Loggin dmesge

2011-05-28 Thread Johan Beisser
On May 28, 2011, at 5:36, Jean-François SIMON jfsimon1...@gmail.com wrote:

 All

 Thanks for your answers, I've not set up my question accurately enough. I
 would like to have a file logging the activity of dmesg after boot as well.
 I'm not sure it is the right way to set it up.

 Here's my problem, I've seen on the screen in console tty0 the blue lines
 of kernel messages which were related to hard drive hardware failures being
 caught and automatically repaired, in the way the hard disks are able to
 manage them.

 That information was, as I said, coming from the kernel and therefore I would
 like to log it and have a review after a while, e.g. if the machine is
 rebooted meanwhile it is not lost.

 So I assumed they were shown through dmesg, but I'm not sure about this.
 Maybe you could help me a bit.


Take a look for the strings you're looking for in /var/log/messages. I bet
they're there.



Re: pfctl: DIOCADDRULE: Operation not supported by device

2011-05-08 Thread Johan Beisser
On Sun, May 8, 2011 at 3:25 PM, roberth rob...@openbsd.pap.st wrote:

 Uhum. Sure that's a way to approach this.
 That's the supported way. With that ammount of support required.
 Fine with that.

I usually build the new kernel, major utilities that require the new
kernel as per http://openbsd.org/faq/current.html and
http://openbsd.org/upgrade*.html. Then reboot to the new kernel, and
build userland. I assume the machine is out of production until it's
done.

 On the other hand, I have been running -current for years and never have
 had any problem with building source with the previous kernel (without
 reboot) that I can remember.

The occasional problem exists. Mostly due to a kernel call after a
library is installed before the userland is upgraded.

 Concerning remote updates, from source will run into more problems
 than from a known good set of tarballs. That's simple statistics,
 because of how many binaries are involved.
 (Remote console access helps, but still might mess up your SLA.)

I always build release from an already upgraded master build server,
so there are no potentially off binaries being distributed.

jb



Re: nat static-port option

2011-02-03 Thread Johan Beisser
On Feb 3, 2011, at 5:17, Martin Schröder mar...@oneiros.de wrote:

 2011/2/3 Bret Lambert bret.lamb...@gmail.com:
 Counting my toaster?

 Your toaster has an IP?


Yours doesn't?



Re: Writing to remote tape

2011-01-07 Thread Johan Beisser
I prefer to tar(1)...

On 1/7/11, Jeff Ross jr...@openvistas.net wrote:
 Hi,

 I have 2 servers that get backed up to tape.  I was scping the daily
 dump files to the server with the tape attached but now I no longer have
 hard disk room to do that.

 So I read the man page for rdump/dump  and that led me to rmt but I have
 been unable to make this work.  It fails with a connection refused
 error, and I could not glean from the rmt manpage why.

 jr...@dukkha:/home/jross $ sudo sh -x /etc/scripts/tape_backup.sh
 Password:
 + dump -0a -f nirvana.internal:/dev/nrst0 /dev/sd0a
 nirvana.internal: Connection refused
 + exit

 nirvana does have pf enabled, but it uses a pass all ruleset.

 So I next wrote a quick shell script that pushes the dump data across
 the lan with ssh and uses dd to write it to the tape drive.

 #!/bin/sh
 #section 1 --/
 dump -0a -f - /dev/sd0a | ssh nirvana dd of=/dev/nrst0 bs=1024
 #section 2 --/cvs
 dump -0a -f - /dev/sd1g | ssh nirvana dd of=/dev/nrst0 bs=1024
 #section 3 --/home
 dump -0a -f - /dev/sd0k | ssh nirvana dd of=/dev/nrst0 bs=1024
 #section 4 --/profiles
 dump -0a -f - /dev/sd1b | ssh nirvana dd of=/dev/nrst0 bs=1024
 #section 5 --/shared
 dump -0a -f - /dev/sd1d | ssh nirvana dd of=/dev/nrst0 bs=1024
 #section 6 --/stars
 dump -0a -f - /dev/sd1e | ssh nirvana dd of=/dev/nrst0 bs=1024
 #section 7 --/bookkeeping
 dump -0a -f - /dev/sd0n | ssh nirvana dd of=/dev/nrst0 bs=1024
 #done
 ssh nirvana mt rewoffl

 After a little trial and error this works, with one caveat--when a tape
 fills up the section it is working on aborts rather than calling for the
 second tape as a local dump-to-tape would.

 I can manually split this into two sections but that won't scale.

 Thanks in advance for any cluesticks or hints!

 Jeff Ross



-- 
Sent from my mobile device
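
Jeff's script above pipes each dump(8) straight into ssh and dd with no status checks, so the shell only ever sees dd's exit status, and when a tape fills mid-section the remaining sections are still started on top of the partial one. The following is an added example, not Jeff's script or anything else from the thread: the same dump-over-ssh pipeline wrapped so that the exit codes of both ends are checked and the run stops at the first failure. The host name, device and the dump/ssh/dd/mt command lines are the ones in the post; the `*_CMD` variables are an assumption added so the control flow can be exercised with local stand-ins in place of a real tape drive.

```shell
#!/bin/sh
# Added example (not from the thread): run dump(8) sections to a remote tape
# over ssh, checking BOTH ends of the pipe and stopping at the first failure
# instead of continuing on to the next section.  Host, device and the default
# commands are the thread's values; the *_CMD variables exist so they can be
# swapped for local stand-ins when testing without a tape drive.

TAPE_HOST="${TAPE_HOST:-nirvana}"
TAPE_DEV="${TAPE_DEV:-/dev/nrst0}"
DUMP_CMD="${DUMP_CMD:-dump -0a -f -}"                              # producer; device is appended
REMOTE_CMD="${REMOTE_CMD:-ssh $TAPE_HOST dd of=$TAPE_DEV bs=1024}" # consumer on the tape host
FINISH_CMD="${FINISH_CMD:-ssh $TAPE_HOST mt rewoffl}"              # rewind/offline after a clean run

# backup_section LABEL DEVICE
# Returns 0 only if both dump and the remote dd exited 0.  A plain "dump | ssh"
# reports only ssh's status, which hides a dump failure, so the producer's
# status is written to a temp file and inspected separately.
backup_section() {
    label=$1
    dev=$2
    rcfile=$(mktemp) || return 1
    { $DUMP_CMD "$dev"; echo $? >"$rcfile"; } | $REMOTE_CMD
    write_rc=$?
    dump_rc=$(cat "$rcfile")
    rm -f "$rcfile"
    if [ "$dump_rc" -ne 0 ]; then
        echo "section $label ($dev): dump failed, rc=$dump_rc" >&2
        return 2
    fi
    if [ "$write_rc" -ne 0 ]; then
        # On a real tape this is what end-of-tape looks like: dd fails to write
        # and exits nonzero, which in turn makes dump abort with a write error.
        echo "section $label ($dev): remote write to $TAPE_HOST:$TAPE_DEV failed, rc=$write_rc" >&2
        return 3
    fi
    echo "section $label ($dev): ok" >&2
    return 0
}

# backup_all LABEL DEVICE [LABEL DEVICE ...]
# Runs the sections in order and stops at the first failure, so later sections
# are never appended after a partial one.  The tape is only rewound/taken
# offline after every section succeeded.
backup_all() {
    completed=0
    while [ $# -ge 2 ]; do
        if ! backup_section "$1" "$2"; then
            echo "aborting: $completed section(s) written, tape left as-is" >&2
            return 1
        fi
        completed=$((completed + 1))
        shift 2
    done
    $FINISH_CMD
}

# Number of sections completed by the last backup_all run (for callers/tests).
sections_completed() {
    echo "$completed"
}

# Stand-alone use, e.g. mirroring the thread's section list:
#   sh remote_dump.sh root /dev/sd0a cvs /dev/sd1g home /dev/sd0k
if [ $# -gt 0 ]; then
    backup_all "$@"
fi
```

The temp-file trick is used because POSIX sh has no `PIPESTATUS`; under bash alone `set -o pipefail` achieves the same effect with less code. Stopping at the first failure does not solve the multi-volume problem Jeff raises (a remote dd cannot prompt for a second tape), but it does keep the script from writing sections 4 through 7 onto a tape that filled during section 3.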



Re: pfsync nic problem.

2010-12-23 Thread Johan Beisser
On Thu, Dec 23, 2010 at 9:19 AM, Alessandro Baggi
alessandro.ba...@gmail.com wrote:

 Hi list, I've tried to use the groups field for pfsync. I've changed in my
 pf rules the wan interface ext=xl0 to ext=egress; then when I try to
 get a fault with firewall 1, firewall 2 becomes master, but all connections
 die. In the state tables of firewall 2 there are synchronized states for xl0,
 but the wan interface is rl2. It's normal that all connections die, as there
 are no valid states for rl2. So at this point the problem persists.
 Is there something that I've missed with the ifconfig groups field? Is this my
 misconfiguration, or is the use of the groups field not a valid approach for this
 problem?

Please post your pf.conf, ifconfig output and dmesg. There may be
another issue not addressed.



Re: [Was: OT - gmail alternatives] PGP web mail anyone?

2010-12-14 Thread Johan Beisser
On Tue, Dec 14, 2010 at 2:06 PM, Tomas Vavrys vav...@cleancode.cz wrote:
 Is there a light at the end of the tunnel somewhere to make email
 secure even for amateurs who don't know how to use PGP? I'm very
 curious about the future of email, especially now. I would like to
 hear opinions of OpenBSD wizards. The thing is that it is very hard to
 persuade someone to use PGP all the time.

PGP has gotten easier with various front ends. Take a look at GPG Made
Easy for an example of simplifying the library calls for application
access to PGP encryption.

jb



Re: suggestion for a new/additional OpenBSD release media option

2010-11-01 Thread Johan Beisser
On Sun, Oct 31, 2010 at 3:39 PM, Jamie Paul Griffin j...@gnix.co.uk wrote:
 Every time one of you writes to Theo directly,
 I feel like I'm watching gay porn.

 Would someone please block this prick. It was funny to start with but now
 it's intensely annoying.

You could just toss his email in to your killfile.



Re: Most barebones pf.conf

2010-08-04 Thread Johan Beisser
pass all

On Wed, Aug 4, 2010 at 3:32 PM, Peter Merritt pwmerr...@weirdwater.org wrote:
 What would be the most barebones pf.conf for an OpenBSD 4.7 nat firewall
 with 2 nics, that passes everything?

 Peter


