Re: Impact of 002_icmp6.patch

2020-10-30 Thread js-openbsd-misc


> Honestly, as one of the devs involved with this security fix, I can tell
> you that I don't know. It is a use-after-free in some situations.
> Is it reachable from remote? I don't know.
> Is it reachable from local? Maybe.
> Is the use-after-free exploitable? Damn hard to tell, it is for sure not easy.
> Was there a PoC exploit? No, there was no PoC.
> I will not invest hours of my time to figure out something that does not
> really interest me. The fix is out, everyone can update.

Thx, that was the answer I was hoping for! :)

-- 
Jonathan



Re: Impact of 002_icmp6.patch

2020-10-30 Thread js-openbsd-misc
To close this thread, I found this: 
https://twitter.com/m00nbsd/status/1321524807473782784




Re: Impact of 002_icmp6.patch

2020-10-30 Thread js-openbsd-misc
> Am 30.10.2020 um 01:28 schrieb Theo de Raadt :
> 
> js-openbsd-m...@webkeks.org wrote:
> 
>> I just saw
>> https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/002_icmp6.patch.sig,
>> however, it's unclear from the description and the context around the
>> patch if this is a read after free or write after free (or both).
> 
> I think it is fair you can study the code yourself and make your own
> factual determination.

As said, it is not immediately obvious to me if this is just read-after-free or 
also write-after-free. Hence I was hoping someone who either wrote the fix or 
who is more familiar with the code than me could enlighten me. It's not one of 
those obvious fixes where you see the buffer overflow just below.

>> In the case of a write after free, would this change "Only two remote
>> holes in the default install, in a heck of a long time!" to three? Or
>> does it need more than IPv6 being configured?
> 
> First off, is ipv6 deployment really part of the default install?  No,
> not really; it takes some effort to configure v6, it is not natural.

The same could be said for v4 though, so is networking not considered part of 
the default install? How did the 2 remote holes happen without network then, 
though? Please help me understand, because the installer asked me for IPv6 just 
as it did for IPv4, so I would consider them both equally default.

> It is active on the loopback, but then that's not remote..

What about link-local IPv6? That's active by default, isn't it?

In any case, are you saying just removing the inet6 address from all interfaces 
would be a sufficient workaround if an immediate update is not possible? (Of 
course, only as a workaround until it's possible)

> But there's a bigger assumption in your mail:
> 
> We've released the errata as security because it is possibly exploitable
> or could cause a crash, and we have a rapid fix release process.  It was
> released without even seeing any evidence of a remote crash, nor any
> evidence of a remote exploit.  Incorrect code gets fixed, and if we
> judge it important we release a fix to the public in expedited fashion,
> and apparently get judged for doing so.

And that is good. But it still does not help in determining the impact, i.e.: 
Was this just a remote DoS (read-after-free) or a potential RCE 
(write-after-free)? For the latter, I would just update, for the former, time 
to reinstall my machines.

> Now that the fix is released and deployed by most openbsd users, we
> quickly become uncurious and head back to other work.  The only
> conversations related to this are asking how we can harden the mbuf
> layer to avoid similar issues in the future.

Which seems like a good strategy, but still, don't you think it's valuable to 
know what the maximum impact was in the worst-case? I fully agree with being 
over cautious and calling something an RCE rather than a DoS when it's unclear 
(a write-after-free could look like a DoS at first and turn out to be RCE, 
after all), but some things are limited in impact (a read-after-free usually 
isn't more than a DoS).

> I guess many other operating systems would wait weeks or months to
> collect all the "facts" and make a fancy disclosure, but we shipped
> source and binary fixes in just over 24 hours.

Again, I think that time is better spent fixing it fast than writing a fancy 
disclosure. I am merely curious if this was just read-after-free or 
write-after-free (or both) to make my own risk determination.

> So, is it a remote crash?  Possibly, but we'd like to see a packet
> that causes it.
> 
> Next after that, is it a remote exploit?
> 
> I think it is fair to wait for facts.

So, what you're saying is, it is only tagged as a security out of caution, not 
because it necessarily is exploitable?

> I also think you are a troll.

Not everybody trying to understand the impact of a security bug is a troll ;).

I merely brought up the 2 remote holes because I was wondering if this could be 
used as a signal that it's not remotely exploitable, as it's still 2.

-- 
Jonathan



Impact of 002_icmp6.patch

2020-10-29 Thread js-openbsd-misc
Hi!

I just saw 
https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/002_icmp6.patch.sig, 
however, it's unclear from the description and the context around the patch if 
this is a read after free or write after free (or both).

In the case of a write after free, would this change "Only two remote holes in 
the default install, in a heck of a long time!" to three? Or does it need more 
than IPv6 being configured?

-- 
Jonathan



How to open new window/pane in the current working directory in tmux?

2019-12-13 Thread openbsd-misc-nospam
I have the following options in tmux.conf:

bind '"' split-window -c "#{pane_current_path}"
bind % split-window -h -c "#{pane_current_path}"
bind c new-window -c "#{pane_current_path}"

But it doesn't work anymore, and I can't find working options on Google. I tried
all suggestions from stackexchange and they don't work either. What are the
working options for OpenBSD 6.6?

Thanks!



Bad fonts in pdf

2019-09-19 Thread openbsd-misc-nospam
Here is screenshot: https://screenshots.firefox.com/LyKbRyGMRT3sDHbu/null

I had this problem in the past, but can't remember which font I should install.

Thanks!



Hosted CI with OpenBSD targets

2017-04-29 Thread Derek (openbsd-misc)

Hi!

Wondering if anyone has experience with hosted CI services that 
support OpenBSD targets for building + tests.  I haven't been 
successful finding any.


Looking to add native OpenBSD support to a project's CI, hoping 
to draw on the community's experience.


Would also prefer to run a service, rather than self-host.

Thanks!
Derek



release and patch/errata info in (easily) machine readable format?

2015-12-05 Thread openbsd-misc
I mostly follow -stable, and have scripts/tools that enable me to (re)build
stable from source with minimal human intervention.

To further automate this process, it would be helpful to have the current
release number and (at least) the most current patch number.

Obviously this information is clearly documented in various web pages, and if
absolutely necessary, I could extend my toolset to scrape this info from the
website and/or the www directory in CVS, but I am wondering if this
information is already available somewhere as data?

I've found that www/build/Makefile contains:

STABLE_VERSION= 5.8

So that is one place I could look, although I am not excited about having to
parse a Makefile either, but I haven’t yet found anyplace where the patch
numbers are available as non-html data.

One approach would be to scrape http://www.openbsd.org/errata.html, figure
out the release numbers, and then scrape the errata page of a particular
release to obtain the patch numbers.

Is this information available somewhere in the tree in some easily parseable
format (YAML, JSON, etc)?

If not, I’ll proceed to scrape this info.

It seems to me that the errata.html and errata.html files could be generated
from the kind of data source I’m describing, and that both the resulting html
files AND the data source file could then be statically served from the
website. If this isn’t the way these files are generated today, and if there
were interest in migrating to this approach, I would be willing to develop
and contribute the code to implement that…



Re: release and patch/errata info in (easily) machine readable format?

2015-12-05 Thread openbsd-misc
> On Dec 5, 2015, at 11:51 AM, trondd  wrote:
>
> On Sat, December 5, 2015 2:20 pm, openbsd-m...@clark-communications.com
> wrote:
>> I mostly follow -stable, and have scripts/tools that enable me to
>> (re)build
>> stable from source with minimal human intervention.
>>
>> To further automate this process, it would be helpful to have the current
>> release number and (at least) the most current patch number.
>
> What is your build process?  The machine doing the build is running the
> same version it's building, right?  Does 'uname -r' not work for you?

My build process begins outside of OpenBSD itself, so if I do not have a
machine running the current release version, a machine running that release
needs to be created.  There are several ways to make that happen, and
currently I spin up a virtual machine.  At the moment, this is not an
automated part of my process, but I would like to make it so...

> As for the patch number, someone can correct me if I am wrong, but I don't
> believe it is recorded anywhere else.  I used to parse the errata page but
> to be kinder to the server, I started parsing my local mirror which I
> actually found to be easier to get the info from.

Yes, if I end up writing a scraper, I will very likely obtain the html pages
from the www directory of my local CVS mirror, rather than making http
requests of the OpenBSD website.  In addition to reducing bandwidth demands
on the website, getting the information from my local mirror might lower the
risk that the website is more recent than my local mirror….

Another nice piece of data to have about a patch level would be the revision
number in CVS for that patch.  At present, the only place I see that
information is inside the patch.sig file, e.g.

http://ftp.openbsd.org/pub/OpenBSD/patches/5.8/common/004_smtpd.patch.sig

If I had that, I could ensure that the release I am about to build actually
contains the changes indicated by the patch level.  I am not looking forward
to parsing these .sig files either :-(

> I maintain a "patchlevel" file on each system to keep track of what patch
> I have applied and I check it against the patches on my mirror in
> daily.local so I keep getting notified of out of date systems.  I also add
> it to the motd so I see it when I log in, as well.
>
> I prefer this slightly manual intervention because I like to know what is
> changing on my systems.  I'm already patching manually, so also
> maintaining the patchlevel file is minor.

My approach is to build an entire new release for the current patch level.
I understand this is way overkill, but given that it is a (mostly) automated
process, I prefer this approach to manually applying and rebuilding….

I don’t apply patches to running systems, I re-install them from scratch,
and automated configuration management restores the system to where it
should be.

I do not now, nor envision, that the re-imaging of a machine would happen
automatically.

I can imagine that at some point I can have my build system send me a
notification that a new patch is available, and a bit later, that a new
release has been built and is available for installation, if/when I so
choose.

Your idea of a patch level file and adding that to motd is great; I will add
that to my configuration management, just to make it obvious when shelling
into a server.  A follow-on addition to that idea is to add a “patch level
fact” to one's configuration management tool of choice, so that the patch
level is reported….
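The thread above ends with the .sig files still unparsed. The script below is an added example, not code from the thread or from the OpenBSD project: it pulls each piece of information the two posters discuss out of the artefacts they name (the STABLE_VERSION line in www/build/Makefile, the highest NNN_name.patch.sig entry in a mirror's patches directory, the CVS revisions named in the cvs diff header inside a patch.sig, and trondd's comparison of a host's recorded patch level against the mirror). All input is constructed sample data embedded in the script; the signify signature line is a placeholder, and the file names, paths and revision numbers are made up for the demo. Only sed, awk and sort are used, so it runs on a base install.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenBSD project): extract release
# and patch-level data from the artefacts discussed in the thread.
# Every input below is constructed sample data, not fetched from a mirror.

# Constructed copy of the www/build/Makefile line quoted in the thread.
MAKEFILE_SNIPPET='# constructed Makefile fragment
STABLE_VERSION= 5.8
'

# Constructed listing of patches/5.8/common/ on a local mirror.
PATCH_LISTING='001_smtpd.patch.sig
002_ssh.patch.sig
003_ssl.patch.sig
004_smtpd.patch.sig
README
'

# Constructed head of a patch.sig: signify header, placeholder signature,
# then the cvs diff header lines that carry the revision numbers.
PATCH_SIG='untrusted comment: verify with openbsd-58-base.pub
RWQPLACEHOLDERSIGNATURENOTREAL
Index: usr.sbin/smtpd/example.c
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/example.c,v
retrieving revision 1.10
retrieving revision 1.10.2.1
diff -u -p -r1.10 -r1.10.2.1
'

# Release number from the Makefile text passed as the argument.
stable_version() {
    printf '%s' "$1" | sed -n 's/^STABLE_VERSION=[[:space:]]*//p'
}

# Highest NNN among NNN_name.patch.sig entries; empty when none exist.
highest_patch() {
    printf '%s' "$1" \
        | sed -n 's/^\([0-9][0-9][0-9]\)_[^/]*\.patch\.sig$/\1/p' \
        | sort -n | tail -n 1
}

# "path revision" for each file the patch touches. The second "retrieving
# revision" line is the revision a correctly patched tree must contain.
patch_revisions() {
    printf '%s' "$1" | awk '
        /^RCS file: / { path = $3; sub(/,v$/, "", path); sub(/^\/cvs\/src\//, "", path) }
        /^retrieving revision / { rev = $3 }
        /^diff / { print path " " rev }
    '
}

# trondd's patchlevel-file idea: compare the level recorded on a host ($1)
# with the latest level on the mirror ($2). Leading zeros are stripped so
# that "004" compares as the number 4.
patch_status() {
    have=$(printf '%s' "$1" | sed 's/^0*//'); have=${have:-0}
    want=$(printf '%s' "$2" | sed 's/^0*//'); want=${want:-0}
    if [ "$have" -ge "$want" ]; then echo current; else echo behind; fi
}

# Stand-alone run: what a daily.local hook could report for this host.
release=$(stable_version "$MAKEFILE_SNIPPET")
latest=$(highest_patch "$PATCH_LISTING")
echo "stable release: $release, latest patch on mirror: $latest"
patch_revisions "$PATCH_SIG"
echo "host recorded at patch 003: $(patch_status 003 "$latest")"
```

The functions take their input as a string argument so the same code works on a fetched copy of the Makefile, on `ls` output from a mirror directory, or on a patch.sig read with `cat`; swapping the constructed variables for real files is the only change needed.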



kernel hiccups with two OpenVPN tunnels

2011-07-17 Thread travis+ml-openbsd-misc
So a few releases ago, I found that if I had OpenVPN running on an
OpenBSD box as a hub, and I did a large transfer from one client to
another, the OpenBSD box would occasionally kernel panic - something
about mbufs, I can pull the kernel stack traces up if desired.  The
hosting company said they saw this quite often with OpenBSD boxes.

As of 4.8, I notice that if I do a similar large transfer, the system
just stops responding to all network traffic for a period of time,
perhaps around 10 minutes or longer.  During this time it's unpingable and
won't forward any packets.  It eventually recovers, which is WAY better than
a kernel panic (the mbuf corruption actually corrupted my root disk on
more than one occasion).

Before I go digging into this, I was wondering if anyone else has had
this experience, and how I should consider troubleshooting it.
--
http://www.subspacefield.org/~travis/
What do you call this music? Hadouken Hadouken? It's down right
fierce
If you are a spammer, please email j...@subspacefield.org to get blacklisted.

[demime 1.01d removed an attachment of type application/pgp-signature]



openvpn openbsd = kernel lockups

2011-02-15 Thread travis+ml-openbsd-misc
Hey there,

I have been asked to help a friend whose system is used as a VPN hub.

It used to be an older OpenBSD, possibly 4.5 or 4.6, and he got many
kernel panics around some buffer routines (possibly mbuf) that led to
disk corruption.

It's now OpenBSD 4.8 amd64, and if the system has transit traffic -
going from one leaf through the hub to another - in excess of 100MB at
200kB/s or more, the system stops responding to network traffic for a
minute or three.  During this time, it becomes unpingable, and the VPN
basically stops working temporarily.  Often it will start up again,
but if the connection is lossy (like a wifi connection), then it
sometimes won't recover.

Before I investigate further, does anyone have a clue as to what may be
going on here?

If not, what would be the suggested method for investigating?
--
Effing the ineffable since 1997. | http://www.subspacefield.org/~travis/
My emails do not usually have attachments; it's a digital signature
that your mail program doesn't understand.
If you are a spammer, please email j...@subspacefield.org to get blacklisted.




Re: equivalent of Linux mount -o bind

2011-02-02 Thread travis+ml-openbsd-misc
On Fri, Jan 28, 2011 at 03:52:53PM -0800, Travis H. wrote:
> So I'm curious if there's something in OpenBSD that's similar to the
> mount -o bind /dir1 /dir2 to make dir1 appear where dir2 is.

For those who asked, one sample use is for something like this:

Starting with the 2.4-series Linux kernels, it has been possible to
mount a filesystem simultaneously in two different places. Aha! you
might think, as I did. Then surely we can mount the backups read-only
in /snapshot, and read-write in /root/snapshot at the same time!

Alas, no. Say your backups are on the partition /dev/hdb1. If you run
the following commands,

mount /dev/hdb1 /root/snapshot
mount --bind -o ro /root/snapshot /snapshot

then (at least as of the 2.4.9 Linux kernel--updated, still present in
the 2.4.20 kernel), mount will report /dev/hdb1 as being mounted
read-write in /root/snapshot and read-only in /snapshot, just as you
requested. Don't let the system mislead you!

In the example above, the second mount call will cause both of the
mounts to become read-only, and the backup process will be unable to
run. Scratch this one.

Update: I have it on fairly good authority that this behavior is
considered a bug in the Linux kernel, which will be fixed as soon as
someone gets around to it. If you are a kernel maintainer and know
more about this issue, or are willing to fix it, I'd love to hear from
you!
--
Effing the ineffable since 1997. | http://www.subspacefield.org/~travis/
My emails do not usually have attachments; it's a digital signature
that your mail program doesn't understand.
If you are a spammer, please email j...@subspacefield.org to get blacklisted.




host(1) oddities

2011-01-31 Thread travis+ml-openbsd-misc
Hey all,

I ran host www.google.com on a new OpenBSD 4.8 install and got this:

13:50:28.132052 127.0.0.1.41209 > 127.0.0.1.48830: udp 31
13:50:28.132081 127.0.0.1 > 127.0.0.1: icmp: 127.0.0.1 udp port 48830 unreachable
13:50:29.133552 ::1.38033 > ::1.48830: udp 31
13:50:29.133577 ::1 > ::1: icmp6: ::1 udp port 48830 unreachable
13:50:34.143471 127.0.0.1.41209 > 127.0.0.1.48830: udp 31

What gives?  Nothing's on port 48830; should there be something there?
--
Effing the ineffable since 1997. | http://www.subspacefield.org/~travis/
My emails do not usually have attachments; it's a digital signature
that your mail program doesn't understand.
If you are a spammer, please email j...@subspacefield.org to get blacklisted.




miscellaneous unofficial OpenBSD ports

2010-04-18 Thread travis+ml-openbsd-misc
http://www.subspacefield.org/~travis/OpenBSD/

Need to be updated - last update was for 4.1
--
A Weapon of Mass Construction
My emails do not have attachments; it's a digital signature that your mail
program doesn't understand. | http://www.subspacefield.org/~travis/
If you are a spammer, please email j...@subspacefield.org to get blacklisted.




Re: OT: Old School Unix vs. Modern Day Support Professionals - was (Defending OpenBSD Performance)

2009-09-18 Thread openbsd misc
> Fact of the matter is that I have become convinced that those that know
> how to actually TROUBLESHOOT problems are in the very small minority in
> this industry.

I think this is really the crux of the matter. I find the ability to
troubleshoot multi-vendor complexity is getting to be a rare commodity; it's
something that's very hard to interview people for. Nowadays people are so
proud of their certification and specialized domain knowledge that they
actively avoid learning or thinking about stuff outside of their specialized
area.



Atheros AR9001U chipset - maybe Otus driver ?

2009-05-13 Thread openbsd misc
I was given an AVM FRITZ!WLAN USB Stick N and I found some references to it
in a man page for the otus driver (rel 1.3 and 1.4).

However, searching the man pages via openbsd.org I can't find any mention of
a released otus driver, at least in 4.5 (as per my official CD).

Also I noticed this line in the web page for changes between 4.5 and -current:
"Enabled otus(4) on amd64 and i386 GENERIC kernels." But clicking on the
otus(4) link gives me "Sorry, no data found for `otus(4)'".

Can anyone shed any light on what the odds are of getting this device working?

If I plug it in to my old t22 Thinkpad (usb 1.1 I'm guessing) it picks it up
as a mass storage device.

Thanks

uname  4.5 Generic 1749 i386



dmesg

SR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem  = 267874304 (255MB)
avail mem = 250728448 (239MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 02/28/02, BIOS32 rev. 0 @
0xfd820, SMBIOS rev. 2.3 @ 0xfff (46 entries)
bios0: vendor IBM version 16ET29WW (1.09 ) date 02/28/2002
bios0: IBM 26474EG
apm0 at bios0: Power Management spec V1.2
apm0: battery life expectancy 46%
apm0: AC off, battery charge high, estimated 0:33 hours
acpi at bios0 function 0x0 not configured
pcibios0 at bios0: rev 2.1 @ 0xfd7b0/0x850
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdee0/208 (11 entries)
pcibios0: PCI Interrupt Router at 000:07:0 (Intel 82371FB ISA rev 0x00)
pcibios0: PCI bus #5 is the last bus
bios0: ROM list: 0xc/0xc000 0xcc000/0x1800 0xdc000/0x4000! 0xe/0x1
cpu0 at mainbus0: (uniprocessor)
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel 82443BX AGP rev 0x03
intelagp0 at pchb0
agp0 at intelagp0: aperture at 0xf800, size 0x400
ppb0 at pci0 dev 1 function 0 Intel 82443BX AGP rev 0x03
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 S3 Savage/IX-MV rev 0x13
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
cbb0 at pci0 dev 2 function 0 TI PCI1450 CardBus rev 0x03: irq 11
cbb1 at pci0 dev 2 function 1 TI PCI1450 CardBus rev 0x03: irq 11
fxp0 at pci0 dev 3 function 0 Intel 8255x rev 0x0c, i82550: irq 11,
address 00:03:47:7b:6d:1e
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
ATT/Lucent LTMODEM rev 0x01 at pci0 dev 3 function 1 not configured
clcs0 at pci0 dev 5 function 0 Cirrus Logic CS4280/46xx CrystalClear
rev 0x01: irq 11
reset_codec: AC97 inputs slot ready timeout
clcs0: AC97 write fail (DCV!=0) for add=0x26 data=0x
clcs0: AC97 write fail (DCV!=0) for add=0x00 data=0x
clcs0: AC97 write fail (DCV!=0) for add=0x00 data=0x
clcs0: AC97 write fail (DCV!=0) for add=0x00 data=0x
clcs0: AC97 write fail (DCV!=0) for add=0x00 data=0x
clcs0: AC97 write fail (DCV!=0) for add=0x02 data=0x8000
clcs0: AC97 write fail (DCV!=0) for add=0x06 data=0x8000
clcs0: AC97 write fail (DCV!=0) for add=0x20 data=0x
clcs0: AC97 write fail (DCV!=0) for add=0x04 data=0x8000
clcs0: AC97 write fail (DCV!=0) for add=0x38 data=0x8080
clcs0: AC97 write fail (DCV!=0) for add=0x36 data=0x8080
clcs0: AC97 write fail (DCV!=0) for add=0x36 data=0x8080
clcs0: AC97 write fail (DCV!=0) for add=0x36 data=0x8080
clcs0: AC97 write fail (DCV!=0) for add=0x36 data=0x8080
clcs0: AC97 write fail (DCV!=0) for add=0x08 data=0x0f0f
clcs0: AC97 write fail (DCV!=0) for add=0x0a data=0x
clcs0: AC97 write fail (DCV!=0) for add=0x0c data=0x8008
clcs0: AC97 write fail (DCV!=0) for add=0x0e data=0x8008
clcs0: AC97 write fail (DCV!=0) for add=0x0e data=0x8008
clcs0: AC97 write fail (DCV!=0) for add=0x20 data=0x
clcs0: AC97 write fail (DCV!=0) for add=0x10 data=0x8808
clcs0: AC97 write fail (DCV!=0) for add=0x12 data=0x8808
clcs0: AC97 write fail (DCV!=0) for add=0x14 data=0x8808
clcs0: AC97 write fail (DCV!=0) for add=0x16 data=0x8808
clcs0: AC97 write fail (DCV!=0) for add=0x18 data=0x8808
clcs0: AC97 write fail (DCV!=0) for add=0x1a data=0x
clcs0: AC97 write fail (DCV!=0) for add=0x1c data=0x8000
clcs0: AC97 write fail (DCV!=0) for add=0x1e data=0x8000
clcs0: AC97 write fail (DCV!=0) for add=0x20 data=0x
clcs0: AC97 write fail (DCV!=0) for add=0x20 data=0x
clcs0: AC97 write fail (DCV!=0) for add=0x22 data=0x
clcs0: AC97 write fail (DCV!=0) for add=0x22 data=0x
clcs0: AC97 write fail (DCV!=0) for add=0x26 data=0x
clcs0: AC97 write fail (DCV!=0) for add=0x2a data=0x
clcs0: AC97 read prob. (DCV!=0) for add=0x7c
clcs0: AC97 read prob. (DCV!=0) for add=0x7e
clcs0: AC97 read prob. (DCV!=0) for add=0x00
ac97: codec id not read
clcs0: AC97 read prob. (DCV!=0) for add=0x28
clcs0: AC97 read prob. (DCV!=0) for add=0x02
clcs0: AC97 write fail (DCV!=0) for add=0x02 data=0x
clcs0: AC97 read prob. (DCV!=0) for add=0x18
clcs0: AC97 write fail (DCV!=0) for add=0x18 data=0x0808
clcs0: AC97 read prob. (DCV!=0) for add=0x1c
clcs0: AC97 write fail (DCV!=0) for add=0x1c data=0x
clcs0: AC97 read prob. (DCV!=0) for add=0x1a
clcs0: AC97 write fail (DCV!=0) for add=0x1a data=0x

Re: Atheros AR9001U chipset - maybe Otus driver ?

2009-05-13 Thread openbsd misc
otus0 at uhub0 port 1 AVM Berlin FRITZ!WLAN USB Stick N rev 2.00/4.03 addr 2
otus0: could not load init firmware
RX status=13
(the preceding line is repeated 143 times in total)
RX status=6
otus0 detached
umass0 at uhub0 port 1 configuration 1 interface 0 AVM Berlin
FRITZ!WLAN USB Stick N rev 2.00/4.03 addr 2
umass0: using ATAPI over Bulk-Only
scsibus1 at umass0: 2 targets, initiator 0
cd1 at scsibus1 targ 1 lun 0: FRITZ!, WLAN selfinstall, 1.00 ATAPI
5/cdrom removable
cd1 detached
scsibus1 detached
umass0 detached
otus0 at uhub0 port 1 AVM Berlin FRITZ!WLAN USB Stick N rev 2.00/4.03 addr 2
otus0: could not load init firmware




On Wed, May 13, 2009 at 1:23 PM, Stuart Henderson s...@spacehopper.org
wrote:
> try -current.
>
> On 2009-05-13, openbsd misc open...@6wells.com wrote:
>> I was given an AVM FRITZ!WLAN USB Stick N and I found some references to
>> it in a man page for the otus driver (rel 1.3 and 1.4).
>>
>> However, searching the man pages via openbsd.org I can't find any mention
>> of a released otus driver, at least in 4.5 (as per my official CD).
>>
>> Also I noticed this line in the web page for changes between 4.5 and
>> -current: "Enabled otus(4) on amd64 and i386 GENERIC kernels." But
>> clicking on the otus(4) link gives me "Sorry, no data found for
>> `otus(4)'".
>>
>> Can anyone shed any light on what the odds are of getting this device
>> working?
>>
>> If I plug it in to my old t22 Thinkpad (usb 1.1 I'm guessing) it picks
>> it up as a mass storage device.
>>
>> Thanks
>>
>> uname  4.5 Generic 1749 i386




Re: OT: 10GbE Physical Network Taps

2009-05-06 Thread openbsd misc
On Wed, May 6, 2009 at 3:42 PM, Diana Eichert deich...@wrench.com wrote:
 On Wed, 6 May 2009, J.C. Roberts wrote:

 I need to collect raw throughput statistics without increasing latency
 or reducing bandwidth on 10GbE fiber links, so most of the typical
 methods are out of the question (i.e. like bridging, SPAN sessions on a
 switch, ...). As far as my understanding allows, I believe the best way
 to do this is with a physical network tap connected to monitoring
 equipment. I figure folks running/maintaining OpenBSD firewalls might
 be familiar with using physical network taps for deploying IDS/IPS since
 using bridges on such systems is a Bad Idea (R)(TM).

 I've found one company [1] which offers what I need, but I was wondering
 if anyone can recommend a vendor of physical network taps?

 Thanks,
 jcr


 [1] http://www.networktaps.com/products/index.html

 --
 J.C. Roberts

 JC

 We use physical taps at work, when I get the chance I'll take a look at
 the vendor.

 Also, you really think you can capture 10GE? Chuckle, good luck.

 diana




   NSA,MI(x)/GCHQ,ASIO and their vendor friends would beg to differ.

 I can't see any  black helicopters and my Tin Foil hat fits fine
thanks for asking.



Re: Transparent firewall (bridge) with DMZ + LAN

2009-04-27 Thread openbsd misc
 You can either read the code or listen to somebody who has.  I don't
 know you either, but I know Henning and I know the bridge code, and
 the short version is he's right.


Has anyone noticed

that if you substitute "Bible" for "code" in the section quoted above,
it's like listening to someone who believes in a technical
high-priesthood, all blessed with the doctrine of technical
infallibility, which is great if you like dogma and blind faith. For me the
occasional rational explanation for why not to do something, with a
little concrete technical backup to support the assertion, is usually
more useful.

;)



Re: where to order now ?

2009-04-02 Thread openbsd misc
On Thu, Apr 2, 2009 at 11:48 PM, Theo de Raadt dera...@cvs.openbsd.org wrote:
 I see OpenBSDEurope appear to advertise the CDs for about 30 euro a
 pop: http://www.openbsdeurope.com/45.htm

 Other sellers offer the CDs for the usual 50 euro.
 Does the lower price @ openbsdeurope mean they have smaller margins or
 OpenBSD.org gets less money, or both?

 It means they intend to operate with smaller margins.

 I never did understand Wim's math.


Well I'm glad we can easily order CD's again - I've just placed my
order and as well as the lower CD set price, I thought for once the
international shipping was very reasonable at eur 1.75.



Re: European orders

2009-03-30 Thread openbsd misc
Damn, this is degenerating into mud slinging bollocks, what with
"full value", "owed for CD sales", "transfers of undisclosed amounts" -
some clear facts would be nice, this sounds like waffle.

 1. There appear to be no contracts, so Theo and Wim, or the bodies
they represent or act for, have no written agreement as to what the
involved parties were supposed to do. If that is true then that is a major
 governance shortcoming and whoever let this situation come to pass
 needs a good kicking; in essence you've gotten the fucking mess
 you deserve, and whoever is responsible for OpenBSD's legal governance
(if anyone) should stand up and take the blame and sort it out.

 2. Because there is no contract, now we descend into
 He said, I said and other equivalent bollocks that really no-one can verify
 or substantiate as there appear to be no documents or agreements
or contracts that we can verify against.

 3. If KD85 is delinquent in payments - who are the amounts owed to? Is it:

 a) The Computer Store for the supply of goods. Which I assumed are covered
by some terms and conditions and invoice terms.
 b) Some legal entity that represents Openbsd, which is owed money for
something,
 what for, it is not exactly clear - is it a revenue share from
T-Shirts, Posters, fsking plush toys ?
. And where is the agreement covering the terms of this. ?
 c) Theo personally for something.

 4. Donations - I would have assumed they are property of the legal
entity which is
 Openbsd's foundation, so if that entity doesn't account clearly for
donations and
doesn't maintain some financial accounts that reflect where,who,when
and what it was used for - then you fucking well deserve this mess.

"*years* in paying the full value" - what the hell does this mean?
"Full value"??? Surely there is a declared invoice value which gets
paid; you can't really retrospectively change the invoices.


If the Computer store is owed money , then there should be outstanding
invoice amounts -
so either there are outstanding amounts
or there are not-
if this is some weirdo retrospective thing where one party wants to now get
extra payment for something that was never invoiced for
and is not covered by something verifiable, then good luck to you.

This is a mess and worse it's a stupid mess, and forming up
blindly to support one party or the other is stupid too.

No agreements, less than clear facts, mud slinging == a recipe for disaster

Someone get in the middle and mediate, someone who both parties trust,
and get it
sorted as this is going downhill fast.



Re: Multiple obsd installations on one harddrive

2009-03-28 Thread openbsd misc
 -----Original Message-----
 From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org]
 On Behalf Of Mike Erdely
 Sent: Friday, 27 March 2009 20:25
 To: misc(at)openbsd.org
 Cc: misc@openbsd.org
 Subject: Re: Multiple obsd installations on one harddrive

 On Fri, Mar 27, 2009 at 12:38:27AM +0100, misc(at)openbsd.org wrote:
  I have a question regarding openbsd and partitions. I want to have more
  than one obsd installation on one harddrive. The idea behind that
  question is to be able to install a newer release in parallel, chroot
  into it, compile stuff, install packages etc and boot into that
  partition when it's done. I want to avoid onsite reinstallations (and I
  don't want to have several old versions of libs, in short, the default
  patch-way).
  I don't know if that is a good idea, perhaps there is a much easier way.

 Here's how I did it:
 http://erdelynet.com/tech/openbsd/2nd-install-1-disk/


That's what I was looking for, thanks a lot.

Regards
  Hagen Volpers



Re: Multiple obsd installations on one harddrive

2009-03-27 Thread openbsd misc
 -----Original Message-----
 From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org]
 On Behalf Of Ingo Schwarze
 Sent: Friday, 27 March 2009 03:12
 To: Volpers, Hagen
 Cc: misc@openbsd.org
 Subject: Re: Multiple obsd installations on one harddrive

 Volpers, Hagen wrote on Fri, Mar 27, 2009 at 01:56:07AM +0100:

  But I think there is a misunderstanding. I was talking about, mmhh,
  let's say fdisk partitions. I want to create two absolutely independent
  installations. My problem is that disklabel always uses the whole
  disc (c:), I'm not able to switch between the fdisk-partitions (wd0 /
  rwd0c is always the same).

 According to the disklabel(8) manual, the disklabel refers to the whole
 disk.  I never heard that anybody tried to trick a disk into having one
 disklabel for its first part and a second disklabel for its second part.
 Also, i see no point in that.  That disklabel just cuts the disk into
 slices to put filesystems in.  In any case, you will only mount those
 filesystems that you want to work with right now.  It does no harm if
 the disklabel contains some more slices you don't use.  Why would you
 want to split the disklabel into two parts?  In my eyes, that would seem
 to be an unnecessary complication and obfuscation.

  If I got you right you created something like this:
 
  wd0a: /root1
  wd0b: shared swap
  wd0d: /root2
  [...]

 Yes.

 If you install once to wd0a and once to wd0d, these two installations
 *are* completely independent - even if you share /tmp and /home.
 Of course, pay attention not to share /usr (for obvious reasons)
 or /var (think of /var/db/pkg!).

  That means that you only switch the mount-point during installation,
  keeping the partitions untouched, right?

 Yes.

Ok, tried it, but disklabel always want to use wd0a as root-partition. That's
what disklabel(8) says:

By convention, the `a' partition of the boot disk is the root
partition, and the `b' partition of the boot disk is the swap partition,
but all other letters can be used in any order for any other partitions
as desired.

How did you do the install?

Another problem is the bootloader. AFAIK you can only define the hd and
fdisk-partition, not the disklabel-partition to boot from.

Could you please give me some more information about your setup?

Regards
  Hagen Volpers



Re: OpenLDAP w/o bdb okay?

2009-01-16 Thread dan-openbsd-misc
Henning Brauer(lists-open...@bsws.de)@2009.01.06 14:42:09 +0100:
 I am not aware of any. Lack of options doesn't make openldap better.

There is an option for people who have very basic LDAP needs - tinyldap
from fefe.de. It's high quality but lacks many features at the time.



Re: new home box for secure data storage

2008-10-30 Thread eric-list-openbsd-misc
On Thu, 2008-10-30 at 10:45:20 -0400, Douglas A. Tutty proclaimed...

 Yes.

Then keep it off a computer. Otherwise look for solutions that have already
been presented...because they work.

- Eric



sasyncd / pfsync / carp question

2008-07-31 Thread openbsd misc
Hi,

I'm running two obsd 4.4-current boxes as firewall / vpn-endpoints
hot-standby (no balancing). I configured carp like this:

Master:
carp3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:5e:00:01:01
carp: MASTER carpdev vlan32 vhid 1 advbase 1 advskew 9
groups: carp
inet6 fe80::200:5eff:fe00:101%carp3 prefixlen 64 scopeid 0xc
inet XX.XX.XX.XX netmask 0xfffffff8 broadcast XX.XX.XX.XX

Slave:
carp3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:5e:00:01:01
carp: BACKUP carpdev vlan32 vhid 1 advbase 1 advskew 100
groups: carp
inet6 fe80::200:5eff:fe00:101%carp3 prefixlen 64 scopeid 0xc
inet XX.XX.XX.XX netmask 0xfffffff8 broadcast XX.XX.XX.XX

I'm running pfsync and it's working fine (did several tcp / ping tests
switching several time). But if the master boots it will become master
before sasyncd is able to sync status and all ipsec connections get
dropped (ATM I have three monowall www.m0n0.ch/wall endpoints).

The question is how I have to handle this setup. Do I have to play with
advbase? I don't think it's a good idea to trust delays hoping that
sasyncd will do it's job before the first machine becomes master again.
Is there a way to wait for sasyncd or something like that?

Here's the exact version:

# sysctl kern.version
kern.version=OpenBSD 4.4-beta (GENERIC) #987: Wed Jul 23 15:39:48 MDT
2008
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC

Please let me know if you need further information.

Regards
  Hagen Volpers



Re: pfctl

2008-07-25 Thread openbsd misc
Hi,

interesting point. How about dumping it to a file or something so you are
able to check what was loaded last time (e.g. a file with mode 400 under
/var/whatever)?

Regards
  Hagen Volpers


 -----Original Message-----
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 On Behalf Of Stuart Henderson
 Sent: Friday, 25 July 2008 17:15
 To: Charlie Clark
 Cc: misc@openbsd.org
 Subject: Re: pfctl

 On 2008/07/25 14:53, Charlie Clark wrote:
  Stuart Henderson wrote:
  On 2008-07-25, Charlie Clark [EMAIL PROTECTED] wrote:
 
  Hi,
 
  I have noticed that you are unable to view the currently loaded
  options for pf using pfctl, even 'pfctl -sa' doesn't show the
  options eg. set skip on tun0.
  Is this going to be implemented soon or is it there and
 I'm missing
  something?
 
  Regards,
 
 
 
  Someone asked about this recently.
   http://marc.info/?l=openbsd-misc&w=2&r=1&s=set+skip+pfctl&q=b
 
 
 
  Yes sorry I posted this by accident, I still haven't got a valid
  solution for this though.

 set XX options are a mix of directives to pf and to pfctl,
 the pfctl directives don't get stored anywhere so you can't
 retrieve them later. The ones affecting pf are available but
 in a different format.



Re: pfctl

2008-07-25 Thread openbsd misc
Hehe, I knew I'd get this reply. ;-) The question was which configuration is
active, not what will be activated by pfctl -f /etc/pf.conf, that's the
difference.
I think that could help some people in multi-admin environments ;-)

Regards
  Hagen Volpers


 -----Original Message-----
 From: Paul de Weerd [mailto:[EMAIL PROTECTED]
 Sent: Friday, 25 July 2008 22:37
 To: openbsd misc
 Cc: misc@openbsd.org
 Subject: Re: pfctl

 On Fri, Jul 25, 2008 at 10:16:21PM +0200, openbsd misc wrote:
 | Hi,
 |
 | interessting point. How about dumping it to a file or
 something so you are
 | able to check what was loaded last time (e.g. a file with 400 under
 | /var/whatever)?

 GREAT IDEA !

 How about /etc/pf.conf ?

 Cheers !

 Paul 'WEiRD' de Weerd

 --
 [++-]+++.+++[---].+++[+
 +++-].++[-]+.--.[-]
  http://www.weirdnet.nl/



Re: pfctl

2008-07-25 Thread openbsd misc
It was only an idea regarding the question. Sorry for sharing thoughts ... I'm
already using such a script because of that; it would be great to have that job
done by pfctl because then everyone would have this feature and you cannot
bypass it with pfctl -f ...
As I said this is only an idea. We should stop this discussion :)

Regards
  Hagen Volpers

 -----Original Message-----
 From: Paul de Weerd [mailto:[EMAIL PROTECTED]
 Sent: Saturday, 26 July 2008 00:00
 To: openbsd misc
 Cc: misc@openbsd.org
 Subject: Re: pfctl

 On Fri, Jul 25, 2008 at 11:38:40PM +0200, openbsd misc wrote:
 | Hehe, I knew I'll get this reply. ;-) The question was
 which configuration is
 | active, not what will be activated by pfctl -f
 /etc/pf.conf, that's the
 | difference.
 | I think that could help some people in multi-admin environments ;-)

 If you can't organize a proper way to keep loaded rules and rulefile
 in sync, you may want to have a talk with the other admins.

 Given that, you may want to create a script that does exactly what you
 want. It's OpenBSD. It's open source, the tools are there, you can see
 how this stuff works, you know what you want - create what you need by
 yourself. A simple script that copies your pf.conf to
 /var/whatever/last.loaded is just a few keystrokes away.

 Cheers,

 Paul 'WEiRD' de Weerd

 --
 [++-]+++.+++[---].+++[+
 +++-].++[-]+.--.[-]
  http://www.weirdnet.nl/
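The script Paul describes, written out as an added example (this is not code from the thread, from Paul, or from OpenBSD): a wrapper around pfctl that archives a read-only copy of the exact file that was loaded, and a check that reports whether /etc/pf.conf has drifted from what the kernel is running. PF_CONF, PF_STATE_DIR and PFCTL are knobs invented for this example; the archive directory /var/db/pf-loaded is an assumption, not a stock path.

```sh
#!/bin/sh
# Added example, not code from the thread or from OpenBSD: every load also
# archives a mode 0400 copy (as suggested in the thread) of the file that
# went into the kernel, so "which ruleset is active?" has an answer that
# does not depend on nobody having edited /etc/pf.conf since.
# PF_CONF, PF_STATE_DIR and PFCTL are hypothetical knobs added here.

PF_CONF="${PF_CONF:-/etc/pf.conf}"
PF_STATE_DIR="${PF_STATE_DIR:-/var/db/pf-loaded}"
PFCTL="${PFCTL:-pfctl}"

# pf_load [file]: parse-check, load, then archive the file just loaded.
# Returns non-zero and archives nothing if pfctl rejects the ruleset, so
# last.loaded never points at a file the kernel did not accept.
pf_load() {
    conf="${1:-$PF_CONF}"
    mkdir -p "$PF_STATE_DIR" && chmod 0700 "$PF_STATE_DIR" || return 1
    "$PFCTL" -nf "$conf" || return 1     # -n: parse only, touch nothing
    "$PFCTL" -f "$conf" || return 1
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$PF_STATE_DIR/pf.conf.$stamp"
    cp "$conf" "$archive" && chmod 0400 "$archive" || return 1
    # last.loaded always names the ruleset that is currently active.
    ln -sf "pf.conf.$stamp" "$PF_STATE_DIR/last.loaded"
}

# pf_check_drift [file]: 0 if file is byte-identical to the archived copy,
# 1 if it was edited since the last pf_load or was never loaded this way.
pf_check_drift() {
    conf="${1:-$PF_CONF}"
    last="$PF_STATE_DIR/last.loaded"
    if [ ! -r "$last" ]; then
        echo "no archived ruleset in $PF_STATE_DIR" >&2
        return 1
    fi
    if cmp -s "$conf" "$last"; then
        echo "$conf matches the ruleset loaded as $(readlink "$last")"
        return 0
    fi
    echo "$conf differs from the loaded ruleset:" >&2
    diff -u "$last" "$conf" >&2 || true   # diff exits 1 on differences
    return 1
}

# pf_loaded_rules: the kernel's own view of the filter rules, for comparing
# with "pfctl -nvf /etc/pf.conf". As noted in the thread, "set" options
# that only steer pfctl are not stored and will not appear here.
pf_loaded_rules() {
    "$PFCTL" -sr
}
```

Use pf_load instead of a bare pfctl -f everywhere rules are (re)loaded, including /etc/rc.local or whatever wrapper the other admins use; the archive only answers the question if nobody bypasses it, which is the organisational point Paul makes above.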



Re: Rails https?

2008-07-25 Thread openbsd misc
Hi,

you didn't define a protocol. Change your configuration to

ProxyPass / http://127.0.0.1:3000
ProxyPassReverse / http://127.0.0.1:3000

You should also set
NoCache *

(for more information on favicon: http://en.wikipedia.org/wiki/Favicon - some
browser request the icon even if it's not defined)

Regards
  Hagen Volpers


 -----Original Message-----
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 On Behalf Of DrGadget
 Sent: Friday, 25 July 2008 23:50
 To: misc@openbsd.org
 Subject: Rails & https?

 Been testing redmine [OBSD4,3 + Rails 2.0.2] for project
 tracking, but I'm
 running into an issue creating an https proxy for it to run
 behind. Figured
 out the proxy config:

 LoadModule proxy_module /usr/lib/apache/modules/libproxy.so

  ProxyPass / 127.0.0.1:3000
  ProxyPassReverse / 127.0.0.1:3000

 however this doesn't seem to work:

 [Fri Jul 25 16:14:10 2008] [warn] [client 206.197.251.1]
 proxy: No protocol
 handler was valid for the URL /favicon.ico. If you are using
 a DSO version
 of mod_proxy, make sure the proxy submodules are included in the
 configuration using LoadModule.

 Did I miss something on the proxy config, or is there a
 different way to do it?

   TIA,

   Lee



Re: Actual BIND error - Patching OpenBSD 4.3 named ?

2008-07-09 Thread openbsd misc
http://cr.yp.to/djbdns/run-cache.html
http://www.ro.kde.org/djbdns/mywork/jumbo/index.html

I never understood the mix of authoritative server and resolver ... Use dnscache
as resolver and you're (AFAIK) safe.

Regards
  Hagen Volpers


 -----Original Message-----
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 On Behalf Of Ted Unangst
 Sent: Wednesday, 9 July 2008 20:10
 To: Steve Tornio
 Cc: misc
 Subject: Re: Actual BIND error - Patching OpenBSD 4.3 named ?

 On 7/9/08, Steve Tornio [EMAIL PROTECTED] wrote:

   I don't think this actually accomplishes much.  It still
 lets poisoned
   replies back in on the previous port number.
  
  
 
   But does it allow a poisoned reply from the spoofed address?

 oh, right.  I think I forgot even UDP packets have IP addresses. :(



carp / routing question (multiple lines)

2008-06-25 Thread openbsd misc
Hello,

I hope I can avoid trial and error this way ;-) I have two firewall systems
with carp enabled (running obsd 4.3). These gateways have two internet
connections (dsl 6000 and symmetric 4000 provided by a router with a
/29 transport net).
The symmetric line should be used for vpn and for mail and http(s) if
the dsl line is not available.
I tried to google about this topic, but I didn't find much helpful.
Someone mentioned http://marc.info/?l=openbsd-misc&m=120665186412690&w=2
yesterday. Looks like a good starting point because the pf.conf manpage
doesn't say much about route-to and reply-to syntax.

Every connection should find its way back the same way (same route, using
the ip-address the SYN came to).

Does someone have a link for me on how to set the correct routes and
pf-rules? The symmetric line should be set as default route with a
higher metric but the source ip should be the carp ip if used. I think
my biggest problem is carp, because I don't know how to set up pf
correctly with carp in use. As you know pf uses the physical interface,
not the virtual interface, so I think I have to define the source ip,
too?

I hope someone understands my english ;-) and can give me some links /
documentation / examples ...

Thanks and regards
  Hagen Volpers



Re: carp / routing question (multiple lines)

2008-06-25 Thread openbsd misc
Hello,

I totally agree, that's why I wrote to the mailing list and did not copy the
example ;-) It's not the first time I'm working with pf, but the first time
with two external connections. Thanks for the link, I missed that because of
the topic (I'm not looking for load balancing).
But I didn't find out how to set this up correctly:
- normally the chosen link is rule (pf) based
- the other line should be used if one is down (how to do that with pf?)
- how must I read the route-to / reply-to syntax?
for example:
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any

Till now I wasn't able to get into that, still looking for the
click-aha-effect ;-)

Thanks for your help.

Regards
  Hagen Volpers

 -----Original Message-----
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 On Behalf Of Stuart Henderson
 Sent: Thursday, 26 June 2008 01:47
 To: misc@openbsd.org
 Subject: Re: carp / routing question (multiple lines)

 On 2008-06-25, openbsd misc [EMAIL PROTECTED] wrote:
  I hope I can avoid try'n error this way ;-) I have two
 firewall systems
  with carp enabled (running obsd 4.3). These gateways have
 two internet
  connections (dsl 6000 and symmetric 4000 provided by a
 router with an
  /29 transport net).
  The symmetric line should be used for vpn and vor mail and
 http(s) if
  the dsl line is not available.
  I tried to google about this topic, but I didn't find much helpful.
  Someone mentioned
 http://marc.info/?l=openbsd-misc&m=120665186412690&w=2
  yesterday. Looks like a good starting point because the
 pf.conf manpage
  doesn't say much about route-to and reply-to syntax.

 Try http://www.openbsd.org/faq/pf/pools.html#outgoing for an
 introduction, the syntax of route-to and reply-to is given in the
 BNF section at the bottom of pf.conf(5) - everyone writing PF
 configuration files should learn how to read this section.
 Everyone copying-and-pasting PF configs from samples really
 should too...

 You should also get acquainted with running tcpdump on different
 interfaces, including pflog0 (with the relevant log in PF rules),
 it's very useful when you need to debug PF and in particular any
 complicated NAT/route-to configuration.

  Does someone have a link for me how to set the correct routes and
  pf-rules? The symmetric line should be set as default route with a
  higher metric but the source ip should be the carp ip if used.

 You set the source address of outgoing packets with NAT rules.
 You direct packets out the relevant interface with route-to.
 And you direct return packets for an *incoming* connection
 with reply-to.

 Forget metrics/route priority for now, that won't help you direct
 packets out of one or other connection based on port number, you
 need PF rules to classify traffic if you want that.

  I think
  my biggest problem is carp, because I don't know how to set up pf
  corretly with carp in use. As you know pf uses the phisical
 interface,
  not the virtual interface, so I think I have to define the
 source ip,
  too?

 Where you have to define an interface, use the physical interface
 (vlan/trunk count as physical interface for this purpose).

 Where you have to specify an address, use whichever is correct for
 what you're trying to do, carp/physical/both.
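To make Stuart's three points concrete (NAT sets the source address, route-to picks the outgoing link, reply-to sends answers to an inbound connection back the way they came), here is a pf.conf fragment as an added example. It is not from the thread, from Stuart, or from the OpenBSD FAQ; it uses the 4.3-era grammar that the rules quoted above use (route-to/reply-to before the protocol, nat rules separate from filter rules; later releases, 4.7 onward, changed this). Every interface name, network and address is an assumption, as is the choice that the VPN daemon (isakmpd) binds to the CARP address of the symmetric line.

```pf
# Added example, not from the thread or from OpenBSD. OpenBSD 4.3 syntax.
# All names and addresses below are assumptions for illustration.
int_if   = "em0"
lan_net  = "192.168.10.0/24"
ext_if1  = "em2"               # towards the DSL router; carries the default route
ext_if2  = "em1"               # symmetric line, /29 transport net
ext_gw2  = "203.0.113.1"       # provider router on that /29
ext2_vip = "203.0.113.4"       # CARP address shared by both firewalls on em1
sync_if  = "em3"               # pfsync crossover link

# Source address of LAN traffic leaving each line. Interfaces are the
# physical ones, per the reply above; on the symmetric line the CARP
# address is the NAT source so the backup can take over without renumbering.
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> $ext2_vip

block log all
pass quick on lo0

# The cluster itself must keep working before anything else does.
pass quick on $sync_if proto pfsync
pass quick on { $int_if, $ext_if2 } proto carp

# LAN to the firewall itself: never route-to these.
pass in quick on $int_if from $lan_net to $int_if

# Classification: mail and https from the LAN are forced onto the
# symmetric line; everything else follows the routing table (DSL default
# route). The route-to gateway is the provider router, which both
# firewalls can reach, so the same ruleset loads on master and backup.
pass in on $int_if route-to ($ext_if2 $ext_gw2) \
    proto tcp from $lan_net to any port { 25, 443 }
pass in on $int_if from $lan_net to any
pass out on $ext_if1 from any to any
pass out on $ext_if2 from any to any

# Connections that arrive on the symmetric line (inbound mail, the VPN
# peers) must answer through its router, not via the DSL default route.
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) \
    proto tcp from any to $ext2_vip port 25
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) \
    proto udp from any to $ext2_vip port { 500, 4500 }
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) \
    proto esp from any to $ext2_vip

# Packets the firewall originates from the symmetric line's own address
# (isakmpd bound to $ext2_vip) would otherwise follow the default route
# out $ext_if1; pull them back onto the right wire. Last match wins.
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext2_vip to any
```

Check the grammar with `pfctl -nvf /etc/pf.conf` before loading, and debug the path a packet actually takes with `tcpdump -n -e -ttt -i pflog0` together with tcpdump on em1 and em2, as suggested above. Note what this does not do: failing over the classified traffic when one line is down. That is a routing-table and link-monitoring problem (ifstated(8) territory), not something pf's route-to decides on its own.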



Re: in-kernel pppoe problems

2008-06-14 Thread openbsd misc
Hello,

sorry, version 4.1 and 4.2. Thanks for your reply, I'll check that.

Regards
  Hagen Volpers

 -----Original Message-----
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 On Behalf Of Pierre Riteau
 Sent: Saturday, 14 June 2008 00:28
 To: misc(at)openbsd.org
 Cc: misc@openbsd.org
 Subject: Re: in-kernel pppoe problems

 On Fri, Jun 13, 2008 at 11:24:32PM +0200, misc(at)openbsd.org wrote:
  Hello,
 
  it looks like the in-kernel pppoe causes systems to hang up sometimes. I
  tested with two systems (completely different hardware) and two different
  dsl-modems (I'm from germany - standard tcom modems).
  Did someone else notice such problems?
 
  Here is my hostname.pppoe0:
  #cat /etc/hostname.pppoe0
  inet 0.0.0.0 255.255.255.255 NONE \
  pppoedev bge1 authproto pap \
  authname 'USERNAME' authkey 'PASSWORD' up
  dest 0.0.0.1
  !/sbin/route add default 0.0.0.1
 
  # cat /etc/hostname.bge1
  up
 
  Here is the output from the kernel panic:
 
  cached lines from terminal server:
  ddb{0} start of buffer
  13/6/2008 11:49:39pppoe0: LCP keepalive timeout
  13/6/2008 11:49:39kernel: page fault trap, code=0
  13/6/2008 11:49:41Stopped at  softclock+0x2d: movl
  %edx,0x4(%eax)
  13/6/2008 11:49:41ddb{0}
  13/6/2008 18:29:27ddb{0}
  end of buffer

 You don't provide information about which version of OpenBSD you are
 running. Anyway, this seems identical to PR 5794 which was fixed in
 -current on May 17.



Re: WPA in -current

2008-05-10 Thread openbsd misc
http://www.openbsd.org/plus.html

Enter wpa-psk(8), a tool to generate WPA-PSK keys from the ssid and
passphrase.

http://www.openbsd.org/cgi-bin/man.cgi?query=wpa-psk&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html


Regards
  Hagen Volpers


 -----Original Message-----
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 On Behalf Of Jonathan
 Sent: Sunday, 11 May 2008 06:04
 To: misc@openbsd.org
 Subject: WPA in -current

 OpenBSD 4.3-current (GENERIC) #853: Fri May  2 04:37:23 MDT 2008
 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC

 Hardware Info:

 ral0 at pci0 dev 9 function 0 Ralink RT2561S rev 0x00: irq 5,
 address 00:0e:2e:xx:xx:xx
 ral0: MAC/BBP RT2561C, RF RT2527

 # ifconfig ral0
 ral0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 lladdr 00:0e:2e:xx:xx:xx
 groups: wlan egress
 media: IEEE802.11 autoselect hostap (autoselect mode 11b hostap)
 status: active
 ieee80211: nwid obsd_wpa chan 8 bssid 00:0e:2e:xx:xx:xx wpapsk
 <not displayed> wpaprotos wpa1,wpa2 wpaakms psk,802.1x wpaciphers
 tkip,ccmp wpagroupcipher tkip 100dBm
 inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255

 /etc/hostname.ral0
 inet 192.168.1.1 255.255.255.0 NONE media autoselect \
 mediaopt hostap nwid obsd_wpa chan 8 \
 wpa wpapsk <not displayed>

 I have tried connect from a Mac running Leopard, but it is always
 saying Connection Timeout after input of the pass-phrase. I have
 tried to connect from a Windows XP box manually selecting WPA-PSK and
 tried both (TKIP and AES), but was still unable to connect. It does
 seem like it is getting connected, since it is saying acquiring
 network address, but it just cycles through acquiring network and not
 connected. I tried to look at the tcpdump but the packets it prints
 are all in hexadecimal.

 Jonathan



Re: Redirect traffic based on sub-domain?

2008-04-27 Thread openbsd misc
 -----Original Message-----
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 On Behalf Of Markus Bergkvist
 Sent: Sunday, 27 April 2008 23:45
 To: OpenBSD Misc
 Subject: Redirect traffic based on sub-domain?

 Hi,

 Is it possible to have PF redirecting traffic based on
 sub-domains? I.e.
 I want traffic to a.mydomain.nu to be redirected to machine 'a and
 traffic to b.mydomain.nu to be redirected to machine 'b'.'

 /Markus



Hi,

that's not possible because the DNS name is not transmitted. It's only used
for the IP lookup (HTTP is IMHO the only exception).

Regards
  Hagen Volpers



Re: soekris/pcenginges and RO mounting

2008-03-25 Thread openbsd misc
Hello,

I use flashdist:

http://www.nmedia.net/flashdist/

It's easy to use and easy to customize.

Regards
  Hagen Volpers


 -----Original Message-----
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 On Behalf Of Martin Marcher
 Sent: Sunday, 23 March 2008 15:18
 To: misc@openbsd.org
 Subject: soekris/pcenginges and RO mounting

 Hello,

 being relatively new to obsd I have the problem of finding
 the right doc parts.

 What I'm looking for are starting points to read about what to do when
 RO mounting the root fs (and all other parts) especially on CF-media.

 So my ultimate target would be to:

  * mount as much as possible RO
  * still have system logging available (nfs mounting, logserver,
 whatever suits best - any pointers welcome)
  * main concern is exhaustion of write cycles on CF media

 usage of the box will be a home router in the first place and probably
 expanding to a file server and pxe boot server with usb drives
 attached to it for storage.

 I am familiar with the general (linux) process of RO mounting partitions
 but I don't have any experience with CF cards and read that it's
 probably best to RO mount CF-media. Forgive me the missing/wrong
 terminology but I found just too much info/howtos with differing tips
 on whether to care about write cycles or not, or special needs to take
 care of with CF media.

 Hope it makes sense what I ask for

 thanks
 martin

 --
 http://tumblr.marcher.name
 https://twitter.com/MartinMarcher
 http://www.xing.com/profile/Martin_Marcher
 http://www.linkedin.com/in/martinmarcher

 You are not free to read this message,
 by doing so, you have violated my licence
 and are required to urinate publicly. Thank you.



Re: What is WPA status in OpenBSD

2008-03-12 Thread openbsd misc
Hello,

Is there a way to support as a non-developer? Unfortunately I'm not a developer
so I can't help with code, but if I can do something else let me know.

Regards
  Hagen Volpers


 -----Original Message-----
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 On Behalf Of Damien Bergamini
 Sent: Wednesday, 12 March 2008 19:49
 To: Dominik Zalewski
 Cc: misc@openbsd.org
 Subject: Re: What is WPA status in OpenBSD

 I still have plans to continue the WPA work in the near future.
 No estimated time of arrival though, especially as I tend to
 become lazy
 as I get older.

 Damien


 | Dear All,
 |
 | I would love to use OpenBSD on my laptop but the problems
 is that most of
 | my work places use WPA encrypted wireless networks
 |
 | So what is a status of WPA support in OpenBSD? I know that
 a lot of people
 | ask about this.
 |
 | Last cvs commit I found with some work done with WPA is
 from 2007/08/22
 |
 | http://marc.info/?l=openbsd-cvs&m=118781535213730&w=2
 |
 | No active work with WPA  in OpenBSD 4.3 or -current?
 |
 | P.S. I'm not waiting for a kind of reply like: WPA is bad - use VPN
 | tunnels ;)
 |
 | Thank you,
 |
 | -
 | Dominik Zalewski | System Administrator
 | OpenCraft
 | t- +2 02 3336 0003
 | w- http://www.open-craft.com



Re: Limit ssh bandwidth

2008-03-10 Thread openbsd misc
Hello,

perhaps this helps:

man scp:

 -l limit
 Limits the used bandwidth, specified in Kbit/s.

Regards
  Hagen Volpers

 -----Original Message-----
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 On behalf of Marc Rene Arns
 Sent: Monday, 10 March 2008 19:30
 To: misc@openbsd.org
 Subject: Limit ssh bandwidth

 Hi,

 for my client I have set up a mini sftp server (on Windows in their
 intranet), and on my webserver (FreeBSD) there is a cronjob looking for
 new files to load them via sftp/ssh to the webserver.

 Now we need to limit the bandwidth of the sftp uploads (ADSL).

 For several reasons it would be better if I could limit the traffic on
 the webserver side. I thought I would configure pf with altq to limit
 the bandwidth of the ssh client.


 
 Intranet   |   | Webserver
 sftpd   == ssh-client (cron)
 limited|   |  pf / altq
 upload bw   |   |
 |  | 

 Now the idea was to force the sftpd to use less bandwidth by limiting
 the bandwidth of the ssh client (via pf).

 As I read on http://www.openbsd.org/faq/pf/queueing.html, altq limits by
 dropping packets. So I am not sure if this would cause the sftpd to send
 fewer packets. I would even expect that the sftpd would send more packets
 to compensate for the lost ones and therefore use even more bandwidth.

 Or is it part of the ssh protocol to agree on a lower bandwidth based on
 the number of lost packets?

 Perhaps there is a way for the ssh client to tell the sftpd how much
 bandwidth to use?

 Is there a way to solve this without QoS on the sftpd side?

 Regards,
 Benny



Re: Regarding MTU values on 802.1q trunked physical interfaces (and more)

2008-03-06 Thread openbsd misc
 -----Original Message-----
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 On behalf of George Paschos
 Sent: Thursday, 6 March 2008 11:47
 To: misc@openbsd.org
 Subject: Regarding MTU values on 802.1q trunked physical
 interfaces (and more)

 Hello all,

 I am a bit confused regarding the MTU value of the physical ethernet
 interfaces when there are vlan child interfaces configured, in regard
 to avoiding unneeded fragmentation:

 ifconfig shows an MTU of 1500 for both the parent and the vlan
 interface. Should I increase the MTU of the physical parent interface
 by hand to accommodate the extra bytes for the vlan tags, or is this
 taken care of by the operating system somehow when you define a
 physical interface as parent to a vlan one?

 Also, as an extension to the previous question:
 When using IPsec tunnels under OpenBSD, is there a need to increase the
 physical interface's MTU to accommodate the IPsec overhead? And if yes,
 what would be that magic value from your experience?
 enc0 reports an MTU of 1536, which sounds logical, but that wouldn't
 prevent fragmentation if the interface that the IPsec traffic
 originates/terminates on is at 1500.
 Ofc regarding the above, the rest of the networking equipment between
 the IPsec endpoints (switches, routers, etc.) has been configured to
 handle the bigger MTU values correctly.

 Thanks in advance on any insight

 Regards,
 George



Hello,

AFAIK the VLAN overhead should be handled by your NIC (driver) - the MTU set
to 1500 is the packet size without (jumbo frame) extensions - my understanding
is that it is the same for IPsec - as long as the frame that should go
through the tunnel has a size <= 1500, fragmentation will not take place; the
IPsec interface itself needs the overhead (1536 - 1500) for the IPsec tunnel.
You see the difference because it's software, not NIC/driver ...

Correct me if I'm wrong ... ;)

Regards
  Hagen Volpers

P.S.: Sorry for my bad English ...
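
The two overheads George asks about behave differently, and the arithmetic is
worth seeing once. The following is an added example for this thread, not code
from any of the posters or from OpenBSD. The 802.1Q tag (4 bytes) sits in the
Ethernet frame header, outside the IP MTU: a 1500-byte IP packet still fits and
only the frame grows (1518 to 1522 bytes including FCS). ESP tunnel mode
(RFC 4303) wraps the whole inner IP packet in a new outer packet, so it does
consume path MTU. The ESP layout figures are from RFC 4303/4304/3948; the cipher
suites in SUITES are assumptions chosen to illustrate the calculation.

```python
"""
Added example (not from the thread, not OpenBSD code): how much an 802.1Q tag
and an ESP tunnel cost against a 1500-byte Ethernet MTU, and the largest
inner packet that crosses the tunnel without fragmenting.
"""

ETHERNET_MTU = 1500       # IP bytes carried by one untagged Ethernet frame
ETH_HEADER_FCS = 18       # 14-byte Ethernet header + 4-byte FCS
VLAN_TAG_BYTES = 4        # 802.1Q tag, inserted in the frame header (not the IP MTU)
IPV4_HEADER = 20          # outer IPv4 header, no options
ESP_SPI_SEQ = 8           # SPI (4) + sequence number (4), RFC 4303
ESP_TRAILER = 2           # pad length (1) + next header (1), RFC 4303
NAT_T_UDP = 8             # UDP encapsulation header (RFC 3948), if NAT-T is used

# Assumed suites for the example: name -> (IV bytes, cipher block size, ICV bytes)
SUITES = {
    "3des-cbc/hmac-sha1-96": (8, 8, 12),
    "aes-128-cbc/hmac-sha1-96": (16, 16, 12),
    "aes-128-cbc/hmac-sha2-256-128": (16, 16, 16),
}


def vlan_frame_size(ip_len, tagged):
    """Ethernet frame size (header + payload + FCS) for an IP packet of ip_len bytes."""
    return ETH_HEADER_FCS + (VLAN_TAG_BYTES if tagged else 0) + ip_len


def esp_tunnel_packet_size(inner_len, suite, nat_t=False):
    """Outer IPv4 packet size once an inner packet is ESP tunnel-encapsulated."""
    iv, block, icv = SUITES[suite]
    # Inner packet plus ESP trailer is padded up to a whole cipher block.
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    return IPV4_HEADER + (NAT_T_UDP if nat_t else 0) + ESP_SPI_SEQ + iv + padded + icv


def max_inner_packet(suite, outer_mtu=ETHERNET_MTU, nat_t=False):
    """Largest inner IP packet that fits the outer MTU without fragmentation.

    This is the value to clamp the tunnel-side MTU (or TCP MSS) to when the
    physical path between the IPsec endpoints stays at outer_mtu.
    """
    for inner in range(outer_mtu, 0, -1):   # size is monotonic, first fit wins
        if esp_tunnel_packet_size(inner, suite, nat_t) <= outer_mtu:
            return inner
    return 0


def fragments(inner_len, suite, outer_mtu=ETHERNET_MTU, nat_t=False):
    """True if an inner packet of inner_len bytes would fragment on the outer path."""
    return esp_tunnel_packet_size(inner_len, suite, nat_t) > outer_mtu


if __name__ == "__main__":
    print("untagged frame:", vlan_frame_size(ETHERNET_MTU, tagged=False))
    print("802.1Q frame:  ", vlan_frame_size(ETHERNET_MTU, tagged=True))
    for name in SUITES:
        print(f"{name:32s} max inner packet: {max_inner_packet(name)}")
    print("1500-byte packet through AES tunnel fragments:",
          fragments(1500, "aes-128-cbc/hmac-sha1-96"))
```

Raising the physical MTU on the endpoints only helps if every hop between them
really forwards the bigger frames; when it does not, or when ICMP "fragmentation
needed" is filtered somewhere, clamping the tunnel side to max_inner_packet (or
clamping TCP MSS on the tunnel traffic) is the safer change.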



Re: What is our ultimate goal??

2008-02-18 Thread openbsd misc
 -----Original Message-----
 From: David Higgs [mailto:[EMAIL PROTECTED]
 Sent: Sunday, 17 February 2008 16:54
 To: openbsd misc
 Cc: OpenBSD-Misc
 Subject: Re: What is our ultimate goal??

 On Feb 17, 2008 7:36 AM, openbsd misc [EMAIL PROTECTED] wrote:
   -----Original Message-----
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
   On behalf of Tony Abernethy
   Sent: Sunday, 17 February 2008 13:20
   To: 'Mayuresh Kathe'; 'OpenBSD-Misc'
   Subject: Re: What is our ultimate goal??
 
  
   Mayuresh Kathe wrote:
   
OpenBSD is an OS with amazing security and stability, but it has too
few modern features.
   
   H   related?
  
  
 
  E.g. wpa[2] is one of the features I miss because I want to use OpenBSD
  as Firewall / Access Point (SOHO customers)... VPN is not an option,
  because Windows clients need network at startup.

 If WPA2 is considered secure and widespread, it will likely be added
 to OpenBSD at some point.  Even more likely if it's been added to a
 relatively unmodified portion of NetBSD or FreeBSD.

 Is IPSEC an option for your SOHO customers?

 VPN could be an option, though it's definitely not as simple.  OpenVPN
 clients are available for both Windows and OS X.  You could distribute
 binaries and keys via USB drive or a local SSL-enabled webserver.
 There's been other discussions on-list about reducing your exposure to
 wireless sniffers.

 --david


Hello,

this is not an option for me. My customers don't have administration rights -
AFAIK you can't use OpenVPN without admin rights; the only solution is to run
OpenVPN as a service. Therefore I would need to configure OpenVPN to poll all
possible locations - I don't think that's the way it should go.
My POV is: there are two standards (I know that WPA isn't a real standard,
but AFAIK WPA2 is) to secure wireless LAN. It's the easiest configuration
because even a non-administrative user can configure it. I accept that there
are better or more secure ways, but I need a handy solution, too. Some
customers use the AP for their private PCs, too - I don't want to administer
every private device using wireless LAN, and my customers don't want 20 boxes
at home.
I'm not a developer, so I'm not able to do the task on my own - I asked if I
can help with hardware or something like that so the development will start
(or go on?), but it looks like none of the developers (currently) needs
wpa[1/2] :(

Regards
  Hagen Volpers



Re: Please explain this disk (?) error

2008-01-11 Thread eric-list-openbsd-misc
On Fri, 2008-01-11 at 16:05:49 +0100, jere proclaimed...

 I suddenly got this error (while surfing the web in default Gnome 
 session) on OpenBSD 4.2 release (patched up to patch_004, including it).
 
 Is it a disk error or something else ? Please help.
 

This is just a soft disk error; you may have problems with your hard disk in
the future, but if you're only seeing a small number, I wouldn't worry
much ... yet.

Dobar dan!

- Eric



Re: hardware problem?! strangely ssh error - SOLVED

2007-07-20 Thread openbsd misc
 -----Original Message-----
 From: Stuart Henderson [mailto:[EMAIL PROTECTED]
 Sent: Friday, 20 July 2007 01:22
 To: openbsd misc
 Subject: Re: hardware problem?! strangely ssh error

 On 2007/07/20 00:02, Stuart Henderson wrote:
  If there might be crypto hardware onboard, try sysctl kern.usercrypto=0

 The chip is detected as supporting AES, which gets used for ssh with
 default ciphers. Definitely try this sysctl (takes effect straight
 away) and if it helps please report back on misc@; if AES is detected
 incorrectly it would be useful to work out a way to identify and
 disable it.



Thanks a lot, that solved the problem.

Regards
  Hagen Volpers
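
What solved this thread was taking the CPU's AES engine out of the picture
(sysctl kern.usercrypto=0): an accelerator that is detected but computes wrong
results does not fail loudly, it quietly corrupts the ssh transport until the
peer rejects a packet. The check a practitioner wants before trusting any
hardware crypto is a known-answer test (KAT): encrypt a published test vector
with the engine and compare against the expected ciphertext. The block below is
an added example for this thread, not code from the posters or from OpenBSD. It
carries a compact reference AES-128 in pure Python, runs the FIPS-197 Appendix
C.1 vector through it, and shows that a constructed faulty engine
(`faulty_engine`, a stand-in for a miscomputing accelerator, not anything
observed on the VIA board) fails the same KAT.

```python
"""
Added example (not from the thread, not OpenBSD code): a known-answer test
for AES-128. An engine that miscomputes fails here at startup instead of
surfacing later as an ssh "Bad packet length" error.
"""

# FIPS-197 Appendix C.1 vector (published, fixed values)
KAT_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
KAT_PLAINTEXT = bytes.fromhex("00112233445566778899aabbccddeeff")
KAT_CIPHERTEXT = bytes.fromhex("69c4e0d86a7b0430d8cdb78070b4c55a")


def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def _build_sbox():
    """AES S-box: walk GF(2^8) with generator 3, track the inverse, apply the affine map."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q = (q ^ (q << 1)) & 0xFF                              # q /= 3 (q *= 0xf6)
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _build_sbox()


def _xtime(a):
    """Multiply by x (0x02) in GF(2^8) modulo the AES polynomial 0x11b."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a


def _expand_key(key):
    """AES-128 key schedule: 16-byte key -> eleven 16-byte round keys."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 0x01
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:                      # RotWord, SubWord, Rcon
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def _encrypt_block(round_keys, block):
    # State kept in input byte order: index = row + 4 * column.
    s = [b ^ k for b, k in zip(block, round_keys[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                              # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]   # ShiftRows
        if rnd != 10:                                        # MixColumns
            out = []
            for c in range(4):
                a = s[4 * c:4 * c + 4]
                x = [_xtime(v) for v in a]
                out += [x[0] ^ x[1] ^ a[1] ^ a[2] ^ a[3],
                        a[0] ^ x[1] ^ x[2] ^ a[2] ^ a[3],
                        a[0] ^ a[1] ^ x[2] ^ x[3] ^ a[3],
                        x[0] ^ a[0] ^ a[1] ^ a[2] ^ x[3]]
            s = out
        s = [b ^ k for b, k in zip(s, round_keys[rnd])]      # AddRoundKey
    return bytes(s)


def aes128_encrypt_block(key, block):
    """Reference software AES-128 encryption of one 16-byte block."""
    if len(key) != 16 or len(block) != 16:
        raise ValueError("AES-128 needs a 16-byte key and a 16-byte block")
    return _encrypt_block(_expand_key(key), block)


def known_answer_test(encrypt=aes128_encrypt_block):
    """True if `encrypt` reproduces the FIPS-197 C.1 ciphertext."""
    return encrypt(KAT_KEY, KAT_PLAINTEXT) == KAT_CIPHERTEXT


def faulty_engine(key, block):
    """Constructed stand-in for a miscomputing accelerator: one bit wrong."""
    out = bytearray(aes128_encrypt_block(key, block))
    out[0] ^= 0x01
    return bytes(out)


if __name__ == "__main__":
    print("software AES-128 KAT:", "pass" if known_answer_test() else "FAIL")
    print("faulty engine KAT:   ", "pass" if known_answer_test(faulty_engine) else "FAIL")
```

In a real system the `encrypt` argument would be the hardware path (the engine
the kernel or library is about to start using), and a KAT failure should
disable that path and log it; this is the same power-up self-test idea that
FIPS 140 validated modules are required to perform.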



Re: hardware problem?! strangely ssh error

2007-07-19 Thread openbsd misc
 On Thu, 19 Jul 2007, openbsd misc wrote:

  misc(at)openbsd.org wrote:
  Hello,
 
  I have a system with openbsd 4.1 installed. Everything works fine (lynx
  / ping / ...) but I'm not able to connect to another system via ssh. I'm
  not able to connect to the system either.
  The error I got:
 
  2: Bad packet length integer
 
  I googled a bit, but I wasn't able to find out what exactly is wrong.
  Here is the information from dmesg about the NICs:
 
  sis0 at pci0 dev 8 function 0 NS DP83815 10/100 rev 0x00, DP83816A:
  irq 11, address 00:02:b6:33:50:dd
 
  Btw, I'm talking about a fresh 4.1 installation, completely untouched.
 
  Has anyone an idea for me? Driver problem? Unsupported hardware? The
  hardware was checked twice by the producer (and I don't have the problems
  using Linux), so I don't think that it is a hardware defect.
 
  Thanks.
 
  Regards
    Hagen Volpers
 
 
  Have you tried:
 
  ssh -vvv host.to.connect.to
 
  That might give some clues.
 
  HTH
  Fred
  --
  http://www.crowsons.com/puters/x41.htm

 Hello,

 here are the last lines:

 debug1: SSH2_MSG_NEWKEYS sent
 debug1: expecting SSH2_MSG_NEWKEYS
 debug2: set_newkeys: mode 0
 debug1: SSH2_MSG_NEWKEYS received
 debug1: SSH2_MSG_SERVICE_REQUEST sent

 followed by the error mentioned in my first mail.

 Does that help? Do you need more information?

 Regards
   Hagen Volpers

 Try to determine where the error occurs. For example: is this a network
 driver issue? To find out, put another type of network card into the
 machine and try to use ssh over it.

 Another test would be to connect to another machine (running a
 different version of sshd?), to test if this is an ssh protocol problem
 on the local or remote side.

 Can you ssh INTO the machine?

 Make notes of what works and what not, etc.  Try to be smart and rule
 out possible causes; this enables you to zoom in on the real problem.


   -Otto

Hello,

unfortunately I'm not able to test another NIC; the system doesn't have
a PCI slot (we are talking about an all-in-one board - e.g.
http://www.visionsystems.de/1_2_5_4.html). I already did all the other
tests you mentioned, except changing the ssh protocol - lynx / ping
work, ssh from the machine to different machines doesn't work (I can
connect from other systems without any problem), and ssh to the machine
doesn't work either.

Any other ideas?

Regards
  Hagen Volpers



Re: hardware problem?! strangely ssh error

2007-07-19 Thread openbsd misc
Hello,

putting that one back to the list, it's not silly ;-)

I tried ssh [EMAIL PROTECTED] - same result.

So the NIC isn't the problem ... I looked into dmesg again; the BIOS is
mentioned as AT/286+ there?! Is that normal?

Btw, the IP address is unique ;-)

Are there known bugs on VIA CPUs? Which information do I need to provide?
(dmesg is hard, I have to write it up, but if that helps, let me know and I'll
do it).

Regards
  Hagen Volpers

-----Original Message-----
From: Maxim Belooussov [mailto:[EMAIL PROTECTED]
Sent: Thursday, 19 July 2007 21:38
To: openbsd misc
Subject: Re: hardware problem?! strangely ssh error

Hi Hagen,

Doing this off the list in case I sound too silly.

For starters, have you tried to ssh [EMAIL PROTECTED]? This would give a
clue where the problem could be.

Further, make sure that there is no machine with the same IP on your
net - I've seen before that some connections were 'dying' all of a
sudden when another (Linux) box with the same IP was closing 'illegal'
connections.

Hope it helps,

Maxim


  On Thu, 19 Jul 2007, openbsd misc wrote:

   misc(at)openbsd.org wrote:
   Hello,
  
   I have a system with openbsd 4.1 installed. Everything works fine (lynx
   / ping / ...) but I'm not able to connect to another system via ssh. I'm
   not able to connect to the system either.
   The error I got:
  
   2: Bad packet length integer
  
   I googled a bit, but I wasn't able to find out what exactly is wrong.
   Here is the information from dmesg about the NICs:
  
   sis0 at pci0 dev 8 function 0 NS DP83815 10/100 rev 0x00, DP83816A:
   irq 11, address 00:02:b6:33:50:dd
  
   Btw, I'm talking about a fresh 4.1 installation, completely untouched.
  
   Has anyone an idea for me? Driver problem? Unsupported hardware? The
   hardware was checked twice by the producer (and I don't have the problems
   using Linux), so I don't think that it is a hardware defect.
  
   Thanks.
  
   Regards
     Hagen Volpers
  
  
   Have you tried:
  
   ssh -vvv host.to.connect.to
  
   That might give some clues.
  
   HTH
   Fred
   --
   http://www.crowsons.com/puters/x41.htm
 
  Hello,
 
  here are the last lines:
 
  debug1: SSH2_MSG_NEWKEYS sent
  debug1: expecting SSH2_MSG_NEWKEYS
  debug2: set_newkeys: mode 0
  debug1: SSH2_MSG_NEWKEYS received
  debug1: SSH2_MSG_SERVICE_REQUEST sent
 
  followed by the error mentioned in my first mail.
 
  Does that help? Do you need more information?
 
  Regards
    Hagen Volpers
 
  Try to determine where the error occurs. For example: is this a network
  driver issue? To find out, put another type of network card into the
  machine and try to use ssh over it.
 
  Another test would be to connect to another machine (running a
  different version of sshd?), to test if this is an ssh protocol problem
  on the local or remote side.
 
  Can you ssh INTO the machine?
 
  Make notes of what works and what not, etc.  Try to be smart and rule
  out possible causes; this enables you to zoom in on the real problem.

  
    -Otto

 Hello,

 unfortunately I'm not able to test another NIC; the system doesn't have
 a PCI slot (we are talking about an all-in-one board - e.g.
 http://www.visionsystems.de/1_2_5_4.html). I already did all the other
 tests you mentioned, except changing the ssh protocol - lynx / ping
 work, ssh from the machine to different machines doesn't work (I can
 connect from other systems without any problem), and ssh to the machine
 doesn't work either.

 Any other ideas?

 Regards
   Hagen Volpers



Re: hardware problem?! strangely ssh error

2007-07-19 Thread openbsd misc
 HID v1.00 Mouse [USBPS2] on usb-:00:07.2-2
usbcore: registered new interface driver usbhid
drivers/usb/input/hid-core.c: v2.6:USB HID core driver
sl811: driver sl811-hcd, 19 May 2005
ieee1394: Initialized config rom entry `ip1394'
ieee1394: sbp2: Driver forced to serialize I/O (serialize_io=1)
ieee1394: sbp2: Try serialize_io=0 for better performance
libata version 2.00 loaded.
device-mapper: ioctl: 4.10.0-ioctl (2006-09-14) initialised:
[EMAIL PROTECTED]
md: raid0 personality registered for level 0
md: raid1 personality registered for level 1
md: raid10 personality registered for level 10
JFS: nTxBlock = 3966, nTxLock = 31734
Intel(R) PRO/1000 Network Driver - version 7.2.9-k4
Copyright (c) 1999-2006 Intel Corporation.
scsi 0:0:0:0: CD-ROMIOMEGA   CDRW86522EXT3-B  QOP3 PQ: 0 ANSI: 0
sr0: scsi3-mmc drive: 40x/40x writer cd/rw xa/form2 cdda tray
Uniform CD-ROM driver Revision: 3.20
sr 0:0:0:0: Attached scsi CD-ROM sr0
usb-storage: device scan complete
ISO 9660 Extensions: Microsoft Joliet Level 3
Unable to load NLS charset iso8859-1
Unable to load NLS charset iso8859-1
ISO 9660 Extensions: RRIP_1991A
Real Time Clock Driver v1.12ac
natsemi dp8381x driver, version 2.1, Sept 11, 2006
  originally by Donald Becker [EMAIL PROTECTED]
  http://www.scyld.com/network/natsemi.html
  2.4.x kernel port by Jeff Garzik, Tjeerd Mulder
PCI: setting IRQ 11 as level-triggered
PCI: Found IRQ 11 for device :00:08.0
natsemi eth0: NatSemi DP8381[56] at 0xd000 (:00:08.0),
00:02:b6:33:50:dd, IRQ 11, port TP.
PCI: setting IRQ 12 as level-triggered
PCI: Found IRQ 12 for device :00:09.0
natsemi eth1: NatSemi DP8381[56] at 0xdfffe000 (:00:09.0),
00:02:b6:33:50:de, IRQ 12, port TP.
PCI: setting IRQ 9 as level-triggered
PCI: Found IRQ 9 for device :00:0a.0
natsemi eth2: NatSemi DP8381[56] at 0xdfffd000 (:00:0a.0),
00:02:b6:33:50:df, IRQ 9, port TP.
PCI: Found IRQ 10 for device :00:0b.0
PCI: Sharing IRQ 10 with :00:07.2
natsemi eth3: NatSemi DP8381[56] at 0xdfffc000 (:00:0b.0),
00:02:b6:33:50:e0, IRQ 10, port TP.
natsemi dp8381x driver, version 2.1, Sept 11, 2006
  originally by Donald Becker [EMAIL PROTECTED]
  http://www.scyld.com/network/natsemi.html
  2.4.x kernel port by Jeff Garzik, Tjeerd Mulder
natsemi eth0: NatSemi DP8381[56] at 0xd000 (:00:08.0),
00:02:b6:33:50:dd, IRQ 11, port TP.
natsemi eth1: NatSemi DP8381[56] at 0xdfffe000 (:00:09.0),
00:02:b6:33:50:de, IRQ 12, port TP.
natsemi eth2: NatSemi DP8381[56] at 0xdfffd000 (:00:0a.0),
00:02:b6:33:50:df, IRQ 9, port TP.
natsemi eth3: NatSemi DP8381[56] at 0xdfffc000 (:00:0b.0),
00:02:b6:33:50:e0, IRQ 10, port TP.
sr 0:0:0:0: Attached scsi generic sg0 type 5
eth1: DSPCFG accepted after 0 usec.
eth3: DSPCFG accepted after 0 usec.
eth2: DSPCFG accepted after 0 usec.
eth0: DSPCFG accepted after 0 usec.
eth0: link up.
eth0: Setting full-duplex based on negotiated link capability.
eth3: remaining active for wake-on-lan
eth1: remaining active for wake-on-lan
eth0: remaining active for wake-on-lan
fbsplash: console 0 using theme 'livecd-2006.1'
eth2: remaining active for wake-on-lan
fbsplash: switched splash state to 'on' on console 0
eth2: DSPCFG accepted after 0 usec.
eth0: DSPCFG accepted after 0 usec.
eth0: link up.
eth0: Setting full-duplex based on negotiated link capability.
eth3: DSPCFG accepted after 0 usec.
eth1: DSPCFG accepted after 0 usec.

Regards
  Hagen Volpers


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of
openbsd misc
Sent: Thursday, 19 July 2007 22:19
To: misc@openbsd.org
Cc: Maxim Belooussov
Subject: Re: hardware problem?! strangely ssh error

Hello,

putting that one back to the list, it's not silly ;-)

I tried ssh [EMAIL PROTECTED] - same result.

So the NIC isn't the problem ... I looked into dmesg again; the BIOS is
mentioned as AT/286+ there?! Is that normal?

Btw, the IP address is unique ;-)

Are there known bugs on VIA CPUs? Which information do I need to provide?
(dmesg is hard, I have to write it up, but if that helps, let me know and
I'll do it).

Regards
  Hagen Volpers

-----Original Message-----
From: Maxim Belooussov [mailto:[EMAIL PROTECTED]
Sent: Thursday, 19 July 2007 21:38
To: openbsd misc
Subject: Re: hardware problem?! strangely ssh error

Hi Hagen,

Doing this off the list in case I sound too silly.

For starters, have you tried to ssh [EMAIL PROTECTED]? This would give a
clue where the problem could be.

Further, make sure that there is no machine with the same IP on your
net - I've seen before that some connections were 'dying' all of a
sudden when another (Linux) box with the same IP was closing 'illegal'
connections.

Hope it helps,

Maxim


  On Thu, 19 Jul 2007, openbsd misc wrote:

   misc(at)openbsd.org wrote:
   Hello,
  
   I have a system with openbsd 4.1 installed. Everything works fine (lynx
   / ping / ...) but I'm not able to connect to another system via ssh. I'm
   not able to connect

Re: hardware problem?! strangely ssh error

2007-07-19 Thread openbsd misc
 openbsd misc wrote:
 Hello again,

 I tested the gentoo live cd. I was able to ssh to another machine, so I
 was able to get a complete (linux) dmesg output. Hope that helps:

 [...]

 Regards
   Hagen Volpers


 -----Original Message-----
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of
 openbsd misc
 Sent: Thursday, 19 July 2007 22:19
 To: misc@openbsd.org
 Cc: Maxim Belooussov
 Subject: Re: hardware problem?! strangely ssh error

 Hello,

 putting that one back to the list, it's not silly ;-)

 I tried ssh [EMAIL PROTECTED] - same result.

 So the NIC isn't the problem ... I looked into dmesg again; the BIOS is
 mentioned as AT/286+ there?! Is that normal?

 Btw, the IP address is unique ;-)

 Are there known bugs on VIA CPUs? Which information do I need to
 provide? (dmesg is hard, I have to write it up, but if that helps, let
 me know and I'll do it).

 Regards
   Hagen Volpers

 Can you ftp the dmesg out?

 My answer to all dodgy hardware at the moment is enable acpi via boot -c

 HTH
 --
 http://www.crowsons.com/puters/x41.htm


Hello,

acpi0 was disabled, but enabling it doesn't make any difference. Here is
the OpenBSD dmesg output (after enabling acpi using config - forgot the
good old apache, easier than setting up an ftp server on another machine
;-)):

OpenBSD 4.1 (GENERIC) #1435: Sat Mar 10 19:07:45 MST 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: VIA Nehemiah (CentaurHauls 686-class) 1 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,CX8,SEP,MTRR,PGE,CMOV,PAT,MMX,FXSR,SSE
cpu0: RNG AES
real mem  = 528052224 (515676K)
avail mem = 474099712 (462988K)
using 4278 buffers containing 26525696 bytes (25904K) of memory
User Kernel Config
UKC find acpi0
386 acpi0 at mainbus0 bus -1 flags 0x0
UKC quit
Continuing...
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 11/27/03, BIOS32 rev. 0 @ 0xfdb30,
SMBIOS rev. 2.3 @ 0xf0630 (24 entries)
bios0: American Megatrends Inc. Uknown
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf8920/192 (10 entries)
pcibios0: PCI Interrupt Router at 000:07:0 (VIA VT82C686 ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0xc000 0xcc000/0x1000 0xcd000/0x1000
0xce000/0x1000 0xcf000/0x1000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 VIA VT8601 PCI rev 0x05
ppb0 at pci0 dev 1 function 0 VIA VT82C601 AGP rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 Trident CyberBlade i1 rev 0x6a
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 7 function 0 VIA VT82C686 ISA rev 0x40
pciide0 at pci0 dev 7 function 1 VIA VT82C571 IDE rev 0x06: ATA100,
channel 0 configured to compatibility, channel 1 configured to
compatibility
wd0 at pciide0 channel 0 drive 0: Maxtor 6E040L0
wd0: 16-sector PIO, LBA, 39205MB, 80293248 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
pciide0: channel 1 disabled (no drives)
uhci0 at pci0 dev 7 function 2 VIA VT83C572 USB rev 0x1a: irq 10
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
viaenv0 at pci0 dev 7 function 4 VIA VT82C686 SMBus rev 0x40
sis0 at pci0 dev 8 function 0 NS DP83815 10/100 rev 0x00, DP83816A:
irq 11, address 00:02:b6:33:50:dd
nsphyter0 at sis0 phy 0: DP83815 10/100 PHY, rev. 1
sis1 at pci0 dev 9 function 0 NS DP83815 10/100 rev 0x00, DP83816A:
irq 12, address 00:02:b6:33:50:de
nsphyter1 at sis1 phy 0: DP83815 10/100 PHY, rev. 1
sis2 at pci0 dev 10 function 0 NS DP83815 10/100 rev 0x00, DP83816A:
irq 9, address 00:02:b6:33:50:df
nsphyter2 at sis2 phy 0: DP83815 10/100 PHY, rev. 1
sis3 at pci0 dev 11 function 0 NS DP83815 10/100 rev 0x00, DP83816A:
irq 10, address 00:02:b6:33:50:e0
nsphyter3 at sis3 phy 0: DP83815 10/100 PHY, rev. 1
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
biomask e5e5 netmask ffe5 ttymask ffe7
pctr: user-level cycle counter enabled
uhidev0 at uhub0 port 2 configuration 1 interface 0
uhidev0: Tangtop USBPS2, rev 1.10/0.01, addr 2, iclass 3/1
ukbd0 at uhidev0: 8 modifier keys, 6 key codes
wskbd1 at ukbd0 mux 1
wskbd1: connecting to wsdisplay0
uhidev1 at uhub0 port 2 configuration 1 interface 1
uhidev1: Tangtop USBPS2, rev 1.10/0.01, addr 2, iclass 3/1
uhidev1: 3 report ids
ums0 at uhidev1 reportid 1: 5 buttons and Z dir.
wsmouse0 at ums0 mux 0
uhid0 at uhidev1 reportid 2: input=2, output=0, feature=0
uhid1 at uhidev1 reportid 3: input=1, output=0, feature=0

Re: hardware problem?! strangely ssh error

2007-07-18 Thread openbsd misc
 misc(at)openbsd.org wrote:
 Hello,

 I have a system with openbsd 4.1 installed. Everything works fine (lynx
 / ping / ...) but I'm not able to connect to another system via ssh. I'm
 not able to connect to the system either.
 The error I got:

 2: Bad packet length integer

 I googled a bit, but I wasn't able to find out what exactly is wrong.
 Here is the information from dmesg about the NICs:

 sis0 at pci0 dev 8 function 0 NS DP83815 10/100 rev 0x00, DP83816A:
 irq 11, address 00:02:b6:33:50:dd

 Btw, I'm talking about a fresh 4.1 installation, completely untouched.

 Has anyone an idea for me? Driver problem? Unsupported hardware? The
 hardware was checked twice by the producer (and I don't have the problems
 using Linux), so I don't think that it is a hardware defect.

 Thanks.

 Regards
   Hagen Volpers


 Have you tried:

 ssh -vvv host.to.connect.to

 That might give some clues.

 HTH
 Fred
 --
 http://www.crowsons.com/puters/x41.htm

Hello,

here are the last lines:

debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent

followed by the error mentioned in my first mail.

Does that help? Do you need more information?

Regards
  Hagen Volpers



Re: pxeboot hanging on WRAP board

2007-06-22 Thread openbsd misc
 On 2007/06/22 12:15, Heinrich Rebehn wrote:
 Stuart Henderson wrote:
 On 2007/06/22 09:59, Heinrich Rebehn wrote:
 i am trying to get my new WRAP board to boot via pxe. pxeboot loads fine
 but seems to stall at the point where memory should be probed.
 enable the serial console in $TFTPROOT/etc/boot.conf.

 I tried that, but the WRAP does not even try to access etc/boot.conf at
 this time (according to tcpdump(1) on the server). Also, pxeboot hangs in
 the middle of the probing:... line.

 Try a new etherboot from rom-o-matic.net then, you'll need to piece
 it together with the files from wbios11.zip on pcengines.ch and xmodem
 it across. You'll need to use the options detailed in README.TXT in
 rom-o-matic (they're in a different order to listed now, the console
 ones are at the bottom of the web page).

 I have successfully booted pxeboot from 4.1 on a WRAP.1E with
 Etherboot 5.4.3

Correct, check this thread; it should answer all questions (I think
German isn't a problem, right ;-)):

http://www.bsdforen.de/archive/index.php/t-15259.html

Regards
  Hagen Volpers



Re: WRAP stalling at kernel entry point via pxeboot/tftp

2007-06-07 Thread openbsd misc
Hello,

your boot.conf should look like this:

set tty com0
stty com0 38400
set timeout 5

Last time I booted WRAP via PXE was 3.9, but this should work.


Regards
  Hagen Volpers

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of
mgb
Sent: Thursday, 7 June 2007 12:51
To: misc@openbsd.org
Subject: WRAP stalling at kernel entry point via pxeboot/tftp

List,

I am attempting to get pxeboot working on a WRAP board with openbsd 4.1
generic however the loading of either kernel, bsd or bsd.rd, is stalling.

I've searched around the archives and have taken the steps mentioned here:

http://marc.info/?l=openbsd-miscm=117978591113386w=2

I have updated the BIOS on the wrap board with a PXE.BIN downloaded from
rom-o-matic.net which uses etherboot 5.4.3 and the NIC type natsemi:dp83815.

below is the output from the wrap board:

PC Engines WRAP.2B/2C v1.11
640 KB Base Memory
130048 KB Extended Memory

01F0 - no drive found !
ROM segment 0xe000 length 0x8000 reloc 0x
Etherboot 5.4.3 (GPL) http://etherboot.org
Drivers: NATSEMI   Images: NBI ELF Multiboot a.out PXE   Exports: PXE
Protocols: DHCP TFTP
Relocating _text from: [0008bb80,0009fd90) to [07eebdf0,07f0)
Boot from (N)etwork (D)isk or (Q)uit? N

Probing pci nic...
[dp83815]
natsemi_probe: MAC addr 00:0D:B9:04:47:F8 at ioaddr 0X1000
natsemi_probe: Vendor:0X100B Device:0X0020
dp83815: Transceiver default autoneg. enabled, advertise 100 full duplex.
dp83815: Transceiver status 7869 advertising 05E1
dp83815: Setting full-duplex based on negotiated link capability.
Searching for server (DHCP).
Me: 192.168.1.200, DHCP: 192.168.1.1, TFTP: 192.168.1.1, Gateway 192.168.1.1
Loading 192.168.1.1:pxeboot ...(PXE)done
probing: pc0 com0 pci pxe![2.1] mem[640K 125M a20=on]
disk:
net: mac 00:0d:b9:04:47:f8, ip 192.168.1.200, server 192.168.1.1
  OpenBSD/i386 PXEBOOT 1.11
boot bsd1.rd
booting tftp:bsd.rd: 4679892+742564 [52+169536+154918]=0x57b288
dp83815: Setting full-duplex based on negotiated link capability.
entry point at 0x200120

the loading stalls at this point, tcpdump shows the following:

11:48:27.321421 IP 192.168.1.1.32831 > 192.168.1.200.2905: UDP, length 222
[EMAIL 
PROTECTED]@.U..?.Y..0.nchrdev.ex_ca.ieee80211_merge_print_intvl.mf
i_get_info.ep_eisa_ca.ath_power.aue_cd.cac_shutdown.piix_pci_icu.re_pci_devic
es.af2rtafidx.pciide_ca.fddprint.natsemi_pci_intr.rtw_ioctl.pciide_chansetup.
qsphy_ca.shmmaxpgs.
11:48:28.319634 IP 192.168.1.1.32831 > 192.168.1.200.2905: UDP, length 222
[EMAIL 
PROTECTED]@.U..?.Y..0.nchrdev.ex_ca.ieee80211_merge_print_intvl.mf
i_get_info.ep_eisa_ca.ath_power.aue_cd.cac_shutdown.piix_pci_icu.re_pci_devic
es.af2rtafidx.pciide_ca.fddprint.natsemi_pci_intr.rtw_ioctl.pciide_chansetup.
qsphy_ca.shmmaxpgs.
11:48:30.319653 IP 192.168.1.1.32831 > 192.168.1.200.2905: UDP, length 222
[EMAIL 
PROTECTED]@.U..?.Y..0.nchrdev.ex_ca.ieee80211_merge_print_intvl.mf
i_get_info.ep_eisa_ca.ath_power.aue_cd.cac_shutdown.piix_pci_icu.re_pci_devic
es.af2rtafidx.pciide_ca.fddprint.natsemi_pci_intr.rtw_ioctl.pciide_chansetup.
qsphy_ca.shmmaxpgs.
11:48:34.319901 IP 192.168.1.1.32831 > 192.168.1.200.2905: UDP, length 222
[EMAIL 
PROTECTED]@.U..?.Y..0.nchrdev.ex_ca.ieee80211_merge_print_intvl.mf
i_get_info.ep_eisa_ca.ath_power.aue_cd.cac_shutdown.piix_pci_icu.re_pci_devic
es.af2rtafidx.pciide_ca.fddprint.natsemi_pci_intr.rtw_ioctl.pciide_chansetup.
qsphy_ca.shmmaxpgs.
11:48:42.320416 IP 192.168.1.1.32831 > 192.168.1.200.2905: UDP, length 222
[EMAIL 
PROTECTED]@.U..?.Y..0.nchrdev.ex_ca.ieee80211_merge_print_intvl.mf
i_get_info.ep_eisa_ca.ath_power.aue_cd.cac_shutdown.piix_pci_icu.re_pci_devic
es.af2rtafidx.pciide_ca.fddprint.natsemi_pci_intr.rtw_ioctl.pciide_chansetup.
qsphy_ca.shmmaxpgs.
11:48:47.320663 arp who-has 192.168.1.200 tell 192.168.1.1
..Ze
11:48:48.320728 arp who-has 192.168.1.200 tell 192.168.1.1
..Ze
11:48:49.320787 arp who-has 192.168.1.200 tell 192.168.1.1
..Ze
11:48:58.325352 arp who-has 192.168.1.200 tell 192.168.1.1
..Ze
11:48:59.325417 arp who-has 192.168.1.200 tell 192.168.1.1
..Ze
11:49:00.325480 arp who-has 192.168.1.200 tell 192.168.1.1

I have used a boot.conf which contains this:

set tty pc0

I have tried com0 and the output freezes whilst I type bsd.rd

Many thanks for your time



Re: Embedded system - which ?

2007-06-01 Thread openbsd misc
Hello,

have a look at www.visionsystems.de

I bought some systems there and everything is working fine. It's a German
company, but I don't think that this is a problem; only shipping might be
expensive.

Regards
  Hagen Volpers


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Uwe
Dippel
Sent: Friday, 1 June 2007 16:56
To: misc@openbsd.org
Subject: Embedded system - which ?

2 questions:

First, we are looking for an embedded system (that is, inclusive casing),
that works with OpenBSD.
Low power, fanless, booting from CF (4GB).
It needs to have a 'full' COM-port (RTS, CTS, DSR, DTR) aside of the serial
console, a full PCI-slot, USB, 1 NIC.
Soekris doesn't fit; neither do the current Infotek offers (though we will
try a sample of the latter).
Any recommendations ?

Secondly, we contacted quite a lot of manufacturers. One promising brand:
Devon. But their answer was quite horrible:
"Our units should run OpenBSD but we do not have any experience using it.
Also, the warranty would be invalid if you install the other OS."
Does anyone have a nice template to write to them, and tell them that it
would be to their advantage if they worked with us, instead of threatening
me? If I write one myself, I am afraid I might come across as rude and
arrogant.
Anyone with diplomatic abilities? Their gear sounds interesting: actually,
something like "IT - Server-Based Computing for the Modern Business" NTA 6030A
is slightly below Soekris, price-wise, for us. 1GHz Eden; could be more than
enough for a great OpenBSD server/workstation.

Uwe



Re: Problem using flashboot (openBSD based), can't get it to boot

2007-05-30 Thread openbsd misc
Hello,

 Boudewijn Ector wrote:
 Boudewijn Ector wrote:
 The ; at the end here means that the WRAP BIOS said it could not do
 LBA reads, so biosboot fell back to CHS reads.


 No O/S


 And since you installed on a different machine, the geometry was
 almost certainly different, so the operating system wouldn't be at
 the same place (cylinder/head/sector), hence it's not found.

 No idea how you can fix it, though.

 Tom


 Thanks anyway, it's a clue at least.
 Maybe some of the gurus here know it?

 Okay, I assume I need to set LBA in bios, and change the CHS settings of
 the microdrive.
 This can be done using fdisk, but how to determine the correct values?

 At second, someone attended me on the fact that I'm creating the image
 using a USB-based cardreader (thus scsi like) and running it as an IDE
 device (at Linux, hda) on my board.
 different kind of bootsection? Can someone confirm this?

 google for WRAP, flashboot, and PXE.

 the 'easiest' way to install is to use the WRAP's own bios & a bsd.rd to
 get enough stuff up & running to download the .gz image over FTP & write
 directly onto the card.

 i've done this on a soekris easily, wrap should be similar.

 i'll look for some link-rotted urls later & if i can find them, email
 offlist

 a+
 scorch

It's not easy because of a BIOS bug. You first have to update the BIOS.
I wrote a small howto in a forum thread:

http://www.bsdforen.de/archive/index.php/t-15259.html

It's German, let me know if you need an English translation.

For the geometry question: did you miss the reply I wrote yesterday?

Regards
  Hagen Volpers



Re: Problem using flashboot (openBSD based), can't get it to boot

2007-05-29 Thread openbsd misc
Hello,

I'm not a guru, but I'm working with openbsd and wrap systems for one
year ... ;-)

 The ; at the end here means that the WRAP BIOS said it could not do
 LBA reads, so biosboot fell back to CHS reads.


 No O/S


 And since you installed on a different machine, the geometry was
 almost certainly different, so the operating system wouldn't be at
 the same place (cylinder/head/sector), hence it's not found.

 No idea how you can fix it, though.

 Tom


 Thanks anyway, it's a clue at least.
 Maybe some of the gurus here know it?

You can set the bios to lba mode (press s during mem-test to access
bios). Btw, openbsd is the only OS having that problem ... LBA mode on
wrap systems means fix geometry (C/H/S x/32/63 - while the cylinder
count defines the size), so you can use fdisk with the geometry
parameters to configure your cf correctly.

I have another problem with openbsd 4.1 and wrap systems. I create an
image using flashdist and the wrapper script (incl. some modification,
but that should make any difference). For openbsd 4.0 everything works
fine, but doesn't for openbsd 4.1. I think the problem is related to the
geometry problem described above. To create an image I defined C/H/S to
118/32/63 (none of the systems I have has less than 128MB) for fdisk and
disklabel. First time I created an image file that worked fine until
vnconfig -u. After attaching the image again (vnconfig -c) I wasn't able
to mount the partitions. The geometry was completely different. So I
added the -i option to fdisk and the -r option to disklabel. Afterwards I
was able to mount everything again after detaching/attaching the image
file.
After writing the image to a cf card everything works fine on openbsd
4.1.

Now here is the problem: The boot loader is not able to access the cf:

disk: hd0*
>> OpenBSD/i386 BOOT 2.13
open(hd0a:/etc/boot.conf): Invalid argument
boot> ls
stat(hd0a:/.): Invalid argument
boot> machine diskinfo
Disk  BIOS#  Type   Cyls  Heads  Secs  Flags  Checksum
hd0   0x80   label  126   32     63    0x0    0xd8c3c6b3

I think that fdisk is the problem. disklabel runs after fdisk, but
disklabel defines the geometry (geometry options are set for fdisk but
it looks like they are ignored?!) - remember the -r option - I don't
know what fdisk exactly does (perhaps telling the boot-loader something
about the geometry during setup?!).

I hope someone has an answer or can give hints. The behavior shows a
difference between openbsd 4.0-release and openbsd 4.1-stable, but I
wasn't able to find anything in the changelog that could explain the
behavior and, more importantly, how to fix it.

I hope my English isn't too bad, please let me know if something isn't
clear ...

Regards
  Hagen Volpers



Re: sshd.config and AllowUsers

2007-03-26 Thread openbsd misc
Hello,

everything is commented because these are the default settings. If you want to
change a setting you'll have to uncomment and change it.


Regards
  Hagen Volpers

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of
Jerome Santos
Sent: Monday, 26 March 2007 19:33
To: misc@openbsd.org
Subject: sshd.config and AllowUsers

I have a few separate users on my server, one user for which I want to
disallow ssh login. Now I've read the man page for sshd and I've read a lot
of the documentation on this, but I'm still not clear on one point. By
default, /etc/ssh/sshd.config shows all entries are commented out. I want to
add something like this:

AllowUsers user1, user2, user3

I added that in but also with a # in front like all the other entries. Now
I find that I can still ssh to the box with a user acct that I didn't
include in the entry. Should it be in there without the #? And if so, do I
also then have to uncomment all the other entries?

Thanks
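As an added example (not code from the thread), a small Python checker that applies the point above: a commented-out line is only a displayed default, so the directive has no effect until the # is removed. It then models how sshd evaluates DenyUsers and AllowUsers (DenyUsers first, list directives accumulating across lines, whitespace-separated patterns with an optional user@host form); group directives and Match blocks are left out, and the sample configs are constructed.

```python
"""Evaluate sshd_config AllowUsers/DenyUsers the way sshd applies them.

Added example, not code from the thread. Assumptions, taken from
sshd_config(5): a line beginning with '#' is a comment (the shipped file
lists the defaults that way, so a commented AllowUsers does nothing);
DenyUsers is checked before AllowUsers; both take patterns separated by
whitespace, not commas, with '*' and '?' wildcards and an optional user@host
form. Group directives and Match blocks are not modelled.
"""
import fnmatch
import re

LIST_KEYWORDS = ("allowusers", "denyusers")

# Constructed samples: the poster's line, commented out like the defaults,
# and an active configuration for comparison.
SAMPLE_COMMENTED = """\
#Port 22
#AllowUsers user1, user2, user3
#PermitRootLogin yes
"""

SAMPLE_ACTIVE = """\
#Port 22
DenyUsers baduser
AllowUsers user1 user2 user3 admin@192.168.1.*
"""


def parse_sshd_config(text):
    """Return {keyword: value}. Comments and blanks are ignored; AllowUsers
    and DenyUsers accumulate their patterns across lines, every other keyword
    keeps the first value seen (sshd's rule for most options)."""
    config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented directive is a displayed default, nothing more
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key in LIST_KEYWORDS:
            config[key] = config.get(key, []) + value.split()
        else:
            config.setdefault(key, value)
    return config


def _matches(pattern, user, host):
    """Match one user pattern; 'user@host' restricts the source host too."""
    if "@" in pattern:
        user_pat, host_pat = pattern.split("@", 1)
        return (fnmatch.fnmatchcase(user, user_pat)
                and fnmatch.fnmatchcase(host, host_pat))
    return fnmatch.fnmatchcase(user, pattern)


def user_allowed(config, user, host=""):
    """True if sshd would let `user` (connecting from `host`) past the
    DenyUsers/AllowUsers filters: any DenyUsers match refuses; if AllowUsers
    is set, only users matching one of its patterns are accepted."""
    if any(_matches(p, user, host) for p in config.get("denyusers", [])):
        return False
    allow = config.get("allowusers", [])
    if allow and not any(_matches(p, user, host) for p in allow):
        return False
    return True


def lint_allowusers(text):
    """Warnings for the two mistakes in the thread: a commented-out AllowUsers
    line, and commas in an active one ('user1,' is then a literal pattern
    that never matches a user called user1)."""
    warnings = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#") and "allowusers" in line.lower():
            warnings.append("AllowUsers is commented out; it has no effect")
        elif line.lower().startswith("allowusers") and "," in line:
            warnings.append("AllowUsers contains commas; patterns are separated by whitespace")
    return warnings


if __name__ == "__main__":
    for w in lint_allowusers(SAMPLE_COMMENTED):
        print("warning:", w)
    cfg = parse_sshd_config(SAMPLE_ACTIVE)
    for u in ("user2", "stranger", "baduser"):
        print(u, "allowed" if user_allowed(cfg, u) else "refused")
```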



XEN

2006-09-08 Thread openbsd misc
Hi all,

I wasn't able to figure out if it is possible to run openbsd
as xen guest system. Does anyone know?

Regards
  Hagen Volpers



Re: OpenBSD Wireless Router

2006-09-07 Thread openbsd misc
 On Fri, Sep 08, 2006 at 05:00:16AM +1000, John Tate wrote:
  I am constantly disappointed with the lack of freedom out-of-the-box
  wireless routers provide. I am interested in a solution on OpenBSD,
because
 
 I haven't used any Soekris device yet but you may be interested in
 this:
 
 http://www.soekris.com/net4511.htm
 

A WRAP system could also be an option www.pcengines.ch

I haven't tried wireless lan with openbsd because it does not support
WPA.

Regards
  Hagen Volpers



Re: Apache-problem

2006-09-03 Thread openbsd misc
 Hello!
Hello,

 I have just enabled and tested some stuff with the 3.9-apache server.
The
 predefined It Worked!-page works as expected. I have added one more
 directory by adding
 
 <Directory /var/www/htdocs/my_test>
 Options MultiViews
 AllowOverride None
 Order allow,deny
 Allow from all
 </Directory>
 
 to my httpd.conf

This option is only needed to change directory settings (e.g. security). In
this case it is not needed, because the directory belongs to your document
root.

 the directory my_test is a mount point where I mount my www-drive

Why not mount it at /var/www/htdocs?

 Accessing this directory from internet works as expected, but if I access
 it from the internal (192.168.1.*) network the returned address is my
 hostname (which can not be looked up in any DNS). I would like the server's
 local IP-address to be returned instead (just as when I access the It
 Worked!-page).

That doesn't make sense (and can't be) as long as you haven't added a
virtual host. Please add your changes to httpd.conf...

 Since the It Worked!-page works without tricks with virtual hosts i
 expect to solve this without using them. How can this be done?

What do you need the virtual host for? I did not understand what you
want to do.

 --
 
 Jon Sjvstedt
 
 d00jon()dtek,chalmers!se jonsjostedt[]hotmail:com
 

Regards
  Hagen Volpers



Re: Apache-problem

2006-09-03 Thread openbsd misc
  it from the internal (192.168.1.*) network the returned address is
my
  hostname (which can not be looked up in any DNS).
 
 Set ServerName to the IP address, or fix your DNS.
 

Depends on his setup and what he wants to do. I think he wants to use
different names to access the same page (internet and intranet). In this
case it makes more sense to set UseCanonicalName Off (and use
ServerAlias if you want a virtual host to react on two names).

Regards
  Hagen Volpers



Re: ssh auth

2006-08-26 Thread openbsd misc
Hiho,

 i have a small problem with an ssh authentication, hope i misunderstood
 it, but...
 
 i try to copy a file with scp from one server to another and scp doesn't ask
 me for a password. problem, i don't setup any key on this box ...
 
 here the details:
 
 soekris4801:touche$ ls ~/.ssh
 authorized_keys   known_hosts
 soekris4801:touche$ touch test
 soekris4801:touche$ scp test [EMAIL PROTECTED]:/tmp/
 test   100%0
  0.0KB/s   00:00
 
 if debug:
 debug1: kex: server->client aes128-cbc hmac-md5 none
 debug1: kex: client->server aes128-cbc hmac-md5 none
 debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
 debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
 debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
 debug1: Host 'file' is known and matches the RSA host key.
 debug1: Found key in /home/touche/.ssh/known_hosts:1
 debug1: ssh_rsa_verify: signature correct
 debug1: SSH2_MSG_NEWKEYS sent
 debug1: expecting SSH2_MSG_NEWKEYS
 debug1: SSH2_MSG_NEWKEYS received
 debug1: SSH2_MSG_SERVICE_REQUEST sent
 debug1: SSH2_MSG_SERVICE_ACCEPT received
 debug1: Authentications that can continue:
 publickey,password,keyboard-interactive
 debug1: Next authentication method: publickey
 debug1: Offering public key: rsa-key-xxx
 debug1: Server accepts key: pkalg ssh-rsa blen 148
 debug1: Authentication succeeded (publickey).
 
 the key (rsa-key-xxx) exists but, as seen before, not on soekris4801 (no
 id_(dsa|rsa))
 public key is not in authorized_keys (that's another)
 known_hosts is for host keys so ...
 
 how can it offer this public key ???

I think you connected to your soekris by using a private key. SSH can
forward that key to authorize to another host (your soekris box provided
the key you used to authorize to your soekris box).


 thanks
 Regards
 
   Julien

Regards
  Hagen Volpers



Volume manager

2006-08-24 Thread openbsd misc
Hello,

I'm looking for a volume manager comparable to LVM. Is there
a well-tended solution for openbsd? I want to be able to
create / resize partitions at runtime, raid functionality
is not needed.

Regards
  Hagen Volpers



Re: pf - strange behavior

2006-08-20 Thread openbsd misc
On 8/19/06, openbsd misc [EMAIL PROTECTED] wrote:
   On 8/19/06, openbsd misc [EMAIL PROTECTED] wrote:
   Hello,
  
   nobody has an answer for that? :/ Or was my explanation not
english
  enough? =) Please let me know if something is ambiguous.
  
   Regards
 Hagen Volpers
  
  
   Hi,
  Hello,
 
   I do not know about pf, but maybe I can help anyway. Did you
   investigate why these two states look different?
   all icmp 192.168.122.128:512 -> 193.99.144.85   0:0
   all icmp 192.168.122.16:512 -> 84.60.163.18:34545 -> 193.99.144.85   0:0
  
  That's exactly my question. ;-) These states should not be different,
  but they are...
 
   Also, have you tried looking at the state table _after_ restarting
the
   pings? Does it look the same or different?
 
  Yes. It looks different (like the other line) if you wait for 10
seconds
  (udp timeout) before starting the ping again.
 
 Okay, so clearly the answer is here.
 
 The one that works is being set up to redirect through 84.60.163.18 (I
 assume this is your router?). The one that doesn't is sending directly
 to the outside world.
 
 
Hello,

as you can see both should be kept by the same rules:

# cat /etc/pf.conf
ext_if=pppoe0
int_if=sis1
set block-policy return
set skip on lo
scrub in
nat on $ext_if from !($ext_if) -> ($ext_if:0)
block in
pass out keep state
antispoof quick for { lo $int_if }
pass in on $ext_if inet proto tcp from any to ($ext_if) port { 22 } flags S/SA keep state
pass in inet proto icmp all icmp-type echoreq keep state
pass in quick proto { tcp, udp } from { 192.168.122.0/24 } to 192.168.122.2 port { 53 }
pass quick on $int_if

The public ip address you mentioned is the one on pppoe interface. There
are no other entries that could make any changes (I wrote the rc script
on my own =)).

 
 I don't know what that printout means! It's not documented in the
 manpage. Probably have to check the source to see what it is... Here
 that source is, from /sbin/pfctl/pf_print_state.c:
 void
 print_state(struct pf_state *s, int opts)
 {
         struct pf_state_peer *src, *dst;
         struct protoent *p;
         int min, sec;

         if (s->direction == PF_OUT) {
                 src = &s->src;
                 dst = &s->dst;
         } else {
                 src = &s->dst;
                 dst = &s->src;
         }
         printf("%s ", s->u.ifname);
         if ((p = getprotobynumber(s->proto)) != NULL)
                 printf("%s ", p->p_name);
         else
                 printf("%u ", s->proto);
         if (PF_ANEQ(&s->lan.addr, &s->gwy.addr, s->af) ||
             (s->lan.port != s->gwy.port)) {
                 print_host(&s->lan, s->af, opts);
                 if (s->direction == PF_OUT)
                         printf(" -> ");
                 else
                         printf(" <- ");
         }
         print_host(&s->gwy, s->af, opts);
         if (s->direction == PF_OUT)
                 printf(" -> ");
         else
                 printf(" <- ");
         print_host(&s->ext, s->af, opts);

         printf("    ");
         if (s->proto != IPPROTO_ICMP && src->state < PFOTHERS_NSTATES &&
             dst->state < PFOTHERS_NSTATES) {
                 /* XXX ICMP doesn't really have state levels */
                 const char *states[] = PFOTHERS_NAMES;

                 printf("   %s:%s\n", states[src->state],
                     states[dst->state]);
         }
 
 
 It would seem that, for some reason, on the one that doesn't work,
 PF_ANEQ(&s->lan.addr, &s->gwy.addr, s->af) fails (and presumably the
 other test in that if fails because ICMP lacks ports). Yeah. Um, still
 confused. Too bad PF_ANEQ is a macro, so not in the manpages. Perhaps
 grep the tree for it?

Unfortunately I'm not a developer... :(


 -Nick

Regards
  Hagen Volpers



Re: pf - strange behavior

2006-08-20 Thread openbsd misc
 On 8/20/06, openbsd misc [EMAIL PROTECTED] wrote:
  On 8/19/06, openbsd misc [EMAIL PROTECTED] wrote:
 On 8/19/06, openbsd misc [EMAIL PROTECTED] wrote:
 Hello,

 nobody has an answer for that? :/ Or was my explanation not
  english
enough? =) Please let me know if something is ambiguous.

 Regards
   Hagen Volpers


 Hi,
Hello,
   
 I do not know about pf, but maybe I can help anyway. Did you
 investigate why these two states look different?
 all icmp 192.168.122.128:512 -> 193.99.144.85   0:0
 all icmp 192.168.122.16:512 -> 84.60.163.18:34545 -> 193.99.144.85   0:0
    
That's exactly my question. ;-) These states should not be different,
but they are...
   
 Also, have you tried looking at the state table _after_
restarting
  the
 pings? Does it look the same or different?
   
Yes. It looks different (like the other line) if you wait for 10
  seconds
(udp timeout) before starting the ping again.
  
   Okay, so clearly the answer is here.
  
   The one that works is being set up to redirect through
84.60.163.18 (I
   assume this is your router?). The one that doesn't is sending
directly
   to the outside world.
  
  
  Hello,
 
  as you can see both should be kept by the same rules:
 
 This is the router machine?

Yes, it is.

  # cat /etc/pf.conf
  ext_if=pppoe0
  int_if=sis1
  set block-policy return
  set skip on lo
  scrub in
  nat on $ext_if from !($ext_if) -> ($ext_if:0)
  block in
  pass out keep state
  antispoof quick for { lo $int_if }
  pass in on $ext_if inet proto tcp from any to ($ext_if) port { 22 } flags S/SA keep state
  pass in inet proto icmp all icmp-type echoreq keep state
  pass in quick proto { tcp, udp } from { 192.168.122.0/24 } to 192.168.122.2 port { 53 }
  pass quick on $int_if
 
  The public ip address you mentioned is the one on pppoe interface.
There
  are no other entries that could make any changes (I wrote the rc
script
  on my own =)).
 
 misc@ might yell at you for this. I think it's neat, and I like how
 OpenBSD is so simple and clean that I understand I could do that
 completely. However, rc does a lot of stuff, and it's best not to
 tamper with. It also invokes side scripts like netstart. Use rc.local
 and rc.local.conf instead.

I thought that I had a problem in my rc script, too. The installation
is based on flashdist. That's why I'm not able to put back the old rc
script (too many commands are missing). The point is that two
machines are treated differently. I don't think that this problem can
be found in my rc script. I copied the stuff from netstart and the
pf start is identical to the rc script.
I think there can be only two reasons for this:
- a bug
- a misconfiguration in my pf.conf

 Try putting the old rc back and see if it fixes things. If it does,
 great. If you still have some time maybe go through and diff it to
 your version and figure out what changed.
 
 
 
 The key point I found in the source was this:
 
 if (PF_ANEQ(&s->lan.addr, &s->gwy.addr, s->af) ||
     (s->lan.port != s->gwy.port)) {
         print_host(&s->lan, s->af, opts);
         if (s->direction == PF_OUT)
                 printf(" -> ");
         else
                 printf(" <- ");
 }
 
 Because it is that which causes the intermediate host to be printed
 for the state which works.
 
   It would seem that, for some reason, on the one that doesn't work,
   PF_ANEQ(&s->lan.addr, &s->gwy.addr, s->af) fails (and presumably the
   other test in that if fails because ICMP lacks ports). Yeah. Um, still
   confused. Too bad PF_ANEQ is a macro, so not in the manpages. Perhaps
   grep the tree for it?
 
  Unfortunately I'm not a developer... :(
 
 
 Neither am I. I found this by going to http://www.openbsd.org,
 clicking Getting Source-Web and finding the code for pfctl. I
 don't have a working OpenBSD system right now to check out the source
 on, and I was hoping you could. See
 http://www.openbsd.org/anoncvs.html
 
 Or do you mean I don't know C?

Yes, I do... =)

 -Nick

Regards
  Hagen Volpers



WG: pf - strange behavior

2006-08-19 Thread openbsd misc
Hello,

nobody has an answer for that? :/ Or was my explanation not English enough? =)
Please let me know if something is ambiguous.

Regards
  Hagen Volpers

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of openbsd misc
Sent: Thursday, 10 August 2006 23:31
To: OpenBSD Misc
Subject: pf - strange behavior

Hello,

I have a problem I have no explanation for. Here's the situation: I have
a Windows XP client pinging (ping -t) an internet host (nat through my
obsd testsystem). That's my pf.conf:

# cat /etc/pf.conf
ext_if=pppoe0
int_if=sis1
set block-policy return
set skip on lo
scrub in
nat on $ext_if from !($ext_if) -> ($ext_if:0)
block in
pass out keep state
antispoof quick for { lo $int_if }
pass in on $ext_if inet proto tcp from any to ($ext_if) port { 22 } flags S/SA keep state
pass in inet proto icmp all icmp-type echoreq keep state
pass in quick proto { tcp, udp } from { 192.168.122.0/24 } to 192.168.122.2 port { 53 }
pass quick on $int_if

After rebooting my obsd system (while ping is running), then ping
cannot get through when the system comes up again. The obsd system
sends out icmp packages without nat. The source ip address is
192.168.122.128, but it should be the public ip-address of the
obsd system (first line):


# pfctl -ss
all icmp 192.168.122.128:512 -> 193.99.144.85   0:0
all udp 84.60.163.18:3790 -> 194.88.212.200:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:33159 -> 131.174.122.206:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:40242 -> 83.229.141.2:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:31316 -> 83.67.64.230:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:9757 -> 82.165.43.21:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:17612 -> 72.1.138.113:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:24708 -> 69.182.190.97:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:42679 -> 69.59.178.92:123   MULTIPLE:MULTIPLE
all icmp 192.168.122.16:512 -> 84.60.163.18:34545 -> 193.99.144.85   0:0
all tcp 84.60.163.18:22 <- 212.46.125.234:2840   ESTABLISHED:ESTABLISHED
all tcp 192.168.122.16:52556 -> 84.60.163.18:55884 -> 212.227.15.161:110   FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52557 -> 84.60.163.18:54733 -> 212.227.15.161:110   FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52558 -> 84.60.163.18:53237 -> 151.189.21.113:110   FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52559 -> 84.60.163.18:55113 -> 212.227.85.5:110   FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52562 -> 84.60.163.18:58754 -> 212.227.85.5:110   FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52563 -> 84.60.163.18:54019 -> 212.227.85.5:110   FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52569 -> 84.60.163.18:62152 -> 212.227.85.5:110   FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52570 -> 84.60.163.18:61073 -> 212.227.85.5:110   FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52574 -> 84.60.163.18:51917 -> 212.227.15.161:110   FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52575 -> 84.60.163.18:53399 -> 212.227.15.161:110   FIN_WAIT_2:FIN_WAIT_2


The really strange thing is the windows server 2003 (192.168.122.16).
He's also running the ping all the time. His packages get caught by the
nat rule correctly.
If I stop the ping on the windows xp system, wait 10sec (icmp.error
value) and ping again, everything is working fine:

after 10sec:
all icmp 192.168.122.128:512 -> 84.60.163.18:5939 -> 193.99.144.85   0:0


And here's my question: WHY? =) As you can see the windows server
created several connections. I think that the icmp packages get
caught by nat because he creates other connections, too.

Btw, I'm using kernel based pppoe (using spppcontrol) to get a
connection to my isp.

Before you ask, here is some more information =):

# pfctl -sa
TRANSLATION RULES:
nat on pppoe0 from ! (pppoe0) to any -> (pppoe0:0)

FILTER RULES:
scrub in all fragment reassemble
block return in all
pass out all keep state
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick inet6 from ::1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick on ! sis1 inet from 192.168.122.0/24 to any
block drop in quick inet from 192.168.122.2 to any
block drop in quick on sis1 inet6 from fe80::20d:b9ff:fe04:5ea5 to any
pass in on pppoe0 inet proto tcp from any to (pppoe0) port = ssh flags S/SA keep state
pass in inet proto icmp all icmp-type echoreq keep state
pass in quick inet proto tcp from 192.168.122.0/24 to 192.168.122.2 port = domain
pass in quick inet proto udp from 192.168.122.0/24 to 192.168.122.2 port = domain
pass quick on sis1 all
No queue in use

STATES:
all udp 84.60.163.18:3790 -> 194.88.212.200:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:33159 -> 131.174.122.206:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:40242 -> 83.229.141.2:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:31316 -> 83.67.64.230:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:9757 -> 82.165.43.21:123   MULTIPLE:MULTIPLE
all udp

Re: pf - strange behavior

2006-08-19 Thread openbsd misc
 On 8/19/06, openbsd misc [EMAIL PROTECTED] wrote:
 Hello,

 nobody has an answer for that? :/ Or was my explanation not english
enough? =) Please let me know if something is ambiguous.

 Regards
   Hagen Volpers


 Hi,
Hello,

 I do not know about pf, but maybe I can help anyway. Did you
 investigate why these two states look different?
 all icmp 192.168.122.128:512 -> 193.99.144.85   0:0
 all icmp 192.168.122.16:512 -> 84.60.163.18:34545 -> 193.99.144.85   0:0

That's exactly my question. ;-) These states should not be different,
but they are...

 Also, have you tried looking at the state table _after_ restarting the
 pings? Does it look the same or different?

Yes. It looks different (like the other line) if you wait for 10 seconds
(udp timeout) before starting the ping again.

I think this behavior is not correct (or my pf.conf isn't). I wasn't able
to figure out why this happens.

I had these problems on a WRAP system (i386).

 -Nick

Regards
  Hagen Volpers



pf - strange behavior

2006-08-10 Thread openbsd misc
Hello,

I have a problem I have no explanation for. Here's the situation: I have
a Windows XP client pinging (ping -t) an internet host (nat through my
obsd testsystem). That's my pf.conf:

# cat /etc/pf.conf
ext_if=pppoe0
int_if=sis1
set block-policy return
set skip on lo
scrub in
nat on $ext_if from !($ext_if) -> ($ext_if:0)
block in
pass out keep state
antispoof quick for { lo $int_if }
pass in on $ext_if inet proto tcp from any to ($ext_if) port { 22 } flags S/SA keep state
pass in inet proto icmp all icmp-type echoreq keep state
pass in quick proto { tcp, udp } from { 192.168.122.0/24 } to 192.168.122.2 port { 53 }
pass quick on $int_if

After rebooting my obsd system (while ping is running), then ping
cannot get through when the system comes up again. The obsd system
sends out icmp packages without nat. The source ip address is
192.168.122.128, but it should be the public ip-address of the
obsd system (first line):


# pfctl -ss
all icmp 192.168.122.128:512 -> 193.99.144.85   0:0
all udp 84.60.163.18:3790 -> 194.88.212.200:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:33159 -> 131.174.122.206:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:40242 -> 83.229.141.2:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:31316 -> 83.67.64.230:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:9757 -> 82.165.43.21:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:17612 -> 72.1.138.113:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:24708 -> 69.182.190.97:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:42679 -> 69.59.178.92:123   MULTIPLE:MULTIPLE
all icmp 192.168.122.16:512 -> 84.60.163.18:34545 -> 193.99.144.85   0:0
all tcp 84.60.163.18:22 <- 212.46.125.234:2840   ESTABLISHED:ESTABLISHED
all tcp 192.168.122.16:52556 -> 84.60.163.18:55884 -> 212.227.15.161:110   FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52557 -> 84.60.163.18:54733 -> 212.227.15.161:110   FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52558 -> 84.60.163.18:53237 -> 151.189.21.113:110   FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52559 -> 84.60.163.18:55113 -> 212.227.85.5:110   FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52562 -> 84.60.163.18:58754 -> 212.227.85.5:110   FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52563 -> 84.60.163.18:54019 -> 212.227.85.5:110   FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52569 -> 84.60.163.18:62152 -> 212.227.85.5:110   FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52570 -> 84.60.163.18:61073 -> 212.227.85.5:110   FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52574 -> 84.60.163.18:51917 -> 212.227.15.161:110   FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52575 -> 84.60.163.18:53399 -> 212.227.15.161:110   FIN_WAIT_2:FIN_WAIT_2


The really strange thing is the windows server 2003 (192.168.122.16).
He's also running the ping all the time. His packages get caught by the
nat rule correctly.
If I stop the ping on the windows xp system, wait 10sec (icmp.error
value) and ping again, everything is working fine:

after 10sec:
all icmp 192.168.122.128:512 -> 84.60.163.18:5939 -> 193.99.144.85   0:0


And here's my question: WHY? =) As you can see the windows server
created several connections. I think that the icmp packages get
caught by nat because he creates other connections, too.

Btw, I'm using kernel based pppoe (using spppcontrol) to get a
connection to my isp.

Before you ask, here is some more information =):

# pfctl -sa
TRANSLATION RULES:
nat on pppoe0 from ! (pppoe0) to any -> (pppoe0:0)

FILTER RULES:
scrub in all fragment reassemble
block return in all
pass out all keep state
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick inet6 from ::1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick on ! sis1 inet from 192.168.122.0/24 to any
block drop in quick inet from 192.168.122.2 to any
block drop in quick on sis1 inet6 from fe80::20d:b9ff:fe04:5ea5 to any
pass in on pppoe0 inet proto tcp from any to (pppoe0) port = ssh flags S/SA keep state
pass in inet proto icmp all icmp-type echoreq keep state
pass in quick inet proto tcp from 192.168.122.0/24 to 192.168.122.2 port = domain
pass in quick inet proto udp from 192.168.122.0/24 to 192.168.122.2 port = domain
pass quick on sis1 all
No queue in use

STATES:
all udp 84.60.163.18:3790 -> 194.88.212.200:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:33159 -> 131.174.122.206:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:40242 -> 83.229.141.2:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:31316 -> 83.67.64.230:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:9757 -> 82.165.43.21:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:17612 -> 72.1.138.113:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:24708 -> 69.182.190.97:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:42679 -> 69.59.178.92:123   MULTIPLE:MULTIPLE
all icmp 192.168.122.16:512 -> 84.60.163.18:34545 -> 193.99.144.85   0:0
all tcp 84.60.163.18:22 <- 212.46.125.234:2840   ESTABLISHED:ESTABLISHED
all tcp 
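An added example, not code from the thread: a parser for `pfctl -ss` lines in the format quoted above. It applies the same distinction as pfctl's `print_state` (a translated state shows lan -> gwy -> ext, an untranslated one only gwy -> ext) and flags outbound states whose on-wire source is still an RFC 1918 address, which is exactly the first line of the dump. It assumes the pf 3.x/4.0 output format and IPv4 only; the sample lines are constructed to mirror the poster's output.

```python
"""Parse pf 3.x/4.0 `pfctl -ss` state lines and flag un-NATed private sources.

Added example, not from the thread. In that output format a state prints as
    <if> <proto> <lan> -> <gwy> -> <ext>   <src_state>:<dst_state>
when lan and gwy differ (a NAT rule rewrote the packet), and as
    <if> <proto> <gwy> -> <ext>   <src_state>:<dst_state>
when they are equal (no translation). Inbound states use '<-'. IPv4 only.
"""
import ipaddress
import re

# Constructed sample mirroring the poster's dump: one un-NATed ICMP state,
# one NTP state from the public address, one NATed ICMP state, one inbound
# TCP state to the firewall's own ssh port.
SAMPLE_STATES = """\
all icmp 192.168.122.128:512 -> 193.99.144.85   0:0
all udp 84.60.163.18:3790 -> 194.88.212.200:123   MULTIPLE:MULTIPLE
all icmp 192.168.122.16:512 -> 84.60.163.18:34545 -> 193.99.144.85   0:0
all tcp 84.60.163.18:22 <- 212.46.125.234:2840   ESTABLISHED:ESTABLISHED
"""

# interface, protocol, the host chain, then two or more spaces, then states.
_STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+(?P<hosts>.+?)\s{2,}(?P<states>\S+:\S+)\s*$"
)
_ARROW_RE = re.compile(r"\s+(?:->|<-)\s+")


def _split_host(token):
    """Split 'addr[:port]'; ICMP peers and the ext side may carry no port."""
    addr, sep, port = token.rpartition(":")
    if not sep:
        return token, None
    return addr, int(port)


def parse_state_line(line):
    """Return a dict for one state line, or None if the line is not a state."""
    m = _STATE_RE.match(line)
    if m is None:
        return None
    hosts = m.group("hosts")
    direction = "out" if "->" in hosts else "in"
    tokens = _ARROW_RE.split(hosts)
    if len(tokens) == 3:          # lan -> gwy -> ext: translation applied
        lan, gwy, ext = tokens
        translated = True
    elif len(tokens) == 2:        # gwy -> ext: lan == gwy, nothing rewritten
        lan, (gwy, ext) = None, tokens
        translated = False
    else:
        return None
    src_state, dst_state = m.group("states").split(":", 1)
    return {
        "ifname": m.group("ifname"),
        "proto": m.group("proto"),
        "direction": direction,
        "lan": _split_host(lan) if lan else None,
        "gwy": _split_host(gwy),
        "ext": _split_host(ext),
        "translated": translated,
        "states": (src_state, dst_state),
    }


def untranslated_private_states(text):
    """Return the outbound state lines whose on-wire (gwy) address is still
    RFC 1918: the NAT rule was expected to rewrite them but did not."""
    leaks = []
    for line in text.splitlines():
        st = parse_state_line(line)
        if st is None or st["direction"] != "out" or st["translated"]:
            continue
        if ipaddress.ip_address(st["gwy"][0]).is_private:
            leaks.append(line)
    return leaks


if __name__ == "__main__":
    for leak in untranslated_private_states(SAMPLE_STATES):
        print("un-NATed private source:", leak)
```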

smtp proxy

2006-08-09 Thread openbsd misc
Hello,

I'm looking for a smtp proxy. The idea is, that the proxy checks the
smtp session (if everything is valid and forward the information to an
exchange-server). The forwards should happen step-by-step (the smtp
proxy should be able to drop to be able to deny the recipient). The mail
itself should be streamed (because the proxy should run in memory only).
Does someone know such a solution?

Regards
  Hagen Volpers



Re: smtp proxy

2006-08-09 Thread openbsd misc
  openbsd misc wrote:
  Hello,
 
  I'm looking for a smtp proxy. The idea is, that the proxy checks the
  smtp session (if everything is valid and forward the information to
an
  exchange-server). The forwards should happen step-by-step (the smtp
  proxy should be able to drop to be able to deny the recipient). The
mail
  itself should be streamed (because the proxy should run in memory
only).
  Does someone know such a solution?
 
  Regards
Hagen Volpers
 
 
 
 Hi,
 
 use a standard smtp daemon (sendmail, postfix or whatever) and put the
 spooling directory in a ramdisk  :-)
 
 
 guido

Hi,

the problem is that the smtp proxy should not be allowed to queue a
message, else the size of the ramdisk would set the maximum message size.
To avoid that, I need a solution that streams the mail after checking the
envelope (smtp session) information. It should also drop the connection if
the exchange server is down.
Without that problem I would take qmail.

Regards
  Hagen Volpers



Re: smtp proxy

2006-08-09 Thread openbsd misc
 Hi,
 
 use a standard smtp daemon (sendmail, postfix or whatever) and put
the
 spooling directory in a ramdisk  :-)
 
 
   Don't bother with the ramdisk. disk is cheap and fast compared
 to smtp.
 
 
   OpenBSD spamd in front of a cluster of sendmail/postfix running
 boxes which have the valid list of recipients, and where the mail ends
 up (i.e. which exchange server[s]). Not hard to do, and scales almost
 infinitely.  spamd box does greylisting and then round robins the smtp
 connections to a cluster of receive/process boxes. Those boxes have
 the list of valid users, and if you want can do some sort of mail
 filtering/processing (i.e. spamassassin, clamav, etc. etc.) whatever
 gets through that is forwarded on to MmmSexChange.
 
   Fooling around with ramdisk/passthrough stuff is more trouble
 than it is worth.

The only thing I can use is a ramdisk. I want it to run on a wrap
system. Writing to the cf card is not an option, and all I have
is 128MB RAM. There are only two options:

- forward 25 -> exchange (not a good one... I think you know why ;-))
- check envelope information -> forward to exchange, stream the
  message

I hope that makes it clearer (my mistake in my first mails ;-))

   -Bob
Regards
  Hagen Volpers



Re: Smallest OpenBSD box

2006-08-08 Thread openbsd misc
Hello,

 Hi,
 
 I would like to know what is the smallest box (in terms of size)
 that can be used to install OpenBSD and use as a firewall. It should
 have a hard disk also, and at least 2 NIC interfaces.

The smallest box I know is a WRAP system (www.pcengines.ch). It's 15x15cm,
up to 3 nics, one or two mini-pci slots, and one serial port.

 Thankyou so much

no problem... ;-)

 Kind Regards
 
 Siju 

Regards
  Hagen Volpers



Re: Apache proxy settings not working

2006-08-08 Thread openbsd misc
Hello,

 No it's reverse. I want all incoming requests from the Internet to a
 certain virtual host (in this case webmail.sendmail.tv) to be redirected
 to an internal host running the webmail app server (on 10.10.33.3 port
 81). For some reason, the proxy in OpenBSD's httpd doesn't take the
 10.10.33.3 portion and replaces it with 0.0.0.0. So this request
 fails...I saw another poster post a similar bug (on the same arch - SPARC).

Did you try it with a dns name? I'm using /var/www/etc/hosts (httpd is
chrooted per default) for that.

 Warm regards,

Regards
  Hagen Volpers



Re: broadcast IPs in a public /29 block

2006-08-08 Thread openbsd misc
Hello,

 While mucking around with reverse DNS for a /29 public netblock I use, I noticed
 that my ISP, SBC, had only aliased 6 of the 8 IPs in the /29 block for use with
 rDNS. After seeing this, I did a bit of homework and found Graham Toal's
 explanation of the missing IPs ( http://www.gtoal.com/subnet.html ) which
 presents this issue quite clearly. This did leave me with some additional
 questions though.

It's very important to understand how IP subnetting and routing work. Many
people don't understand it (like DNS). That's why even companies like
Microsoft have problems in their networks / DNS. Read it carefully and think
about it. Having a deeper look into the RFCs is also a good idea.

 I have been hosting websites on these reserved boundary IPs in the /29 block
 with no trouble using binat. Should I not be doing this since these are reserved
 IPs for broadcast? I have moved one domain from the boundary already since it
 needed rDNS setup. How regularly are these reserved broadcast addresses at the
 beginning and end of the netblock used and for what sorts of services?

These reserved IP addresses are needed, so it's very regular. Using binat is a
way to avoid losing IP addresses, but it's unusual. There is no problem in using
them (like you did), but it's also normal that you cannot set rDNS entries for
those. Normally you route a net and do not binat them, therefore the two
reserved IP addresses are needed.
Talk to your ISP and ask if he can set your rDNS entries manually.

 cheers,
 jake

Regards
  Hagen Volpers
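An added example, not part of the thread, for working out which two addresses of a block are the network and broadcast addresses Jake and Hagen are discussing. It is plain POSIX sh arithmetic with no external tools; the block 203.0.113.8/29 is constructed documentation space (RFC 5737), not Jake's real netblock, and the function names are my own. It also covers the /31 and /32 cases, which have no broadcast address at all (RFC 3021), since those are the edge cases a mask calculator usually gets wrong.

```shell
#!/bin/sh
# Added example (not from the thread): network/broadcast calculator in POSIX sh.
# Example block 203.0.113.8/29 is constructed documentation space.

ALL_ONES=4294967295   # 0xFFFFFFFF written in decimal for portability

# int2ip INT -> dotted quad (no trailing newline)
int2ip() {
    printf '%d.%d.%d.%d' \
        $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
        $(( ($1 >> 8) & 255 ))  $(( $1 & 255 ))
}

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_info A.B.C.D/N
# Prints: network broadcast first_usable last_usable usable_count
cidr_info() {
    addr=${1%/*}; plen=${1#*/}
    ip=$(ip2int "$addr")
    if [ "$plen" -eq 0 ]; then
        mask=0
    else
        mask=$(( (ALL_ONES << (32 - plen)) & ALL_ONES ))
    fi
    net=$(( ip & mask ))
    bcast=$(( net | (mask ^ ALL_ONES) ))
    size=$(( bcast - net + 1 ))
    case "$plen" in
        32) first=$net; last=$net;   usable=1 ;;   # single host, no broadcast
        31) first=$net; last=$bcast; usable=2 ;;   # RFC 3021 point-to-point link
        *)  first=$(( net + 1 )); last=$(( bcast - 1 )); usable=$(( size - 2 )) ;;
    esac
    echo "$(int2ip $net) $(int2ip $bcast) $(int2ip $first) $(int2ip $last) $usable"
}

# is_boundary_addr A.B.C.D/N
# Returns 0 when the address is the network or broadcast address of its
# block, i.e. one of the two addresses an ISP will not delegate rDNS for.
is_boundary_addr() {
    a=${1%/*}; p=${1#*/}
    [ "$p" -ge 31 ] && return 1          # /31 and /32 have no boundary addresses
    set -- $(cidr_info "$1")
    [ "$a" = "$1" ] || [ "$a" = "$2" ]
}

# Usage: cidr_info 203.0.113.8/29
# prints "203.0.113.8 203.0.113.15 203.0.113.9 203.0.113.14 6"
```

The two addresses the ISP skipped for rDNS are exactly the ones `is_boundary_addr` reports; the six it did alias are the range between `first_usable` and `last_usable`.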



Re: Apache proxy settings not working

2006-08-08 Thread openbsd misc
 openbsd misc wrote:
 
  Did you try it with a dns name? I'm using /var/www/etc/hosts (httpd
is
  chrooted per default) for that.
 
 Bingo!

;-)

 # mkdir /var/www/etc/
 # cp /etc/hosts /var/www/etc/hosts
 # chown -R www:www /var/www/etc/hosts

Your chown is not a good idea. Should be:

chown root:wheel /var/www/etc/hosts
chmod 644 /var/www/etc/hosts

Never give write rights to a web server... ;-)

 It works!! Thank you

No problem... ;-)

Regards
  Hagen Volpers
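A small POSIX sh check for the advice above, added here and not part of Hagen's mail: after copying /etc/hosts into the httpd chroot, confirm the copy is owned by root:wheel and carries no write bit for group or others, so the web server user (www) cannot alter name resolution for the proxy. The path and the root:wheel / 644 setting come from the thread; the function names are made up for this example and the check parses the standard `ls -ld` output rather than a platform-specific `stat`.

```shell
#!/bin/sh
# Added example (not from the thread): verify a file inside the httpd chroot
# is owned by root:wheel and not writable by the web server.

# perms_safe PERMSTRING
# PERMSTRING is the first field of 'ls -ld', e.g. -rw-r--r--
# Returns 0 when neither group (position 6) nor others (position 9)
# have the write bit set.
perms_safe() {
    case "$1" in
        ?????w*)    return 1 ;;   # group write
        ????????w*) return 1 ;;   # other write
        *)          return 0 ;;
    esac
}

# check_chroot_file FILE [OWNER] [GROUP]
# Returns 0 if FILE exists, is owned by OWNER:GROUP (default root:wheel)
# and is not group- or world-writable; prints the first problem found.
check_chroot_file() {
    file=$1
    want_owner=${2:-root}
    want_group=${3:-wheel}

    [ -f "$file" ] || { echo "$file: missing"; return 1; }

    # ls -ld prints: perms links owner group size date ... name
    set -- $(ls -ld "$file")
    perms=$1 owner=$3 group=$4

    perms_safe "$perms" || { echo "$file: writable by group/other ($perms)"; return 1; }
    [ "$owner" = "$want_owner" ] || { echo "$file: owner is $owner, want $want_owner"; return 1; }
    [ "$group" = "$want_group" ] || { echo "$file: group is $group, want $want_group"; return 1; }
    return 0
}

# Typical use after copying /etc/hosts into the chroot (as root):
#   mkdir -p /var/www/etc
#   cp /etc/hosts /var/www/etc/hosts
#   chown root:wheel /var/www/etc/hosts
#   chmod 644 /var/www/etc/hosts
#   check_chroot_file /var/www/etc/hosts
```

With the `chown -R www:www` from the quoted mail the check fails on the owner line; with root:wheel and 644 it passes.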



Re: Smallest OpenBSD box

2006-08-08 Thread openbsd misc
That's true. He didn't write his requirements. I'm handling everything
on ramdisks (dnscache from djbdns, squid, log-files) and it's working
fine (for a small environment). Soekris are more expensive, but they
have advantages... :-)
Openbrick could also be an option. I bought some machines here: 
http://www.visionsystems.de/ (Embedded Systems)
It's a german company but I think they ship to other countries, too.

Regards
  Hagen Volpers

 The wrap does not support HDD's, CF only. You'll be better off with a
soekris:
 
 http://www.soekris.com/
 
 Cheers z0mbix
 
 On 08/08/06, openbsd misc [EMAIL PROTECTED] wrote:
  Hello,
 
   Hi,
  
   I would like to know that is the smallest box ( in terms of size )
   that can be used to Install OpenBSD and used as a firewall. It
should
   have a hard disk also, and atleast 2 NIC Interfaces.
 
  The smallest box I know is a WRAP system (www.pcengines.ch). It's 15x15cm,
  up to 3 nics, one or two mini-pci slots, and one serial port.
 
   Thankyou so much
 
  no problem... ;-)
 
   Kind Regards
  
   Siju
 
  Regards
Hagen Volpers



Re: WPA support / creating a cf image

2006-08-04 Thread openbsd misc
Thanks for that tip. I wrote a bootsector to my CF card and booted. But it
looks like biosboot isn't able to use LBA (; instead of .), even if I change
the WRAP BIOS setting to LBA. I wasn't able to figure out why. At the moment I'm
playing around with grub and lilo to find out if these have the same problem
with the WRAP system.
I'll ask on the m0n0wall mailing list how they solved that issue, perhaps I can
find a solution there... :/

Regards
  Hagen Volpers

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Stuart Henderson
Sent: Thursday, 3 August 2006 22:00
To: misc@openbsd.org
Subject: Re: WPA support / creating a cf image

On 2006/08/03 14:47, Jeff Quast wrote:
 values differently. There is no problem in dynamicly using OpenBSD's
 idea of C/H/S values at build time. However, OpenBSD on two different
 machines can provide completely different C/H/S values on the exact

yes, this was a bit of a pain for this type of thing until
biosboot(8) got changed to use LBA a couple of years ago.



Re: WPA support / creating a cf image

2006-08-04 Thread openbsd misc
Hello Jeff,

 Misc,

first of all: my name is Hagen... :-) I have one account for every
mailing list and I cannot change display name
(exchange disadvantage)... ;-)

 Please make sure to update the firmware on your wrap, as you hadn't
 mentioned it. pcengines.ch walks through this. It is quite simple. The
 tinybios revision is usually (..always) out of date. Some features
 listed in the tinybios that come on the wrap don't always work, or
 work correctly.

Thanks for your tip, but I have tinyBIOS 1.11 installed (the last
one mentioned on the pcengines site). I created a new etherboot image
because of a pxeboot bug. So everything should be up to date. I
created the MBR several times on two CF cards - fdisk / installboot.
I wasn't able to change to LBA mode. I don't know why (I changed the
WRAP BIOS settings also). There is always the ;... :/
I don't know where I made a mistake (if there is one). I haven't found
a site where someone was able to boot a WRAP system without using
C/H/S. Looks like OpenBSD's bootloader isn't able to boot a WRAP
system in LBA mode. I'm only wondering why FreeBSD / Linux seem
to be able to.
I'll go ahead building my system (based on flashdist), perhaps
I'll try to get rid of the C/H/S problem afterwards.

 Good luck, let us know how it works out?

I think I'll need that... ;-) Let me know if you have further
tips / ideas. I'll let you know if I found a solution.

 Jeffrey Quast

Regards
  Hagen Volpers



Re: WPA support / creating a cf image

2006-08-04 Thread openbsd misc
 I understand this is a problem of target systems translating C/H/S
 values differently. There is no problem in dynamically using OpenBSD's
 idea of C/H/S values at build time. However, OpenBSD on two different
 machines can provide completely different C/H/S values on the exact
 same card. Correct me if I'm wrong.

 [...]
 
 Just because flashdist asks for C/H/S doesn't mean that the image be
applied
 to a card with that exact C/H/S.  This was the case before OpenBSD
switched
 to the LBA based MBR.  Now, as long as the CF image fits on the card,
it should
 boot.

It should boot, but it doesn't.  I'm using a WRAP system and:

[...]
Using drive 0, partition 3;
Loading;.
[...]

For some reason I cannot use LBA (even if I switch in WRAP bios). I
wasn't able to figure out how. If I use your script everything is
working...
What I don't understand is, why other systems work (m0n0wall for
example).
Any idea?

Regards
  Hagen Volpers



Re: WPA support / creating a cf image (SOLVED)

2006-08-04 Thread openbsd misc
I got it working now. Looks like the WRAP system simulates some kind
of C/H/S in LBA mode. OpenBSD is still telling me that I'm in C/H/S
mode:

Using drive 0, partition 3;
Loading;.

But more important is that:

01F0 Master 848A SAMSUNG CF/ATA
Phys C/H/S 1010/16/63 Log C/H/S 505/32/63

The log values seem to be identical on every CF card (except cylinders).
My two CF cards are totally different:

128MB - C/H/S 498/16/32
512MB - C/H/S 1010/16/63

I'm able to boot both cards with the same image (created with the flashdist
wrapper script - gzip image - written with physdiskwrite under Windows).

I set cylinders to 60 to get a 60MB image and everything is working
fine now.

Btw, why do I not need to change the BIOS setting for the m0n0wall
image?
Any idea?

Regards
  Hagen Volpers

 I understand this is a problem of target systems translating C/H/S
 values differently. There is no problem in dynamically using OpenBSD's
 idea of C/H/S values at build time. However, OpenBSD on two different
 machines can provide completely different C/H/S values on the exact
 same card. Correct me if I'm wrong.

 [...]
 
 Just because flashdist asks for C/H/S doesn't mean that the image be
applied
 to a card with that exact C/H/S.  This was the case before OpenBSD
switched
 to the LBA based MBR.  Now, as long as the CF image fits on the card,
it should
 boot.

It should boot, but it doesn't.  I'm using a WRAP system and:

[...]
Using drive 0, partition 3;
Loading;.
[...]

For some reason I cannot use LBA (even if I switch in WRAP bios). I
wasn't able to figure out how. If I use your script everything is
working...
What I don't understand is, why other systems work (m0n0wall for
example).
Any idea?

Regards
  Hagen Volpers



Re: WPA support / creating a cf image

2006-08-03 Thread openbsd misc
Hello,

that's exactly what I'm doing at the moment... :-) But that doesn't create an
image. The problem is in short: C/H/S. But it looks like I already answered my
question within the question ;-). m0n0wall is using physdiskwrite (which was
written to be able to flash CF cards under Windows):

*   FreeBSD:
gzcat net45xx-xxx.img | dd of=/dev/rad[n] bs=16k
where n = the ad device number of your CF card (check dmesg); use
net48xx-xxx.img for net4801 and wrap-xxx.img for WRAP instead
(ignore the warning about trailing garbage - it's because of the digital
signature)
*   Linux:
gunzip -c net45xx-xxx.img | dd of=/dev/hdX bs=16k
where X = the IDE device name of your CF card (check with hdparm -i /dev/hdX)
- some adapters, particularly USB, may show up under SCSI emulation as
/dev/sdX
(ignore the warning about trailing garbage - it's because of the digital
signature)
*   Windows:
physdiskwrite net45xx-xxx.img

I'll try to create an image using flashdist (some modifications needed, but I
hope that's not too hard ;-)), gzip it and then I'll try to write it to a CF
card using Windows.

Regards
 Hagen Volpers




From: Ryan Corder [mailto:[EMAIL PROTECTED]
Sent: Thu 03.08.2006 14:41
To: openbsd misc
Cc: misc@openbsd.org
Subject: Re: WPA support / creating a cf image



On Wed, 2006-08-02 at 23:23 +0200, openbsd misc wrote:
 My question is, if there is a way to create such an image. For
 me it looks like an openbsd specific problem as it is
 possible with freebsd (www.m0n0.ch/wall). Perhaps here is
 someone who has an idea.

quite possible and easy to do, check out flashdist:
http://www.nmedia.net/~chris/soekris

[...]
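An added example (not m0n0wall's, flashdist's or Hagen's code) wrapping the dd invocation quoted above: it unpacks the gzipped image, writes it with `dd bs=16k` exactly as the m0n0wall instructions do, then reads back only the image's length from the target and compares it byte for byte, so a short write or a flaky card is caught before the box ships. The image and target paths are arguments; the function names are my own, and the only assumption about the image is that it is a single gzip stream, possibly with an appended signature (which gzip reports as "trailing garbage" with exit status 2, the warning the quoted text says to ignore).

```shell
#!/bin/sh
# Added example (not from the thread): write a gzipped CF image and verify
# the readback. IMAGE.gz and DEV are arguments; DEV may be a device node
# or, for testing, an ordinary file standing in for a card.

# unpack_image IMAGE.gz OUT
# gzip exits 2 for warnings such as "trailing garbage ignored" (an appended
# signature), so status 2 is accepted; anything else is a real error.
unpack_image() {
    rc=0
    gunzip -c "$1" > "$2" || rc=$?
    [ "$rc" -eq 0 ] || [ "$rc" -eq 2 ]
}

# read_exact DEV COUNT
# Stream exactly COUNT bytes from DEV: whole 16k blocks first, then the rest,
# so a card larger than the image does not make the comparison fail.
read_exact() {
    dev=$1; count=$2
    blocks=$(( count / 16384 )); rest=$(( count % 16384 ))
    dd if="$dev" bs=16k count="$blocks" 2>/dev/null
    dd if="$dev" bs=1 skip=$(( blocks * 16384 )) count="$rest" 2>/dev/null
}

# verify_cf_image IMAGE.gz DEV
# Returns 0 when the first N bytes of DEV equal the N bytes of the image.
verify_cf_image() {
    raw=$(mktemp) || return 1
    unpack_image "$1" "$raw" || { rm -f "$raw"; return 1; }
    size=$(wc -c < "$raw")
    if read_exact "$2" "$size" | cmp -s "$raw" -; then
        rc=0
    else
        rc=1
    fi
    rm -f "$raw"
    return "$rc"
}

# write_cf_image IMAGE.gz DEV
# Same dd invocation as the quoted m0n0wall instructions, followed by a
# readback check. Fails, and says so, if the card does not hold the image.
write_cf_image() {
    raw=$(mktemp) || return 1
    unpack_image "$1" "$raw" || { rm -f "$raw"; return 1; }
    dd if="$raw" of="$2" bs=16k 2>/dev/null || { rm -f "$raw"; return 1; }
    rm -f "$raw"
    sync
    verify_cf_image "$1" "$2" || { echo "$2: readback does not match $1" >&2; return 1; }
}

# Usage (as root, with the card on sd0 for example):
#   write_cf_image wrap-xxx.img.gz /dev/rsd0c
```

The readback is the part the one-liner in the mail lacks: dd reports the bytes it handed to the kernel, not what the CF card actually retained, and a card that silently drops writes looks identical until the WRAP fails to boot.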



FW: WPA support / creating a cf image

2006-08-03 Thread openbsd misc
Sorry, wrong recipient. ;-) see below...



From: openbsd misc
Sent: Thu 03.08.2006 16:15
To: Shane J Pearson
Subject: RE: WPA support / creating a cf image


Hello,

My problem is that I need the VPN at boot time. I cannot build a VPN from
client to server, only from OpenBSD to the head office. I'm not a fan of wireless
LAN, but my customers want it... The only way is to put an access point next
to the WRAP system, but I want an all-in-one solution, because it has to be
customer-friendly.
Are there any reasons why WPA is not implemented for now?



From: [EMAIL PROTECTED] on behalf of Shane J Pearson
Sent: Thu 03.08.2006 15:27
To: misc Misc
Subject: Re: WPA support / creating a cf image



On 2006.08.03, at 10:41 PM, Ryan Corder wrote:

 First, get past the notion of secure wireless...it doesn't
 exist.  The best solution for a more secure wireless network
 is for you to implement a WEP-encrypted environment and establish
 a VPN over it.

What about an open wireless network, which does not allow anything to
be routed out of the OpenBSD WAP unless it is authpf authorised. Then
only VPN traffic.

This couldn't be considered secure enough?


Shane



Re: WPA support / creating a cf image

2006-08-03 Thread openbsd misc
Ok, that didn't work. You can create an image. But the image will only work on
identical CF cards (same C/H/S). Is that an OpenBSD-specific problem (bootloader)
or how can I get rid of that?
I need an image that works on every CF card. Any idea? I don't want to switch to
FreeBSD...

Regards
  Hagen Volpers


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of openbsd misc
Sent: Thursday, 3 August 2006 16:13
To: [EMAIL PROTECTED]
Cc: misc@openbsd.org
Subject: Re: WPA support / creating a cf image

Hello,

that's exactly what I'm doing at the moment... :-) But that doesn't create an
image. The problem is in short: C/H/S. But it looks like I already answered my
question within the question ;-). m0n0wall is using physdiskwrite (which was
written to be able to flash CF cards under Windows):

*   FreeBSD:
gzcat net45xx-xxx.img | dd of=/dev/rad[n] bs=16k
where n = the ad device number of your CF card (check dmesg); use
net48xx-xxx.img for net4801 and wrap-xxx.img for WRAP instead
(ignore the warning about trailing garbage - it's because of the digital
signature)
*   Linux:
gunzip -c net45xx-xxx.img | dd of=/dev/hdX bs=16k
where X = the IDE device name of your CF card (check with hdparm -i /dev/hdX)
- some adapters, particularly USB, may show up under SCSI emulation as
/dev/sdX
(ignore the warning about trailing garbage - it's because of the digital
signature)
*   Windows:
physdiskwrite net45xx-xxx.img

I'll try to create an image using flashdist (some modifications needed, but I
hope that's not too hard ;-)), gzip it and then I'll try to write it to a CF
card using Windows.

Regards
 Hagen Volpers




From: Ryan Corder [mailto:[EMAIL PROTECTED]
Sent: Thu 03.08.2006 14:41
To: openbsd misc
Cc: misc@openbsd.org
Subject: Re: WPA support / creating a cf image



On Wed, 2006-08-02 at 23:23 +0200, openbsd misc wrote:
 My question is, if there is a way to create such an image. For
 me it looks like an openbsd specific problem as it is
 possible with freebsd (www.m0n0.ch/wall). Perhaps here is
 someone who has an idea.

quite possible and easy to do, check out flashdist:
http://www.nmedia.net/~chris/soekris

[...]



Re: WPA support / creating a cf image

2006-08-03 Thread openbsd misc
My plan is to build a default flashdist. Afterwards I want to build
tgz to install additional files. But that all doesn't make sense as
long as you aren't able to create a simple image that can be written
to every CF card running on every system (as long as the kernel
supports the hardware).
I found this comment in flashdist.sh:

# This script contains a stupid method which occasionally works to make this
# media bootable on a destination which uses a different c/h/s translation
# than the host system.  Of course, this is really just a hack.  This
# hack is no longer necessary with OpenBSD's newer LBA MBR, but left in place
# because it does no harm.

At the moment I try to figure out how to change the image MBR to LBA.
I hope that's the correct way.

Regards
  Hagen Volpers


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Ryan Corder
Sent: Thursday, 3 August 2006 21:08
To: Jeff Quast
Cc: misc@openbsd.org
Subject: Re: WPA support / creating a cf image

On Thu, 2006-08-03 at 14:47 -0400, Jeff Quast wrote:
 I understand this is a problem of target systems translating C/H/S
 values differently. There is no problem in dynamically using OpenBSD's
 idea of C/H/S values at build time. However, OpenBSD on two different
 machines can provide completely different C/H/S values on the exact
 same card. Correct me if I'm wrong.

 I don't think rolling your own would help in this way.

 I've heavily modified flashdist.sh to work in a different manner... I
 don't like the idea of building a complete system that's a mangled
 version of OpenBSD that needs to be maintained and provided for you.
 This is the common 'giving the people what they want' distribution
 format, and making those of us who want to modify it even the
 slightest bit work that much harder.

 I've changed the format of flashdist to accept an overlay/
 directory, containing any /etc/, /bsd, /usr/local, etc. additions or
 changes to overlay over the target CF card after a default install
 (extracting basesets).

that's exactly where I was going with it.  I too have heavily modified
flashdist.sh for my own needs and my stuff sounds similar to yours...an
overlay type of setup.

the problem that the original poster is facing is that the script he is
using does everything for him...including setting up and partitioning
the CF.  What would be nice is a similar script or program that just
gathered everything up that is required for the system to run and created
an image out of that.  Let the user handle setting up the individual CF
cards and just provide an image of the hard drive contents to be
flashed over via dd.

--
Ryan Corder [EMAIL PROTECTED]
Systems Engineer, NovaSys Health LLC.
501-219- ext. 646

[demime 1.01d removed an attachment of type application/pgp-signature which had 
a name of signature.asc]