Re: OpenBSD's webpage desing
what kind of shit are we talking about here? Scheisster baby eat my caviar turds or sinewy shrimp intestines you have to swallow wholesale lest being called a fag? Don't leave this up for interpretation or commentators unaware of Tourette syndrome tax deductions will /again/ quote out of context and label OpenBSD a psychopath hangout. Btw I read Theo was "probably" going Reiser-loco, that's fucking hilarious. "I left OpenBSD to become a murder profiler". -- p >frantisek holop is a shit eating moron who should >be ignored by anyone who is not a shit eating moron... >FUCK YOU holop. >FUCK YOU holop. >Please SHUT THE FUCK UP you stupid moron, frantisek holop. >I beg all true @misc followers >Search the archives for this shit eating moron's posts. >He is nothing but a shit eating moron troll. > >On Fri, Jun 29, 2012, at 01:19 PM, Sunnz Yiu wrote: >> On Jun 29, 2012 6:56 AM, "frantisek holop" wrote: >> > >> > hmm, on Thu, Jun 28, 2012 at 04:15:56PM -0400, Dave Anderson said that >> > > For dynamic content it's even simpler -- the program producing the >> > > content should also provide the corresponding header information. >> > >> > and it does so inside the of the page. >> > a perfectly normal and accepted practice. >> >> it'll do it in the http header if the developer for the dynamic page >> knows >> what they are doing.
Re: cpu choice for firewall
Frequency, cache and memory bus frequency are the most important things for speed. You need to get the packets to the CPU, and back out quickly. On 2012 Jun 28 (Thu) at 10:50:28 -0700 (-0700), Joe S wrote: :I'm looking to build a new mini-itx firewall based on OpenBSD and :would like to get some advice on CPU selection. I've seen multiple :statements on this list that indicate CPU cache and CPU speed are the :most important factors. Sorry if this is a silly question, but which :cache is most useful for what I'm trying to do? L1, L2, or L3? What's :more important from a CPU point of view? I don't have a specific :amount of throughput that I'm targeting. I'm very curious as to what :kind of differences I'm likely to see. : :By the way, the two CPU's I'm looking at are: : :Intel Atom D2500 (on Intel D2500CC motherboard) :Frequency (MHz): 1867 :L1 cache: 32 KB (code) / 24 KB (data) :L2 cache: 1024 KB :L3 cache: none : :Intel G620 (on Intel S1200KP motherboard) :Frequency (MHz): 2600 :L1 cache: 64 KB (code) / 64 KB (data) :L2 cache: 512 KB :L3 cache: 3072 KB : :The cache numbers are very different on these CPUs. :(both boards are mini-itx and have dual intel gigabit nics) : -- There are very few personal problems that cannot be solved through a suitable application of high explosives.
Re: OpenBSD's webpage desing
>If you guys are serious about anything, go look at ports-readmes. > >It does extract information from the ports tree, and creates readmes for >all ports. > >Currently, it's a static port. It could very well be a dynamic application. > >You can experiment with css, you can experiment with nginx. > >Preferably, don't add large dependencies (python or ruby out of the question), >write it as a perl fcgi or something, you can use Plack or Catalyst or >whatever. If you're considering dynamic pages (which I'm not advocating) you may want to consider Lua. It's tiny, fast, easy to sandbox security & memory-wise, had stable syntax over-time and its manual is a K&R-thin 100 pages. Unlike most languages it's meant to be embedded into existing code rather than run stand-alone; its 3rd party library is minuscule and optional. Wikipedia's switching to Lua for their templates, other famous users are nmap, wireshark, snort, openwrt, world of warcraft & crysis. Obviously if maintainers' know-how is overwhelmingly perl then it's not worth it. /my 2 cents of a Peseta - no language flame war pls. -- p
Re: OpenBSD's webpage desing
>Peter Laufenberg [open...@laufenberg.ch] wrote: >> >> I'm willing to indirectly donate to OpenBSD by paying a professional graphic >> designer to redo parts of OpenBSD's visual design. His portfolio: >> >> www.flexstudio.ch >> >> Richard is a very good friend but still your typical starving artist with >> bills to pay. I did this before for other friends' businesses who loved it. > >As you can imagine, a project full of software developers isn't the best place >to look for advancements in graphic design. WipeOut on Playstation 1. In 1995 Psygnosis UK hired Designers Republic whose portfolio previously included crucifixes with barcodes for underground vinyl sleeves. It was a HUGE advancement for graphic design as well as music (Leftfield, Orbital). Apple is full of developers and getting more industrial design praise than Philippe Stark's lemon juicers. Sure you got your wannabe screwups like Ubuntu whatever and Windows 8, but software and art aren't antagonistic. "Software architecture", "elegant code", etc. -- p
Re: OpenBSD's webpage design
>Peter Laufenberg [open...@laufenberg.ch] wrote: >> >> Richard's not a web designer; he's a graphic designer. He put his portfolio >> on blogspot after I commented that downloading a single, enormous PDF kindof >> sucked, and I didn't know of a CMS that didn't suck. >> > >It should go without saying (after everything that's already been said), but >for www.openbsd.org, technical prowess (clean and concise implementation) is >more important than graphic design skills. Agreed. >If they can't do both, then a new template isn't even worth attempting. Disagreed. Compare the dispatching of tasks in OpenBSD itself; there are different experts for different areas. Vertical vs horizontal. Anyway I'm done with this thread; Ted put it quite clearly. I don't have a major problem with the web site other than I almost dismissed OpenBSD because the site and docs feel 10 years old. Free- and NetBSD looked much nicer but after I saw actual usage stats I gave OpenBSD a 2nd look and forced myself past the floppy/tape references and found OpenBSD's philosophy which just made sense. In other circumstances I might have missed OpenBSD entirely, so I instinctively don't like those red herrings, but I really don't know if more public attention would make OpenBSD a better system. Linux's example seems to show it just goes from bad to worse. -- p
Re: OpenBSD's webpage design
>Peter Laufenberg wrote: >> >> Speaking personally, I wouldn't mind if OpenBSD's website were >> >> updated. Just no one has volunteered yet to do the dirty work of >> >> actually coming up with a functional design and then updating the >> >> HTML. >> >> >> >> Talk is cheap. >> >> I'm willing to indirectly donate to OpenBSD by paying a professional graphic >> designer to redo parts of OpenBSD's visual design. His portfolio: >> >> www.flexstudio.ch > >Since this is a friend of yours, I'll refrain from commenting about that >design. Richard's not a web designer; he's a graphic designer. He put his portfolio on blogspot after I commented that downloading a single, enormous PDF kindof sucked, and I didn't know of a CMS that didn't suck. Web design, graphic design, UI functionality (like smartphone formatting), back-end functionality (like better formatting of man pages) are all different things. There's also industrial design, interior design, architecture, urbanism, and so on. -- p
Re: OpenBSD's webpage desing
I agree 100%; the 1st question an artist would ask is "what are you trying to accomplish?" If you don't want more OpenBSD users/contributors and really the message is "piss off, nothing to see here, we're fine as is, leave us alone", then the current web site as well as references to floppies and tapes in the docs are spot on. Seriously. -- p >On 06/27/12 17:58, Peter Laufenberg wrote: >>>> Speaking personally, I wouldn't mind if OpenBSD's website were >>>> updated. Just no one has volunteered yet to do the dirty work of >>>> actually coming up with a functional design and then updating the >>>> HTML. >>>> >>>> Talk is cheap. >> >> I'm willing to indirectly donate to OpenBSD by paying a professional >> graphic designer to redo parts of OpenBSD's visual design. >... > >No, this is the wrong direction. >A good graphic designer is about as rare as a good programmer, but >that's not what the website is about (and yes, a bad graphic designer is >about as common as a bad programmer). However, I don't know any graphic >designers who understand our goals and needs, and I can't imagine >it...it's kinda like asking a concert pianist for advice on designing a >chop saw. Technically, there's no reason a concert pianist couldn't be >an expert on chop saws, but it is the kind of thing I'd kinda hope they >would keep their hands really far away from, as it could really >interfere with their primary occupation. > >OpenBSD is not trying to SELL anyone anything. IF you chose to come to >OpenBSD, we wish to provide you information on using it, through many >possible tools and mediums. > >If someone comes to the OpenBSD website and walks away because of its >"desing", that's good. If someone becomes an OpenBSD user BECAUSE of >its "desing", I really think that's bad. > >> Graphic design is about communication, it's a means to an end, >> whatever gets in the way is a problem. Why you fail to get your >> message across doesn't matter -- OpenBSD's current anachronistic >> design or Wired-mag type sensory overload. > >Other than "boring", no one has actually STATED a problem of the OpenBSD >website. What message are we not getting across? If there is a PROBLEM >you see that makes getting its information to you difficult, please >state it and indicate what could be done better. i.e., saying, "what >you did to the faq/index.html page for this release makes no sense to me >as I'm blind and using a screen reader" would be constructive and useful >(and I have no freaking idea what to do about it, and in fact, I've just >made myself feel really guilty, as if someone WERE to say that to me, I >don't want to undo it...) > >And really, if the website is about showing the product, what better >could it be than "boring"? Exciting to install? nope. Rushes to do >emergency upgrades because of yet another vulnerability? nope. Exciting >website? nope. Fits, eh? :) > >Nick.
Re: OpenBSD's webpage desing
>TLDR: It's not your place to tell others what they like. Am I? It's not about one individual likes, it's about whether your messages reaches a majority of your audience. Most of the filtering is subconscious and immune to fashion btw. >On 28 June 2012 07:59, Peter Laufenberg wrote: >> It took me _years_ to understand and respect that graphic design >> isn't all that subjective, that it's a craft, with harmonic rules similar >> to music > >Maybe it does, but your comment sounds awfully like many other >designer's wa-wa, emitted when people simply _don't >like_ their creations No it doesn't. However, your "wahhh-wahhh" comment sounds like you think it's all BS anyway. >A good example is the fixed-width websites that someone else >mentioned earlier in the thread. Setting up sites like this takes >away a user's choice for no obvious gain, except perhaps some >laziness on the designer's part. Users might want their content >wider for lots of reasons... such as, perhaps, displaying large >text to aid the vision-impaired. Or they might be viewing it on >a small screen, eg. smartphone... > >Do you think that if the reader finds reading to be optimal at a >particular column width, that said reader may well adjust their >browser window to suit? I never spoke of fixed-width or any technical restrictions; those are set by whoever emits the message, not the designer. -- p
Re: OpenBSD's webpage desing
>On Wed, Jun 27, 2012 at 5:29 PM, Peter Laufenberg >wrote: >> I'm willing to indirectly donate to OpenBSD by paying a professional graphic >designer to redo parts of OpenBSD's visual design. His portfolio: > >that would be cool to presence as a bystander No te entiendo tío! >pay the dude regardless of what anybody says, and have him send the >patches to a public mailing list Maybe if this community wasn't so resistant to change (justified or not). >would've been even more interesting if you told nobody that he was >getting payed for the patches Truth is simpler. -- p
Re: OpenBSD's webpage desing
>> Speaking personally, I wouldn't mind if OpenBSD's website were >> updated. Just no one has volunteered yet to do the dirty work of >> actually coming up with a functional design and then updating the >> HTML. >> >> Talk is cheap. I'm willing to indirectly donate to OpenBSD by paying a professional graphic designer to redo parts of OpenBSD's visual design. His portfolio: www.flexstudio.ch Richard is a very good friend but still your typical starving artist with bills to pay. I did this before for other friends' businesses who loved it. >No one is EXPECTING quality diffs, for our definition of "quality", and >therefore, waiting would be silly. But...if someone shows us something >that is a REAL improvement and not just window dressing, or moving stuff >for the sake of moving stuff, I'm sure we'd look at it. Graphic design is about communication, it's a means to an end, whatever gets in the way is a problem. Why you fail to get your message across doesn't matter -- OpenBSD's current anachronistic design or Wired-mag type sensory overload. Gimmicks like CSS, Javascript, Flash or whatever are a problem more often than not. Richard will argue that more than one color, in addition to black & white, is a distraction (and that Vision Street Wear copied the Swastika). It took me _years_ to understand and respect that graphic design isn't all that subjective, that it's a craft, with harmonic rules similar to music, and that a programmer has as little credibility questioning his skill than him questioning mine. There's a ~5% window I can argue why something he did is counter-message but for the rest it takes me a few days to realize I'm wrong, he's right, a fucking genius in fact. I'm not going to argue the point with anyone; if you think beauty counters functionality I say "iPod click-wheel" or that "opinions are like assholes; everybody has theirs" then you're looking up your own :) -- p
Re: 5.2-beta doesn't exit X and doesn't switch consoles
On 2012 Jun 27 (Wed) at 06:28:06 +0200 (+0200), Tomas Bodzar wrote: :$ dmesg | grep vga NEVER EVER do this. ALWAYS show the full dmesg. -- Boren's Laws: (1) When in charge, ponder. (2) When in trouble, delegate. (3) When in doubt, mumble.
Working Inexpensive UPS
I need a ups for a small VIA motherboard powered firewall, just enough to shut it down orderly. I been unsuccessful in getting my Tripplite OmniV working. What small ups's are working with openbsd 5.1? Thanks in advance      Peter                                               partsm...@weirdwater.org <- Do not Use Â
Re: Hardware/System Question
>On 2012-06-22, Michał Markowski wrote: >> I can recommend this one: >> http://www.parkytowers.me.uk/thin/hp/t5135/index.shtml >> Other HP thin clients should be ok as well. > >They don't appear to be cheap enough to counteract the fact that >performance/spec is probably best described as "optimized for running >as a terminal service client", looks like something a bit newer like >an eee box is only a little more expensive (and comes with a hard drive..) EeePCs and EeeBoxes have an ExpressGate/Splashtop remote BIOS. Not that other BIOSes are necessarily cleaner but this one's a stinker for sure. -- p
Re: Hardware/System Question
> I'm looking for a small system that I can run ftp, web, personal mail and >maybe a build enviroment. I say small system only due to space requirements. >A normal desktop computer or small would work well. This is one that I was >looking at but not sure if it would be i386 since it is an embedded chip. Or >if it would lack the abillity to do what I'm asking. > >http://soekris.com/products/net6501.html >and the net5501. Those seem overkill for ftp/web/mail and underpowered for build, which are wildly different requirements (and bad idea to combine). You can get a cheap Alix for the server part, I'm looking at a Gigabyte GA-H61N-USB3 to build a Mac Mini-like dev box. -- p
Re: ASUS E35M1-M PRO Fusion AMD E-350 APU
>I used a brand new ASUS motherboard I referred to in the subject with the AMD
>Fusion APU and associated chipset(s) with OpenBSD 5.1 i386. This ran well for
>a few days but ultimately dropped to ddb> repeatedly when i copied several
>gigabyte of files from one SATA disk to a softraid mirror of two sata disks.
>All disks were attached to the onboard SATA ports.
>
>One odd thing I noticed was that the reported memory was a) different than the
>8GB installed (I'm running i386, not amd64), and that it fluxuated in top. In
>the dmesg below real mem = 2814578688 (2684MB). I would expect ~3.3GB to show
>up if PAE were not enabled and for 4GB to show up if PAE were enabled.
The model page on asus.com mentions a "brand new UEFI" BIOS, though the UK page
mentions only EFI. Either way they tout a number of smart real-time resource
adjustments; maybe it's eating from your (ample) memory.
># dmesg
>OpenBSD 5.1 (GENERIC.MP) #188: Sun Feb 12 09:55:11 MST 2012
>dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
>cpu0: AMD E-350 Processor ("AuthenticAMD" 686-class, 512KB L2 cache) 1.61 GHz
>cpu0:
>FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,NXE,MMXX,FFXSR,LONG,SSE3,MWAIT,SSSE3,CX16,POPCNT,LAHF,SVM,ABM,SSE4A,WDT
>real mem = 2814578688 (2684MB)
>avail mem = 2758422528 (2630MB)
>mainbus0 at root
>bios0 at mainbus0: AT/286+ BIOS, date 06/16/10, SMBIOS rev. 2.6 @
There's a 2011-12-09 BIOS update.
-- p
Re: OpenBSD as IPv4+6 gateway
>On 6/21/12 7:52 PM, Mark Felder wrote:
>> On Thu, 21 Jun 2012 18:39:24 -0500, Rod Whitworth
>> wrote:
>>
>>> It is not a "school of thought" - it is how it is. I have seen one /126
>>> out in the wild but it is very lonely.
>>
>> I work at an ISP/datacenter. We use /126s for the link net. Handing out
>> /64's "because you can" is stupid in my worthless opinion :-)
>>
>
>They don't do it because they like you or are acting responsibly now,
>but because they need to find a different way to lock you in.
>
>(snip)
>
>But look at the real reason why /126, or /96, or /120 are given in
>Europe a lots specially by France Telecom for example it's not because
>they are so brilliant, but that's their way to lock you in with them and
>not make it easy for you to renumber and if you ever had to do this for
>many computers and multiple subnet, and all, you know what I am talking
>about. No one is looking forward to that and in many cases, company do
>not change ISP because of that simple fact.
Well let me brighten your week-end by putting your French woes in perspective
with Spain's, btw unrelated to any financial crisis. There is no IPv6;
everybody is "working on it" and acting real busy but really has no fucking
clue about IPv6 or 4.
I lost about 5 months' work last Fall because my ISP silently started handing
out "junk" IPv4 addresses from a previously unassigned block. Some routers
(Ciscos and others) had them in a hardcoded blacklist and replied with
counter-measures that'd light up Linux's oh-so-helpful security modules like a
Christmas tree they'd take my whole LAN down, over and again. I spent the
whole time studying the Linux kernel until I switched to OpenBSD. My LAN's
safe now but my connection's still shit.
Despite being Spain's 3rd largest city, Valencia has only two ISPs:
Telefónica, the former state monopoly turned private monopoly, and Ono a
cable operator. When the govt deregulated telecoms they privatised those fat
tax-paid tubes as if they didn't contain 99% air / 1% fiber but water or gas.
When Ono laid its cables it had to get city hall permits to close streets and
dig up pavement.
Every other ISP uses Telefónica's _service_ (not tubes or cables); RJ45 wall
socket, installation receipt and modem are Telefónica's; you just get a
different logo on your bill. The only funny parts are those ISPs' tech support
"rain dance", since they can't do anything about it, and Telefónica's CEO
insulting EU regulators for stifling innovation after paying the yearly fine.
Now Ono is out of cash and put a freeze on any new cabling at any price,
however outrageous ("supply/demand?" Nope). Colt UK's Spanish subsidiary
offered me symmetrical 4 mbps with a 3-year contract for 18'000 Euros... using
Telefónica's rusty cables for the last mile. Before I told them to fuck off
they assured me they'd "turn on the IPv6 box-thingy" by the end of the year,
but if I blew someone they _might_ get me in their VIP beta-test sooner.
So, you don't need customer lock-in when the country's one giant jail.
Bonne fin de semaine,
-- p
Re: Learning C Programming
On Fri, Jun 22, 2012 at 07:55:18AM +0200, Otto Moerbeek wrote: > > Yes, it's a very tough book. > > I have had a similar experience. > Wel, reading an answers book does not really help. Arriving at the > answers yourself (wich requires effort indeed) is much better. Agreed, the answer book is cheating yourself. One may be better off reading someone elses code. > A mentioned in the preface, K&R requires some knowledge about general > programming concepts and/or access to someone with experience. And it > requires real study, not just causal reading, as others have said > before. This is interesting "K&R requires some knowledge about general programming concepts", I couldn't agree more considering how I struggled with K&R. Perhaps though not only general programming concepts but general computing concepts as well? I have a book from Tanenbaum that I wish I had read before I tried the others. Perhaps something like Tanenbaum's Modern Operating Systems, could pave the way to easier understanding. Because how can you visualize pointers when you can't visualize how a process looks like, or how memory address translation is used between kernel and userland? Idealy something like that is combined together in a book but I haven't found one like it. > I'm probably biased, I learned C the hard way: I only had access to > the reference manual part of the 1st edition, a long long time ago, > must have been 1985. That reference manuals was about 30 pages > (somehat smaller than the reference manual in the 2nd ed). You turned out alright and wrote some awesome code. :-) > If you find K&R hard, still be sure to return to it after you feel > more confortable with C. C is a small language. K&R could not have > said it better in the preface to the 2nd ed: "C is not a big language, > and it is not well served by a big book". While it is a small book > they not only teach the language itself, but a lot about style, > standard idiom and general approach of writing C. When someone is done with K&R and they liked the little algorithms perhaps it's time to go to the next good book "The Practice of Programming" by Kernighan and Pike. This one was recommended to me and whatever someone recommends to me I buy. I too like that book. > As often, a small book might require more effort, but in the end is > more effective. > > -Otto Well said. -peter
macppc will it survive?
Hi, Since deraadt mentioned the names of people who left to bitrig and I'm wondering what will happen to the macppc port? Is it going to go the route of the mac68k port too? I saw some commits earlier on it so that got my hopes up... I have a G4 Cube running OpenBSD/macppc and it has a lifetime of another 2 years or so despite being 11 years old. Its benefit is it's low watt draw (35 watts) and its silence no fans. I replaced its hd with an ssd so it doesn't hum. I sleep beside it iow. -peter
Re: OpenBSD forked
>On Tue, Jun 19, 2012 at 10:58 PM, Jay Patel wrote: >> Hi all users, >> >> I am users too. Thanks cody. I am learning C too. from "C primus >> plus" any thoughts from devs. which we should read? > >Udacity.com had a good python class. Intro, from zero background, to >writing a mini-google (crawler + indexer) in 7 weeks. Apparently the >original form of duckduckgo (or another search engine) was written in >one page of python. WTF? Python must be the best way NOT to learn anything about C. -- p
Re: OpenBSD forked
>On Tue, Jun 19, 2012 at 10:58 PM, Jay Patel wrote: >> Hi all users, >> >> I am users too. Thanks cody. I am learning C too. from "C primus >> plus" any thoughts from devs. which we should read? > >Udacity.com had a good python class. Intro, from zero background, to >writing a mini-google (crawler + indexer) in 7 weeks. Apparently the >original form of duckduckgo (or another search engine) was written in >one page of python. WTF? Python must be the best way NOT to learn anything about C. -- p
Re: OpenBSD forked
geez, it's a /segway/ -- p >Dont steal the thread. >On Jun 18, 2012 9:55 AM, "Peter Laufenberg" wrote: > >> speaking of stuck CAPSLOCK, anyone else having DEL/INS problems on US >> keyboards w/ Euro key on 5? They're cheapo USB Dell manufactured by >> Logitech. Tweaking wscons flags didn't help (not running X11); should I >> remap keys individually? >> >> -- p >> >> >NO. GPL IS COUNTER-PRODUCTIVE TO TRUE FREE SOFTWARE. >> >YES, I KNOW I AM SHOUTING. PLEASE EDUCATE YOURSELF >> >ABOUT THE PERVERTED GOALS OF THE FSF. >> > >> >On Mon, Jun 18, 2012, at 02:55 PM, Indunil Jayasooriya wrote: >> >> > Their work getting rid of GNU stuff will, inevitably, affect OpenBSD >> (if >> >> > they succeed at that anyway). >> >> > >> >> >> >> Hmm, I personally prefer BSD Style licence. For me, BSD Philosophy >> >> has >> >> much more freedom. NOT Copyleft. ( I love it very much ) I'd like to see >> >> more BSD style stuffs coming in. >> >> >> >> anyway GPL is also doing a good job in the world of Open Source. >> >> >> >> >> >> >> >> >> >> >> >> >> >> -- >> >> Thank you >> >> Indunil Jayasooriya
Re: Story behind PCC's removal?
On 2012 Jun 18 (Mon) at 17:16:25 + (+), Aaron W. Hsu wrote: :lack of maintainer That is exactly the case. Nobody actually did the work make it rock our socks. -- Shaw's Principle: Build a system that even a fool can use, and only a fool will want to use it.
Re: OpenBSD forked
speaking of stuck CAPSLOCK, anyone else having DEL/INS problems on US keyboards w/ Euro key on 5? They're cheapo USB Dell manufactured by Logitech. Tweaking wscons flags didn't help (not running X11); should I remap keys individually? -- p >NO. GPL IS COUNTER-PRODUCTIVE TO TRUE FREE SOFTWARE. >YES, I KNOW I AM SHOUTING. PLEASE EDUCATE YOURSELF >ABOUT THE PERVERTED GOALS OF THE FSF. > >On Mon, Jun 18, 2012, at 02:55 PM, Indunil Jayasooriya wrote: >> > Their work getting rid of GNU stuff will, inevitably, affect OpenBSD (if >> > they succeed at that anyway). >> > >> >> Hmm, I personally prefer BSD Style licence. For me, BSD Philosophy >> has >> much more freedom. NOT Copyleft. ( I love it very much ) I'd like to see >> more BSD style stuffs coming in. >> >> anyway GPL is also doing a good job in the world of Open Source. >> >> >> >> >> >> >> -- >> Thank you >> Indunil Jayasooriya
Re: OpenBSD forked
On Sun, Jun 17, 2012 at 12:24:38PM -0600, Theo de Raadt wrote: > make of it what you will. > > it's too stressfull. perhaps i should become an ex-OpenBSD > developer too, those people seem to have much more glamourous > lives... Having followed OpenBSD for quite some time I noticed that good developers come and go. They come in, make something great happen, and disappear again. Also there have been forks and I also noticed that no fork gets a light judgement. Rightfully so. And then I always appreciated the permanent element in OpenBSD that guides our attention to areas we as users and sideliners don't always see immediately. I'll keep buying CD's when available and I do donations here and there when I feel like it, and I don't regret it. If I were you I'd stay for as long as the salary is good and if there is more money to go around employ some people in Calgary or something. Made in Canada is great! I just can't see you working for google or microsoft :-P. -peter
Re: OpenBSD forked
>Funny thing is, I've never been upset about the 20+ OpenBSD and >ex-OpenBSD developers who now work for google. Do they still work on OpenBSD and contribute back? -- p
VU#649219 and Bitrig
Just a fyi, or maybe a starting of a discussion: 1) http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=649219&SearchOrder=4 SYSRET 64-bit operating system privilege escalation vulnerability on Intel CPU hardware Does someone can prove that OpenBSD amd64 is not affected?? 2) https://www.bitrig.org/index.php?title=FAQ A NEW OpenBSD fork! Will OpenBSD profit from this project?? :) Have a nice day!
Re: Solid state disk geometry
>On Tue, 12 Jun 2012 18:31:38 +0200 >Peter Laufenberg wrote: > >> >Some SSD controllers use compression > >I wonder if they use the average compression ratio to boost advertised >capacity? Define "average" :) Nah that'd be too obvious given SSDs are often used for video editing. Manufacturers are happy with the "kilo" fineprint on box stickers but who cares. -- p
Re: pfsync/carp causing large number of network errors
Myles Merrell writes: > Recently, we noticed all of our network traffic inside the > firewall slowed down to the point where it was difficult to access anything. > After some nosing around we noticed that f2, the em2 interface which is using > CARP pfsync, was causing an extremely large amounts of errors, essentially > choking out the rest of the network traffic. possibly dumb question but better eliminate the obvious: you did set up a separate network for the pfsync traffic? my next thought is that large numbers of errors on a specific interface tends to point to a hardware problem, either the card itself, the cables involved or the switch port. - P -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/ "Remember to set the evil bit on all malicious network traffic" delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: Solid state disk geometry
>On 2012-06-12, Peter Laufenberg wrote: >>>On 06/11/12 19:25, Jens A. Griepentrog wrote: >>>> Let me know, please, whether it makes sense to modify disk geometry >>>> for solid state disks? >>> >>>If you knew what physical block size your SSD worked with, you might -- >>>MIGHT -- see some benefit using that, but the 4k offsets seem to work >>>just fine. I doubt you would feel any difference... >> >> Intel's answer about X25 SSDs' erase block size on their support forums is >> pretty much "fuck off". > >Some SSD controllers use compression, so even if you have details >of flash block sizes you can't make any calculations about partition >alignment based on them. The _erase_ block size surely is power of 2 and fixed. Even if the controller uses some elaborate Russian doll blocks, any formatting recommendation would be better than Intel's verbatim "we don't disclose that". It's a policy decision; they ship some bloatware Windows7-only extension. I don't know if other manufacturers are such pricks they won't tell you how to best use their hardware, I know my next SSD won't be from Intel. -- p
Re: Solid state disk geometry
>On 06/11/12 19:25, Jens A. Griepentrog wrote: >> Let me know, please, whether it makes sense to modify disk geometry >> for solid state disks? > >If you knew what physical block size your SSD worked with, you might -- >MIGHT -- see some benefit using that, but the 4k offsets seem to work >just fine. I doubt you would feel any difference... Intel's answer about X25 SSDs' erase block size on their support forums is pretty much "fuck off". -- p
Re: setsockopt question
On Mon, Jun 11, 2012 at 12:16:28PM -0400, Simon Perreault wrote:
> On 2012-06-10 11:26, Peter J. Philipp wrote:
> >+if (setsockopt(udp[i], IPPROTO_IPV6,
> >+IPV6_HOPLIMIT,&on, sizeof(on))< 0) {
>
> s/IPV6_HOPLIMIT/IPV6_RECVHOPLIMIT/
>
> RFC 3542 for more info.
>
> Simon
Awesome, it works now! Thank you!
-peter
Re: About wine ?
>On Mon, Jun 11, 2012 at 3:49 PM, Peter Laufenberg >wrote: >> Qemu seems like a good project given the flack it gets on wikipedia (very >> Cartesian, I know), how well can it run on OpenBSD? what's holding it back? >> which kernel improvements/patches will help? if all VM is counter-security, >> why? Where do we come from and is there life after death? I demand to know. > >Qemu is fine on OpenBSD, but slow, because for some time already it's >without KVM in OpenBSD. Probably one of the reasons for www.bitrig.org I see. Lofty goals with a questionable fork rationale. Maybe removing doc references to floppies and tapes would improve the "modernity" perception. >From Jiri: >Why don't you first search archives? - digressions into exotic sports cars? - marketing plugs? - out of date? -- p
Re: About wine ?
>On Mon, Jun 11, 2012 at 10:35:50AM +0800, z_axis wrote: >> I know wine port has been stopped. I wonder whether or not it is >> applicable to port wine to OpenBSD ? >> Wine works great on FreeBSD, why cannot it run on OpenBSD ? > >Somebody has to resolve the issues in the code :) > >Take it from ports in Attic, IIRC. If you need Windoze, install >an ESXi box and voila. I personally don't care for WINE but would really like to know more more about virtualization options on OpenBSD hosts; VirtualBox is the only reason I need to keep some Debian hosts around (that and my secret crush on Larry Ellison). F.ex. compat_linux is x86-only and it's not clear how it plays with chroot, which I know is imperfect, but saying "it can run Linux Skype!" without some sandboxing doesn't seem too safe. Qemu seems like a good project given the flack it gets on wikipedia (very Cartesian, I know), how well can it run on OpenBSD? what's holding it back? which kernel improvements/patches will help? if all VM is counter-security, why? Where do we come from and is there life after death? I demand to know. -- p
setsockopt question
Hi,
I was reading through the ip6(4) manpage and I thought it'd be a cute idea to
put the example code into my dns daemon. So I took my latest source found at
http://wildcarddns.cvs.sourceforge.net/wildcarddns/
and applied this patch:
--- main.c.orig Sun Jun 10 17:13:31 2012
+++ main.c Sun Jun 10 17:13:34 2012
@@ -453,8 +453,13 @@
#endif
syslog(LOG_INFO, "setsockopt: %m");
}
+ } else if (res->ai_family == AF_INET6) {
+ if (setsockopt(udp[i], IPPROTO_IPV6,
+ IPV6_HOPLIMIT, &on, sizeof(on)) < 0) {
+ syslog(LOG_INFO, "setsockopt: %m");
+ }
}
-
+
ident[i] = bind_list[i];
/* tcp below */
@@ -611,8 +616,15 @@
#endif
syslog(LOG_INFO, "setsockopt: %m");
}
+ } else if (pifap->ifa_addr->sa_family == AF_INET6) {
+ on = 1;
+ if (setsockopt(udp[i], IPPROTO_IPV6,
+ IPV6_HOPLIMIT, &on, sizeof(on)) < 0) {
+ syslog(LOG_INFO, "setsockopt: %m");
+ }
}
+
ident[i] = pifap->ifa_name;
if ((tcp[i] = socket(pifap->ifa_addr->sa_family,
SOCK_STREAM, IPPROTO_TCP)) < 0) {
@@ -2673,8 +2685,22 @@
ttlptr = (int *)
CMSG_DATA(cmsg);
received_ttl = (u_int)*ttlptr;
#endif
- break;
}
+
+#ifdef __OpenBSD__
+ if
(cmsg->cmsg_level == IPPROTO_IPV6 &&
+ cmsg->cmsg_type ==
IPV6_HOPLIMIT) {
+
+
if (cmsg->cmsg_len !=
+
CMSG_LEN(sizeof(int))) {
+
syslog(LOG_INFO, "cmsg->cmsg_len == %d", cmsg->cmsg_len);
+
continue;
+
}
+
+
ttlptr = (u_char *) CMSG_DATA(cmsg);
+
received_ttl = (u_int)*ttlptr;
+ }
+#endif /* __OpenBSD__ IPV6 */
}
if (rflag) {
I'm sad to report that it didn't work. I got setsockopt errors looking like
so:
Jun 10 17:03:37 uranus wildcarddnsd[27884]: restarting on SIGHUP
Jun 10 17:03:37 uranus wildcarddnsd[23411]: starting up
Jun 10 17:03:37 uranus wildcarddnsd[11938]: opening configfile
"/etc/wildcarddns.conf", device: /dev/wd0a, inode: 78749, ctime: 1320681296
Jun 10 17:03:38 uranus wildcarddnsd[11938]: setsockopt: Protocol not available
Jun 10 17:03:38 uranus wildcarddnsd[11938]: skipping interface enc0
Jun 10 17:03:38 uranus wildcarddnsd[11938]: setsockopt: Protocol not available
Jun 10 17:03:38 uranus wildcarddnsd[11938]: setsockopt: Protocol not available
Jun 10 17:03:45 uranus wildcarddnsd[11938]: request on descriptor 33 interface
"em1" from 2a01:4f8:d13:1980::2000 (ttl=0, region=255) for "centroid.eu."
type=ANY(255) class=1, answering "centroid.eu."
Notice the "Protocol not available" errors. I'm wondering if there is
something I'm doing wrong that someone can spot right away. Let me know, I'd
be grateful!
-peter
Re: Ways to handle DNS amplification attacks with OpenBSD
Kostas Zorbadelos writes: > there is a need to restrict a specific type of DNS queries (ANY queries) > in our nameservers. We faced a DDoS attack in our resolvers and the > thing is that we could not simply cut access to DNS resolution to > specific client IPs, the queries came from our own unsuspecting > customers. My first impulse when reading the sans diary item was to rate-limit, possibly via the overload table mechanism, and if not blocking them outright perhaps put the DNS requests from the overloads in a minimal-bandwidth queue. That may or may not be appropriate to your context, and I suspect detection may be the main priority. While string matching in PF is not an option, I vaguely remember snort users coming up with patterns to match earlier DNS tomfoolery, so there's a chance you may be able to get useful info and possibly even a working snort setup to deal with this one. -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/ "Remember to set the evil bit on all malicious network traffic" delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: PHP issue with native Apache and ProxyPass
>I wanted to proxyfy another WordPress instance, running on a remote OpenBSD >5.1 installation. >So far, the remote installation works like a charm. > >But when I configure the reverse-proxy, URL with PHP files and variables >aren't managed properly. > >The remote website is located on http://192.168.0.28:80/ (DocumentRoot is >/var/www/htdocs). >The proxy directives I set up are: > ProxyPass /test/ http://192.168.0.28:80/ > ProxyPassReverse /test/ http://192.168.0.28:80/ >(I modified WordPress so that it publishes itself as >https://www.tumfatig.net/test/) > >Working URLs look like: > https://www.tumfatig.net/test/wp-content/themes/twentyeleven/style.css > https://www.tumfatig.net/test/wp-includes/css/admin-bar.css?ver=20111209 > https://www.tumfatig.net/test/wp-includes/wlwmanifest.xml > https://www.tumfatig.net/test/xmlrpc.php >Any such URL doesn't work: > https://www.tumfatig.net/test/xmlrpc.php?rsd > >The proxy log says: > [Wed Jun 6 10:58:31 2012] [error] [client 82.241.119.38] File does not > exist: >proxy:http://192.168.0.28/xmlrpc.php?rsd > >The Web navigator says: > > >404 Not Found > >Not Found >The requested URL /test/xmlrpc.php was not found on this server. > > >But, from the LAN and the proxy server itself, running `ftp >"http://192.168.0.28/xmlrpc.php?rsd"` gets the file properly from the 5.1 >server... > >Anyone gets why only PHP files with variable passed are not translated >properly by my configuration ? Maybe because HTTPS isn't port 80? That or the all the junk Javascript WP spews? :) -- p
Re: No audio on auvia0 / "VIA VT8233 AC97"
On 5 June 2012 12:18, Brett wrote: > > doh! I tried that and it does not work for me. Perhaps the connector or > chip is flaky, and the PCI is the way to go. > > I suspect it's the chipset support rather than the connector. Google suggests that it's actually a Realtek ALC653 and there were difficulties getting it working in Linux. See : https://bugtrack.alsa-project.org/alsa-bug/view.php?id=1622
Re: No audio on auvia0 / "VIA VT8233 AC97"
>>Also try 44100 Hz. > >I tried but audioctl will not let me lower the Hz rate below 48000 Hz. Probably the native freq but it's strange it'd interpolate in software. >> >Is there something else I can try before getting a PCI soundcard? >> >> Update BIOS and any other firmware. > >As far as I know, the BIOS is the only firmware existing on this computer. The on-board audio firmware could be embedded in the BIOS. >I'm on BIOS version 210. According to >http://www.asus.com/Motherboards/AMD_Socket_939/A8VMX/#download the 2 BIOS >updates more recent than this one are to "Support new CPUs." I wonder how >accurate this info is (i.e. do they fail to mention other things the BIOS >update achieves...). I'm kind of reluctant to flash the BIOS in case I brick >the beast. Forthcoming technical docs are rare in my experience. Other stuff you can try: measure voltage on your minijacks (or sample from other PC), check any digital audio jumpers, make sure your AMD videocard has no audio out like HDMI, some multimedia-heavy Linux live CD. cheers, -- p
Re: No audio on auvia0 / "VIA VT8233 AC97"
Not 100% sure from the logs but you've got a lot of mixer channels muted, maybe PCM isn't getting amped. Also try 44100 Hz. >I don't have windows available to update bios You probably don't need Windows, just a boot CD like from PE Builder, Ultimate Boot CD, etc. Intel and Dell also have some ISO images you can reuse. >Is there something else I can try before getting a PCI soundcard? Update BIOS and any other firmware. -- p >dmesg, pcidump, mixerctl, audioctl, and mplayer output below all came from >amd64-5.1 and mplayer from packages: > >== > >OpenBSD 5.1 (GENERIC) #181: Sun Feb 12 09:35:53 MST 2012 >dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC >real mem = 1072365568 (1022MB) >avail mem = 1029746688 (982MB) >mainbus0 at root >bios0 at mainbus0: SMBIOS rev. 2.3 @ 0xf0720 (45 entries) >bios0: vendor American Megatrends Inc. version "0210" date 09/05/2005 >bios0: ASUSTeK Computer INC. A8V-MX >acpi0 at bios0: rev 0 >acpi0: sleep states S0 S1 S4 S5 >acpi0: tables DSDT FACP APIC OEMB >acpi0: wakeup devices PCI0(S4) PS2K(S4) PS2M(S4) UAR1(S4) P7P8(S4) USB1(S4) >USB2(S4) USB3(S4) USB4(S4) EHCI(S4) ILAN(S4) SLPB(S4) PWRB(S4) >acpitimer0 at acpi0: 3579545 Hz, 24 bits >acpimadt0 at acpi0 addr 0xfee0: PC-AT compat >cpu0 at mainbus0: apid 0 (boot processor) >cpu0: AMD Athlon(tm) 64 Processor 3500+, 2200.45 MHz >cpu0: >FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,NXE,MMXX,LONG,3DNOW2,3DNOW >cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line >16-way L2 cache >cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative >cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative >cpu0: AMD errata 89, 97 present, BIOS upgrade may be required >cpu0: apic clock running at 200MHz >ioapic0 at mainbus0: apid 1 pa 0xfec0, version 3, 24 pins >acpiprt0 at acpi0: bus 0 (PCI0) >acpiprt1 at acpi0: bus 1 (P0P1) >acpiprt2 at acpi0: bus 2 (P0P7) >acpiprt3 at acpi0: bus 4 (P7P9) >acpiprt4 at acpi0: bus 3 (P7P8) >acpicpu0 at acpi0: PSS >aibs0 at acpi0: RTMP RVLT RFAN >acpibtn0 at acpi0: SLPB >acpibtn1 at acpi0: PWRB >cpu0: Cool'n'Quiet K8 2200 MHz: speeds: 2200 2000 1800 1000 MHz >pci0 at mainbus0 bus 0 >pchb0 at pci0 dev 0 function 0 "VIA K8M800 Host" rev 0x00 >agp at pchb0 not configured >pchb1 at pci0 dev 0 function 1 "VIA K8M800 Host" rev 0x00 >pchb2 at pci0 dev 0 function 2 "VIA K8M800 Host" rev 0x00 >pchb3 at pci0 dev 0 function 3 "VIA K8M800 Host" rev 0x00 >pchb4 at pci0 dev 0 function 4 "VIA K8M800 Host" rev 0x00 >pchb5 at pci0 dev 0 function 7 "VIA K8M800 Host" rev 0x00 >ppb0 at pci0 dev 1 function 0 "VIA K8HTB AGP" rev 0x00 >pci1 at ppb0 bus 1 >vga1 at pci1 dev 0 function 0 "ATI Radeon VE" rev 0x00 >wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) >wsdisplay0: screen 1-5 added (80x25, vt100 emulation) >radeondrm0 at vga1: apic 1 int 16 >drm0 at radeondrm0 >pciide0 at pci0 dev 15 function 0 "VIA VT8251 SATA" rev 0x00: DMA >pciide0: using apic 1 int 21 for native-PCI interrupt >pciide1 at pci0 dev 15 function 1 "VIA VT82C571 IDE" rev 0x07: DMA, channel 0 >configured to compatibility, channel 1 configured to compatibility >wd0 at pciide1 channel 0 drive 0: >wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors >wd0(pciide1:0:0): using PIO mode 4, DMA mode 2 >pciide1: channel 1 disabled (no drives) >uhci0 at pci0 dev 16 function 0 "VIA VT83C572 USB" rev 0x90: apic 1 int 20 >uhci1 at pci0 dev 16 function 1 "VIA VT83C572 USB" rev 0x90: apic 1 int 22 >uhci2 at pci0 dev 16 function 2 "VIA VT83C572 USB" rev 0x90: apic 1 int 21 >uhci3 at pci0 dev 16 function 3 "VIA VT83C572 USB" rev 0x90: apic 1 int 23 >ehci0 at pci0 dev 16 function 4 "VIA VT6202 USB" rev 0x90: apic 1 int 22 >usb0 at ehci0: USB revision 2.0 >uhub0 at usb0 "VIA EHCI root hub" rev 2.00/1.00 addr 1 >viapm0 at pci0 dev 17 function 0 "VIA VT8251 ISA" rev 0x00: SMI >iic0 at viapm0 >spdmem0 at iic0 addr 0x50: 512MB DDR SDRAM non-parity PC3200CL3.0 >spdmem1 at iic0 addr 0x51: 512MB DDR SDRAM non-parity PC3200CL3.0 >auvia0 at pci0 dev 17 function 5 "VIA VT8233 AC97" rev 0x70: apic 1 int 22 >ac97: codec id 0x414c4761 (Avance Logic ALC655 rev 1) >audio0 at auvia0 >pchb6 at pci0 dev 17 function 7 "VIA VT8251 VLINK" rev 0x00 >vr0 at pci0 dev 18 function 0 "VIA RhineII-2" rev 0x7c: apic 1 int 23, address >00:13:d4:cc:b4:36 >rlphy0 at vr0 phy 1: RTL8201L 10/100 PHY, rev. 1 >ppb1 at pci0 dev 19 function 0 "VIA VT8251 PCIE" rev 0x00 >pci2 at ppb1 bus 2 >ppb2 at pci2 dev 0 function 0 "VIA VT8251 PCIE" rev 0x00 >pci3 at ppb2 bus 3 >ppb3 at pci2 dev 0 function 1 "VIA VT8251 PCIE" rev 0x00 >pci4 at ppb3 bus 4 >pchb7 at pci0 dev 24 function 0 "AMD AMD64 0Fh HyperTransport" rev 0x00 >pchb8 at pci0 dev 24 function 1 "AMD AMD64 0Fh Address Map" rev 0x00 >pchb9 at pci0 dev 24 function 2 "AMD AMD64 0Fh DRAM Cfg" rev 0x00 >kate0 at pci0 dev 24 function 3 "AMD AMD64 0Fh Misc Cfg" rev 0x00 >usb1 at uhci0: US
Re: Large (3TB) HDD support
On 4 June 2012 15:06, Christian Weisgerber wrote: > Peter Kay wrote: > > > GPT is a foregone conclusion unless you are blind to the future. The only > > alternative is OS specific disk hackery, and that does no-one any > favours. > > Well, OpenBSD/i386 (and now /amd64) has used such hackery since the > very beginning and doesn't fare too badly with it. > > Back in the day, I used to run FreeBSD with "dangerously dedicated" > disks that didn't have MBR partitioning at all, just a pure BSD > disklabel. (FreeBSD eventually discouraged/abolished this due to > some BIOSes refusing to boot disks without an MBR partition table.) > > Let's leave aside the boot techie stuff which I included mainly as a interesting (to me) related point. I don't have a particular issue with most of the disk hackery that OpenBSD currently performs, but the key detail is that at least under x86, powermac and sgi platforms [1] it seems to work within the boundaries of the native disk partitioning by using a custom disk format, performing custom partition labelling or using a native partition as a container for a custom format (disklabel inside MBR partition). That strategy tends to co-exist quite nicely with other tools/BIOSes/OSes that might inadvertently read the disk (with the exception of the pure BSD disklabel as you say). That's not the case with storing data outside the 2TB limit enforced by the MBR design. It seems to me it would be more sensible to stick a disklabel inside a new OpenBSD GPT partition type. All the data are successfully protected by a known standard and both the users and disk tools are happy. I'll grant that multiboot is a rare and usually inadvisable configuration (although I'd suggest it's useful on laptops sometimes), but protecting all the data on a uniboot system sounds advisable. GPT's main selling point is that it is superior to MBR if you use > either as your native partitioning scheme. That doesn't apply to > OpenBSD. > > GPT is also useful if you want different operating systems to coexist > on the same disk. For OpenBSD, that's more of a grudgingly tolerated > configuration and not recommended. > > [1] I don't have experience of the other platforms apart than sparc, and that was some time ago.
Re: SMTP server pools at odds with the RFC?
Theo de Raadt writes: > it is still false to say that greylisting wasn't permitted by the > original RFC's. > > it was, and it is. Any reasonable interpretation (IMO) of the relevant parts of RFC5321 and RFC2821 means that greylisting is well within the protocol specs. That did however not stop people from claiming otherwise, and it was a bit disappointing back in 2008 to find that the update did not provide even clearer language. All water under the bridge soonish now, it seems. - P -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/ "Remember to set the evil bit on all malicious network traffic" delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: SMTP server pools at odds with the RFC?
Simon Perreault writes: > Not only is greylisting fine from a protocol point of view (as others > have pointed out), the IETF is also well aware of it. This is about to > become an RFC: > http://tools.ietf.org/html/draft-ietf-appsawg-greylisting That's a marked improvement over what appeared to be the status only a few years back. I still don't quite see why they left the crucial parts of RFC5321 as ambigous as they had been in the predecessor, but a greylisting RFC on the standards track is a very welcome development. - Peter -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/ "Remember to set the evil bit on all malicious network traffic" delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: Large (3TB) HDD support
>On Mon Jun 4 2012 08:16, Peter Laufenberg wrote: >> UEFI has gotten more press, and given RH an opportunity to present >> itself as defender of freedom, but it's really an evolution of PCs >> running black-box code when and where it can do most harm. > >In fact, RH betrayed the OSS community It's not exactly their 1st offence :) >They probably say, it's only 99 dollars, so what? $99 is too little, hopefully they'll charge a lot more so they'll break economies of scale while users scramble to avoid Win8 and possibly we'll see mobos without a mind-boggling array of environmental sensors every web browser already wired to javascript. -- p
Re: Large (3TB) HDD support
>On Mon Jun 4 2012 08:16, Peter Laufenberg wrote: >> UEFI has gotten more press, and given RH an opportunity to present >> itself as defender of freedom I meant that sarcastically -- p
Re: apmd closes/crashes on lid close
dump "xset -q" and "wsconsctl -a", compare working/non-working states, check for possible race condition? -- p >"xset dpms 5 10 15" isn't doing anything either, nor "xset s 4". > >On Sun, Jun 3, 2012 at 11:40 PM, Robert Connolly < >robertconnolly1...@gmail.com> wrote: > >> Sometimes apmd crashes from a system suspend, and sometimes it does not. >> >> Sometimes xidle runs xlock, and sometimes it does not. >> >> Sometimes xlock asks for a password, and sometimes it does not. >> >> Can anyone tell me whether they have all of these working consistently and >> reliably? >> >> They were not working for me yesterday. This morning it all worked >> perfectly. Hours later, none of it worked.
Re: Large (3TB) HDD support
>Of course, it isn't /quite/ that simple. GPT is still fairly new, and >whilst it's not too difficult to get a number of operating systems to boot >from GPT, sharing a disk has a number of gotchas. Exposing dormant OpenBSD partitions to an untrusted OS is stupid unless you have no other choice like on a single-HDD laptop -- but it's unlikely to be a 3TB HDD. I think docs should actively discourage multibooting and present it as a potential risk rather than a feature so people stop bragging how many OSes they crammed on a single disk. Most live-CD firmware updates should also be done with the OpenBSD HDD unplugged. -- p
Re: Large (3TB) HDD support
>> 2012/6/1 Tyler Morgan : >> > http://www.openbsd.org/faq/faq14.html#LargeDrive >> >> That doesn't mention GPT, which is the problem with drives >2TB. >> https://en.wikipedia.org/wiki/GUID_Partition_Table >> >> Can OpenBSD already boot from a 4TB drive on an UEFI system? > >Try to buy systems that don't rely on UEFI. In the next few years, >prepare to buy systems and find out they require UEFI, and then demand >a refund. Prepare for it to get even worse than that. There are already a number of BIOSes out there capable of nasty (or "really cool") stuff pre-OS boot. The BIOS setup page may look like a DOS relic but it doesn't mean it actually is. F.ex. prior to Vista's launch, MS demoed a fullscreen video before any boot code was actually run. UEFI has gotten more press, and given RH an opportunity to present itself as defender of freedom, but it's really an evolution of PCs running black-box code when and where it can do most harm. -- p
Re: Large (3TB) HDD support
Can we please differentiate GPT from EFI. GPT may be part of the EFI specification, but it's a standalone piece - implementing GPT is not going to restrict anyone's freedom to do what they want with a machine. Some possibilities EFI offers are more contentious.. GPT is a foregone conclusion unless you are blind to the future. The only alternative is OS specific disk hackery, and that does no-one any favours. Single disk 2TB+ partitions will not even attract comment inside the next 5 years. Several operating systems out there can happily read GPT disks using a non EFI BIOS (provided it's not necessary to boot from it), and even in the case where it's a GPT disk with a GPT only OS (i.e OS X Intel) on a non EFI BIOS, there are workarounds to get it to boot. Of course, it isn't /quite/ that simple. GPT is still fairly new, and whilst it's not too difficult to get a number of operating systems to boot from GPT, sharing a disk has a number of gotchas. Google is your friend for details here. I can also say, having done it (and the fact it's not easily googleable) that although 'hybrid GPTs' (a GPT disk where the protective fake MBR is hacked to become a real MBR) are frowned upon (there is potential for breakage) it does work and it's even possible to hack in an extended partition (OpenBSD's Fdisk is much better than the alternatives for doing this piece of hackery). It's entirely possible to get a disk sharing OpenBSD, NetBSD, Linux, Vista Windows 7 and OS X without any of them overwriting data from the others. Just be careful. (for clarity, OS X was the only OS using a real GPT partition : everything else was on MBR, despite the fact that Windows 7/Vista SP2 x64 (not 32bit), Linux and NetBSD will boot from GPT partitions with appropriate hackery. Note that IIRC vanilla NetBSD 5.x will need a customised kernel to run from a hybrid MBR on GPT, otherwise it gets confused by the presence of a GPT header. The boot loader was the hackintosh chameleon with Windows 7's partition manager as a slave (very flexible once you get to know it. Use easyBCD))
Re: Thinkpad T60 "sticky touchpad" (amd64/5.1-stable)
>I have a Lenovo Thinkpad T60 amd64 laptop (dmesg below) running 5.1-stable
>(fresh install of -release from the CD set, then CVS update to -stable).
>The touchpad
>
> pms0 at pckbc0 (aux slot)
> wsmouse0 at pms0 mux 0
> wsmouse1 at pms0 mux 0
> pms0: Synaptics touchpad, firmware 6.2
>
>has an irritating problem in 5.1 (which was *not* present on this same
>machine when running 5.0-{release,stable} with X video acceleration
>disabled): When running X (autoconfigured with no xorg.conf), the
>pointer will intermittently jump to and "stick" at either the left side
>of the screen, the top of the screen, or the top left corner.
(snip)
>
>Has anyone else seen this "sticky touchpad" problem?
I've had problems with a synaptics touchpad + USB laser mouse but wasn't using
the touchpad at all. It wasn't stick-related, possibly not X-related, the mouse
would connect/disconnect randomly but it's an old laptop so it's possible the
mouse was just drawing too much power. I haven't investigated the issue further
yet.
-- p
Re: (Kinda O.T.) Digital Millennium Copyright Act used to censor hardware specifications
>On Thu, May 31, 2012 at 11:11, Brett wrote: > >> Pursuant to a rights owner notice under the Digital Millennium Copyright >> Act (DMCA), the Wikimedia Foundation acted under the law and took down and >> restricted the content in question. A copy of the received notice can be > >> Reverse engineering necessary to have open source in the brave new world? > >PCI spec docs (and many others) are copyrighted. Maybe they should be, >maybe they shouldn't, but they are. > >As far as I know, the actual specs cannot be copyrighted (or it's >murky), but knowing wikipedia, somebody probably copied an entire >table from the doc and dropped it into the article. that's a no-no, >and not something I'd find nearly as alarming as "censorship". A DCMA notice is an improvement over the furious clean-up happening behind the scenes. For example: search for "CIPSO", a NetLabel protocol with an IETF RFC, the word appears 1263 times in Linux kernel 3.3. No Wikipedia entry but Linux_Security_Modules links to an ex-entry... without deletion log. Try the "Multi ADM" link on the same page: dead again, no deletion log. Hmm, the page was last edited yesterday. Date of its most recent reference? June 2010. Second most recent? 2006. If you're lucky you can come across "time travel" pages: a days-old edit using future tense to refer to events years in the past. Entrusting the very definition of reality to a bunch of LSD-dropping hippies is JUST NOT RESPONSIBLE :) -- p
Re: ikev2 between openbsd and windows
On Thu, May 31, 2012 at 12:28:47PM +0200, Mike Belopuhov wrote: > > My iked config looks like this: > > > > do you have a "user" specification in your iked.conf? > which user are you trying to authenticate as? > "user" specification occupies a separate line and looks > like that: > > user "username" "password" > > iked can't consult the local password database or radius > or any other authentication service at the moment except > this internal "database". Yes I do have a user entry, right at the top. I didn't think posting it was a good idea. > also, have you tried w/o mschap? you need to select the > "Computerzertifikate verwenden" radio button to turn eap off. I tried that but it had an error, which made me want to try EAP again. > > ikev2 "win7" passive esp \ > > from 172.16.20.0/24 to 0.0.0.0/0 local any peer any \ > > srcid 10.0.0.1 \ > > eap "mschap-v2" \ > > config address 172.16.20.1 \ > > config name-server 212.18.3.5 \ > > tag "$name-$id" > > > > looks fine except of absent of the "user" specification. > i'd ditch the "tag" though as i didn't test it but it shouldn't > affect anything. Hmm. What to do... Any hint on how to debug this best? -peter
Re: ikev2 between openbsd and windows
On Tue, May 29, 2012 at 01:55:45PM +0200, Mike Belopuhov wrote: > On Wed, May 16, 2012 at 17:30 +0400, Pavel Shvagirev wrote: > > 2. Doesn't work EAP mode - Windows stops on "Checking username and > > password" error. Then #13803, 1931... > > Hi, > > Just to mention it for those not following source-changes@ > that there was a bug in the message ID handling that prevented > EAP from working correctly. The fix was committed on Friday. > > Cheers, > Mike Hi, I still can't get it to work. I made two screenshots they are here: http://ipv4.goldflipper.net/private/iked-eap1.jpg and http://ipv4.goldflipper.net/private/iked-eap2.jpg My iked config looks like this: ikev2 "win7" passive esp \ from 172.16.20.0/24 to 0.0.0.0/0 local any peer any \ srcid 10.0.0.1 \ eap "mschap-v2" \ config address 172.16.20.1 \ config name-server 212.18.3.5 \ tag "$name-$id" I installed the iked from the -current source on top of the 5.0 binary I believe these are the right ones because I see your recent timestamp in them: ikev2_msg.c:/* $OpenBSD: ikev2_msg.c,v 1.15 2012/05/30 09:18:14 mikeb Exp $ Any hint on what I'm doing wrong? Sorry the screenshots are in german, Fehler 13843 is Error 13843. I googled for that but wasn't any wiser after. Regards, -peter
Re: realtek 8188ce "not configured"
>Lenovo won't let me replace the Realtek 8188CE mini-pci card that came >with it with another. The hardware refuses to boot with an >"unauthorized network card detected" or somesuch error (brilliant!). > >What are the chances of getting this card working with obsd? :) bios-mods.com has high-wire patches to bypass the whitelist, thinkwiki.org a couple of less risky tricks but I'd just return the laptop. Some Lenovos have the closed-source "Express Gate" BIOS-level remote desktop, w/ GPU encoding so your system load won't even blink. -- p
Re: Plan 9 to OpenBSD (Was Re: OpenBSD in April's issue of the CACM)
I'm not sure what you mean by social but Plan 9 development from Bell is pretty
slow/opaque and the rest of the community scattered and headless. I don't care
for Inferno and Rob Pike unfortunately took a job at Google ("why Rob,
why??":-). Plan 9's file paradigm is great but their 3-button mouse UI is crap.
Security-wise Plan 9 doesn't have any creds, good or bad, but hardware support
without source review is worthless, i.e. "you don't know where that code has
been". OpenBSD's proactive about security and privacy (f.ex autoconfigprivacy
to mask your MAC on ipv6 sockets), pf is unmatched, etc.
The only thing I miss is an X-less framebuffer in OpenBSD even it'd support
just a console and text editor. IMHO X has to die, it's a huge pile of crap.
-- p
>Hi,
>
>Peter Laufenberg wrote on Wed, May 30, 2012 at 07:51:13AM MST:
>> Actually it's this kind of slander that brought me to OpenBSD. While looking
>> for an OS that didn't embrace "Trusted Computing", I came across Theo's
>> wikipedia entry which pounded on him so extensively that it raised a flag.
>> Extra points for the stab from Linus
>> "no-lube-needed/I-can't-feel-a-thing-by-now". Without the slander I probably
>> would have stuck with Plan 9.
>I have been using OpenBSD exclusively for the last 6 months and I really do
>prefer it (both technically and socially) to Linux (which I had used for the
>past 15 years) and FreeBSD (which I used to administer at work). I only
>started learning about Plan 9 over the past few months and I really like what
>I see so far. The one thing that is keeping me from trying to make more use of
>it is the lack of drivers for some of my hardware. I am curious about what led
>you to go from Plan 9 to OpenBSD. Were they technical in nature or social, or
>a little of both?
>
>Thanks,
>
>David
Re: OpenBSD in April's issue of the CACM
>Ad hominem attacks on people they obviously know nothing about Actually it's this kind of slander that brought me to OpenBSD. While looking for an OS that didn't embrace "Trusted Computing", I came across Theo's wikipedia entry which pounded on him so extensively that it raised a flag. Extra points for the stab from Linus "no-lube-needed/I-can't-feel-a-thing-by-now". Without the slander I probably would have stuck with Plan 9. If you care about setting the record straight (or avoid further distortions) I suggest a short "in response to" section on openbsd.org, more reputable publications may pick it up and of course love being able to quote someone else criticising the powerful. Cherry on the cake would be a quip from Berners-Lee on how the Internet would look had he patented HTTP. As for ACM, I dropped my subscription a year ago cause they were wasting my time on the crapper (admittedly quality reading time:) > From: Peter Laufenberg [mailto:pe...@x.com] > Sent: Thursday, August 18, 2011 5:28 PM > To: xx...@acm.org > Subject: Re: Welcome to your second year as an ACM member! > > Hi, > > I would like to unsubscribe from ACM immediately; I understand there may be > remaining months on my last credit card charge. > > My main motive is the wildly uneven quality of CACM articles. F.ex. the one > about home networking explaining what "D-H-C-P" is so it can spawn a dozen > pages. > > Thanks
Re: More bgpd problems
On Tue, May 29, 2012 at 04:21:12PM +, Matt Hamilton wrote: > I will happily supply what I can. Just let me know how. Hello, I've never used BGPd personally but perhaps I can help you get a backtrace. There is quite possibly two ways to get a backtrace. 1. Make BGPD dump core Recompile the bgpd with debugging symbols (CFLAGS+=-g, LDFLAGS+=-g). And install that. Check the directory of the _bgpd user and make the directory writeable for the _bgpd user. If after another crash a bgpd.core file pops up you got it. You can test this by sending bgpd a SIGABRT and if it didn't core something is wrong, see #2. You then type 'gdb /usr/sbin/bgpd bgpd.core' and type backtrace within gdb. Type quit to exit gdb. Keep the bgpd.core file around by saving it to another location as it should overwrite with each subsequent segfault. 2. Attach gdb to the process and wait Recompile the bgpd with debugging symbols (CFLAGS+=-g, LDFLAGS+=-g). And install that. su to root, tmux the session and from within tmux attach to the bgpd process "gdb /usr/sbin/bgpd " once you're attached bgpd will cease running temporarily, just type "continue" (make sure you don't set any breakpoints). You can now wait until bgpd crashes on signal 11. gdb will break back to the debugger command line and you can type backtrace within gdb. Type quit to exit gdb. When you get to it when it crashed you can attach to the tmux session with "tmux att -d" and have before you the gdb command line. Even better than just a backtrace is going up and down the stack to see where the program crashed. Google for gdb commands. 3. Ask someone else who may have better Ideas. > Although as you said in another post > it is hard to replicate. All I seem to be able to see is that this happens > during some period of network instability. It seems that there is a > ripple affect that something happens and that then causes a bgpd > process to die which then propagates more changes to iBGP peers > and they then sometimes die as well. > > -Matt Cheers, -peter
Re: spamd-setup fails from cron
On Tue, May 29, 2012 at 08:24:07AM +0200, Jan Stary wrote: > When I run the same command from the command line, > everything goes fine. Is the cron job run in a more > restricted environment? you could be hitting the 'zero minute rush', where world+dog tries to connect simultaneously. try shifting to a few minutes past the hour and see if that helps. - Peter -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/ "Remember to set the evil bit on all malicious network traffic" delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: spamd greylisting: false positives
In response to various tidbits that popped up in this thread, I put together some notes on setting up a sane email system, in a "works for me" article: http://bsdly.blogspot.com/2012/05/in-name-of-sane-email-setting-up-spamd.html -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/ "Remember to set the evil bit on all malicious network traffic" delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: spamd greylisting: false positives
David Diggles writes: > So there you have it. Don't use spamd with greytrapping if your > secondary MX is going to deliver a bounce. It will confuse SMTP > servers into giving up. Secondary MXes that are not set up to actually receive mail for your domain is one thing (annoying, but just a simple misconfiguration), another thing you need to do is make sure the secondaries have the same or equivalent level of spam and malware protection. That's where things like spamd's syncronization options come in handy. - P -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/ "Remember to set the evil bit on all malicious network traffic" delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: spamd greylisting: false positives
David Diggles writes: >>But why are you synproxying for spamd? > > Why shouldn't I? The synproxy was added way back as a way to protect back ends that were less intelligent about connection setup and IIRC even had one or more known SYN-related vulnerabilities, so we had a way to only pass valid, completed connections. In relation to spamd, it doesn't add any security, but carries with it the slight overhead of the syn proxying. > These guys do in their example. > https://calomel.org/spamd_config.html I'd ask them the same question. It rarely if ever makes sense to pile on options just because they're available. - P -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/ "Remember to set the evil bit on all malicious network traffic" delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: spamd greylisting: false positives
David Diggles writes: > Or did you mean, this breaks spamlogd, rather? > > pass in on egress proto tcp from any to egress \ > port smtp rdr-to 127.0.0.1 port spamd synproxy state > > This is what it was. The logging is on now. The important ones to log are the rules that pass smtp traffic from the members of the spamd-white table (and nospamd if you're using that) plus the one that passes smtp traffic from your real mail server to elsewhere. See the spamd and spamlogd man pages, it's explained there. But why are you synproxying for spamd? - P -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/ "Remember to set the evil bit on all malicious network traffic" delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: Notebook
>I installed VLC, and my webcam works, but my microphone does not seem to be >detected at all. dmesg does not list a usb audio device. What should I do >to investigate this? Is there a better application, other than VLC, for >using a webcam with OpenBSD? Before you install X/KDE, etc., do a vanilla OpenBSD install and read FAQ 13 "multimedia" then test sound from the commandline. >From past experience VLC's docs were way behind implementation (on top of being gigantic) so for debugging it may be the worst application unless you work from source code. -- p
Re: German Government claims to be able to break PGP and SSH
>Peter Laufenberg wrote: > >> My German's rusty but the follow-up article quoting Symantec mentions >> spyware/keylogging, which has been the traditional "technique" used in >> in the past. > >But that's for targeted surveillance. They still cast a wide net: on ccc.de there's a detailed report of one target wanking to phone-sex. >The original article refers >to a bulk grep of 16,400 search terms over 37 million e-mail messages. I just read the PDF, in 2010 they dumped a raw IP stream from which they extracted individual emails (90% spam) in which they searched for words like "bomb". High-tech stuff. The one-sentence answer about PGP has so many qualifiers that only an idiot would read it as a blanket success claim, the gov official was probably puzzled by the question's "half-pregnant" formulation. Golem seem to have buried their story in an embarrassed rush; whoever came up with the title must be flipping BratwC
Re: German Government claims to be able to break PGP and SSH
>car + eimer? ay carambas?!! "Autoeimer", with unlimited strcat() known to overflow students' brains. Yes the "Bundestrojaner". I pictured a fat politician's soggy condom on the back of his doggy-style mistress: "one for the country!" Mild stuff considering German pr0n culture. -- p >On Thu, May 24, 2012 at 10:13 PM, Stuart VanZee >wrote: What do you guys think about the reliability of the news (unfortunatelly in German only) on www.golem.de >>> >>>My German's rusty but the follow-up article quoting Symantec mentions >> spyware/keylogging, which has been the >traditional "technique" used in >> in the past. >>> >>>-- p >> >> Quick, someone, how do you say autobucket in German! >> >> s
Re: German Government claims to be able to break PGP and SSH
>What do you guys think about the reliability of the news (unfortunatelly >in German only) on www.golem.de My German's rusty but the follow-up article quoting Symantec mentions spyware/keylogging, which has been the traditional "technique" used in in the past. -- p
Re: Upgrading OpenBSD
>Outstanding point. The thing is this: With MS >PHP is clearly distinct from the OS. I go get it >from php.org. With BSD I must rely on the >package system. This is taking up a lot of ink; is this a genuine enquiry or a provocation? Search for "Extraneous entries for Visual C++ Standard hotfixes" and ponder the litany of known issues. -- p
A totally meaningless statistics that may serve to cheer you up
It seems that with a boost from the recent http://undeadly.org mention,
the online version of my PF tutorial sped past 120,000 unique visitors
total, with
peter@nerdhaven:~$ grep peter/pf /var/log/httpd/home.nuug.no_log | awk '{print
$1}' | sort | uniq |wc -l
121150
(total # of unique ip addresses/host names hitting somewhere under
http://home.nuug.no/~peter/pf/, with http://home.nuug.no/~peter/pf/newest/
the likely main contributor recently)
and just to produce a meaningless statistic,
peter@nerdhaven:~$ grep -c peter/pf /var/log/httpd/home.nuug.no_log
1916849
for raw # of hits to somewhere in that tree. Here's hoping this produced
at least some CD sales and perhaps the odd book sale.
- Peter
PS Do get your EuroBSDCon submission in, tomorrow's the deadline
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: chromium can't start since two snapshots
Mihai Popescu writes: > I confirm this is happening on i386 too, but I removed the entire > chromium folder and cache. OK, it needs to reconfigure the options ... Here, on amd64, removing only the .config/chromium/SingletonLock did the trick. It would have taken me a while to infer that from the error message, though ;) - P -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/ "Remember to set the evil bit on all malicious network traffic" delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Unuseful error message in BIND 9.4.2-P2
I am putting up OpenBSD 5.1 for the first time and I am getting May 17 11:36:59 mail named[6539]: starting BIND 9.4.2-P2 May 17 11:37:00 mail named[6539]: command channel listening on 127.0.0.1#953 May 17 11:37:00 mail named[6539]: running May 17 11:37:00 mail named[6539]: /usr/src/usr.sbin/bind/lib/isc/unix/socket.c:1218: unexpected error: May 17 11:37:00 mail named[6539]: internal_send: 192.168.209.2#53: Message too long May 17 11:37:00 mail named[6539]: /usr/src/usr.sbin/bind/lib/isc/unix/errno2result.c:111: unexpected error: May 17 11:37:00 mail named[6539]: unable to convert errno to isc_result: 40: Message too long May 17 11:37:00 mail named[6539]: zone 254.168.192.IN-ADDR.ARPA/IN: expired May 17 11:37:00 mail named[6539]: zone xxx.xxx/IN: expired May 17 11:37:00 mail named[6539]: /usr/src/usr.sbin/bind/lib/isc/unix/socket.c:1218: unexpected error: May 17 11:37:00 mail named[6539]: internal_send: 192.168.209.2#53: Message too long May 17 11:37:00 mail named[6539]: /usr/src/usr.sbin/bind/lib/isc/unix/errno2result.c:111: unexpected error: May 17 11:37:00 mail named[6539]: unable to convert errno to isc_result: 40: Message too long I have hid the domain name with xxx.xxx. I am building the system as a firewall and the eithernet card with sub network 192.168.209/24 has nothing plugged in. I expect the error will go away the master dns server does actually exist.
Re: IPs in the facebook.com domain accessing OpenSBD firewall
>I wonder if these machines in the facebook.com domain are infected >with some malware bots? Facebook *is* a malware bot:) Let the request through and log what it tries to do next, this could be quite a story. -- p
Re: greylisting and blacklisting rules in pf.conf
ager39...@mypacks.net writes: > What rules should I have in "pf.conf" for both greylisting and > blacklisting? I'd like to blacklist those site that got spam through > the greylisting. Unless you explicitly start spamd in blacklisting-only mode, it will greylist. The spamd related rules I have in a typical pf.conf are table persist table persist file "/etc/mail/nospamd" pass in log on egress proto tcp to port smtp rdr-to 127.0.0.1 port spamd queue spamd pass in log on egress proto tcp from to port smtp pass in log on egress proto tcp from to port smtp pass out log on egress proto tcp to port smtp it's possible you will find my tutorial and slides over at http://home.nuug.no/~peter/pf/ helpful, and you'll find some spamd-related field notes via the blogspot link in my .signature - P -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/ "Remember to set the evil bit on all malicious network traffic" delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: ikev2 between openbsd and windows
On Mon, May 14, 2012 at 12:53:34PM +0200, Mike Belopuhov wrote: > 4) Install the server certificate on the server: > >ikectl ca vpn certificate 10.1.0.1 install > > 5) To export the client certificate in a ZIP'ed PFX format, you need >to install zip utility (pkg_add -i zip). > >ikectl ca vpn certificate 10.5.0.1 export > Does the .tgz file need to be extracted at all on the server? I've tried and tried for too long and my certificates are out of sync I think, is there a command to delete everything and just keep the original blank iked structure so that one can start over without old certificates in the way? > 6) Transfer 10.5.0.1.zip to the Windows host and load the certificates >by doubleclicking on them. Make sure that certificates are valid >in the MMC Certificates Snap-In. This gave me a huge headache. I tried using MMC (as administrator and other user) but my vpn client stayed at 13806 error. Perhaps VPN wasn't meant for people like me. > 7) Configure iked to do RSA auth w/o EAP (for the start): > > ikev2 "win7" passive esp \ > from 192.168.0.0/24 to 192.168.1.0/24 local any peer any \ > srcid 10.1.0.1 \ > config address 192.168.1.100 \ > config name-server 192.168.0.1 > >Here, 192.168.0.0/24 is a network client is getting access to, >192.168.1.0/24 is a "DHCP"-like network from which client is >getting an ip address (192.168.1.100 specifically). Please >note, that the code to turn this awkwardness into real (DHCP-like) >address pool specification is not written yet. Note that srcid >has to match the host that the certificate is issued to, otherwise >windows will refuse to connect. > >Once you do that you can load iked and see that it hooks up the >server certificate (in the iked -dvv output that is). > > 7) Now on the windows box, go to the Network Connections Center >and create an IKEv2 VPN connection with the client. Make sure >to check the Certificate radio button on the Security tab in >the connection properties, so that you won't do EAP. > > 8) Start the connection. > > 9) Profit!!! > > PS. > > If someone thinks that this might be turned into some sort of a > howto or FAQ entry or whatever, please feel free to reuse any > piece of text. Attribution is welcomed but not required. Would love to write something if it worked considering I've struck out so many times with this. -peter
Re: Thank you for an awsome product...
if you ssh from Windows try Bitvise Tunnelier instead of putty. If you ssh from *nix... just use ssh. -- p > Hello, And thank you for an awsome product...I am a novice, >(just starting out in the linux/unix/bsd world), been a windows server guy and >3d modeler/animator, graphic artist for the last 20 years.I was always afraid >of unix, until recently, I purchased two sun netra x1's, a V100, & a V20z from >ebay cheap with the hopes of learing this new world (for me anyway's) and >setting up a inexpensive render farm. Being completely new to UNIX, I >have learned LOM on these systems, and have successfully installed openBSD on >these systems with little trouble. I of course did my homework on google, and >there is a great deal of information on what to do. Trial and error, but I >have learned so much in the last couple of weeks. I can remote into these >systems with puTTY now that the network is setup. I would like to add, >this was the only OS that installed on my SPARC IIe systems without any >issues! I tried netBSD, freeBSD, and some other crap, and all error out before >install starts. Solaris 11 Express installed fine, (for me a major learning >curve) but I learned from google forums. Unfortunatley, solaris 11 finale >release does not run on older architectures, and was removed. But I found you >guys! I just want to express my grattitude for all of your efforts, and >when I can afford it, I will make some donations to help, (only working part >time at the moment) I am really excited to have accesss to all of the low cost >older servers and be able to implement them into a working secure environment! >I love it!!! Thanks again for all of your hard work, I am sold, and will >continue to learn this, I am not affraid of Unix anymore! >Michael J. Summerfield >Cocoa Florida >Graphic Artist - 3D Modeler - 3D Content Provider > > > > > > http://www.turbosquid.com/Search/Artists/imagetek?referral=imagetek
Re: stresstest + safest crashlog?
>On May 13 17:47:55, Petah wrote: >> I've had a bunch of crashes freezing one PC to such an extent I couldn't >> recover any log, > >You mean, after a reboot? Ctrl-alt-del won't reboot (pc has no X), I have to keep powerbutton down 5 secs. There's one post-reboot log entry unrelated to the panic message I got on screen; the sys drive is an SSD, which may account for the volatility, panic occured while doing a chrooted rsync on the 2nd HDD. Keyboard input seems flaky, tried a bunch. >If you can exit to ddb, the extraction of information (dmesg, panic, >etc) is easy. > >man 8 crash >man 4 ddb >man 8 savecore thx I'll check those, -- p > >> switch tty, ssh from outside and the machine has no serial port. >> >> What's the surest way to get a crashlog? syslog to a 2nd PC, a USB key with >> log-cow, buy a PCI serial port card? >> >> Is there a stress script that can be run on a crashtest dummy PC? >> >> thx, >> >> -- p
Re: Watchdog timeout reset in 5.1 on intel nic:s
I've had the same problem with a KVM, maybe worth a note in the install docs? -- p >On May 11, 2012, at 19:05, "Per-Olov Sjvholm" wrote: > >> On 11 maj 2012, at 11:16, Stuart Henderson wrote: >> >>> On 2012/05/11 01:15, Garry Dolley wrote: On Thu, May 10, 2012 at 03:31:27PM +0100, Stuart Henderson wrote: > In gmane.os.openbsd.misc, Garry Dolley wrote: >> On Tue, May 08, 2012 at 07:58:30PM -0400, Simon Perreault wrote: >>> On 2012-05-08 19:08, Per-Olov Sjvholm wrote: It says "em1: watchdog timeout -- resetting" >>> >>> >>> I saw the same on an amd64 VPS from arpnetworks.com. Network was not >>> functional. Backed out. Did not investigate further. >>> >>> >>> Simon >> >> I had another customer on amd64 report this problem today. Not sure >> what the solution is. I'm recommending either downgrade to 5.0 or >> use i386 arch for now. > > If possible, tracking down the commit which broke it, or at least > narrow it to a reasonably small date range, would help. I have > an archive of snapshot kernels if you want to work through them > rather than cvs checkouts, contact me if you'd like access to them. Guys, I now have an amd64 test VM set up, where I installed stock 5.0. I ran a lot of traffic over em0 without any timeouts. I also have been trying several -current kernels. As of: OpenBSD 5.1-current (GENERIC) #205: Wed Mar 28 21:40:45 MDT 2012 I don't see any em0 timeouts. I will continue to try newer ones and report back here... >>> >>> Hmm - Mar 28 is already after 5.1 was released. >>> >>> Could somebody seeing the problem (sperreault?) please send a >>> dmesg from a kernel showing the problem? >>> >> >> >> Hi Stuart >> >> Here is a dmesg on 4.9 where it's working and on 5.1 when it's not working. >> >> http://www.incedo.eu/~sjoholmp/misc_internet_links/timer_problem_openbsd/ >> >> Note that both are virtual OpenBSDs running on the exact same KVM host >version >> and use the same bios etc. >> >> Regards >> P-O >> -- >> GPG keyID: 5231C0C4 >> GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4 >> > >I had this once back in the day, not sure which release but it was >mid-4-point-something. It turned out to be the presence of my >external real-hardware (IO-GEAR) KVM switch's - internal - USB HUB >monkeying detection of the upstream real USB keyboard. Once a >keyboard was direct connected, then everything was fine. > >Perhaps your real- and/or pseudo- hardware (and firmware/bios) chain >is impairing similarly. > >Good luck,
Re: a live cd/dvd?
Can you please let us know how you run it, and which packages you needed? The one at www.linux-speakup.org is a kernel module, and it isn't obvious how you use this with OpenBSD. On 2012 May 12 (Sat) at 03:48:35 -0700 (-0700), Eric Oyen wrote: :since when? h. let me think since about OpenBSD 4.2 or so. and yes, I :still need some visual assistance when doing an install/upgrade. : :also, to answer another poster's question: I use speakup from a linux source :package (with the proper line in sysctl.conf enabled for linux binaries. :getting speakup to compile required that I also install a number of packages :not currently in the ports tree. lets just say that it is a real headache. : :now, orca for X using XFCE works ok. it only requires the GTK dependencies, :python 5, some misc dependencies (almost all of which can be found in the :ports tree. still, I don't like using X as it can be a little less than :intuitive for us blind users. : :still, given the number of access avenues we can use (serial port redirect, :virtual framebuffer devices that can be remotely connected to, cheap sound :devices and the like) a number of good possibilities can be taken advantage :of. : :I have had chance to start trouble shooting the raw source code for speakup :and I know what the headache it has: sloppy code and failed documentation. :considering the time it takes to get that binary working, I am opting for a :more hardware solution and get a network capable framegrabber device and run a :lane cable from it to a dedicated lane port on my OS X machine. $234 will get :me one next month. now, if there were a device/brain interface, then I could :see the words in my braincase without the additional distractions of sound. :still, it would be glorious to be able to interface in a way thought possible. : :I wish I could be able to plug right into my brain and show what it has been :missing. : :as for my feat: I installed and hop it works.4.5 openbsd -- Baruch's Observation: If all you have is a hammer, everything looks like a nail.
Re: Sendmail at home
Laurence Rochfort writes: > I want to setup sendmail so that I can send mail from my home network. Shouldn't be too hard, but make sure you get your mail server machine a static IP address *and* a correct DNS entry, complete with reverse resolution. Largish chunks of the net will simply drop SMTP traffic from hosts without correct reverse on the floor. And then of course you get to poke into all the pleasures of striving to keep your inbox relatively sanitary - spamd, spamassassin, clamd etc come to mind. All the necessary tools are ither in base or within easy reach as packages. Do remember to read the supplied documentation and config file comments properly, and you'll get there. - P -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/ "Remember to set the evil bit on all malicious network traffic" delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
"block return" on bridge(4)
Hello, >From man pf.conf: "Options returning ICMP packets currently have no effect if pf(4) operates on a bridge(4), as the code to support this feature has not yet been implemented." Just wondering, will this be implemented? If I understand correctly, if "block return" is set on a bridging firewall TCP RST will be sent out when TCP is blocked, but nothing is sent out when UDP or any other protocol is blocked. Right? Thanks, Peter Hallin, Lund University
keyboard question
Hi, I have a USB Keyboard that when I unplug it and plug it back in it doesn't come back as recognized by the system. So I have to log in from the net- book and reboot. Is this common to all OpenBSD workstations or just mine? Here is some info: jupiter$ dmesg|grep -i nova uhidev0 at uhub6 port 1 configuration 1 interface 0 "NOVATEK USB Keyboard" rev 1.10/1.12 addr 2 uhidev1 at uhub6 port 1 configuration 1 interface 1 "NOVATEK USB Keyboard" rev 1.10/1.12 addr 2 I noticed it shows up twice in dmesg here.. but not in usbdevs: jupiter$ usbdevs addr 1: EHCI root hub, Intel addr 1: EHCI root hub, Intel addr 2: product 0x0819, Logitech addr 1: UHCI root hub, Intel addr 1: UHCI root hub, Intel addr 1: UHCI root hub, Intel addr 1: UHCI root hub, Intel addr 2: EPSON Scanner, EPSON addr 1: UHCI root hub, Intel addr 2: USB Keyboard, NOVATEK addr 3: USB-PS/2 Optical Mouse, Logitech addr 1: UHCI root hub, Intel Here is a dmesg: OpenBSD 5.1 (GENERIC.MP) #207: Sun Feb 12 09:42:14 MST 2012 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP real mem = 8579973120 (8182MB) avail mem = 8337412096 (7951MB) mainbus0 at root bios0 at mainbus0: SMBIOS rev. 2.5 @ 0xf06f0 (79 entries) bios0: vendor American Megatrends Inc. version "0805" date 02/24/2010 bios0: ASUSTeK Computer INC. P6T SE acpi0 at bios0: rev 0 acpi0: sleep states S0 S1 S3 S4 S5 acpi0: tables DSDT FACP APIC MCFG OEMB HPET OSFR SSDT acpi0: wakeup devices NPE2(S4) NPE4(S4) NPE5(S4) NPE6(S4) NPE8(S4) NPE9(S4) NPEA(S4) P0P1(S4) PS2K(S4) PS2M(S4) USB0(S4) USB1(S4) USB2(S4) USB5(S4) EUSB(S4) USB3(S4) USB4(S4) USB6(S4) USBE(S4) P0P4(S4) P0P5(S4) P0P6(S4) P0P7(S4) P0P8(S4) P0P9(S4) NPE1(S4) NPE3(S4) NPE7(S4) GBE_(S4) acpitimer0 at acpi0: 3579545 Hz, 24 bits acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: Intel(R) Core(TM) i7 CPU 930 @ 2.80GHz, 3368.06 MHz cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,POPCNT,NXE,LONG,LAHF cpu0: 256KB 64b/line 8-way L2 cache cpu0: apic clock running at 133MHz cpu1 at mainbus0: apid 2 (application processor) cpu1: Intel(R) Core(TM) i7 CPU 930 @ 2.80GHz, 2806.36 MHz cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,POPCNT,NXE,LONG,LAHF cpu1: 256KB 64b/line 8-way L2 cache cpu2 at mainbus0: apid 4 (application processor) cpu2: Intel(R) Core(TM) i7 CPU 930 @ 2.80GHz, 2806.37 MHz cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,POPCNT,NXE,LONG,LAHF cpu2: 256KB 64b/line 8-way L2 cache cpu3 at mainbus0: apid 6 (application processor) cpu3: Intel(R) Core(TM) i7 CPU 930 @ 2.80GHz, 2806.36 MHz cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,POPCNT,NXE,LONG,LAHF cpu3: 256KB 64b/line 8-way L2 cache cpu4 at mainbus0: apid 1 (application processor) cpu4: Intel(R) Core(TM) i7 CPU 930 @ 2.80GHz, 2806.37 MHz cpu4: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,POPCNT,NXE,LONG,LAHF cpu4: 256KB 64b/line 8-way L2 cache cpu5 at mainbus0: apid 3 (application processor) cpu5: Intel(R) Core(TM) i7 CPU 930 @ 2.80GHz, 2806.36 MHz cpu5: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,POPCNT,NXE,LONG,LAHF cpu5: 256KB 64b/line 8-way L2 cache cpu6 at mainbus0: apid 5 (application processor) cpu6: Intel(R) Core(TM) i7 CPU 930 @ 2.80GHz, 2806.37 MHz cpu6: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,POPCNT,NXE,LONG,LAHF cpu6: 256KB 64b/line 8-way L2 cache cpu7 at mainbus0: apid 7 (application processor) cpu7: Intel(R) Core(TM) i7 CPU 930 @ 2.80GHz, 2806.36 MHz cpu7: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,POPCNT,NXE,LONG,LAHF cpu7: 256KB 64b/line 8-way L2 cache ioapic0 at mainbus0: apid 8 pa 0xfec0, version 20, 24 pins ioapic1 at mainbus0: apid 9 pa 0xfec8a000, version 20, 24 pins acpimcfg0 at acpi0 addr 0xe000, bus 0-255 acpihpet0 at acpi0: 14318179 Hz acpiprt0 at acpi0: bus 0 (PCI0) acpiprt1 at acpi0: bus -1 (NPE2) acpiprt2 at acpi0: bus -1 (NPE4) acpiprt3 at acpi0: bus
FYA: problem with a few mirrors + SHA256 question + rsync + missing package signings
FYA (I have to post here, because I can't find e-mail address to these mirrors): - # having install50.iso ftp://ftp2.eu.openbsd.org/pub/OpenBSD/5.1/amd64/install50.iso # not having 5.1 ftp://ftp.arcane-networks.fr/pub/OpenBSD/5.1/amd64/ ftp://ftp.irisa.fr/pub/OpenBSD/5.1/amd64/ ftp://ftp.bytemine.net/pub/OpenBSD/5.1/amd64/ ftp://mirror.yongbok.net/pub/OpenBSD/5.1/amd64/ ftp://ftp.piotrkosoft.net/pub/OpenBSD/5.1/amd64/ ftp://ftp.lambdaserver.com/pub/OpenBSD/5.1/amd64/ Question#1: What is the "/pub/OpenBSD/5.1/packages/amd64/SHA256"? Can anyone tell? - # wget -q 'ftp://ftp5.eu.openbsd.org/pub/OpenBSD/5.1/packages/amd64/SHA256' -O - | grep curl-7.24.0.tgz SHA256 (curl-7.24.0.tgz) = sRgMosGh+e8luNn+WJhufPBEKVaN0CU+jn/VbQZkBuk= # wget -q 'ftp://ftp5.eu.openbsd.org/pub/OpenBSD/5.1/packages/amd64/curl-7.24.0.tgz' # cksum -a cksum curl-7.24.0.tgz 2242721359 659163 curl-7.24.0.tgz # cksum -a md4 curl-7.24.0.tgz MD4 (curl-7.24.0.tgz) = 539aa5a88ca01d8e9fc344be89ed3ec2 # cksum -a md5 curl-7.24.0.tgz MD5 (curl-7.24.0.tgz) = 4d7c00292dfb35a3a791f08e677d30e2 # cksum -a rmd160 curl-7.24.0.tgz RMD160 (curl-7.24.0.tgz) = 8b9fcbbb4b8a4de4db922e70062a529035b29618 # cksum -a sha1 curl-7.24.0.tgz SHA1 (curl-7.24.0.tgz) = 8f04f07cffc3f54b17210c50423e9e1c92aa9985 # cksum -a sha256 curl-7.24.0.tgz SHA256 (curl-7.24.0.tgz) = b1180ca2c1a1f9ef25b8d9fe58986e7cf04429568dd0253e8e7fd56d066406e9 # cksum -a sha384 curl-7.24.0.tgz SHA384 (curl-7.24.0.tgz) = bf93674e1807d9c8181065f79e268845ae145e01f419bb487362aacb0bf00cf1a2553c809ba3d 9d83b8caa0631cb71aa # cksum -a sha512 curl-7.24.0.tgz SHA512 (curl-7.24.0.tgz) = a12eb464625ae9a44c8ce441040081b96e04fa708fc06be8337d9e556caa5b2290748be35fcc3 7bd2c7ba6bcbc8deddffc91fdbca3040e979d42129b80fa09c8 # cksum -a sum curl-7.24.0.tgz 23485 644 curl-7.24.0.tgz # cksum -a sysvsum curl-7.24.0.tgz 65416 1288 curl-7.24.0.tgz # Question#2: Can rsync work with ssh? Or just rsync? - rsync -v -e ssh rsync://ftp5.eu.openbsd.org/OpenBSD/5.1/packages/amd64/SHA256 . u...@ftp5.eu.openbsd.org's password: Question#3: Why are package signings missing? - Why aren't the packages from ex.: "ftp2.eu.openbsd.org/pub/OpenBSD/5.1/packages/amd64/" signed? Would it be a big deal to give out a few extra commands? :O :\ AFAIK pkg_add checks the keys of the downloaded packages if the package is signed (FIXME). Thank you for your attention & Have a nice day!
Re: kqemu in 5.1
Could there be a "KVM" for OpenBSD? I have been wondering for a while if the answer is an absolute no because it could never be trustworthy enough, not likely to happen because of lack of interest, or somewhere in between. Peter Ericson On 04/05/2012, at 8:28 PM, Weldon Goree wrote: > On 05/04/12 06:12, Jes wrote: >> Hi all: >> >> I can't find kqemu between snapshots packages, ports, or even in 5.1 >> packages. I think I've read something about kqemu is deprecated in >> newer versions of qemu (1.0.1) Is this correct? Because performance >> without kqemu is horrible. Any solution? >> >> > > Yes, it was killed upstream since Linux now comes with its own hypervisor (KVM). > > AFAIK OpenBSD currently does not have a working hypervisor since it also can't be dom0 on xen until such time as xen stops randomly overwriting register contents at unpredictable times. > > So, as of now, any virtualization will have to be of the plain qemu or bochs variety. Sorry. > > Best, > Weldon
Re: pfsync changes in current?
On 2012 May 02 (Wed) at 12:09:52 +0300 (+0300), Kapetanakis Giannis wrote: :On 27/04/12 12:58, Kapetanakis Giannis wrote: :> :>>Hi, :>> :>>After upgrading today to latest -current (i386) :>>(f1) OpenBSD 5.1-current (GENERIC.MP) #252: Tue Apr 24 15:58:54 MDT 2012 :>>(f2) OpenBSD 5.1-current (GENERIC) #209: Tue Apr 24 15:50:09 MDT 2012 :>> :>>I still have the same problem. :>>When the primary firewall reboots, It becomes MASTER on the carp :>>interfaces :>>before the pfsync bulk transfer ends: :>> :> :> : :This might be related. I've seen it on the 5.1 announcement: : : o Many pfsync(4) fixes and improvements including jumbo frames and : automatically requesting a bulk update after a physical interface : comes online. : : :When the secondary firewall is MASTER and sees link-up on the :dedicated network interface to the primary firewall (which is :booting) it issues pfsync bulk transfer start thus a carpdemote on :carp and pfsync groups. : :So when the primary firewall comes online it takes over before even :his bulk transfer ends. : No, that is not what that feature does. When pfsync starts any sort of bulk update, it will increase the carp demotion counter which makes it refuse MASTER. Only when the bulk update finishes (or times out), will it decrease the carp demote counter, which will allow it to take MASTER, subject to the normal rules. :Giannis : -- Never offend people with style when you can offend them with substance. -- Sam Brown, "The Washington Post", January 26, 1977
Re: AR5212
Just like everything in OpenBSD, there needs to be people with the desire and time to make them work. We welcome any and all contributions. On 2012 May 02 (Wed) at 12:40:05 +0400 (+0400), Pavel Shvagirev wrote: :Hi everyone : :Seems like there were no progress for making AR5212-based Atheros :Wireless cards 802.11g/n capable. Is there any hope for it in the future? : -- "Yeah, but you're taking the universe out of context."
Re: intel h61 sata ahci problem
hi, > ahci0 at pci0 dev 31 function 2 "Intel 6 Series AHCI" rev 0x05: msi, > unable to reset controller disregard, I thought I had the latest BIOS, but I didn't. updating it fixed all of my problems. on to installing... -- CUL8R, Peter.
intel h61 sata ahci problem
hi, I got a new Intel dh61ag board, with onboard sata provided through the h61 chipset. When booting with the controller set to ahci, obsd does not find any disks. trying to install 5.0/amd64, I see : ahci0 at pci0 dev 31 function 2 "Intel 6 Series AHCI" rev 0x05: msi, unable to reset controller and no drives are detected. I can boot in IDE-mode, but performance is dreadful, I get 1MB/s rsyncing from wd0 to wd1, and the machine spends 97% cpu at handling interrupts. Any advice ? Will 5.1 have better support ? -- CUL8R, Peter.
Re: all freezes when I move windows in twm
On 2012 Apr 23 (Mon) at 17:35:19 +0400 (+0400), Alexei Malinin wrote: :ropers wrote: :> 2012/4/23 Alexei Malinin : :> :>> I tried "OpaqueMove" option in my .twmrc - it helped to eliminate :>> freezing during moving of windows. :>> :>> But freezing still occurs under the following conditions: :>> 1) I create an xterm window with undefined geometry resourse, :>> 2) twm draws the window outline and waits until I place it :>> to somewhere on the screen, :>> 3) xmms sound stops during the above twm waiting. :>> :>> PS. Also I noticed that xmms sound was twitching when :>>I was reading e-mail with SeaMonkey :( :>> :> When you say you're still having the problem under those conditions :> and with SeaMonkey - is that with -CURRENT now? Or what version? (If :> it's not -CURRENT, try that next.) :> : :the problem is on i386 OpenBSD-4.9, :my next step will be to check the problem with upcoming OpenBSD-5.1... : -current != 5.1. 5.1 should have the same behaviour as what you are seeing right now. -current has rthreads enabled, which is a 1:1 threading mechanism, and will allow better threading behaviour. fwiw, -current is what 5.2 will become. -- You don't sew with a fork, so I see no reason to eat with knitting needles. -- Miss Piggy, on eating Chinese Food
Re: Kernel "roughing in" tool
Otto Moerbeek writes: > And as explained in FAQ section 5.6, there are many more reasons not > to do it. and amplified by 5.7 "It is assumed you have read the above[Section 5.6], and really enjoy pain." before it proceeds to a description of how you would go about customizing. - P -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/ "Remember to set the evil bit on all malicious network traffic" delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: Help to compile
On Sat, Apr 07, 2012 at 06:13:07PM +, Morten B. Christensen wrote: > Dear OpenBSD friends, > > Is somebody (with programming experience) willing to compile a small DNS > server for me? > > The source code is a single .c file but my lack of skills is annoying :-( > > The link to Microdns is here http://samiam.org/software/microdns.html > > It is basically an app that gives the same ip out to any query - very easy > instead of taming the beast bind. The usage is for an http catch-all walled > garden. > > Thanks in advance > > Morten Bech Christensen Interesting little server. I think someone who does a little bit of packetry (very small packet about 4 bytes in length) can find out what the person queried before him, so it leaks some data. Perhaps I can turn you on to my dns server called wildcarddnsd. http://wildcarddns.sourceforge.net I developed this daemon on openbsd from the start. Granted it's a little more code than microdns but may not leak like that. Cheers, -peter
ALTQ and VLAN interfaces
Hi All,
I have the following OpenBSD multi-tenant firewall setup:
|
+-+---+++---+---+
| | vlan10 |||vlan11 | |
| | 195.188.200.a |--(em0)--| 195.188.201.a | |
| | 195.188.200.b | | 195.188.201.b | |
| | rdomain 1 | | rdomain 2 | |
| +---+ +---+ |
| |
| +---+ +---+ |
| |vlan160| |vlan161| |
| | 10.1.160.1 |--(em1)--| 10.1.160.1 | |
| | rdomain 160 ||| rdomain 161 | |
+-+---+++---+---+
|
vlan10 and vlan11 represent the PUBLIC side of the firewall and each
vlan has a separate rdomain. A customer could be assigned IP addresses
from both vlan10 and vlan11. Traffic from vlans 160 and 161 is then
natted out of vlan10 and vlan11 using pf rules (and vice-verse, with
some tagging). vlan160 and vlan161 represent the customer side of the
firewall, ip addresses on this side can only be rfc1918, but can be
the same subnets in each vlan (hence separate rdomains). What I'd like
to be able to do is queue traffic as it leaves the firewall, both
north and south, but I'm unsure as to where to enable altq. Should I
do:
# "out" being out of em0
altq on em0 cbq bandwidth 300Mb queue { INT_em0, queue1_out, queue2_out }
queue INT_em0 bandwidth 100Mb cbq(default)
queue queue1_out bandwidth 100Mb cbq(ecn)
queue queue2_out bandwidth 100Mb cbq(ecn)
# Using pass in to keep state for packets coming back out of vlan10
pass in on vlan10 from any to 195.188.200.a queue queue1_out
pass in on vlan10 from any to 195.188.200.b queue queue2_out
# "in" being out of em1
altq on em1 cbq bandwidth 300Mb queue { INT_em1, queue1_in, queue2_in }
queue INT_em1 bandwidth 100Mb cbq(default)
queue queue1_in bandwidth 100Mb cbq(ecn)
queue queue2_in bandwidth 100Mb cbq(ecn)
# Using pass in to keep state for packets coming back out of vlan160 or vlan161
pass in on vlan160 from any to any queue queue1_in
pass in on vlan160 from any to any queue queue2_in
or should I do:
altq on vlan10 cbq bandwidth 300MB queue { INT_vlan10, queue1_out, queue2_out }
queue INT_vlan10 bandwidth 100Mb cbq(default)
queue queue1_out bandwidth 100Mb cbq(ecn)
queue queue2_out bandwidth 100Mb cbq(ecn)
# Using pass in to keep state for packets coming back out of vlan10
pass in on vlan10 from any to 195.188.200.a queue queue1_out
pass in on vlan10 from any to 195.188.200.b queue queue2_out
# "in" being out of vlan160
altq on vlan160 cbq bandwidth 100Mb queue { INT_vlan160 }
queue INT_vlan160 bandwidth 100Mb cbq(default)
# Using pass in to keep state for packets coming back out of vlan160 or vlan161
pass in on vlan160 from any to any queue queue1_in
pass in on vlan160 from any to any queue queue2_in
With altq statements for each vlan interface.
Ideally I'd want to do altq on the vlan parent interface.
Thanks,
Peter
Re: hi...
don't respond to the spammer, idiot. On 2012 Mar 15 (Thu) at 21:49:56 +0100 (+0100), Francois Pussault wrote: :When it will be 200% discount & free shipping it then only be interesting : :morron spammer -- When you have an efficient government, you have a dictatorship. -- Harry Truman
Re: Which automake and autoconfig versions to compile NTOP v4?
On 2012 Mar 12 (Mon) at 00:44:15 + (+), Kaya Saman wrote: :Would it not just be easier and cleaner to create a new list for :newbies? That way the more advanced stuff could be taken care of on :this list and only people willing to help others could post useful :comments and help on the other list. This mailing list does exist. I've been running it (in a very lazy fasion) since 2002. You can sign up for it at http://mailman.theapt.org/listinfo/openbsd-newbies -- We can predict everything, except the future.
Re: Request for a new list: trolling
0xAAA <0x...@online.de> writes: > My suggestion: We create a new list, eg. "trolling" or "smalltalk" where > other > users can discuss about senseless questions. Wouldn't it be even better if we headed them off with a web forum or even a facebook group? - P -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/ "Remember to set the evil bit on all malicious network traffic" delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: Which high end multichannel audio interfaces work?
On 2012 Mar 10 (Sat) at 10:07:25 +0100 (+0100), Jan Stary wrote: :On Mar 09 18:17:50, Jochen Fabricius wrote: :> I want to build a very flexible PC based digital crossover solution, : :What's a "digital crossover solution"? : Ok, seriously. If you do not know what someone is talking about, please do not send noise to the mailing list. I took your exact quote, put it in google, and found relevant answers in *every* *single* *link* on the first few pages. Heck, even the previews had relevance. -- Old age is the most unexpected of things that can happen to a man. -- Trotsky
Re: Snappy Answers to Stupid Questions - WTF?
On Fri, Mar 09, 2012 at 08:28:37AM +0100, Fredrik Staxeng wrote: > Do you want users at all? Or was Linus right? well, we *do* prefer those who come with a sense of humor. - P -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/ "Remember to set the evil bit on all malicious network traffic" delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: pfsync changes in current?
On 2012 Mar 07 (Wed) at 15:58:21 +0200 (+0200), Kapetanakis Giannis wrote: :Hi, : :I'm running a setup of Active/backup firewalls with carp/pfsync :successfully for the last year. : :Today I've upgraded the primary firewall to the latest snapshot (12 Feb), :and as soon as the firewall booted it became MASTER before pfsync :bulk transfer completed. : :Mar 7 15:42:04 echidna /bsd: carp: pfsync0 demoted group carp by 1 :to 133 (pfsync bulk start) :Mar 7 15:42:04 echidna /bsd: carp: pfsync0 demoted group pfsync by 1 :to 1 (pfsync bulk start) :Mar 7 15:42:04 echidna /bsd: carp: pfsync0 demoted group carp by -1 :to 128 (pfsyncdev) :Mar 7 15:42:04 echidna /bsd: carp: pfsync0 demoted group pfsync by :-1 to 0 (pfsyncdev) : :At this point carp group is also automatically demoted to 0-zero and :it takes over as MASTER. Can you show this piece from the logs? Do you have additional logs? How are the interfaces connected, do you have a dedicated link for the pfsync traffic? Can you also share your ruleset? :I manually did ifconfig -g carp carpdemote to force it to SLAVE :in order for pfsync bulk transfer to complete and don't loose active :connections. : :Mar 7 15:46:11 echidna /bsd: carp: pfsync0 demoted group carp by -1 :to 0 (pfsync bulk done) :Mar 7 15:46:11 echidna /bsd: carp: pfsync0 demoted group pfsync by :-1 to 0 (pfsync bulk done) : :Secondary firewall is running 5.0 GENERIC#96 i386 from 21 Nov 2011. :Can it be a mis-communication between the 2 firewalls due different :versions? : :regards, : :Giannis : -- Perfect day for scrubbing the floor and other exciting things.
Re: My OpenBSD 5.0 installation experience (long rant)
"Dmitrij D. Czarkoff" writes: > "OpenBSD installer should be tuned so that hitting [Enter] all the way > gets you to a bootable system without side effects" My typical install is almost all hitting Enter (with a couple of obvious exceptions9, and it ends with a bootable and very usable system. But then I tend to want OpenBSD as the main or only system. Multiboot setups like the one the OP wanted requires a bit of paying attention and is risky in general. - P -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/ "Remember to set the evil bit on all malicious network traffic" delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: My OpenBSD 5.0 installation experience (long rant)
On 2012 Mar 07 (Wed) at 13:26:41 +0100 (+0100), Leonardo Sabino dos Santos wrote: ... :I'm not actually paying :a whole lot of attention to the questions as this is just a test :installation and I figure I can always explore and configure the :system later. : You should always pay attention to an *installation* program. Especially one that installs an *OS*, which is likely to erase your drive. :Next, the disk stuff comes up. A lot of partition information appears :on the screen, followed by the question: : : Use (W)hole disk or (E)dit the MBR? [whole] : :At this point I'm actually trying to remember if there's a way to :scroll back the console, because some information has scrolled of the :screen. I try PageUp, PageDown, Ctrl-UpArrow, Ctrl-DownArrow, but :nothing works, so I press Enter. : :And my partition table is gone. Poof! Instantly, with no confirmation. The confirmation was the part that you quoted. Sorry, but you *do* need to read what the installation program tells you. That is the entire point of having instructions on the screen. -- I really hate this damned machine I wish that they would sell it. It never does quite what I want But only what I tell it.
Re: My OpenBSD 5.0 installation experience (long rant)
On Wed, Mar 07, 2012 at 01:26:41PM +0100, Leonardo Sabino dos Santos wrote: > Next, the disk stuff comes up. A lot of partition information appears > on the screen, followed by the question: > > Use (W)hole disk or (E)dit the MBR? [whole] > > At this point I'm actually trying to remember if there's a way to > scroll back the console, because some information has scrolled of the > screen. I try PageUp, PageDown, Ctrl-UpArrow, Ctrl-DownArrow, but > nothing works, so I press Enter. the OpenBSD installer looks somewhat simplistick, but it's quite consistent in its chosen conventions, such as displaying the default action in square brackets and pressing Enter to accept the entered or displayed value. or the TL;DR version: you said you wanted to use the whole disk for OpenBSD, so of course it took you seriously. > I joined this mailing list just to tell you this: Right now, I feel > like never, ever touching OpenBSD with a ten-foot pole again. The best advice you'll ever get about this paricular situation is to read the FAQ (http://www.openbsd.org/faq/), with particular attention to part 4 (the installation part) and perhaps http://www.openbsd.org/faq/faq4.html#Multibooting for the various multiboot options. - Peter -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/ "Remember to set the evil bit on all malicious network traffic" delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: current releases not updated?
On Wed, Mar 07, 2012 at 09:07:32AM +0100, Didier Wiroth wrote: > In the past current os packages were updated more often, is there a > reason why packages are (somewhat old) or are there some changes in > current update behavior? There was a similar pause in production of snapshots and their packages around release-cutting time about half a year ago too. I'd expect snapshot updates to resume soonish, but I have no firm dates or actual officialish info. - Peter -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/ "Remember to set the evil bit on all malicious network traffic" delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: Any experience with AMD Fusion?
I have a Lenovo e205, with the AMD Fusion CPU. no 2d accel, no Xv. other than that, I haven't noticed any probems. On 2012 Mar 06 (Tue) at 20:34:23 +0100 (+0100), Dmitrij D. Czarkoff wrote: :Hi! : :I consider buying Lenovo ThinkPad E325. Among other hardware it features :AMD Fusion E450 APU with Evergreen graphics. : :AFAIK, on linux it is already supported, but the radeon(4) doesn't list :AMD's HD5xxx series, so I wanted to ask: : :*Did anyone have any experience with this hardware under OpenBSD? : :*What should I expect from it (2D acceleration, Xv, UVD support)? : :-- :Dmitrij D. Czarkoff : -- The earth is like a tiny grain of sand, only much, much heavier.
