Re: Could Hiawatha replace Apache as in base HTTP server if its license changed?

2007-12-07 Thread Ste Jones
On Dec 7, 2007 7:32 PM, Andris <[EMAIL PROTECTED]> wrote:
> On Dec 7, 2007 3:57 PM, Ste Jones <[EMAIL PROTECTED]> wrote:
> > But hey I am not an Openbsd developer and can't comment on the
> > security of lighttpd's code, but I think most people would agree it
> > would be better to have a maintained piece of BSD software opposed to
> > a fairly stagnant bit of GPL.
>
> Please note that Apache (in base) is not GPL; this is the license:
>
> http://www.openbsd.org/cgi-bin/cvsweb/~checkout~/src/usr.sbin/httpd/LICENSE?rev=1.5&content-type=text/plain
>
> Greetings.
>
>
Oops, my bad



Re: Could Hiawatha replace Apache as in base HTTP server if its license changed?

2007-12-07 Thread Ste Jones
On Dec 7, 2007 4:15 PM, Daniel Ouellet <[EMAIL PROTECTED]> wrote:
> Ste Jones wrote:
> > Just to say lighttpd appears to be BSD licensed
> > http://trac.lighttpd.net/trac/browser/trunk/COPYING
>
> Between appears to be and being, there is a difference.
>
> Right from the home page,
>
> http://www.lighttpd.net/
>
> fifth line "And best of all it's Open Source licensed under the revised
> BSD license." have been there for a very long time and the link still is
> dead to the license itself.
>
> I keep looking for it and still not good.
>
> Between appears and being, there is a long way.
>
> Just FYI.
>
> Best,
>
> Daniel
>

I emailed Jan, the lead developer of Lighttpd, to see what he said
about the license. His answer is below. I would like to say that I
have been running lighttpd in production for the last few months
without too many hiccups. Vhosts, priv sep + chrooting is all there,
as well as fastcgi binding for those wanting to run php, ruby etc...
But hey I am not an Openbsd developer and can't comment on the
security of lighttpd's code, but I think most people would agree it
would be better to have a maintained piece of BSD software opposed to
a fairly stagnant bit of GPL.

The only downside of lighttpd that I have come across is that it
doesn't support .htaccess files, thus rules have to be added to its
config file.

Cheers
Ste

-- Forwarded message --
From: Jan Kneschke <[EMAIL PROTECTED]>
Date: Dec 7, 2007 5:10 PM
Subject: Re: lighttpd license
To: Ste Jones <[EMAIL PROTECTED]>


It is this at http://trac.lighttpd.net/trac/browser/trunk/COPYING

It should be the normal, nowadays BSD license:
http://opensource.org/licenses/bsd-license.php

cheers,
Jan



Re: Could Hiawatha replace Apache as in base HTTP server if its license changed?

2007-12-07 Thread Ste Jones
On Dec 7, 2007 3:51 PM, Daniel Ouellet <[EMAIL PROTECTED]> wrote:
> Jason George wrote:
> >> Here is two messages from Hugo Leisink (Hiawatha developer). You'll
> >> note that the first has a newer date than the later, that's because I
> >> delete it, and I asked Hugo to send it to me again :P
> >>
> >> Thought that his words could be useful.
>
> It is interesting and honestly I didn't know about this one before your
> post. I went and looked at it. Interesting and I may actually try it in
> real productions to see how it goes.
>
> I actually would welcome a replacement for apache in base and I sure
> would work to make it happen if there really was a will for it, but I
> don't see that happening anytime soon. Plus the license of any such
> software would need to be BSD to be considered to start with. Again, I
> only speak for myself, not the project as I have no business doing so
> and they sure can do it for themselves. But I guess Hugo sadly was
> pretty clear that he would never drop the GPL license and as such there
> isn't any chance in the world to make that happen then. That's his work,
> so his license choice for sure and I definitely respect his choice. I
> wish it was different, but again, not my place to say here.
>
> The only other that might be one day have a chance could be lighttpd as
> it is BSD based, but for the last few months I still try to actually see
> the license and it's still not available:
>
> http://www.lighttpd.net/download/COPYING
>
> As for his comments on attitude, he might be right, all depends. Code is
> judged on merits and the OpenBSD list is not a place for the faint of heart
> for sure. Let's say it doesn't take prisoners. I am not the most kind at
> times either and so far each time was after a lot of frustrations where
> some loser just doesn't get it, or doesn't make any effort, but expects
> everyone else to do it for him.
>
> So, it's great that you contacted him and see where he might be, but the
> biggest road block I see is the license for sure.
>
> There is a few things I would love to see changed in the based system,
> but these are only my view and have no impact what so ever. Apache, Bind
> and sendmail are three of them that would remove GPL codes and make it
> even more BSD. GCC was on my list as well, but I am very happy to see
> that there is some work done to may be one day have GCC in port instead
> of base, but again, that's a very long time away from here.
>
> The short of it is that any software that may have a chance to be
> considered to be included in OpenBSD, needs to be BSD, not GPL, or kind of
> BSD with some weird string, etc. But BSD, that's pretty clear over the year.
>
> Thanks
>
> Now going back under my rock.
>
> Daniel
>
>

Just to say lighttpd appears to be BSD licensed
http://trac.lighttpd.net/trac/browser/trunk/COPYING



Re: ssh hangs from Ubuntu Feisty 7.04 to OpenBSD

2007-04-24 Thread Ste Jones

On 4/24/07, Rui Miguel Silva Seabra <[EMAIL PROTECTED]> wrote:

On Tue, 2007-04-24 at 11:32 -0400, Steven Harms wrote:
> I can verify that ssh between Ubuntu 7.04 and openbsd is completely
> working.  Your issue is with your /etc/ssh_config.
>
> [EMAIL PROTECTED]

I second this verification.

Rui



The only problem I had was due to the default UTF-8 character encoding
opposed to ISO-8859-1 but no connection problems to 3.8, 3.9 or
4.0.

Cheers
Ste



Re: What's up with my pf.conf?

2007-02-13 Thread Ste Jones

On 2/14/07, mal content <[EMAIL PROTECTED]> wrote:

To clarify:

I can connect from any 192.168.2.* IP to a temporary machine
in the 192.168.1.* network (the empty network between the hardware
router and the openbsd box), so packets appear to be forwarded
correctly. If I try to connect to an external IP, however, the packets
don't seem to go anywhere. I have, on a few occasions, seen responses
from openbsd.org to packets sent earlier which are then blocked by
pf (correctly, as they are no longer associated with any connection).

I have connected a machine to the 192.168.1.* network to sniff
packets with wireshark and see absolutely nothing go through when
a machine at 192.168.2.5 attempts to 'nc' to openbsd.org:80. Watching
pf logs with tcpdump shows that pf certainly believes it has forwarded
packets to the external IP address.

...

In the old days, we'd have opened the switch with bolt cutters and
set fire to the building on the way out.

MC




what does `route show`  say and is the default gateway correct?

Cheers
Ste



Re: php mail() function fails

2007-01-12 Thread Ste Jones

On 1/12/07, Henning Brauer <[EMAIL PROTECTED]> wrote:

* Joachim Schipper <[EMAIL PROTECTED]> [2007-01-12 15:50]:
> On Fri, Jan 12, 2007 at 12:30:32PM +0100, Henning Brauer wrote:
> > * Lars Hansson <[EMAIL PROTECTED]> [2007-01-12 08:20]:
> > > On Friday 12 January 2007 13:04, noob lenoobie wrote:
> > > > My problem is the following : I'm unable to send mail from php.
> > >
> > > the php mail() function will not work in chroot (unless you install the chroot
> > > flavour of the mini-sendmail package).
> >
> > err.. ...unless you make mail work inside the chroot.
> > and since mini_sendmail is a piece of shit, i recommend femail, but I
> > might be biased :)
>
> I'm curious - why do you feel mini_sendmail is 'a piece of shit'? I've
> never given much thought to it, but it has worked well for a couple of
> years now, and femail doesn't seem to do things very differently.

well, it's a bit that I looked at mini_sendmail's code, but it was
horrid.
second, it does not nearly implement RFC282{1,2} correctly. the parser
is horribly incomplete and broken.

> I'll have to admit that mini_sendmail's website sucks, but at least the
> man page doesn't misspell 'environment' (at least in the DESCRIPTION on
> http://unduli.bsws.de/femail/femail.8.html). ;-)

oh well



Just out of interest does femail need a sh in the chroot like mini_sendmail?



Re: imp, apache chroot, mini_sendmail, does not really sendmail

2006-11-30 Thread Ste Jones

On 11/30/06, dreamwvr <[EMAIL PROTECTED]> wrote:

On Tue, Nov 28, 2006 at 04:38:28AM +0100, Alexander Hall wrote:
> dreamwvr wrote:
> >Hello,
> >   if using imp port in chroot with mini_sendmail can you input?
> >chroot  -u www /var/www echo test |mini_sendmail  -v -p25  
> >works just fine. However IMP is unable to really_send mails.
>
> You are only chrooting your "echo" here. Try something like
>
>  echo test | sudo chroot -u www /var/www mini_sendmail ...
Yeah, duh brain fart. That would help yes. :) IMP in chroot
definitely is interesting. Still no sendmail from chrooted IMP.
So there is something else IMP likes to see to exec mini_sendmail.


Did you copy sh in to the chroot?

cheers
ste



Re: dns working but problem w etherape

2006-11-27 Thread Ste Jones

Thanks, good point. But does not make any difference. No doubt the problem is
in etherape as I can do manual queries just fine.



From my post on openbsd-newbies a few days ago



I had the same problem a year or so ago, with etherape and the lack of dns
http://marc.theaimsgroup.com/?l=openbsd-misc&m=111465469331179&w=2

To get around it you can find a patch here for 0.91
http://www.networkpenetration.com/downloads.html

Basically it adds a -D switch so you can specify the DNS server.
Be warned though, it's a CPU hog and it fragged a machine of mine after
a few weeks of constant running.

Cheers
Ste




Re: figuring out the local IP address of an interface

2006-10-24 Thread Ste Jones

Is there a way to portably make this work across linux, FreeBSD, NetBSD and OpenBSD?


If I remember correctly you can possibly do it with libdnet
http://libdnet.sourceforge.net/

Cheers
Ste



Re: Forum-Software, good and secure, on OpenBSD systems?

2006-09-12 Thread Ste Jones

On 9/12/06, Michael Schmidt <[EMAIL PROTECTED]> wrote:

Hello,

which experiences or what knowledge are/is available concerning good and
secure forum-software known to run under OpenBSD?
I am interested in feedback on this.


I have been using punbb (punbb.org) for the last few months without
much stress... seems quite good with no complaints so far.

Hope that helps

Cheers
Ste



Re: is this logically correct ?

2006-08-15 Thread Ste Jones

On 8/15/06, S t i n g r a y <[EMAIL PROTECTED]> wrote:

Sorry for reposting but as no one answered, & i need to confirm urgent.
here is my first traffic shaping pf.conf file .. although there weren't any syntax
mistakes, can you have a look at it & see if there is any logical mistake ?

would be very grateful

regards


intif="epic0"
intnet="10.0.0.0/16"
extif="fxp0"
extad="192.168.0.2/32"
chadd="10.0.0.1/32"
servers="10.0.0.2, 10.0.0.3, 10.0.0.4, 10.0.0.5, 10.0.0.6"
mailserver="10.0.0.2"
vip="10.0.0.5"
ports = "21 22 25 53 80 110 119 123 143 443 554 1755 1863 3389 5000 5001 5050 5100 5190 6667 11999"
allif="{$extif, intif}"
table  persist file "/etc/allowedclients"
table  persist file "/etc/blockedclients"
scrub in all
altq on $extif cbq bandwidth 500Kb queue { def, msn, www, https, smtp, ssh, ftp }
queue ftp bandwidth 10% cbq(borrow red)
queue www bandwidth 30% cbq(borrow red)
queue https bandwidth 30% cbq(borrow red)
queue ssh bandwidth 10% cbq(borrow red)
queue def bandwidth 10% cbq(default borrow red)
queue smtp bandwidth 10% cbq
nat on $extif inet proto {tcp, udp } from  to any port { $ports } -> $extad
rdr on $intif proto tcp from  to any port 80 -> $chadd port 8080
rdr on $extif proto tcp from any to $extad port 25 -> $mailserver port 25
rdr on $extif proto tcp from any to $extad port 80 -> $mailserver port 80
pass out on $extif inet proto { tcp, udp } from  to any port { $ports }
pass in on extif proto tcp from  to any port msn queue msn
pass in on extif proto tcp from  to any port ssh queue ssh
pass in on extif proto tcp from  to any port www queue https
pass in on extif proto tcp from  to any port www queue www
pass in on extif proto tcp from  to any port smtp queue smtp
pass in on extif proto tcp from  to any port ftp queue ftp
pass out on extif inet proto udp from any to  port msn queue msn
pass out on extif inet proto udp from any to  port ssh queue ssh
pass out on extif inet proto udp from any to  port www queue https
pass out on extif inet proto udp from any to  port www queue www
pass out on extif inet proto udp from any to  port smtp queue smtp
pass out on extif inet proto udp from any to  port ftp queue ftp






Stingray



shouldn't allif="{$extif, intif}" be allif="{$extif, $intif}"

If you want to verify the queues, install pftop (in the ports) and
check the Queue View when you have a bit of traffic to see if they are
being added to the correct one.

cheers
ste



Missing Man Page bio (3)?

2006-06-15 Thread Ste Jones

Hello,

Just wondering if there is a missing man page or if bio (3) references
should be removed from the following pages

SSL_accept.pod
SSL_connect.pod
SSL_do_handshake.pod
SSL_get_fd.pod
SSL_get_rbio.pod
SSL_read.pod
SSL_set_bio.pod
SSL_set_fd.pod
SSL_shutdown.pod
SSL_write.pod


Cheers
Ste Jones



Re: Transparent Bridge fail-over?

2006-05-04 Thread Ste Jones

On 5/4/06, Ken Ebling <[EMAIL PROTECTED]> wrote:


On May 4, 2006, at 10:26 AM, Ste Jones wrote:

> I think you might be after STP (spanning tree protocol) not CARP
>
> Cheers
> Ste


Thanks for the advice.   I found a document explaining how to set it
all up.  They do mention that with switches, failover may take a few
minutes because of mac address cache flush time, and that getting
smart switches that can flush cache when it detects an stp change
will improve failover time.

My stupid question is, can I use hubs instead of switches to reduce
failover time?  I'm not sure if using a hub would cause any problems,
as I've never dealt with STP before.

Any insight you could offer would be greatly appreciated.

Thanks again,

Ken Ebling




I have never set up STP but if you were to use a hub you are only
moving the convergence problem to the devices on the end, be it a
router or clients. Instead of a few next hop mac updates between a
switch and the STP bridges, all the devices would need to update thus
increasing total convergence time.

If however you were to use a hub you could look into dropping your ARP
cache timeouts or possibly use gratuitous ARP... again never done

Cheers
Ste



Re: Transparent Bridge fail-over?

2006-05-04 Thread Ste Jones

On 5/4/06, Ken Ebling <[EMAIL PROTECTED]> wrote:

Hello,

I'm wondering if any of the changes to CARP in OpenBSD 3.9 allow
machines without an IP address to use CARP for fail-over.

Thanks,

Ken Ebling




I think you might be after STP (spanning tree protocol) not CARP

Cheers
Ste



OT: Theo's x commit and homeland security audit

2006-05-02 Thread Ste Jones

Is Theo the automated code scanner mentioned here?
http://news.yahoo.com/s/zd/20060502/tc_zd/177195

In reference to this commit
http://www.openbsd.org/cgi-bin/cvsweb/XF4/xc/programs/Xserver/hw/xfree86/common/xf86Init.c.diff?r1=1.13&r2=1.14

7 days before the official patch
http://xorg.freedesktop.org/releases/X11R6.9.0/patches/x11r6.9.0-geteuid.diff

Just curious

Cheers
Ste



Re: 3.7: weird IP address problem

2006-04-24 Thread Ste Jones
On 4/24/06, Toni Mueller <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I have a box that once had two IP addresses on one interface. I
> deconfigured one of them using ifconfig -alias.
>
> Now, when I want to use any (?) program on that box to go over this
> interface, it wants to use the address which is no longer present. I
> double-checked to ensure that there is no NAT in the way, and also used
> all netstat and ifconfig options I know to convince myself that the old
> address is gone. I also tried to 'ifconfig ifname inet
> the-one-and-only-address' just in case there would be a different
> handling of addresses assigned with and without using -alias, but to no
> avail.
>
> What could that be, and why can't I see this address anywhere?
>
> I'd rather not reboot only to make a change in IP numbers effective...
>
>
> Best,
> --Toni++
>
>

I've noticed the same thing before with aliases. Down and upping the
interface combined with a route flush && sh /etc/netstart should fix
the problem. Probably wouldn't do this over ssh though.

cheers
ste



Re: Small office with BSD blueprint

2006-03-20 Thread Ste Jones
> Why is DHCP a bad idea?
>

rogue dhcp servers, broken clients, possible man in the middle attacks
and unauthorised access problems
http://www.networkpenetration.com/dhcp_flaws.html

cheers
ste



Re: VPN: solutions that interoperate with win xp

2005-12-19 Thread Ste Jones
On 12/19/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> heya,
>
> i've been grinding away to get a VPN setup where i can have win xp clients
> connect to my openbsd firewall and access the network behind it. i have tried a
> number of things, none of which have yet worked for all my users. i am very much
> interested in hearing from other admins who have currently working solutions
> along these lines. i have setup isakmpd between my home and my business
> location, so i know i am not a complete idiot when it comes to this stuff ;).
>
> when i tried to use the native windows IPsec implementation, both as described
> in http://openbsd.cz/~pruzicka/vpn.html and through the confusing GUI, i was not
> able to get anywhere. when i used ipseccmd.exe, it would not give me any useful
> debugging outputs and crashed a couple times while i was trying to set this up.
> i would very much like to have a setup using the native IPsec in win xp, but am
> utterly in the dark as to the win xp configuration side of things.
>
> i have also setup openvpn, which works great for me from home, and i have been
> able to successfully get this working. however, one of the users that connects
> to my VPN is having problems making openvpn and his kerio firewall "play nice",
> and a working openvpn configuration cannot survive a reboot due to win xp being
> such a great OS.
>
> i am also aware of "the green bow" VPN client that is known to interoperate with
> isakmpd. i have avoided using this solution since i know it to be a resource hog
> on win xp. anybody else's views on this software would be nice.
>
> anything that you think could help me get a VPN with win xp talking to my
> openbsd firewall would be awesome. i would love a "howto" for the win xp boxes,
> but a smack with the cluestick is likely all i need. it would be nice for this
> to NOT use certificates, as i'd like to get a shared secret setup working first,
> then switch to certs later.
>
> cheers,
> jake
>
>

Hello

I am looking at doing the same thing, from a conversation i had over
the weekend i think you need to use virtual-id's and run proxy arp on
the internal interface.

Hope that helps
Cheers
Steve



Re: routing tables

2005-11-15 Thread Ste Jones
On 11/15/05, David fire <[EMAIL PROTECTED]> wrote:
> hi
> i read the man page for netstat route routed ifconfig all the section 6 of
> the FAQ and i can't find where i should put the routing info now i am doing
> route add 198.162.15.0/8  .. route add
> 10.98.0.0/16   but when i reboot i must put it
> again.
>
> where i should put that
> thanks!!!
> David
>
>

man hostname.if and check the !command-line section

cheers
ste



Re: A great article ( found on the OpenBSD site)

2005-11-01 Thread Ste Jones
another article worth a mention???

Hard-as-nails OpenBSD releases v3.8
http://www.tectonic.co.za/view.php?id=680



Re: OpenBSD's 10th birthday

2005-10-18 Thread Ste Jones
On 10/18/05, Theo de Raadt <[EMAIL PROTECTED]> wrote:
> Now it is really OpenBSD's 10th birthday ;)
>
>

Happy Birthday to you
Happy Birthday to you
Happy Birthday dear OpenBSD
Happy Birthday to you

Congratz for the last 10 years

Your birthday present should have arrived from paypal by now :P


Cheers
Ste Jones



Re: want to get a zaurus - anybody in japan willing to help?

2005-09-14 Thread Ste Jones
http://www.openbsd-support.com/ 

Not sure if they will be able to help you out but they are in Japan ;)

Cheers
Ste Jones