Re: "Virtualizing" firewalling scenarios in one physical OpenBSD host

2012-07-04 Thread Andres Perera
ok here's a more thought out idea

a vpf is the same as a pf only that it has an ioctl that binds its
device minor to a rule # in pf0. access to a vpf0 is the same, posix
vfs permissions. (securelevel affects pf rule write-ability, but i
don't think a per vpf equivalent is useful for this example). only
that the bind ioctl can be done by root exclusively

if you want more vpfs, you need more device minors. that way the user
interfaces are already there (pfctl, systat states), and the pf device
protocol is already there, but the rules are now partitioned which was
the true purpose from the start

On Wed, Jul 4, 2012 at 11:11 AM, Andres Perera  wrote:
> out of curiosity, how would you make pf(4) only handle rules
> pertaining to a certain anchor depending on the process that's
> interfacing with them? i ask because; e.g.,  pfctl -sr should only
> show rules for that client, and other pf(4) operations need to be
> equally restricted. i know that originally you said that the loading
> of the rules is not up to the client but a periodic batch job, however
> that does not match "CheckPoint VSX"
>
> would you make the pf driver check the uid of the caller itself and
> spread out this code throughout every routine that fetches and set
> rules, or where would you place the namespacing?
>
> On Wed, Jul 4, 2012 at 5:21 AM, Henning Brauer  wrote:
>> * Franco Fichtner  [2012-07-04 11:43]:
>>> No, the great catch here is that VSX offers you tools to manage up
>>> to 250 of these virtual monsters in a centralized fashion. You can
>>> also give control of these firewalls to your customers. You can put
>>> lots of OpenBSD guests on a host, but there's no way you will be
>>> happy when you are seriously thinking about deploying a VSX.
>>
>> ok, you've been brainwashed by marketing.
>>
>> this is not a question of the firewall at all, but a question of the
>> management interface around it.
>>
>> as said and I repeat it again, use anchors and build sth for specific
>> users to be able to edit specific anchor rulesets. could be as easy as
>> a file per anchor owned by the user in question and a little cronjob
>> that reloads your ruleset including anchors hourly or so.
>>
>> --
>> Henning Brauer, h...@bsws.de, henn...@openbsd.org
>> BS Web Services, http://bsws.de, Full-Service ISP
>> Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully 
>> Managed
>> Henning Brauer Consulting, http://henningbrauer.com/
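
The per-user anchor files plus cron reload that Henning describes above, as an added example that is not from the thread or from OpenBSD: a sh script for root's crontab that loads /etc/pf.anchors.d/<user> into anchor users/<user> with pfctl(8), after checking the anchor name and the file's owner. The directory path, the anchor prefix and the assumption that pf.conf already contains `anchor "users/*"` where the user rules should apply are all mine, not the thread's.

```shell
#!/bin/sh
# Added example, not code from the thread: load one pf anchor per user from a
# directory of user-owned files, the way Henning's cron-job suggestion sketches.
# Assumed layout: $ANCHOR_DIR/<user> holds the rules for anchor users/<user>,
# and the main pf.conf already has   anchor "users/*"   where they apply.
# Run from root's crontab, e.g.  0 * * * * /usr/local/sbin/pf-user-anchors
ANCHOR_DIR=${ANCHOR_DIR:-/etc/pf.anchors.d}   # assumed path
PFCTL=${PFCTL:-pfctl}

# The user name becomes part of an anchor path and a pfctl argument, so only
# accept plain names: letters, digits, underscore, hyphen; nothing that could
# be a path component ('/', '..'), a space, or an option ('-...').
valid_anchor_name() {
    case "$1" in
        '' | *[!A-Za-z0-9_-]* | -*) return 1 ;;
    esac
    return 0
}

# Owner of a file, portable across BSD and GNU ls (third column of ls -ld).
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# The file must be a regular file owned by the user whose anchor it feeds;
# otherwise anyone who can drop a file into the directory gets root-loaded
# rules under someone else's name.
file_ok_for_user() {
    [ -f "$1" ] || return 1
    [ "$(owner_of "$1")" = "$2" ]
}

# Load one file into users/<user>: parse-only first (pfctl -n), then for real.
# A bad file is reported and skipped, so one user's syntax error does not
# take down the other anchors or the main ruleset. Parser errors are left on
# stderr on purpose (cron mails them); hiding them is the netstart mistake.
load_user_anchor() {
    user=$1; file=$2
    if ! valid_anchor_name "$user"; then
        echo "skip: bad anchor name '$user'" >&2; return 1
    fi
    if ! file_ok_for_user "$file" "$user"; then
        echo "skip: $file is not a regular file owned by $user" >&2; return 1
    fi
    if ! "$PFCTL" -n -a "users/$user" -f "$file"; then
        echo "skip: $file does not parse" >&2; return 1
    fi
    "$PFCTL" -a "users/$user" -f "$file"
}

# Walk the directory; exit non-zero if any user's file was skipped.
load_all() {
    rc=0
    for f in "$ANCHOR_DIR"/*; do
        [ -e "$f" ] || continue              # empty directory
        load_user_anchor "$(basename "$f")" "$f" || rc=1
    done
    return $rc
}

if [ "${1:-}" = run ]; then load_all; fi
```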



Re: "Virtualizing" firewalling scenarios in one physical OpenBSD host

2012-07-04 Thread Andres Perera
out of curiosity, how would you make pf(4) only handle rules
pertaining to a certain anchor depending on the process that's
interfacing with them? i ask because; e.g.,  pfctl -sr should only
show rules for that client, and other pf(4) operations need to be
equally restricted. i know that originally you said that the loading
of the rules is not up to the client but a periodic batch job, however
that does not match "CheckPoint VSX"

would you make the pf driver check the uid of the caller itself and
spread out this code throughout every routine that fetches and set
rules, or where would you place the namespacing?

On Wed, Jul 4, 2012 at 5:21 AM, Henning Brauer  wrote:
> * Franco Fichtner  [2012-07-04 11:43]:
>> No, the great catch here is that VSX offers you tools to manage up
>> to 250 of these virtual monsters in a centralized fashion. You can
>> also give control of these firewalls to your customers. You can put
>> lots of OpenBSD guests on a host, but there's no way you will be
>> happy when you are seriously thinking about deploying a VSX.
>
> ok, you've been brainwashed by marketing.
>
> this is not a question of the firewall at all, but a question of the
> management interface around it.
>
> as said and I repeat it again, use anchors and build sth for specific
> users to be able to edit specific anchor rulesets. could be as easy as
> a file per anchor owned by the user in question and a little cronjob
> that reloads your ruleset including anchors hourly or so.
>
> --
> Henning Brauer, h...@bsws.de, henn...@openbsd.org
> BS Web Services, http://bsws.de, Full-Service ISP
> Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully 
> Managed
> Henning Brauer Consulting, http://henningbrauer.com/



Re: mojibake

2012-07-01 Thread Andres Perera
On Sun, Jul 1, 2012 at 12:30 PM, Anthony J. Bentley wrote:
>> So again, the complaint was that there was mojibake gibberish in
>> Ingo's presentation, because the character encoding isn't specified
>> but defaults to UTF-8 in modern browsers, while the page is actually
>> iso-8859-1 encoded.
>
> Actually, "modern" browsers do not default to a particular encoding (in
> fact, this violates the HTML standard). Instead, they attempt to autodetect
> the charset. Sometimes this works, and sometimes it doesn't -- I've seen
> UTF-8 pages incorrectly detected as ISO-8859-1, and in particularly bad
> cases, vice versa.

i would consider firefox a modern browser, and it does not default to
autodetect. it defaults to iso-8859-1

however, the gui does not allow per html doctype default charset, so a
management configured browser would apply default charset to html1, 4,
... n

there should be no case where this is a problem. all pages should be
html 4 to avoid these silly exchanges. it would be nice if some sort
of style guide clearly stated "pages in www/ are html4, charset
explicitly set to iso-8859-1". in the absence of that, we have these
discussions. having a www/STYLE doc does not require committing to a
particular templating language so hopefully it's a realistic
short-term goal



Re: OpenBSD's webpage desing

2012-06-28 Thread Andres Perera
On Thu, Jun 28, 2012 at 3:45 PM, Dave Anderson  wrote:
> On Thu, 28 Jun 2012, frantisek holop wrote:
>
>>hmm, on Thu, Jun 28, 2012 at 09:47:00AM -0400, Dave Anderson said that
>>> Using META is _ugly_, especially for specifying a charset (since the
>>> page will be read up through the META element using the charset
>>> specified in the real header or assumed by the browser -- and that
>>> charset could be incompatible with the actual encoding.)  Why not just
>>> use the AddDefaultCharset directive to ensure that a charset is
>>> specified in the real header for all pages?  Or is this known to break
>>> some browsers that are still in use?
>>
>>because AddDefaultCharset is a braindead concept.
>
> No, just one that needs to be applied only when appropriate.  The truly
> braindead idea is that of partially parsing a file in order to find out
> what charset you should have been using in doing that parsing.  This
> only "mostly works" because, for the typical page content from the
> beginning through any META elements, the encoding specified by most
> charset values happens to match the encoding specified by 8859-1.

[...]

the cool thing about tags is that you can access; e.g., local man
pages through file:// and have a properly decoded page. no need for a
server

most charsets coincide with the first 127 characters of ascii, so
what's the problem anyway. yea some browsers will reread the whole
html but it's a minimal cost if you place the meta tag at the
beginning



Re: OpenBSD's webpage desing

2012-06-28 Thread Andres Perera
imo the issue has more to do with one page using a completely
different scheme than all the others. that happens when you copy-paste
massive tags at the beginning of every doc instead of using your
preferred flavor of "#include". you could of course go another route
and try to justify it by saying it's html1 unlike the rest, but that's
just as useless as fixating on the charset

On Thu, Jun 28, 2012 at 9:17 AM, Dave Anderson  wrote:
> On Thu, 28 Jun 2012, Stuart Henderson wrote:
>
>>On 2012-06-28, ropers  wrote:
>>> On 28 June 2012 01:17, Andres Perera  wrote:
>>>>> http://www.openbsd.org/papers/bsdcan11-mandoc-openbsd.html
>>>>
>>>>
>>>> that page is encoded iso 8859-1, doesn't state so anywhere, breaks
>>>> with browsers configured to default to utf8 in the absence of encoding
>>>> qualifiers
>>>
>>> $ telnet www.openbsd.org 80
>>> Trying 142.244.12.42...
>>> Connected to www.openbsd.org.
>>> Escape character is '^]'.
>>> GET /papers/bsdcan11-mandoc-openbsd.html HTTP/1.1
>>> Host: www.openbsd.org
>>>
>>> HTTP/1.1 200 OK
>>> Date: Wed, 27 Jun 2012 23:59:19 GMT
>>> Server: Apache
>>> Last-Modified: Sat, 18 Jun 2011 11:11:28 GMT
>>> ETag: "65f60c9352dee7ec594696cdfb681e86316269ef"
>>> Accept-Ranges: bytes
>>> Content-Length: 32754
>>> Content-Type: text/html
>>>
>>>
>>>
>>> ...
>>>
>>>
>>> Okay, this could transmit "Content-Type: text/html;
>>> charset=iso-8859-1" but doesn't, but that's ok, we can do this on a
>>> page-by-page basis with a META tag, which ought to be ignored by
>>> browsers that don't understand it:
>>
>>IMO if it's worth doing this at all, it needs doing to *all* pages
>>that need it, in one go, consistently.
>>
>>Anything else is likely to be way too much pain for the translators.
>
> Using META is _ugly_, especially for specifying a charset (since the
> page will be read up through the META element using the charset
> specified in the real header or assumed by the browser -- and that
> charset could be incompatible with the actual encoding.)  Why not just
> use the AddDefaultCharset directive to ensure that a charset is
> specified in the real header for all pages?  Or is this known to break
> some browsers that are still in use?
>
>        Dave
>
> --
> Dave Anderson
> 



Re: OpenBSD's webpage desing

2012-06-27 Thread Andres Perera
that patch is not a solution

a good solution is use m4 or another macro language (maybe cpp since
apparently line-based macro languages are liked by mandoc freaks) to
add an "include" to all pages in the www/* repository

also, a commit hook that ensures that newly added or modified pages
meet a set of requirements

On Wed, Jun 27, 2012 at 8:55 PM, ropers  wrote:
> On 28 June 2012 01:17, Andres Perera  wrote:
>>>  http://www.openbsd.org/papers/bsdcan11-mandoc-openbsd.html
>>
>>
>> that page is encoded iso 8859-1, doesn't state so anywhere, breaks
>> with browsers configured to default to utf8 in the absence of encoding
>> qualifiers
>
> $ telnet www.openbsd.org 80
> Trying 142.244.12.42...
> Connected to www.openbsd.org.
> Escape character is '^]'.
> GET /papers/bsdcan11-mandoc-openbsd.html HTTP/1.1
> Host: www.openbsd.org
>
> HTTP/1.1 200 OK
> Date: Wed, 27 Jun 2012 23:59:19 GMT
> Server: Apache
> Last-Modified: Sat, 18 Jun 2011 11:11:28 GMT
> ETag: "65f60c9352dee7ec594696cdfb681e86316269ef"
> Accept-Ranges: bytes
> Content-Length: 32754
> Content-Type: text/html
>
> 
> 
> ...
>
>
> Okay, this could transmit "Content-Type: text/html;
> charset=iso-8859-1" but doesn't, but that's ok, we can do this on a
> page-by-page basis with a META tag, which ought to be ignored by
> browsers that don't understand it:
>
> $ diff -u 'bsdcan11-mandoc-openbsd.html' 'bsdcan11-mandoc-openbsd.html.new'
> --- bsdcan11-mandoc-openbsd.html        2012-06-28 02:12:19.0
+0200
> +++ bsdcan11-mandoc-openbsd.html.new    2012-06-28 02:07:54.0
+0200
> @@ -1,4 +1,7 @@
>  
> +
> +
> +
>  
>  http://www.bsdcan.org/2011/schedule/events/230.en.html";>Mandoc
>  in OpenBSD
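
Review bot: the three added lines at the top of the hunk arrive empty in this archive copy (the markup was stripped), so the actual META tag cannot be reviewed here; from the message it is meant to be a META carrying charset=iso-8859-1 placed within the first lines, which is the right spot given the objection that a browser parses everything up to the META in the charset it assumed or got from the header. It also fixes exactly one page: the header shown above is still `Content-Type: text/html` with no charset, so every other page keeps the same problem until either AddDefaultCharset or a shared include supplies the declaration for all of them.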
>
> Generally speaking, I find that on misc@ the words "you should make"
> are taken far less seriously than even the most pitiful of diffs.
>
> regards,
> ropers
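
The commit hook Andres proposes above, combined with the rule from the mojibake post that pages in www/ explicitly declare iso-8859-1, as an added example that is not from the thread or from OpenBSD's www/ tooling: a sh script that rejects a page unless a META tag declares the expected charset and does so before the first non-ASCII byte. The policy charset, the hook's calling convention (file names as arguments) and the use of the HTML4 META form are assumptions of mine.

```shell
#!/bin/sh
# Added example, not code from the thread: the kind of commit-hook check
# suggested above, enforcing the mojibake-post rule that every www/ page
# explicitly declares its charset (iso-8859-1 unless WANT_CHARSET says so).
# Each page must carry a META line with charset=..., and that line must come
# before the first non-ASCII byte: a browser starts parsing in the charset it
# assumed (or the HTTP header gave it) and only switches when it reaches the
# META, so anything non-ASCII before that point is decoded by guesswork.
WANT_CHARSET=${WANT_CHARSET:-iso-8859-1}

# Offset of the first byte > 127 in the file, or -1 if the file is pure ASCII.
first_high_byte() {
    od -An -tu1 -v "$1" | awk '
        {
            for (i = 1; i <= NF; i++) {
                if ($i > 127) { print n; found = 1; exit }
                n++
            }
        }
        END { if (!found) print -1 }'
}

# Print "<byte offset> <charset>" for the first META line carrying charset=,
# or -1 if there is none. LC_ALL=C makes awk count bytes, not characters.
declared_charset() {
    LC_ALL=C awk '
        {
            low = tolower($0)
            i = index(low, "charset=")
            if (i > 0 && index(low, "<meta") > 0) {
                val = substr(low, i + 8)
                sub(/^"/, "", val)             # charset="..." form
                sub(/[^a-z0-9_-].*/, "", val)  # cut at the closing quote, ; or >
                print off + i - 1, val
                found = 1
                exit
            }
            off += length($0) + 1              # +1 for the newline
        }
        END { if (!found) print -1 }' "$1"
}

# One page: return 0 if it passes, 1 (with the reason on stderr) if not.
check_page() {
    page=$1
    set -- $(declared_charset "$page")
    off=$1; cs=${2:-}
    if [ "$off" -lt 0 ]; then
        echo "$page: no META charset declaration" >&2; return 1
    fi
    if [ "$cs" != "$WANT_CHARSET" ]; then
        echo "$page: declares charset '$cs', policy says $WANT_CHARSET" >&2; return 1
    fi
    high=$(first_high_byte "$page")
    if [ "$high" -ge 0 ] && [ "$high" -lt "$off" ]; then
        echo "$page: non-ASCII byte at offset $high precedes the charset META at $off" >&2
        return 1
    fi
    return 0
}

# All pages named on the command line; non-zero if any fails, as a hook wants.
check_all() {
    rc=0
    for p in "$@"; do check_page "$p" || rc=1; done
    return $rc
}

if [ $# -gt 0 ]; then check_all "$@"; fi
```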



Re: OpenBSD's webpage desing

2012-06-27 Thread Andres Perera
On Wed, Jun 27, 2012 at 7:43 PM, Philip Guenther  wrote:
> On Wed, Jun 27, 2012 at 4:17 PM, Andres Perera  wrote:
> ...
>> that page is encoded iso 8859-1, doesn't state so anywhere, breaks
>> with browsers configured to default to utf8 in the absence of encoding
>> qualifiers
>
> Those browsers are violating the HTTP/1.1 standard.  RFC 2616, section
> 3.7.1, paragraph 4:
>
>   The "charset" parameter is used with some media types to define the
>   character set (section 3.4) of the data. When no explicit charset
>   parameter is provided by the sender, media subtypes of the "text"
>   type are defined to have a default charset value of "ISO-8859-1" when
>   received via HTTP. Data in character sets other than "ISO-8859-1" or
>   its subsets MUST be labeled with an appropriate charset value. See
>   section 3.4.1 for compatibility problems.

firefox and ie are nice enough to assume iso-8859-1. that's not the
case with management configured browsers, where RFCs don't mean a damn

>
>
> And then there's section 3.4.1:
>
> 3.4.1 Missing Charset
>
>   Some HTTP/1.0 software has interpreted a Content-Type header without
>   charset parameter incorrectly to mean "recipient should guess."
>   Senders wishing to defeat this behavior MAY include a charset
>   parameter even when the charset is ISO-8859-1 and SHOULD do so when
>   it is known that it will not confuse the recipient.
>
>   Unfortunately, some older HTTP/1.0 clients did not deal properly with
>   an explicit charset parameter. HTTP/1.1 recipients MUST respect the
>   charset label provided by the sender; and those user agents that have
>   a provision to "guess" a charset MUST use the charset from the
>   content-type field if they support that charset, rather than the
>   recipient's preference, when initially displaying a document. See
>   section 3.7.1.
>
>
> Wait, was that a warning that an explicit charset parameter broke some
> older browsers?  Huh...

wtf? a charset parameter is present in www/index.html so i guess that
particular page isn't catering to an unrealistic section of an rfc

i sense some conflicting interests here

>
>
> Philip Guenther



Re: OpenBSD's webpage desing

2012-06-27 Thread Andres Perera
On Wed, Jun 27, 2012 at 6:18 PM, Ingo Schwarze  wrote:
> Hi,
>
> Matthew Dempsky wrote on Wed, Jun 27, 2012 at 01:53:09PM -0700:
>> On Wed, Jun 27, 2012 at 1:41 PM, Ted Unangst  wrote:
>
>>> Here's something I think would be a *major* improvement.
>>> Fix magicpoint to export slides in a format better than jpg.
>
> That's not the only thing that could be fixed about magicpoint;
> however, fixing magicpoint is not a job for the fainthearted.
>
> The only time i used it so far (ironically, to present about
> mandoc), i ended up publishing the slides in plain HTML,
> with heavy manual postprocessing:
>
>  http://www.openbsd.org/papers/bsdcan11-mandoc-openbsd.html


that page is encoded iso 8859-1, doesn't state so anywhere, breaks
with browsers configured to default to utf8 in the absence of encoding
qualifiers

all those little things add up, man



Re: OpenBSD's webpage desing

2012-06-27 Thread Andres Perera
On Wed, Jun 27, 2012 at 6:10 PM, Nick Holland wrote:
>
> Other than "boring", no one has actually STATED a problem of the OpenBSD
> website.  What message are we not getting across?  If there is a PROBLEM
> you see that makes getting its information to you difficult, please
> state it and indicate what could be done better.  i.e., saying, "what
> you did to the faq/index.html page for this release makes no sense to me
> as I'm blind and using a screen reader" would be constructive and useful
> (and I have no freaking idea what to do about it, and in fact, I've just
> made myself feel really guilty, as if someone WERE to say that to me, I
> don't want to undo it...)

ok

concretely, the man and webcvs pages do not have links back to openbsd.org

good design would be to make the openbsd logo at the top left corner be the
link

that's a big nono in site layout. you should make the site as
browseable as possible

(see how you can talk about design without talking about aesthetics)

another thing is, talking with a professional designer will reveal
many problems like these, the difference being that you'll get
information in meaningful chunks instead of little updates such as
this mail



Re: OpenBSD's webpage desing

2012-06-27 Thread Andres Perera
On Wed, Jun 27, 2012 at 5:55 PM, john slee  wrote:
> Do you think that if the reader finds reading to be optimal at a
> particular column width, that said reader may well adjust their
> browser window to suit?

sorry but that's complete bs. you are essentially expecting users to
re-size the window according to each site, since it's impossible for
all sites to display optimally under fixed browser-window dimensions
without conceding to capped text width... and that's a situation where
worst case happens to match the usual case

the 60-72 cap train took off ages ago. i don't read books like it's a
chinese fortune string, nor do i subject my newspaper leisure hours to
the same torture



Re: OpenBSD's webpage desing

2012-06-27 Thread Andres Perera
On Wed, Jun 27, 2012 at 5:55 PM, Peter Laufenberg wrote:
>>On Wed, Jun 27, 2012 at 5:29 PM, Peter Laufenberg wrote:
>>> I'm willing to indirectly donate to OpenBSD by paying a professional
>>> graphic designer to redo parts of OpenBSD's visual design. His portfolio:
>>
>>that would be cool to presence as a bystander
>
> I don't understand you, man!

i rarely see people talking about the site layout on these lists, and
i think it would be funny to see a typical designer dealing with;
e.g., www/build/mirrors.pl

it would be entertaining to follow the thread of patch submissions and
developer reactions :)

having said that, i think the site is ok



Re: OpenBSD's webpage desing

2012-06-27 Thread Andres Perera
On Wed, Jun 27, 2012 at 5:29 PM, Peter Laufenberg wrote:
>>> Speaking personally, I wouldn't mind if OpenBSD's website were
>>> updated.  Just no one has volunteered yet to do the dirty work of
>>> actually coming up with a functional design and then updating the
>>> HTML.
>>>
>>> Talk is cheap.
>
> I'm willing to indirectly donate to OpenBSD by paying a professional graphic
> designer to redo parts of OpenBSD's visual design. His portfolio:

that would be cool to presence as a bystander

pay the dude regardless of what anybody says, and have him send the
patches to a public mailing list

would've been even more interesting if you told nobody that he was
getting paid for the patches



Re: Following -current through a semi-automatic process: a strategy for encouraging user involvement?

2012-06-19 Thread Andres Perera
On Wed, Jun 20, 2012 at 1:40 AM, Andres Perera  wrote:
> sorry, but i never sold nm as the sole step granting immunity. i
> explicitly presented it as an example. nevertheless, the full list of
> things i do do not cover all of possible changes you pointed out. i
> constructed it in a way that also works with snapshots:
>
> diff include/sys/syscall{args,}.h with previous db (a la sysmerge);
> double check with nm /bsd. syscallargs changing returns false
> whether or not nm shows the same set of calls.
>
> (i don't currently diff /sys/* in hopes of finding new or changed bitmap
> flags)

i am talking about include/sys, not the kernel source repository

>
> diff include/sys/ioctl.h and header-includes with previous db. i don't
> attempt to detect new includes, this is fragile and is covered by
> acting on sys/*
>
> the rest of files are predictable sets of other kernel apis. i don't
> look at net/pfvar or anything outside sys even though i should
>
> as flaky as it can be, it works most of the time and it's better than
> "let the user decide"
>
> On Wed, Jun 20, 2012 at 12:59 AM, Matthew Dempsky wrote:
>> On Tue, Jun 19, 2012 at 9:34 PM, Andres Perera  wrote:
>>> all of the calls in syscalls.master map to a unique function, and all
>>> of them start with sys_. it's true that nm won't tell me about
>>> argument changes. i just risk it a little by assuming no one's that
>>> evil
>>
>> Okay, granted nm will tell you when new syscall entry points get
>> added... but you won't know about new syscall flags, new ioctls, new
>> device nodes, new sysctls, new behavior, etc.
>>
>> Not saying you can't use nm as a backup sanity check, but it's not
>> something I'd recommend relying on by default.  Our userland is really
>> not designed to run on older kernels.



Re: Following -current through a semi-automatic process: a strategy for encouraging user involvement?

2012-06-19 Thread Andres Perera
sorry, but i never sold nm as the sole step granting immunity. i
explicitly presented it as an example. nevertheless, the full list of
things i do do not cover all of possible changes you pointed out. i
constructed it in a way that also works with snapshots:

diff include/sys/syscall{args,}.h with previous db (a la sysmerge);
double check with nm /bsd. syscallargs changing returns false
whether or not nm shows the same set of calls.

(i don't currently diff /sys/* in hopes of finding new or changed bitmap
flags)

diff include/sys/ioctl.h and header-includes with previous db. i don't
attempt to detect new includes, this is fragile and is covered by
acting on sys/*

the rest of files are predictable sets of other kernel apis. i don't
look at net/pfvar or anything outside sys even though i should

as flaky as it can be, it works most of the time and it's better than
"let the user decide"

On Wed, Jun 20, 2012 at 12:59 AM, Matthew Dempsky wrote:
> On Tue, Jun 19, 2012 at 9:34 PM, Andres Perera  wrote:
>> all of the calls in syscalls.master map to a unique function, and all
>> of them start with sys_. it's true that nm won't tell me about
>> argument changes. i just risk it a little by assuming no one's that
>> evil
>
> Okay, granted nm will tell you when new syscall entry points get
> added... but you won't know about new syscall flags, new ioctls, new
> device nodes, new sysctls, new behavior, etc.
>
> Not saying you can't use nm as a backup sanity check, but it's not
> something I'd recommend relying on by default.  Our userland is really
> not designed to run on older kernels.



Re: Following -current through a semi-automatic process: a strategy for encouraging user involvement?

2012-06-19 Thread Andres Perera
and that will be an exception that i'll have to deal with, which is
entirely reasonable given that they rarely do change

another rare exception i could skirt around would be white space
changes that would deter me from diffing syscalls.master instead of
`nm /bsd` during automation, but the problem doesn't even come to that
with snapshots, since i don't have a source referral; i only have the
binary interface of the symbol list

On Wed, Jun 20, 2012 at 12:18 AM, Philip Guenther  wrote:
> On Tue, Jun 19, 2012 at 9:34 PM, Andres Perera  wrote:
>> all of the calls in syscalls.master map to a unique function, and all
>> of them start with sys_. it's true that nm won't tell me about
>> argument changes. i just risk it a little by assuming no one's that
>> evil
>
> Heh.  *Yesterday* tedu asked me to add some backwards compat to a diff
> I set around that did exactly that, changing the argument list for an
> existing syscall.  I guess I'm winning the evil contest with tedu!
>
>
> Philip Guenhter



Re: Following -current through a semi-automatic process: a strategy for encouraging user involvement?

2012-06-19 Thread Andres Perera
since packages are done in synch with snapshots, i do not use the
trees because i'd rather use packages

it's not clear whether or not changes in snapshots are allowed to make
the packages incompatible with what you find in the repositories.
perhaps i would be able to retract what i said as silly (and benefit
from knowing exactly what it is i'm running at the same time)

On Tue, Jun 19, 2012 at 9:24 PM, Theo de Raadt wrote:
>> never mind the premise that snapshots contain changes not found in the
>> trees, you state things to the effect of "user chooses whether or not
>> to reboot to new kernel". didn't even bother; e.g., comparing nm
>> outputs
>
> well, hang on.  quite often those diffs in snapshots are not yet
> committed for a reason.
>
> those diffs are being tested by people brave enough to test snapshots.
> of course, if people are brave enough to test snapshots, and any last
> minute bugs are found in those diffs and fixed.. and everyone will be
> able to run those juicy bits earlier.
>
> the diffs in snaps are chosen by me to try to advance so that i can
> help that process ahead (but at the same time not drive myself
> insane).  after all, if i pick the wrong diffs at the wrong time, i
> i'm going to break all of the build machines at the same time...



Re: Following -current through a semi-automatic process: a strategy for encouraging user involvement?

2012-06-19 Thread Andres Perera
all of the calls in syscalls.master map to a unique function, and all
of them start with sys_. it's true that nm won't tell me about
argument changes. i just risk it a little by assuming no one's that
evil

On Tue, Jun 19, 2012 at 9:22 PM, Matthew Dempsky  wrote:
> On Tue, Jun 19, 2012 at 5:44 PM, Andres Perera  wrote:
>> didn't even bother; e.g., comparing nm
>> outputs
>
> Er, what are you expecting to divine by comparing nm output?



Re: Following -current through a semi-automatic process: a strategy for encouraging user involvement?

2012-06-19 Thread Andres Perera
ultimately naive/incomplete approach

never mind the premise that snapshots contain changes not found in the
trees, you state things to the effect of "user chooses whether or not
to reboot to new kernel". didn't even bother; e.g., comparing nm
outputs



Re: About wine ?

2012-06-11 Thread Andres Perera
On Mon, Jun 11, 2012 at 1:30 PM, Peter Laufenberg wrote:
>>On Mon, Jun 11, 2012 at 3:49 PM, Peter Laufenberg wrote:
>>> Qemu seems like a good project given the flack it gets on wikipedia (very
>>> Cartesian, I know), how well can it run on OpenBSD? what's holding it back?
>>> which kernel improvements/patches will help? if all VM is counter-security,
>>> why? Where do we come from and is there life after death? I demand to know.
>>
>>Qemu is fine on OpenBSD, but slow, because for some time already it's
>>without KVM in OpenBSD. Probably one of the reasons for www.bitrig.org
>
> I see. Lofty goals with a questionable fork rationale. Maybe removing doc
> references to floppies and tapes would improve the "modernity" perception.

they also removed code

makefiles really aren't set up for mass edits. it's hard to do static checks

>
> From Jiri:
>>Why don't you first search archives?
>
> - digressions into exotic sports cars?
> - marketing plugs?
> - out of date?
>
> -- p



Re: Large (3TB) HDD support

2012-06-03 Thread Andres Perera
On Sun, Jun 3, 2012 at 9:18 PM, Peter Kay  wrote:
> Can we please differentiate GPT from EFI. GPT may be part of the EFI
> specification, but it's a standalone piece - implementing GPT is not going
> to restrict anyone's freedom to do what they want with a machine. Some
> possibilities EFI offers are more contentious..
>
> GPT is a foregone conclusion unless you are blind to the future. The only
> alternative is OS specific disk hackery, and that does no-one any favours.
> Single disk 2TB+ partitions will not even attract comment inside the next 5
> years.

it doesn't make sense to put my boot files / os on a 2tb file system.
whether or not this will eventually become a non-issue, i don't see
any oses significantly moving in the opposite direction. not even
windows 7 shies away from having a small boot partition. there's also
no os out there that benefits from having 2tb to move about the boot
partition, let alone to house system files. that could change but not
any time soon, and most definitely not in the next 5 years



Re: File descriptor -> name?

2012-05-05 Thread Andres Perera
that will potentially show up more than one file, not the one that was opened

On Sat, May 5, 2012 at 3:49 AM, Stuart Henderson  wrote:
> On 2012-05-05, Andres Perera  wrote:
>> not in obsd
>>
>> plan 9/linux keep the name as it was opened
>>
>> think about hardlinks, unlinking and how the kernel only stores the inode #
>
> find(1) can search by inode number, so if you can identify that via ktrace
> and if the file still exists, you can use "find /root/of/fs -inum 1234"



Re: File descriptor -> name?

2012-05-04 Thread Andres Perera
not in obsd

plan 9/linux keep the name as it was opened

think about hardlinks, unlinking and how the kernel only stores the inode #

On Fri, May 4, 2012 at 11:44 PM, Alan Corey  wrote:
> Is there a way to get the name of a file that's open when all you've got is
> a file descriptor?
>
> I'm working on porting something that I didn't write, with directories
> full of source.  I'm seeing a problem with an ioctl being the wrong type, but
> I'm looking at the code where it happens, I can't see what the file descriptor
> passed in is pointing to.  Seems like there should be a way.
>
>  Alan



Re: OpenBSD 5.1 SSD

2012-04-14 Thread Andres Perera
doesn't support trim. i remember reading somewhere, maybe a freebsd
mailing list, that calculating when to do trim is tricky because it
can only work on a specific width

On Sat, Apr 14, 2012 at 2:08 PM, Laurence Rochfort wrote:
> Hi,
>
> I'm considering purchasing a domestic SSD for my laptop.
>
> Does OpenBSD 5.1 support SSDs and the TRIM command if needed?
>
> Regards,
> Laurence Rochfort



Re: pf anchor strange bihavior

2012-04-12 Thread Andres Perera
On Thu, Apr 12, 2012 at 9:25 PM, Michel Blais wrote:
> Just saw something strange with inline anchor rule and macro :
>
> if I set an anchor rule with a macro inside of it and do pfctl -vnf, only
> the first value of the macro seems to have the anchor rule following. Every
> other value will be without bracket and anchor rules.
>
> Example :
>
> in the pf.conf
> net="{ em0, em1 }"
> anchor in on $net proto tcp to ! port { 22, 8181, 4000, 4001, 4002 }
> {
>         block in quick on $ext_if1 to 
>         pass  in quick on $ext_if1 to 216.*.*.0/24
>         pass  in quick on $ext_if1 to 216.*.*.0/24
>         pass  in quick on $ext_if2 to 96.*.*.0/24
>         pass  in quick on $ext_if1 to 207.*.*.130
>         pass  in quick on $ext_if1 to 207.*.*.128/29
>         pass  in quick on $ext_if1 to 207.*.*.136/29
>         block in  quick
>         block out quick
> }
>
> pfctl -vnf give me this :
> anchor in on em0 proto tcp from any to !  port = ssh {
>   block drop in quick on em0 from any to 
>   pass in quick on em0 inet from any to 216.*.*.0/24 flags S/SA
>   pass in quick on em0 inet from any to 216.*.*.0/24 flags S/SA
>   pass in quick on em0 inet from any to 207.*.*.130 flags S/SA
>   pass in quick on em0 inet from any to 207.*.*.128/29 flags S/SA
>   pass in quick on em0 inet from any to 207.*.*.136/29 flags S/SA
>   pass in quick on em1 inet from any to 96.*.*.0/24 flags S/SA
>   block drop in quick all
>   block drop out quick all
> }
> anchor in on em0 proto tcp from any to !  port = 8181
> anchor in on em0 proto tcp from any to !  port = 4000
> anchor in on em0 proto tcp from any to !  port = 4001
> anchor in on em0 proto tcp from any to !  port = 4002
> anchor in on em1 proto tcp from any to !  port = ssh
> anchor in on em1 proto tcp from any to !  port = 8181
> anchor in on em1 proto tcp from any to !  port = 4000
> anchor in on em1 proto tcp from any to !  port = 4001
> anchor in on em1 proto tcp from any to !  port = 4002
>
> Is this a limitation of PF, an unanticipated situation, or is it just cosmetic?
> Maybe I'm misinterpreting it.

the lines directly after the braced block also trigger the braced block

it's cosmetic

>
> Thanks
>
> Michel



Re: LiveUSB OpenBSD and LiveCD-OpenBSD site updated

2012-04-09 Thread Andres Perera
On Tue, Apr 10, 2012 at 1:53 AM, Mihai Popescu  wrote:
>> Andres Perera wrote:
>> read very slowly
>> if they don't use the following to boot:
>
>> * bootp (requires more than one system)
>> * a cd (requires an optical drive)
>> * a floppy (requires a floppy drive)
>
>> then they boot from hdd. it doesn't matter if it's usb, sata or what have you
>
> I think you are making a confusion between usb mass storage device and
> usd attached hdd device.

there's no distinction for the bios, which is the key part in booting
a system. on x86 it looks for specific data which is common in "mass
storage media" and hdd, *different* to cd boot and floppy boot

>
>> there are no official boot images for hdd. nick is aware of this, and
>> so are the rest of the developers
>
> Yes, they do, since there is no such thing like "images for hdd". I
> let you try to define one.

hah, dd your raw hard drive device to a usb key. you have an hdd
image. moreover, several projects either offer those, or an
alternatively crafted iso which can be used for usb boot because it
doesn't just have "el torito" boot

you are way over your head son, yet you keep insisting



Re: How to have more than 15 pflog interfaces?

2012-04-09 Thread Andres Perera
altering the max might have consequences i don't know about:

grep -nC5 PFLOGIFS_MAX /sys/net/if_pflog.h
27-#ifndef _NET_IF_PFLOG_H_
28-#define _NET_IF_PFLOG_H_
29-
30-#include 
31-
32:#define  PFLOGIFS_MAX    16
33-
34-struct pflog_softc {
35-    struct ifnet    sc_if;  /* the interface */
36- int sc_unit;
37- LIST_ENTRY(pflog_softc) sc_list;

what i do know is that the actual bug is netstart unhelpfully
redirecting errors to dev null on ifconfig create

if it didn't, you would have seen "ifconfig: SIOCIFCREATE: Invalid argument"

On Tue, Apr 10, 2012 at 12:46 AM, Siju George  wrote:
> Hi,
>
> I have /etc/hostname.pflog files from 1-25.
> but only till 15 is available through ifconfig
>
>
> pflog15: flags=41 mtu 33152
>         priority: 0
>
> how do I get till pflog25?
>
> Thanks
>
> Siju



Re: LiveUSB OpenBSD and LiveCD-OpenBSD site updated

2012-04-09 Thread Andres Perera
nope, not all bioses like that

my hp mini's bios is only willing to do hdd emulation on usb sticks,
so a dd'd iso or floppy image will not suffice (and hey, this
inability isn't uncommon either)

On Mon, Apr 9, 2012 at 6:38 PM, Ted Unangst  wrote:
> On Mon, Apr 09, 2012, Andres Perera wrote:
>> if they don't use the following to boot:
>>
>> * bootp (requires more than one system)
>> * a cd (requires an optical drive)
>> * a floppy (requires a floppy drive)
>>
>> then they boot from hdd. it doesn't matter if it's usb, sata or what have you
>>
>> there are no official boot images for hdd. nick is aware of this, and
>> so are the rest of the developers
>
> Copy the floppy (or cd, for that matter) image onto a USB stick.  Boot
> from it.  Problem solved.



Re: LiveUSB OpenBSD and LiveCD-OpenBSD site updated

2012-04-09 Thread Andres Perera
On Mon, Apr 9, 2012 at 11:26 AM, Mihai Popescu  wrote:
>> Andres Perera wrote:
>> i don't understand why such a simple problem is turning into drama
>
> It is not. As for the understanding part, you need to identify what is
> stopping you in the first place - is it that english is not your first
> language and you don't have enough of it, or is it that you read
> between lines, or any other thing. Once you will find it, you can
> adjust it and come to an understanding. Eventually.
>
>> that's outside the conditions. i am talking about a real world
>> situation where i had ONE COMPUTER and it did not have a cd drive
>
> Nick, the FAQ and a bunch of internet out there ARE TALKING about the
> same thing. Didn't you really see this?
>
>> that's it. there's no other way to look at it
>
> Says who? Take a look at soekris.com stuff and believe this boards are
> able to get OpenBSD installed on them and run it successfully. And
> guess what? Only ONE COMPUTER is involved to prepare the OS.

read very slowly

if they don't use the following to boot:

* bootp (requires more than one system)
* a cd (requires an optical drive)
* a floppy (requires a floppy drive)

then they boot from hdd. it doesn't matter if it's usb, sata or what have you

there are no official boot images for hdd. nick is aware of this, and
so are the rest of the developers

the faq requires that you boot with bsd.rd and use that environment to
install to usb media

you cannot do that with a single computer that can only boot from usb
hdd with the official media, so you need to install to qemu

you are obviously not talking about the same situation, and neither is
the other dude. more than that, you've never encountered this problem
or else you'd be familiar with the requirements

you are a humongous idiot

>
> Excuse my intervention, please, but your answers keep reminding me of
> someone I work with, who got a habit of telling people around him how
> they CAN'T accomplish something. Pretty useless.



Re: sending hex string to /dev/ttyU1

2012-04-08 Thread Andres Perera
funny how so many perl people and online shellcode tutorials are ok
with that contrived syntax

i recommend perl -e 'print pack "i", 0x8800612a'

it'll adjust to endianness as needed

if you are truly interested in sending hex *strings* then it's not of much help

On Sun, Apr 8, 2012 at 4:25 PM, Ted Unangst  wrote:
> On Sun, Apr 08, 2012, edasky wrote:
>> rs232 -d /dev/ttyUSB1-s'\h 2A 61 00 06 88 01 20 87 3E \r" -r8 -hex
>>
>> Now I need to achieve the same result under OpenBSD (5.0)
>
>> Anybody got an idea how to send such a hex string in /dev/ttyU1 ?
>
> Maybe something like perl -e 'print "\x2a\x61\x00\x88"' > /dev/ttyU1
>
> You may need to use stty to set the speed and such first.
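Since the goal in this thread is to put an exact byte sequence on the serial line, here is an added example in C (my code, not from the thread or from the rs232 tool) that parses a whitespace-separated hex string like the one in the rs232 command into raw bytes and writes them to a device. The function names, the device-path argument and the sample string are constructed for this example. The point it illustrates: `pack "i"` emits a 32-bit integer in host byte order, whereas decoding each two-digit token to one byte sends exactly what the string says, on any endianness.

```c
#include <ctype.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9')
        return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f')
        return c - 'a' + 10;
    return -1;
}

/*
 * Decode a whitespace-separated hex string ("2A 61 00 ...") into bytes.
 * Every token must be exactly two hex digits: a stray single digit, a
 * non-hex character, or more bytes than fit in out[] is rejected with -1
 * rather than putting a truncated or mis-aligned frame on the wire.
 * Returns the number of bytes stored in out[].
 */
static int hex_string_to_bytes(const char *s, unsigned char *out, size_t outlen)
{
    size_t n = 0;

    while (*s != '\0') {
        if (isspace((unsigned char)*s)) {   /* token separator */
            s++;
            continue;
        }
        int hi = hexval((unsigned char)s[0]);
        if (hi < 0)
            return -1;
        int lo = hexval((unsigned char)s[1]);  /* s[0] != NUL, so s[1] is readable */
        if (lo < 0)
            return -1;
        if (n >= outlen)
            return -1;
        out[n++] = (unsigned char)(hi << 4 | lo);
        s += 2;
        /* a byte must be followed by a separator or the end of the string */
        if (*s != '\0' && !isspace((unsigned char)*s))
            return -1;
    }
    return (int)n;
}

/*
 * Write the decoded frame to a tty, appending the carriage return the
 * rs232 command added with "\r".  Speed and framing must already be set
 * (stty, or tcsetattr(3)).  Returns bytes written, or -1 on any error.
 */
static int send_hex_frame(const char *devpath, const char *hex)
{
    unsigned char buf[256];
    int n = hex_string_to_bytes(hex, buf, sizeof buf - 1);

    if (n < 0)
        return -1;
    buf[n++] = '\r';
    int fd = open(devpath, O_WRONLY | O_NOCTTY);
    if (fd == -1)
        return -1;
    ssize_t w = write(fd, buf, (size_t)n);
    close(fd);
    return (w == n) ? n : -1;
}

int main(void)
{
    /* constructed sample: the frame from the rs232 command line */
    const char *frame = "2A 61 00 06 88 01 20 87 3E";
    unsigned char buf[32];
    int n = hex_string_to_bytes(frame, buf, sizeof buf);

    if (n < 0) {
        fprintf(stderr, "malformed hex string\n");
        return 1;
    }
    for (int i = 0; i < n; i++)
        printf("%02x%c", buf[i], i + 1 == n ? '\n' : ' ');
    /* send_hex_frame("/dev/ttyU1", frame) puts the same bytes on the line */
    return 0;
}
```

The parser is strict on purpose: a frame going to a device should be rejected whole rather than sent short, which is why "2A61" (no separator) and "2A 6" (odd digit) both fail.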



Re: LiveUSB OpenBSD and LiveCD-OpenBSD site updated

2012-04-07 Thread Andres Perera
i don't understand why such a simple problem is turning into drama

On Sat, Apr 7, 2012 at 2:10 PM, Nick Holland  wrote:
> On 04/06/12 07:35, Dan Shechter wrote:
>> Hi, Sorry for the newbie question, but what is wrong with what he is doing?
>>
>> Best regards,
>> Dan
>
> First of all, OpenBSD is completely free software.  we can not, nor do
> we want to stop anyone from making their own "project" (or product)
> based on OpenBSD.  That doesn't mean we always like it.
>
> The problem comes in when people create things that are no longer
> OpenBSD, then the users come to our lists and developers expecting help.
> Or develop an opinion of OpenBSD based on these non-OpenBSD projects.
> This is often due to lack of maintenance on the part of those "projects"
> -- they put something together because they feel they need it, they
> think, "this is pretty cool", set up a website, make a logo, and ta-da,
> a project is born...and often, that's how it stays.
>
> We also don't like misinformation...for example, this from another part
> of the thread:
>
>> can't install in the first place if your only bootable media can be
>> usb sticks. the alternative to downloading premade images is making
>> them in qemu, which is more work for little gain
>
> That's ONE alternative.  Roughly equivalent to turning right by turning
> left three times (reverse for Drive-on-Left countries).  You can take
> your USB stick and an OpenBSD CD to any same-platform computer in the
> world that can boot from CD and has a USB port and build an install
> device there using standard processes...and you know what you have and
> how you got it.

that's outside the conditions. i am talking about a real world
situation where i had ONE COMPUTER and it did not have a cd drive

that's it. there's no other way to look at it



Re: LiveUSB OpenBSD and LiveCD-OpenBSD site updated

2012-04-06 Thread Andres Perera
On Fri, Apr 6, 2012 at 2:17 AM, Mihai Popescu  wrote:
>> Andres Perera 
>
>> if you cant install through network because you only got one machine
>
> So you can't install OpenBSD but you CAN download the pre-made OpenBSD images?

need another machine for bootp

>
>>and feel that guerrilla overwriting your mbr after installing the locks 
>>within another os in
>> order to do a hdd boot is too risky, you're left with this
>
> I've used OpenBSD in a multiboot and it was working perfectly fine, no
> guerrilla there.

can't install in the first place if your only bootable media can be
usb sticks. the alternative to downloading premade images is making
them in qemu, which is more work for little gain

>
>> the page you linked does not provide that
>
> It does not, since the page is for a specific purpose. If you take
> your time and go back to the root of FAQ you may find what you are
> looking for. But I guess it is nicer for you to spread crazy things on
> the list.



Re: LiveUSB OpenBSD and LiveCD-OpenBSD site updated

2012-04-01 Thread Andres Perera
?

he is hosting *pre-made* bootable usb images

if you cant install through network because you only got one machine,
don't have a cd drive (e.g. netbook), and feel that guerrilla
overwriting your mbr after installing the locks within another os in
order to do a hdd boot is too risky, you're left with this

the page you linked does not provide that

On Mon, Apr 2, 2012 at 1:26 AM, Jan Stary  wrote:
> On Apr 01 21:30:58, Girish Venkatachalam wrote:
>> After a long long time. Sigh.
>
> Please stop spreading this. All it does is give wrong
> instruction and diverts people who should instead read
> http://www.openbsd.org/faq/faq14.html#flashmemLive



Re: Is nginx to complement or replace apache?

2012-03-30 Thread Andres Perera
On Thu, Mar 29, 2012 at 4:30 PM, Otto Moerbeek  wrote:
> On Thu, Mar 29, 2012 at 01:31:17PM -0430, Andres Perera wrote:
>
>> On Thu, Mar 29, 2012 at 11:29 AM, Otto Moerbeek  wrote:
>> > On Thu, Mar 29, 2012 at 10:54:48AM -0430, Andres Perera wrote:
>> >
>> >> On Thu, Mar 29, 2012 at 10:38 AM, Paul de Weerd  wrote:
>> >> > On Thu, Mar 29, 2012 at 10:24:27AM -0430, Andres Perera wrote:
>> >> > | > Instead, you'll crank your file limits to... let me guess, unlimited?
>> >> > | >
>> >> > | > And when you hit the system-wide limit, then what happens?
>> >> > | >
>> >> > | > Then it is our systems problem, isn't it.
>> >> > | >
>> >> > |
>> >> > | i am not sure if you're a suggesting that each program do getrlimit
>> >> > | and acquire resources based on that, because it's a pita
>> >> >
>> >> > Gee whiz, writing programs is hard!  Let's go shopping!
>> >> >
>> >> > | what they could do is offer a reliable estimate (e.g. 5 open files per
>> >> > | tab required)
>> >> >
>> >> > Or just try to open a file, *CHECK THE RETURNED ERROR CODE* and (if
>> >> > any) *DEAL WITH IT*
>> >>
>> >> but we're only talking about one resource and one error condition
>> >>
>> >> write wrappers for open, malloc, etc
>> >>
>> >> avoiding errors regarding stack limits is not as easy
>> >
>> > There are very few programs that actually hit stack limits. Most cases
>> > it's unbounded recursion, signalling an error.
>>
>> doesn't change the fact that preempting it takes modifying your
>> compiler's typical function prelude (and slowing down each call)
>>
>> additionally, anticipating FSIZE would greatly slow down each write
>>
>> so no, you can't just "be correct" all the time and pat yourself on the back
>>
>> >
>> >>
>> >> obviously there's no reason for: a. every application replicating
>> >> these wrappers (how many xmallocs have you seen, honest?) and b. the
>> >> system not providing a consistent api
>> >
>> > Nah, you cannot create an api for this stuff, proper error handling and
>> > adaptation to resource limits is a program specific thing.
>>
>> well, if including logic that gracefully handles the stack limit is
>> not important on the basis of most application's needs, then i don't
>> see how the reverse relation couldn't justify a library with xmalloc
>> and similar. *most* applications that implement this function copy
>> paste the same fatal version. see also `#define MIN/MAX`
>
> You just seem to argue for the sake of it. Anyway
>
> A lot of programs have a *static* limit on stack depth, so those
> programs do not have that problem.
>
> For programs where the stack depth is a function of the input (for e.g.
> parser and expression evaluation), there are well known techniques to
> control the maximum depth. Most of these programs actually have their
> own parse stack management and do not use the function stack for
> that.
>
> In my experience, I only have seen programs hitting stacks limit when
> the stack limit was very low, like 64k or so. Hitting the stack limit
> is not a real world problem. Our default stack limit is 4M: big enough
> for virtually any program, and small enough to catch unbounded
> recursion before it will eat all vm.
>
> Hitting mem or fd limit *is* a real world problem. Because both
> memory and fd usage can build up, even in a well written program. In
> contrast to stack usage.

in my system, hitting fd limit is completely an artificial problem. i
have 8 gigs of memory and struct file is 120 bytes on amd64. the
default low limit is as silly as would be a 64k stack limit. if i were
designing a browser for machines like these, i wouldn't waste time
optimizing fd usage

even if i had access to the same browser you guys use, which magically
multiplexes a single socket over all connections, including ipc with
child processes that house tabs and plugins like google chrome, i
could afford not to give a shit when tiny fds go to waste whenever i
tried the bloated alternatives

>
> And just using xmalloc or similar for those cases is often not a
> solution, especially not for daemon programs. Handling resource
> exhaustion is a difficult problem that cannot be "solved" by just
> quitting your program, even if a lot of programs do so.
>
>         -Otto
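The disagreement above is about what a program should do when open(2) fails with EMFILE: die (the xmalloc style), or "deal with it". As an added example in C (my code, not from the thread or from any program discussed in it), here is one graceful policy: on EMFILE, push the soft RLIMIT_NOFILE up to the hard limit, which an unprivileged process may always do, retry once, and otherwise hand the failure back to the caller rather than exiting. The function names and the demonstration that lowers the soft limit to a small value are constructed for this example; the hard limit is never touched.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <unistd.h>

/* how many times the wrapper had to push the soft limit (for inspection) */
static int limit_raises;

static int limit_raise_count(void)
{
    return limit_raises;
}

/*
 * Raise the soft descriptor limit to the hard limit.  Returns 0 when the
 * limit was raised, -1 when nothing is left to push or setrlimit refused.
 */
static int raise_nofile_soft_limit(void)
{
    struct rlimit rl;

    if (getrlimit(RLIMIT_NOFILE, &rl) == -1)
        return -1;
    if (rl.rlim_cur >= rl.rlim_max)
        return -1;                      /* already at the hard limit */
    rl.rlim_cur = rl.rlim_max;          /* allowed without privilege */
    if (setrlimit(RLIMIT_NOFILE, &rl) == -1)
        return -1;
    limit_raises++;
    return 0;
}

/*
 * open(2) wrapper that handles EMFILE by raising the soft limit once.
 * Unlike xmalloc it never exits: -1 with errno set goes back to the
 * caller, which decides what to shed (idle keep-alive sockets, cached
 * files) or what to tell the user.
 */
static int open_or_raise(const char *path, int flags)
{
    int fd = open(path, flags);

    if (fd == -1 && errno == EMFILE && raise_nofile_soft_limit() == 0)
        fd = open(path, flags);
    return fd;          /* still -1/EMFILE if the hard limit is exhausted */
}

/*
 * Demonstration: drop the soft limit to low_soft, then open /dev/null
 * through the wrapper up to max_tries times.  Returns how many opens
 * succeeded (max_tries if the one-time raise rescued us), -1 on setup
 * error.  All descriptors are closed and the old limits restored.
 */
static int demo_open_until_exhausted(rlim_t low_soft, int max_tries)
{
    struct rlimit saved, rl;
    int *fds, opened = 0;

    if (getrlimit(RLIMIT_NOFILE, &saved) == -1)
        return -1;
    rl = saved;
    rl.rlim_cur = low_soft;
    if (setrlimit(RLIMIT_NOFILE, &rl) == -1)
        return -1;
    fds = malloc(sizeof *fds * (size_t)max_tries);
    if (fds == NULL) {
        setrlimit(RLIMIT_NOFILE, &saved);
        return -1;
    }
    while (opened < max_tries) {
        int fd = open_or_raise("/dev/null", O_RDONLY);
        if (fd == -1)
            break;              /* EMFILE even after the raise: back off */
        fds[opened++] = fd;
    }
    for (int i = 0; i < opened; i++)
        close(fds[i]);
    free(fds);
    setrlimit(RLIMIT_NOFILE, &saved);
    return opened;
}

int main(void)
{
    int n = demo_open_until_exhausted(16, 64);

    printf("opened %d descriptors with a soft limit of 16, raised the limit %d time(s)\n",
           n, limit_raise_count());
    return n == 64 ? 0 : 1;
}
```

Raising the soft limit is the cheap, always-permitted step; what a real program does when the hard limit is also hit is exactly the program-specific part Otto describes, which is why the wrapper returns the error instead of choosing for its caller.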



Re: Is nginx to complement or replace apache?

2012-03-29 Thread Andres Perera
On Thu, Mar 29, 2012 at 3:46 PM, Ted Unangst  wrote:
> On Thu, Mar 29, 2012, Andres Perera wrote:
>>> Maybe you could also close some of those 999 keep-alive sessions and
>>> pre-load sessions you have open and retry. Seriously why does a
>>> webbrowser need 1024 file descriptors to be open at the same time?
>>> Are you concurrently reading 500 homepages?
>>
>> you are not expected to read 500 homepages at the same time, but you
>> *are* expected to switch to any tab at any time, and the price of a
>> system call to reopen the pertaining file descriptors is unacceptable
>
> What retarded browser are you using that needs to reopen file
> descriptors to switch tabs?  And what retarded OS are you running
> where system calls are so expensive they're user noticeable?
>

none of firefox, chrome micromanage to this extent, that's exactly the point

as for the second question, it's conveniently ignoring keep-alive and
*anything* interactive. re-acquiring fds *and* emptying the queue of
pending actions is the cost, not the mere syscall

apparently you or claudio came up with a scheduler that guesses which
tabs are more important, swaps to disk the ones that aren't, and
pretends their ongoing transmissions don't mean anything



Re: Is nginx to complement or replace apache?

2012-03-29 Thread Andres Perera
On Thu, Mar 29, 2012 at 12:53 PM, Claudio Jeker  wrote:
> On Thu, Mar 29, 2012 at 10:54:48AM -0430, Andres Perera wrote:
>> On Thu, Mar 29, 2012 at 10:38 AM, Paul de Weerd  wrote:
>> > On Thu, Mar 29, 2012 at 10:24:27AM -0430, Andres Perera wrote:
>> > | > Instead, you'll crank your file limits to... let me guess, unlimited?
>> > | >
>> > | > And when you hit the system-wide limit, then what happens?
>> > | >
>> > | > Then it is our systems problem, isn't it.
>> > | >
>> > |
>> > | i am not sure if you're a suggesting that each program do getrlimit
>> > | and acquire resources based on that, because it's a pita
>> >
>> > Gee whiz, writing programs is hard!  Let's go shopping!
>> >
>> > | what they could do is offer a reliable estimate (e.g. 5 open files per
>> > | tab required)
>> >
>> > Or just try to open a file, *CHECK THE RETURNED ERROR CODE* and (if
>> > any) *DEAL WITH IT*
>>
>> but we're only talking about one resource and one error condition
>
> OMG. System calls can fail. I'm shocked. How can anything work?!
>
>> write wrappers for open, malloc, etc
>
> Why wrappers? Just check the freaking return value and design your program
> to behave in case something goes wrong.

guess what, if you do this more than once in your program you have a
wrapper candidate

>
>> avoiding errors regarding stack limits is not as easy
>
> Yes, so embrace them, design with failure in mind.
>
>> obviously there's no reason for: a. every application replicating
>> these wrappers (how many xmallocs have you seen, honest?) and b. the
>> system not providing a consistent api
>
> xmalloc is a dumb interface, since it terminates the process as soon as
> the first malloc fails. Sure it is the right thing for process with
> limited memory needs but browsers are such pigs today that you should be
> better than just showing an "Oops, something went wrong" page on next
> startup.
>
>> after you're done writing all the wrappers for your crappy browser,
>> what do you do? notify the user that no resources can be allocated,
>> try pushing the soft limit first, whatever. they still have to re-exec
>> with higher limits
>
> Maybe you could also close some of those 999 keep-alive sessions and
> pre-load sessions you have open and retry. Seriously why does a
> webbrowser need 1024 file descriptors to be open at the same time?
> Are you concurrently reading 500 homepages?

you are not expected to read 500 homepages at the same time, but you
*are* expected to switch to any tab at any time, and the price of a
system call to reopen the pertaining file descriptors is unacceptable

>
>> why even bother?
>
> because modern browsers suck. They suck big time. They assume complete
> ownership of the system and think that consuming all resources just to
> show the latest animated gif from 4chan is the right thing.
>
>>
>> >
>> >
>> > Note that on a busy system, the ulimit is not the only thing holding
>> > you back.  You may actually run into the maximum number of files the
>> > system can have open at any given time (sure, that's also tweakable).
>> > Just doing getrlimit isn't going to be sufficient...
>>
>> doesn't matter
>
> your attitude is the reason why we need multi-core laptops with 8GB of ram
> to play one game of tic-tac-toe.

until now it's been about the interface. glad that someone decided to
be honest by saying they have bias towards the default low limits (and
fitting oses in floppy disks, etc)

:)

>
> --
> :wq Claudio



Re: Is nginx to complement or replace apache?

2012-03-29 Thread Andres Perera
On Thu, Mar 29, 2012 at 11:29 AM, Otto Moerbeek  wrote:
> On Thu, Mar 29, 2012 at 10:54:48AM -0430, Andres Perera wrote:
>
>> On Thu, Mar 29, 2012 at 10:38 AM, Paul de Weerd  wrote:
>> > On Thu, Mar 29, 2012 at 10:24:27AM -0430, Andres Perera wrote:
>> > | > Instead, you'll crank your file limits to... let me guess, unlimited?
>> > | >
>> > | > And when you hit the system-wide limit, then what happens?
>> > | >
>> > | > Then it is our systems problem, isn't it.
>> > | >
>> > |
>> > | i am not sure if you're a suggesting that each program do getrlimit
>> > | and acquire resources based on that, because it's a pita
>> >
>> > Gee whiz, writing programs is hard!  Let's go shopping!
>> >
>> > | what they could do is offer a reliable estimate (e.g. 5 open files per
>> > | tab required)
>> >
>> > Or just try to open a file, *CHECK THE RETURNED ERROR CODE* and (if
>> > any) *DEAL WITH IT*
>>
>> but we're only talking about one resource and one error condition
>>
>> write wrappers for open, malloc, etc
>>
>> avoiding errors regarding stack limits is not as easy
>
> There are very few programs that actually hit stack limits. Most cases
> it's unbounded recursion, signalling an error.

doesn't change the fact that preempting it takes modifying your
compiler's typical function prelude (and slowing down each call)

additionally, anticipating FSIZE would greatly slow down each write

so no, you can't just "be correct" all the time and pat yourself on the back

>
>>
>> obviously there's no reason for: a. every application replicating
>> these wrappers (how many xmallocs have you seen, honest?) and b. the
>> system not providing a consistent api
>
> Nah, you cannot create an api for this stuff, proper error handling and
> adaptation to resource limits is a program specific thing.

well, if including logic that gracefully handles the stack limit is
not important on the basis of most application's needs, then i don't
see how the reverse relation couldn't justify a library with xmalloc
and similar. *most* applications that implement this function copy
paste the same fatal version. see also `#define MIN/MAX`

>
>>
>> after you're done writing all the wrappers for your crappy browser,
>> what do you do? notify the user that no resources can be allocated,
>> try pushing the soft limit first, whatever. they still have to re-exec
>> with higher limits
>>
>> why even bother?
>
> Stop using the crappy program. We prefer to apply back pressure to
> crappy programming instead of accommodating it.
>
>         -Otto
>
>>
>> >
>> >
>> > Note that on a busy system, the ulimit is not the only thing holding
>> > you back.  You may actually run into the maximum number of files the
>> > system can have open at any given time (sure, that's also tweakable).
>> > Just doing getrlimit isn't going to be sufficient...
>>
>> doesn't matter
>>
>> >
>> > Paul 'WEiRD' de Weerd
>> >
>> > --
>> >>[<++>-]<+++.>+++[<-->-]<.>+++[<+
>> > +++>-]<.>++[<>-]<+.--.[-]
>> >                 http://www.weirdnet.nl/



Re: Is nginx to complement or replace apache?

2012-03-29 Thread Andres Perera
On Thu, Mar 29, 2012 at 10:38 AM, Paul de Weerd  wrote:
> On Thu, Mar 29, 2012 at 10:24:27AM -0430, Andres Perera wrote:
> | > Instead, you'll crank your file limits to... let me guess, unlimited?
> | >
> | > And when you hit the system-wide limit, then what happens?
> | >
> | > Then it is our systems problem, isn't it.
> | >
> |
> | i am not sure if you're a suggesting that each program do getrlimit
> | and acquire resources based on that, because it's a pita
>
> Gee whiz, writing programs is hard!  Let's go shopping!
>
> | what they could do is offer a reliable estimate (e.g. 5 open files per
> | tab required)
>
> Or just try to open a file, *CHECK THE RETURNED ERROR CODE* and (if
> any) *DEAL WITH IT*

but we're only talking about one resource and one error condition

write wrappers for open, malloc, etc

avoiding errors regarding stack limits is not as easy

obviously there's no reason for: a. every application replicating
these wrappers (how many xmallocs have you seen, honest?) and b. the
system not providing a consistent api

after you're done writing all the wrappers for your crappy browser,
what do you do? notify the user that no resources can be allocated,
try pushing the soft limit first, whatever. they still have to re-exec
with higher limits

why even bother?

>
>
> Note that on a busy system, the ulimit is not the only thing holding
> you back.  You may actually run into the maximum number of files the
> system can have open at any given time (sure, that's also tweakable).
> Just doing getrlimit isn't going to be sufficient...

doesn't matter

>
> Paul 'WEiRD' de Weerd
>
> --
>>[<++>-]<+++.>+++[<-->-]<.>+++[<+
> +++>-]<.>++[<>-]<+.--.[-]
>                 http://www.weirdnet.nl/



Re: Is nginx to complement or replace apache?

2012-03-29 Thread Andres Perera
On Wed, Mar 28, 2012 at 4:42 PM, Theo de Raadt  wrote:
>> >> Seeing the work that is done on nginx as Daily changelog shows I was
>> >> thinking the same, that eventually nginx will replace httpd (it cannot
>> >> replace apache).
>> >> About that "too many files open", I run it this once, but Stuart
>> >> Henderson suggested to alter the values in /etc/login.conf. I was
>> >> expecting some decent values there, but I found out from FAQ that the
>> >> default file has the corresponding values for the minimal hardware
>> >> system OpenBSD is able to run on, so the giant machines need
>> >> adjusting.
>> >
>>
>> On Wed, Mar 28, 2012 at 11:44 PM, Theo de Raadt  
>> wrote:
>> > Baloney.
>> >
>> > If software cannot cope intelligently with soft resource limits,
>> > then such software is probably broken.
>> >
>> > Otherwise, let's just remove the entire resource limit subsystem, ok?
>>
>> No need to remove it I think, because the sole usage of it has a
>> purpose since you've put it there from the start.
>> I can't call xxxterm as being probably broken because my knowledge and
>> position don't allow me to do that. This package asks for minimum 1024
>> file descriptors
>
> What happens if it opens 1025 files?
>
>> and recommends 2048.
>
> What happens if it opens 2049 files?
>
>> I modified openfiles-max in
>> login.conf. That was the closest place I found to fulfill the request.
>> The other application is shotwell, it crashes when you try to open in
>> thumbnails mode a directory full of pictures. I don't know why the
>> developers used the opening all files at once approach.
>
> So you crank your limits.
>
> What happens if it opens 1 file more than your limits?
>
> You crank the limits, again.
>
> What happens if it opens 1 file more than your new limits?
>
> When do you realize that you are the problem, because you don't
> tell the developers to fix their software so that it works in the
> resource limits allocated to it?
>
> Instead, you'll crank your file limits to... let me guess, unlimited?
>
> And when you hit the system-wide limit, then what happens?
>
> Then it is our systems problem, isn't it.
>

i am not sure if you're a suggesting that each program do getrlimit
and acquire resources based on that, because it's a pita

what they could do is offer a reliable estimate (e.g. 5 open files per
tab required)



Re: ksh's HISTFILE

2012-03-14 Thread Andres Perera
that makes it awkward to use across sessions (defeating the point of the file)

even though it does not appear to have options regarding this, bash
does have a crap ton of settings regarding history handling

whatever the route, i would prefer if ksh didn't have new flags added
to it, but instead sensible behavior by default

On Tue, Mar 13, 2012 at 9:35 PM, Claus Assmann  wrote:
> On Tue, Mar 13, 2012, Hugo Villeneuve wrote:
>> On Mon, Mar 12, 2012 at 01:03:54PM +0200, lilit-aibolit wrote:
>
>> > export HISTFILE=~/.sh_history
>
>> Because last time I tried, it was unusable if you ran more than two
>> session concurrently, as both shells would use the same file directly
>
> Maybe try something like this?
>
> HISTFILE=${HOME%/}/.ksh_hist.$$



Re: SSH, root can repeat commands with up arrow, others cannot

2012-03-11 Thread Andres Perera
On Sun, Mar 11, 2012 at 3:32 PM, Tobias Ulmer  wrote:
> On Sun, Mar 11, 2012 at 02:43:42PM -0500, Chris Bennett wrote:
>> This started for me a while back.
>> Login as root, I can repeat older commands with up down arrows.
>> History command shows history.
>>
>> su -l otheruser
>>
>> Cannot use up down arrows to access history.
>> History command shows correct history.
>
> You most likely set EDITOR to something containing "vi". ksh parses that
> and switches to vi mode. IMO it's a disgusting "feature", but that
> appears to be just me.
>
> set -o emacs
> set +o vi

after `set -o emacs`, the final line is redundant

>
>>
>> Login remotely as otheruser.
>> Same problem.
>>
>> Chris Bennett



Re: pgt firmware ...

2012-02-28 Thread Andres Perera
On Mon, Feb 27, 2012 at 7:52 AM, Janne Johansson  wrote:
> 2012/2/27 David Walker :
>> Thank you Peter.
>> I still get the same error message (error line wrapped):
>>
>> pkg_add ./pgt-firmware-1.2p2.tgz
>> Bad pkg_db: No such file or directory at
> [...]
>> Somethings wrong with my environment but what ...
>
> Yes, the thing that makes it impossible for you to run exactly what we
> tell you to, and instead you add ./ when pkg_add
> takes URLs directly.

but that couldn't possibly make a difference so why do you keep repeating

> Now exactly what in your environment is doing that, I can't really tell.
>
> --
>  To our sweethearts and wives.  May they never meet. -- 19th century toast



Re: looking for hardware recommendations, x86 or otherwise.

2012-02-02 Thread Andres Perera
On Thu, Feb 2, 2012 at 4:38 PM, Lars  wrote:
> Anon wrote:
>> Obviously you don't live in a 3rd world country. I do and nothing is 50
>> bucks here except the women. Nobody throws anything out except dead cats
>> and PCs cost about 350 USD for a new build based on 3-5 year old NOS parts
>> the Americans dumped on the market after they went obsolete.
>>
>>
>
>
> Well you can get computers in Canada for under 50 dollars, so it would
> require shipping them.  If you do it in massive bulk (palettes or
> containers) it only adds about 5-10 dollars extra shipping cost to each
> computer.  And if you do it in massive bulk, it means the computer is no
> longer 50 dollars but a bulk discount is applied so only about $40
> dollars.
>
> I have shipped containers across the ocean to other countries before with
> hundreds of computers across Atlantic ocean. If you do not order them in
> bulk then it costs too much to ship them (more to ship them than the price
> of the computer itself!). It's all about bulk and quantity.
>
> So the third world country would have to gather all their funds together,
> and do a bulk purchase, rather than each person purchasing individually.

i have to agree with troll here

some countries have "control de cambio" which means that it's illegal
to buy dollars/selected foreign currency past a certain extent on a
periodic basis

really, don't speculate about other places unless you know for sure

>
> The advantage of the raspberry pi is that you might be able to shove it
> inside a bubble padded envelope, whereas desktop computers need to be
> packed up on palettes and containers.
>
> Still, you need to buy LCD monitors or CRT, so the lightweight raspberry
> pi is a moot point, since LCD's and CRT's are heavy. Unless you already
> have LCD/CRT monitors and just need the PC part.



Re: FR: Make it possible to turn off untrusted users ability to read cmdline arguments of processes they don't own

2012-02-02 Thread Andres Perera
they're not necessarily the arguments

see setproctitle(3) and the behaviour of; e.g., sendmail, dhclient, etc

On Wed, Feb 1, 2012 at 7:00 PM, Paul Dejean  wrote:
> Even though it's bad practice, a lot of common programs will request
> passwords or similar sensitive information as command line arguments.
> For instance, curl, svn, useradd... There will usually be a way to
> work around doing things this way (curl can read from a config file
> for instance), but doing so is a hassle (have to write a new config
> file for each request).
>
> I would really like some way to turn the access unprivileged users
> have to this information on and off. Ideally I'd like it off by
> default in OpenBSD (secure by default).
>
> Also I would like to add, that even if you folks shoot down this FR as
> being an awful idea. It's good that there's an operating system
> community where I feel comfortable bringing up this request, where I
> wouldn't hear things like:
> "You have untrusted users on your system? What a n00b"
> "All security features are off by default, why should it be our
> responsibility to protect admins from their stupid mistakes?"
> "omg why should you care. hunting for sensitive information? it's not
> like anyone actually does that"
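Andres's point is that what other users see is the process's argument area, which the program itself can rewrite (setproctitle(3) on OpenBSD does exactly that). As an added example in C (my code, not from the thread), here are the two defensive moves a program can make: copy a secret out of argv and overwrite the original in place, which narrows but cannot close the window between exec and the overwrite, and the cleaner design of taking the secret on an inherited file descriptor so it never appears on the command line at all. The flag names, the `--password-fd` convention and the sample arguments are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * Find "flag VALUE" in argv, return a heap copy of VALUE and overwrite
 * the original argument in place (the memory ps reads), keeping its
 * length so the vector stays consistent.  Returns NULL if the flag is
 * absent or has no value.  Caveat: the value was visible from exec until
 * this call ran, so this only shortens the exposure.
 */
static char *take_secret_arg(int argc, char **argv, const char *flag)
{
    for (int i = 1; i + 1 < argc; i++) {
        if (strcmp(argv[i], flag) != 0)
            continue;
        size_t len = strlen(argv[i + 1]);
        char *copy = malloc(len + 1);
        if (copy == NULL)
            return NULL;
        memcpy(copy, argv[i + 1], len + 1);
        memset(argv[i + 1], 'x', len);      /* what ps shows from now on */
        return copy;
    }
    return NULL;
}

/*
 * The design with no window at all: the secret arrives on a descriptor
 * the parent set up (a pipe or a file opened before exec), announced as
 * "--password-fd N".  Reads one line and strips the newline.  Returns the
 * secret's length, or -1 on read error.
 */
static int read_secret_fd(int fd, char *buf, size_t buflen)
{
    size_t n = 0;

    while (n + 1 < buflen) {
        char c;
        ssize_t r = read(fd, &c, 1);
        if (r == -1)
            return -1;
        if (r == 0 || c == '\n')
            break;
        buf[n++] = c;
    }
    buf[n] = '\0';
    return (int)n;
}

int main(int argc, char **argv)
{
    char *secret = take_secret_arg(argc, argv, "--password");

    if (secret != NULL) {
        printf("took a %zu-byte secret; argv now reads:", strlen(secret));
        for (int i = 0; i < argc; i++)
            printf(" %s", argv[i]);
        printf("\n");
        memset(secret, 0, strlen(secret));
        free(secret);
    } else {
        printf("no --password argument; prefer --password-fd anyway\n");
    }
    return 0;
}
```

The overwrite is the mitigation for programs you do not control the callers of; the descriptor is the one to build into new programs, since nothing a reader of the process table can do will recover a value that was never there.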



Re: use trap command in a script

2012-01-19 Thread Andres Perera
signal(3):

"Except for the SIGKILL and SIGSTOP signals, the signal() function
allows for any signal to be caught, to be ignored, or to generate an
interrupt."

On Thu, Jan 19, 2012 at 8:17 AM, Wesley M.  wrote:
> Hi,
>
> I want to see a message on console when i send signal like HUP
> KILL INT and TERM
>
> using for example in a script "manageprocess":
>
>
> #!/bin/ksh
> trap 'echo Kill detected!' 9
> trap 'ctrl-c detected!' 2
>
> run
> it with sudo sh manageprocess
> No message appear
>
> Therefore if i run
> manually this : trap 'ctrl-c detected!' 2
> it works. But trap 'echo Kill
> detected!' 9 doesn't work.
> Why ? Why i can't use it in a script?
>
> Any idea
> ?
>
> Thank you very much.



Re: Install without the DNS domain name from DHCP

2012-01-11 Thread Andres Perera
On Sun, Jan 1, 2012 at 4:22 PM, bofh  wrote:
> On Sun, Jan 1, 2012 at 2:47 PM, Josh Jevosh  wrote:
>> Hello.
>>
>> I'm installing OpenBSD 5.0. When I configure the networking to DHCP it goes
>> ahead and sets the DNS domain name to something that it got from my ISP. I
>> would like to only use the short name that I specified as the hostname as
>> the entire hostname excluding the rest of it that comes from my ISP. How do
>> I do that?
>
> You want to play with the options in /etc/dhclient.conf. I have
> supersede host-name and supersede domain-name in mine. However, I
> don't know if you can use
>
> supersede domain-name "";

this constantly comes up on the list for some reason. it shouldn't
because it doesn't do anything

once you actually test it, you'll see that setting an option to the
empty string is the same as not setting the option at all (so dhclient
falls back to defaults)

maybe it needs to be documented somewhere...

>
> as a valid option. The better way is probably to include a search
> line in resolv.conf for the domain you are going to use (or the domain
> your ISP gives you). Or get a free one from dyndns.org (or any other
> free ones).
>
> Everyone should really use FQDN - short names suck and make people lazy.
>
>
> --
> http://www.glumbert.com/media/shift
> http://www.youtube.com/watch?v=tGvHNNOLnCk
> "This officer's men seem to follow him merely out of idle curiosity."
> -- Sandhurst officer cadet evaluation.
> "Securing an environment of Windows platforms from abuse - external or
> internal - is akin to trying to install sprinklers in a fireworks
> factory where smoking on the job is permitted." -- Gene Spafford
> learn french: http://www.youtube.com/watch?v=30v_g83VHK4



Re: PF Snort tutorial

2012-01-03 Thread Andres Genovez
2012/1/3 Bentley, Dain 

> I've been looking around for a good tutorial on implementing snort with PF
> and
> everything I see is old, does anyone know of or have implemented a solution
> using an IDS/IPS with PF on the same box?  If possible I'd like snort of
> some
> other IDS inspect packets and have pf drop them based on the fact they
> match
> certain signatures.  Thanks in advance.
>
>
Implementing that is really a pain in the hell out... I did it on a 4.9,
i need to do it from sources, there is no complete tutorial, it works on
4.9, not implemented with PF though...

Greetings...



--
Sincerely

Andris Genovez Tobar / Technician
Elastix ECE - Linux  LPI-1 - Novell CLA - Apple ACMT
http://www.puntonet.ec



Re: ccd(4) hangs system on two IDE disks concatenation attempt

2011-12-12 Thread Andres Perera
that's interesting

raises a couple of questions: is softraid to have functions found in
generic volume managers such as zfs and lvm? the answer doesn't really
matter because it's a fact that crypto isn't a raid discipline

given that, is "softraid" a poor name for what it offers?

On Mon, Dec 12, 2011 at 5:28 AM, Stuart Henderson  wrote:
> On 2011-12-12, Pavel Shvagirev  wrote:
>> You are right. The better way would be buying a bigger storage,
>
> or writing a concatenation backend for softraid(4).
>
> softraid_raid0.c would be a good starting point.



Re: What is wrong with this pf config

2011-12-11 Thread Andres Perera
On Sun, Dec 11, 2011 at 4:29 PM, John Tate  wrote:
>
>
> On Mon, Dec 12, 2011 at 7:47 AM, Andres Perera  wrote:
>>
>> On Sun, Dec 11, 2011 at 3:29 PM, John Tate  wrote:
>> > I am not replying to every thread on the list. You either have me
>> > confused
>> > with someone else or there is some kind of imposter or person with a
>> > similar name. I'm confused I should say. This was something constructive
>> > to
>> > say regardless, it was an idea. I remember last time I was using OpenBSD
>> > (I
>> > had a hiatus) and mmap changes broke a lot of ports. There is supposed
>> > to
>> > be an emphasis on security, not your scripts. OpenBSD warns about
>> > mistakes,
>> > it emails you about your mistakes, and it could point out this mistake
>> > as
>> > well.
>>
>> not having "block" as default isn't really a mistake, unless pfctl can
>> read your mind
>>
>> if you don't have daemons listening then what's the point of blocking
>> ports?
>
> If you don't have daemons listening then why the hell are you using an
> operating system with so much security on networks.

because i might be a desktop user

i use obsd on my main machine and a netbook

the netbook normally doesn't have any daemons listening outside
localhost, but i still use pf for other reasons, such as managing
routing domains

pf has queue and logging functions as well... not every config is going
to center around acl

even for those that have daemons facing hostile networks, their admins
may choose a black list policy instead

>>
>>
>> just an example of many situations that could occur
>>
>> >
>> > On Mon, Dec 12, 2011 at 5:55 AM, James Shupe  wrote:
>> >
>> >> No. Modifying a general purpose tool for a specific (albeit common) use
>> >> case is stupid. Any properly implemented warning would cause pfctl to
>> >> exit non-zero, which would break automated scripts that check the exit
>> >> code of pfctl. You would have to add a whole new option to ignore your
>> >> specific use case, and even that would require modifying existing
>> >> scripts.
>> >>
>> >> I wish they would ban you from this list already. I'm sick of seeing
>> >> your reply to every thread when you never have anything constructive to
>> >> say.
>> >>
>> >
>> > I am not replying to every thread on the list. You either have me
>> > confused
>> > with someone else or there is some kind of imposter or person with a
>> > similar name. I'm confused I should say. This was something constructive
>> > to
>> > say regardless, it was an idea. I remember last time I was using OpenBSD
>> > (I
>> > had a hiatus) and mmap changes broke a lot of ports. There is supposed
>> > to
>> > be an emphasis on security, not your scripts. OpenBSD warns about
>> > mistakes,
>> > it emails you about your mistakes, and it could point out this mistake
>> > as
>> > well.
>> >
>> > Perhaps it could be for security(8) to do instead actually. I don't
>> > know, I
>> > didn't design the fucking system, it was just a suggestion.
>> >
>> >
>> >> On Mon, 2011-12-12 at 05:43 +1100, John Tate wrote:
>> >> > It's just whining! Perhaps it should only do it if it has an Internet
>> >> > IP
>> >> > address not a LAN or WAN one involved.
>> >> >
>> >> > On Mon, Dec 12, 2011 at 5:17 AM, Janne Johansson wrote:
>> >> >
>> >> > > 2011/12/11 John Tate 
>> >> > >
>> >> > >>
>> >> > >> So I have a suggestion worth considering, if the line "block in
>> >> > >> all"
>> >> does
>> >> > >> not appear pfctl -nf should perhaps spit out a warning. Much like
>> >> you've
>> >> > >> done with your pretty compilers over there.
>> >> > >>
>> >> > >>
>> >> > > There are still lots of reasons to run PF even if you don't want
>> >> "block in
>> >> > > all" for a default, so whining on all the other uses you couldn't
>> >> imagine
>> >> > > would not be very productive.
>> >> > >
>> >> > > --
>> >> > > To our sweethearts and wives. May they never meet. -- 19th
>> >> > > century
>> >> toast
>> >>
>> >>
>> >
>> >
>> > --
>> > www.johntate.org
>> >
>
>
>
>
> --
> www.johntate.org



Re: What is wrong with this pf config

2011-12-11 Thread Andres Perera
On Sun, Dec 11, 2011 at 3:29 PM, John Tate  wrote:
> I am not replying to every thread on the list. You either have me confused
> with someone else or there is some kind of imposter or person with a
> similar name. I'm confused I should say. This was something constructive to
> say regardless, it was an idea. I remember last time I was using OpenBSD (I
> had a hiatus) and mmap changes broke a lot of ports. There is supposed to
> be an emphasis on security, not your scripts. OpenBSD warns about mistakes,
> it emails you about your mistakes, and it could point out this mistake as
> well.

not having "block" as default isn't really a mistake, unless pfctl can
read your mind

if you don't have daemons listening then what's the point of blocking ports?

just an example of many situations that could occur

>
> On Mon, Dec 12, 2011 at 5:55 AM, James Shupe  wrote:
>
>> No. Modifying a general purpose tool for a specific (albeit common) use
>> case is stupid. Any properly implemented warning would cause pfctl to
>> exit non-zero, which would break automated scripts that check the exit
>> code of pfctl. You would have to add a whole new option to ignore your
>> specific use case, and even that would require modifying existing
>> scripts.
>>
>> I wish they would ban you from this list already. I'm sick of seeing
>> your reply to every thread when you never have anything constructive to
>> say.
>>
>
> I am not replying to every thread on the list. You either have me confused
> with someone else or there is some kind of imposter or person with a
> similar name. I'm confused I should say. This was something constructive to
> say regardless, it was an idea. I remember last time I was using OpenBSD (I
> had a hiatus) and mmap changes broke a lot of ports. There is supposed to
> be an emphasis on security, not your scripts. OpenBSD warns about mistakes,
> it emails you about your mistakes, and it could point out this mistake as
> well.
>
> Perhaps it could be for security(8) to do instead actually. I don't know, I
> didn't design the fucking system, it was just a suggestion.
>
>
>> On Mon, 2011-12-12 at 05:43 +1100, John Tate wrote:
>> > It's just whining! Perhaps it should only do it if it has an Internet IP
>> > address not a LAN or WAN one involved.
>> >
>> > On Mon, Dec 12, 2011 at 5:17 AM, Janne Johansson wrote:
>> >
>> > > 2011/12/11 John Tate 
>> > >
>> > >>
>> > >> So I have a suggestion worth considering, if the line "block in all"
>> does
>> > >> not appear pfctl -nf should perhaps spit out a warning. Much like
>> you've
>> > >> done with your pretty compilers over there.
>> > >>
>> > >>
>> > > There are still lots of reasons to run PF even if you don't want
>> "block in
>> > > all" for a default, so whining on all the other uses you couldn't
>> imagine
>> > > would not be very productive.
>> > >
>> > > --
>> > > To our sweethearts and wives. May they never meet. -- 19th century
>> toast
>>
>>
>
>
> --
> www.johntate.org



Re: OpenBSD PF tables

2011-12-08 Thread Andres Perera
i would concur that anchors are cleaner than redefining macros, but
they do require rewriting rules

On Thu, Dec 8, 2011 at 7:23 AM, Bret S. Lambert  wrote:
> Take a look at pf anchors.
>
> On Thu, Dec 08, 2011 at 10:21:14PM +1100, John Tate wrote:
>> Is there a way to control ports on a filter from the command line? I guess
>> I just have to manually add and delete rules.
>>
>> On Thu, Dec 8, 2011 at 10:19 PM, Andres Perera  wrote:
>>
>> > the documentation is pretty clear by saying that tables can only hold
>> > addresses, not a random set of numbers
>> >
>> > On Thu, Dec 8, 2011 at 6:41 AM, John Tate  wrote:
>> > > Misc,
>> > >
>> > > I have successfully got an OpenBSD machine to connect via ADSL and forward
>> > > packets, I am gradually upgrading my pf.conf. I am having trouble with
>> > this
>> > > configuration (ignore some obvious bugs related to table names where
>> > tables
>> > > are defined and the rules I have seen them).
>> > >
>> > > At the moment I am working on doing some things as tables. I want tables
>> > to
>> > > hold the ports, but it appears perhaps they can only hold IP addresses.
>> > The
>> > > following tables do not work from line 10-11...
>> > >
>> > > table  { 22 }
>> > > table  { 22, 53 }
>> > >
>> > > The whole thing is here: http://pastebin.com/VuLNW9Ph
>> > >
>> > > John Tate
>> > >
>> > > --
>> > > www.johntate.org
>> > >
>> >
>>
>>
>>
>> --
>> www.johntate.org



Re: OpenBSD PF tables

2011-12-08 Thread Andres Perera
define the list of ports as a macro and use pfctl -D

not much adding as it is replacing the whole list:
$ echo 'pass proto udp from port $pl' | pfctl -nvf- -Dpl='{1 2 3}'
pass proto udp from any port = 1 to any
pass proto udp from any port = 2 to any
pass proto udp from any port = 3 to any

On Thu, Dec 8, 2011 at 6:45 AM, John Tate  wrote:
> Is there a way to have it so I can add ports from the command line if I
> can't use tables?
>
> On Thu, Dec 8, 2011 at 10:14 PM, Peter Hessler  wrote:
>
>> Yes, tables in PF only support IP addresses.
>>
>>
>> On 2011 Dec 08 (Thu) at 22:11:19 +1100 (+1100), John Tate wrote:
>> :At the moment I am working on doing some things as tables. I want tables
>> to
>> :hold the ports, but it appears perhaps they can only hold IP addresses.
>> The
>> :following tables do not work from line 10-11...
>>
>> --
>> Renning's Maxim:
>>         Man is the highest animal. Man does the classifying.
>>
>
>
>
> --
> www.johntate.org



Re: OpenBSD PF tables

2011-12-08 Thread Andres Perera
the documentation is pretty clear by saying that tables can only hold
addresses, not a random set of numbers

On Thu, Dec 8, 2011 at 6:41 AM, John Tate  wrote:
> Misc,
>
> I have successfully got an OpenBSD machine to connect via ADSL and forward
> packets, I am gradually upgrading my pf.conf. I am having trouble with this
> configuration (ignore some obvious bugs related to table names where tables
> are defined and the rules I have seen them).
>
> At the moment I am working on doing some things as tables. I want tables to
> hold the ports, but it appears perhaps they can only hold IP addresses. The
> following tables do not work from line 10-11...
>
> table  { 22 }
> table  { 22, 53 }
>
> The whole thing is here: http://pastebin.com/VuLNW9Ph
>
> John Tate
>
> --
> www.johntate.org



Re: RAM seen vs. RAM available HP ML 570 G2

2011-12-06 Thread Andres Perera
On Tue, Dec 6, 2011 at 11:18 PM, Stefan Johnson wrote:
> Hello all. Today I replaced OpenSuSE with OpenBSD 5.0 on my HP ML 570 G2
> server.

well, you should have searched for "openbsd and PAE" :)

i don't think they're going to bother at this point, but don't take my
word for it

> The system includes two memory boards for RAM. One board has 8 gigs, and
> the other has 4.
> The power on self test sees 12 and initializes 12, but after the server
> boots, OpenBSD appears
> to only see 4. I believe this relates to 32 vs 64 bit, but I'm not
> positive.
>
> The version I installed was i386, not amd64. The processors are Xeon MP
> 2.2Ghz which only have
> 32 bit instruction sets, which is why I chose i386. Here is a link to the
> processor specs that
> show this:
>
> http://ark.intel.com/products/27300/Intel-Xeon-Processor-2_20-GHz-2M-Cache-400-MHz-FSB
>
> The FAQ mentions a trick for utilizing more RAM when all of the RAM isn't
> seen using boot.conf
> at this link:
> http://www.openbsd.org/faq/faq4.html#InstProb
> However, this is for such a small amount of RAM in the given example, that
> I'm not sure this would
> work for me. Can anyone confirm that I'm pretty much stuck with only being
> able to utilize 1/3 of
> the full potential, or whether the above trick might actually work (using
> appropriate size values, of
> course)?
>
> Thanks for any help on this!
>
> Stefan Johnson
>
>
>
> Below is dmesg and sysctl output for my box with the GENERIC MP kernel:
>
> OpenBSD 5.0 (GENERIC.MP) #59: Wed Aug 17 10:19:44 MDT 2011
>     dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
> cpu0: Intel(R) Xeon(TM) MP CPU 2.20GHz ("GenuineIntel" 686-class) 2.20 GHz
> cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID,xTPR
> real mem  = 4026036224 (3839MB)
> avail mem = 3950120960 (3767MB)
> mainbus0 at root
> bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf,
> SMBIOS rev. 2.3 @ 0xec000 (92 entries)
> bios0: vendor HP version "P32" date 04/26/2005
> bios0: HP ProLiant ML570 G2
> acpi0 at bios0: rev 0
> acpi0: sleep states S0 S4 S5, can't enable ACPI
> mpbios0 at bios0: Intel MP Specification 1.4
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: apic clock running at 99MHz
> cpu1 at mainbus0: apid 2 (application processor)
> cpu1: Intel(R) Xeon(TM) MP CPU 2.20GHz ("GenuineIntel" 686-class) 2.20 GHz
> cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID,xTPR
> cpu2 at mainbus0: apid 4 (application processor)
> cpu2: Intel(R) Xeon(TM) MP CPU 2.20GHz ("GenuineIntel" 686-class) 2.20 GHz
> cpu2: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID,xTPR
> cpu3 at mainbus0: apid 6 (application processor)
> cpu3: Intel(R) Xeon(TM) MP CPU 2.20GHz ("GenuineIntel" 686-class) 2.20 GHz
> cpu3: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID,xTPR
> mpbios0: bus 0 is type PCI
> mpbios0: bus 1 is type PCI
> mpbios0: bus 5 is type PCI
> mpbios0: bus 9 is type PCI
> mpbios0: bus 13 is type PCI
> mpbios0: bus 16 is type ISA
> ioapic0 at mainbus0: apid 8 pa 0xfec0, version 11, 16 pins
> ioapic1 at mainbus0: apid 9 pa 0xfec01000, version 11, 16 pins
> ioapic2 at mainbus0: apid 10 pa 0xfec02000, version 11, 16 pins
> ioapic3 at mainbus0: apid 11 pa 0xfec03000, version 11, 16 pins
> bios0: ROM list: 0xc/0x8000 0xc8000/0x4000! 0xee000/0x2000!
> pci0 at mainbus0 bus 0: configuration mode 1 (bios)
> pchb0 at pci0 dev 0 function 0 "ServerWorks CMIC-HE" rev 0x22
> pchb1 at pci0 dev 0 function 1 "ServerWorks CMIC-HE" rev 0x00
> pci1 at pchb1 bus 1
> ppb0 at pci1 dev 2 function 0 "IBM 133 PCIX-PCIX" rev 0x03
> pci2 at ppb0 bus 2
> ciss0 at pci2 dev 4 function 0 "Compaq Smart Array 64xx" rev 0x01: apic 8
> int 15
> ciss0: 3 LDs, HW rev 1, FW 2.84/2.84, 64bit fifo
> scsibus0 at ciss0: 3 targets
> sd0 at scsibus0 targ 0 lun 0:  SCSI2 0/direct fixed
> sd0: 69459MB, 512 bytes/sector, 142253280 sectors
> sd1 at scsibus0 targ 1 lun 0:  SCSI2 0/direct fixed
> sd1: 70001MB, 512 bytes/sector, 143363040 sectors
> sd2 at scsibus0 targ 2 lun 0:  SCSI2 0/direct fixed
> sd2: 140006MB, 512 bytes/sector, 286734240 sectors
> "Compaq PCI Hotplug" rev 0x14 at pci1 dev 30 function 0 not configured
> pchb2 at pci0 dev 0 function 2 "ServerWorks CMIC-HE" rev 0x00
> pci3 at pchb2 bus 9
> "Creative Labs SoundBlaster Audigy LS" rev 0x00 at pci3 dev 1 function 0
> not configured
> pchb3 at pci0 dev 0 function 3 "ServerWorks CMIC-HE" rev 0x00
> "Compaq Netelligent ASMC" rev 0x00 at pci0 dev 2 function 0 not configured
> fxp0 at pci0 dev 4 function 0 "Intel 8255x" rev 0x08, i82559: apic 8 int
> 10, address 00:12:79:cc:74:78
> inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
> piixpm0 at pci0 dev 15

Re: Short adsuck guide (local resolver setup)

2011-12-05 Thread Andres Perera
afaik, _PATH_RESCONF is hardcoded into the resolver functions

i guess adsuck ships with its own duplicated routines

On Mon, Dec 5, 2011 at 10:12 AM, Šime Ramov  wrote:
>> i don't get why are you setting nameservers in resolv.conf since
>> dhclient will eventually override those?
>
> That's `/var/adsuck/files/resolv.conf`, not the main one.



Re: Short adsuck guide (local resolver setup)

2011-12-05 Thread Andres Perera
i don't get why are you setting nameservers in resolv.conf since
dhclient will eventually override those?

On Mon, Dec 5, 2011 at 8:39 AM, Sime Ramov  wrote:
> 
>
> Let me know if you notice anything amiss.
>
> -Sime



Re: Narcicism?

2011-12-01 Thread Andres Genovez
2011/12/1 John Tate 

> On Thu, Dec 1, 2011 at 7:20 PM, Scott McEachern 
> wrote:
>
> > On 12/01/11 02:28, John Tate wrote:
> >
> >> I think I've found a bug in the OpenBSD crowd. They bug the hell out of
> me
> >> and my little mistakes.
> >>
> >> I am not talking about people who actually have a solution, but I can't
> >> seem to ask anything on this list without parrots coming along picking
> on
> >> me. I think some people just hang out here because it's the most anal
> >> bunch
> >> of hackers ever, in recorded history. What are your experiences?
> >>
> >
> I'm 24 years old. I was a Linux hacker since I was 13. I am a bit of a guru
> and do my own Kerberos and such on an all BSD/Linux network. OpenBSD and
> Debian Linux. I love OpenBSD, I'm a bit weird because I use bash. I can put
> up with being made fun of. At 13 I didn't just start learning Linux I
> started learning C++ as well. I failed to apprehend it properly at that
> age, but at an older age I relearned it well. I am the guru sort of guy, I
> know a hell of a lot but I'm still connecting it and in that sense still
> learning.
>

One thing to point out:

When you are a real Hacker, you don't call yourself one, people do.
When you are a real Guru, you don't call yourself one, people do.

I don't have a big knowledge of OpenBSD, i must say i am just starting, but
the first lesson I learned... don't make stupid questions on a list or i
will get a payback... In some way i understand your frustration...

Peace.

>
>
> >
> >> Is it true that occasionally we attract people who either love bullying
> or
> >> are just lazy and pretending to be one of the clever?
> >>
> > Well I get messages that are worthless and seem to be insults.
>
> >
> >> It just figures some of these people sit on the list, and email you
> poorly
> >> researched crap with no answers contain.
> >>
> >> If you hate a question, it truly doesn't belong, bug me.
> >>
> >> But if you just can't answer a question, ignore it.
> >>
> >> John Tate.
> >>
> >> Note: Yes, it's not my list.
> >>
> >>
> > John, if you don't mind, I'll give you some advice:  Do your homework
> > before posting to the list.  Your basic instinct is to click "Send"
> instead
> > of thinking first.  I've lost count of how many of your posts were
> > retracted by yourself, with a big "oops, my bad" or were replied to with
> > RTFM-type responses.  I got a kick out of one retraction where you said
> > something like "Sorry, I was drunk."
> >
> > You're obviously new here.  Sure, it's a tough crowd at times, but that
> > only happens when people don't bother reading the FAQ, or the man pages,
> or
> > trying things out for themselves.  A lot of people have asked "stupid"
> > questions or said something "dumb" -- myself included -- and got painful
> > responses.  I've had my share of facepalm experiences and had my ass
> handed
> > to me plenty of times, but I deserved it.
> >
> > But you know what?  I try to not make a regular occasion of it.  It seems
> > you do.
> >
> > I help a lot of people off-list, and I know for a fact many others do the
> > same.  I've found through years of experience there are two kinds of
> people
> > on this list: those that need a little help and pointed in the right
> > direction, and those that need their hands held for every step.  Guess
> > which category I put you in?  And that's exactly why I've helped you a
> > grand total of zero times.
> >
> > Now you have the gall to come on this list and insult the people that are
> > trying to help you.  I don't think there's anyone on this list that sits
> > idly, waiting for an opportunity to "pick on" or "bully" someone.  Get a
> > grip, get some thicker skin, and most of all, RTFM first.
> >
> > I guarantee that if you take my advice, you'll find this list to be a
> > very, very valuable resource.  Remember, there is a difference between
> > *reading* and *comprehension*.  Work a little harder on the latter and I
> > think you'll find you won't be "picked on".
> >
> > Stop playing the victim.  You're not the first and it's old.
> >
> > --
> > Scott McEachern
> >
> > https://www.blackstaff.ca
> >
> >
>
>
> --
> www.johntate.org
>
>


--
Sincerely

Andris Genovez Tobar / Technician
Elastix ECE - Linux  LPI-1 - Novell CLA - Apple ACMT
http://www.puntonet.ec



Re: Narcicism?

2011-11-30 Thread Andres Perera
http://johntate.org/fact/johntate

"I now have 7 years of experience in FreeBSD/OpenBSD"

On Thu, Dec 1, 2011 at 2:58 AM, John Tate  wrote:
> I think I've found a bug in the OpenBSD crowd. They bug the hell out of me
> and my little mistakes.
>
> I am not talking about people who actually have a solution, but I can't
> seem to ask anything on this list without parrots coming along picking on
> me. I think some people just hang out here because it's the most anal bunch
> of hackers ever, in recorded history. What are your experiences?
>
> Is it true that occasionally we attract people who either love bullying or
> are just lazy and pretending to be one of the clever?
>
> It just figures some of these people sit on the list, and email you poorly
> researched crap with no answers contain.
>
> If you hate a question, it truly doesn't belong, bug me.
>
> But if you just can't answer a question, ignore it.
>
> John Tate.
>
> Note: Yes, it's not my list.
>
> --
> www.johntate.org



Re: how to find dependencies when building a new kernel

2011-11-29 Thread Andres Perera
reading npx(4) gives a really strong clue as to why you
shouldn't custom compile until you're familiar with everything:

"The npx driver is required for proper system functioning regardless
of whether or not an NPX is present."

so there's no 1:1 mapping between the devices you have and the ones
you may need included in the kernel config. could potentially apply to
other drivers, so why waste time figuring out which ones fall under
this category and which ones don't?

as for your searches, they don't include the struct definition

i can't recall the name of the doc (possibly hosted at openbsd.org)
that explains the layout, but basically, you got the base
/sys/conf/files and arch-specific ones. you are only searching in arch
specific files

so far you have many factors contributing against you being able to
custom compile:
- don't know c
- don't know the kernel source file layout
- don't bother looking at official documentation regarding kernel
compilation process

On Tue, Nov 29, 2011 at 7:06 AM, T. Valent  wrote:
> Andres,
>
> may I kindly ask one more question, I'm sure after that I'll get it
> right myself.
>
> See:
> 
> # make
> ld -Ttext 0xD0200120 -e start -N --warn-common -S -x -o bsd
> ${SYSTEM_HEAD} vers.o ${OBJS}
> acpi_machdep.o(.text+0xcf): In function `acpi_sleep_machdep':
> : undefined reference to `mem_range_softc'
> [...]
>
> # grep -rw mem_range_softc /sys/arch/i386
>
> [...]
> /sys/arch/i386/i386/mem.c:struct mem_range_softc mem_range_softc;
> [...]
>
> # grep -rw mem /sys/arch/i386/conf/files.i386
> /sys/arch/i386/conf/files.i386:file     arch/i386/i386/mem.c
> 
>
> Still I don't know which option/line is missing. There is no such thing
> as "i386" in GENERIC, from which I derive my config.
>
> Thanks in advance.
> T.



Re: how to find dependencies when building a new kernel

2011-11-29 Thread Andres Perera
On Tue, Nov 29, 2011 at 4:35 AM, T. Valent  wrote:
> Hi!
>
> I'm trying to build a new kernel. However, while compiling I get
> complaints about undefined references like this:
>
> ld -Ttext 0xD0200120 -e start -N --warn-common -S -x -o bsd
> ${SYSTEM_HEAD} vers.o ${OBJS}
> machdep.o(.text+0x2791): In function `sys_sigreturn':
> : undefined reference to `fpu_mxcsr_mask'

andres@pote:~ $ grep -rw fpu_mxcsr_mask /sys/arch/i386
...
/sys/arch/i386/include/npx.h:extern uint32_tfpu_mxcsr_mask;
/sys/arch/i386/isa/npx.c:uint32_t   fpu_mxcsr_mask;
...
andres@pote:~ $ grep -rw npx /sys/arch/i386/conf/files.i386
/sys/arch/i386/conf/files.i386:device   npx
/sys/arch/i386/conf/files.i386:attach   npx at isa
/sys/arch/i386/conf/files.i386:file arch/i386/isa/npx.c
 npx needs-flag

>
> The above line is just an example. I have poked around with more or less
> guessing what could be missing, but after 2 days I'm quite sure I need a
> general solution to finding the dependencies instead of guessing.
>
> I have no skills in kernel coding. I wonder if there's a good way to
> find out which part I am missing in the config file(s).

note how the grep commands required no kernel coding skills

>
> This is what I do:
> edit /usr/src/sys/conf/GENERIC
> I'm fine with this so far.
>
> Now to edit
>
> /usr/src/sys/arch/i386/conf/GENERIC
>
> I do
>
> dmassage -t

i might be wrong, but is this really an aggressive auto spelling
corrector for "dmesg"?

>
> and make sure all the hardware I need is included in my config file. I'm
> quite sure I've included everything I need, I get the above mentioned
> problems, which I understand as dependencies. However, I just don't know
> how to find out which line of the config file I have to include to solve
> this.
>
> I know I am recommended to use the generic kernel. I need the kernel for
> an embedded device where the hardware is well known in detail, it is
> always the same, will not change and memory is very limited. So I need
> to get rid of the unnecessary stuff in the kernel.
>
> Thanks in advance!
>
> T.
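The two grep commands Andres shows are one instance of a general lookup: from an "undefined reference to `sym'" link error, find the source file that defines the symbol at file scope, then find the files.* line that builds that file and read off the device or attribute it is conditional on. The script below, added here and not part of the thread or of the OpenBSD build system, does that lookup over a constructed miniature tree (the file names and the one-line contents mirror the grep output above but are stand-ins built by the script, and `find_config_dep`/`make_sample_tree` are my own names). Run it against a real tree as `find_config_dep /sys fpu_mxcsr_mask`.

```shell
#!/bin/sh
# Added example (not from the thread): map a kernel link error's undefined
# symbol back to the files.* entry that builds its defining source file,
# generalizing the manual grep shown above.

# Build a tiny stand-in for /sys containing only the lines that matter.
# Constructed sample data: paths and contents are not copied from a real tree.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/arch/i386/isa" "$root/arch/i386/i386" \
             "$root/arch/i386/conf" "$root/arch/i386/include"
    printf 'extern uint32_t fpu_mxcsr_mask;\n' > "$root/arch/i386/include/npx.h"
    printf 'uint32_t fpu_mxcsr_mask;\n' > "$root/arch/i386/isa/npx.c"
    # a user of the symbol, which must not be mistaken for its definition
    printf '\tsc->mask = fpu_mxcsr_mask;\n' > "$root/arch/i386/i386/machdep.c"
    printf 'struct mem_range_softc mem_range_softc;\n' > "$root/arch/i386/i386/mem.c"
    printf 'device\tnpx\nattach\tnpx at isa\nfile\tarch/i386/isa/npx.c\t\tnpx needs-flag\nfile\tarch/i386/i386/mem.c\nfile\tarch/i386/i386/machdep.c\n' \
        > "$root/arch/i386/conf/files.i386"
    echo "$root"
}

# find_config_dep TREE SYMBOL
# Prints "<source file> <config words>": the .c file that defines SYMBOL at
# file scope, followed by the device/attribute names its files.* line is
# conditional on, or "unconditional" when the file is always built.
find_config_dep() {
    root=$1; sym=$2
    # A file-scope definition starts at column 0 with type words, then the
    # symbol, then ';', '=' or '['. Indented uses such as "x = sym;" do not match.
    src=$(find "$root" -name '*.c' -exec \
          grep -lE "^[[:alnum:]_ ]*[[:space:]]$sym[[:space:]]*(;|=|\[)" {} + \
          2>/dev/null | head -n 1)
    if [ -z "$src" ]; then
        echo "no file-scope definition of $sym found" >&2
        return 1
    fi
    rel=${src#"$root/"}           # path relative to the tree, as files.* spells it
    cond=$(find "$root" -name 'files.*' -exec awk -v f="$rel" '
        $1 == "file" && $2 == f {
            n = 0
            for (i = 3; i <= NF; i++)
                if ($i != "needs-flag") printf "%s%s", (n++ ? " " : ""), $i
            print (n ? "" : "unconditional")
        }' {} +)
    echo "$rel ${cond:-not listed in any files.*}"
}

# usage: find_config_dep /sys fpu_mxcsr_mask  -> arch/i386/isa/npx.c npx
if [ -n "$1" ]; then
    find_config_dep "${2:-/sys}" "$1"
fi
```

The "config words" are what to look for in the kernel configuration: when the output names a device such as `npx`, the config needs the corresponding `npx0 at isa?` style line (or the attribute) before the link will succeed; an unconditional file that still fails to link points at a problem elsewhere in the configuration rather than at a missing device line.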



Re: Kernel without INET6 error on pipex.c

2011-11-24 Thread Andres Perera
On Thu, Nov 24, 2011 at 6:42 AM, Rod Whitworth  wrote:
> On Thu, 24 Nov 2011 10:09:31 +, Julien Crapovich wrote:
>
>>Hello.
>>Absolutely, but compiling without INET6 is not supposed to generate error.
>>I've just disabled INET6 on GENERIC file, not other hack.
>>
> You are the only one who knows exactly what you did. Maybe.
> Why should we waste time guessing?
>
> It's a pretty damn stupid thing to do anyway when it is so easy to
> block v6 traffic using GENERIC and, BTW, your kernel is NOT GENERIC.
> It doesn't matter that you were too ignorant to change the name...

i don't understand what renaming the kernel has to do with anything

the op is right in that "rmoption INET6" is broken, end of

whether that define was meant for developers only or not is another matter

>
> R/
>
> *** NOTE *** Please DO NOT CC me. I  subscribed to the list.
> Mail to the sender address that does not originate at the list server is
> tarpitted. The reply-to: address is provided for those who feel compelled to
> reply off list. Thank you.
>
> Rod/
> ---
> This life is not the real thing.
> It is not even in Beta.
> If it was, then OpenBSD would already have a man page for it.



Re: DNS Google ?

2011-11-22 Thread Andres Perera
On Tue, Nov 22, 2011 at 2:56 PM, Lars Hansson  wrote:
> On Wed, Nov 23, 2011 at 3:14 AM, patrick keshishian  
> wrote:
>> Unless I'm misreading you, what you say doesn't make much sense.
>
> It makes perfect sense and is in fact also the recommended way to run BIND.

not only recommended by bind books -- djbdns/cache forces a minimum of
two processes

bind tries to do everything at once...

>
>> The setup you suggest is more involved. Two servers: one resolving,
>> and the other dealing w/the authoritative responses.
>
> They don't have to be two different servers, just two different
> processes on the same server.
>
> ---
> Lars



Re: What is wrong with this pf config

2011-11-21 Thread Andres Perera
On Mon, Nov 21, 2011 at 3:45 AM, John Tate  wrote:
> I am having troubles with this pf configuration, it seems when loaded
> nothing can access my server on the internal interface for the LAN, I
> cannot see why, and it's pretty much based off the very standard
> example in the OpenBSD faq.

assuming your internal net is connected to int_if: none of your rules
even mention your local network and you block by default, so yeah

if int_if isn't part of the int net, please rename the macro to avoid
confusion

>
> When I unload the configuration, I can access the DNS server on the
> firewall running this configuration. It seems to forward everything
> through to the Internet, but blocks DNS which makes it pretty useless.
> I've looked at it at least five times...
>
> [john@baal ~$ cat /etc/pf.conf
> int_if="xl0"
> ext_if="tun0"
>
> rothbard="10.0.0.10"
> baal="10.0.0.2"
> smass="10.0.0.1"
>
> tcp_services="{22}"
> icmp_types="echoreq"
>
> set block-policy return
> set loginterface $ext_if
> set skip on lo
>
> match out on egress inet from !(egress:network) to any nat-to (egress:0)

you're not passing these packets

>
> block in log
> pass out quick
>
> antispoof quick for { lo $int_if }
>
> pass in on egress inet proto tcp from any to (egress) \
>     port $tcp_services

i highly doubt you are setting up a public dns server intentionally.
if this is the case, make it clear that you are

> #After this goes forwarded ports... Probably just use ssh tunnels.
>
> pass in inet proto icmp all icmp-type $icmp_types
>
> What is wrong?

you need to read the docs on pf. your rules make no sense

>
> Also can you tell me how to do this so it only needs to load once, and
> not be loaded by a shell script after userland pppoe successfully
> connects?
>
> --
> www.johntate.org



Re: Giving java apps more memory

2011-11-18 Thread Andres Perera
you can patch the apps to use setrlimit()

you can write a small sh wrapper that sets ulimits and execs your app

you can also set your defaults in /etc/login.conf or ~/.profile

depends on what you want

i use gimp and ff so login.conf/.profile is really more sensible than
wrapping all the monster apps

On Fri, Nov 18, 2011 at 10:42 PM, John Tate  wrote:
> Netbeans crashes with this...
>
> john@rothbard ~$ netbeans
> #
> # A fatal error has been detected by the Java Runtime Environment:
> #
> # java.lang.OutOfMemoryError: requested 32784 bytes for Chunk::new.
> Out of swap space?
> #
> #  Internal Error (allocation.cpp:272), pid=17843, tid=8647815168
> #  Error: Chunk::new
> #
> # JRE version: 7.0
> # Java VM: OpenJDK 64-Bit Server VM (20.0-b03 mixed mode bsd-amd64
> compressed oops)
> # An error report file with more information is saved as:
> # /home/john/hs_err_pid17843.log
> #
> # If you would like to submit a bug report, please visit:
> #   http://java.sun.com/webapps/bugreport/crash.jsp
> #
> Abort trap (core dumped)
>
> Eclipse crashes with this...
> [john@rothbard ~$ eclipse
> #
> # A fatal error has been detected by the Java Runtime Environment:
> #
> # java.lang.OutOfMemoryError: requested 1565456 bytes for Chunk::new.
> Out of swap space?
> #
> #  Internal Error (allocation.cpp:272), pid=30120, tid=8844312576
> #  Error: Chunk::new
> #
> # JRE version: 7.0
> # Java VM: OpenJDK 64-Bit Server VM (20.0-b03 mixed mode bsd-amd64
> compressed oops)
> # An error report file with more information is saved as:
> # /home/john/hs_err_pid30120.log
> #
> # If you would like to submit a bug report, please visit:
> #   http://java.sun.com/webapps/bugreport/crash.jsp
> #
>
> How should I proceed?
>
>
> --
> www.johntate.org
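As an added example (not code from the thread), here is the "small sh wrapper that sets ulimits and execs your app" option from the reply above, written out. It raises the soft data-segment limit to whatever the hard limit allows and then execs the real program, so the JVM inherits the raised limit without an extra shell staying around. The application name and the choice of `-d` as the resource to raise are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: a ulimit-raising exec wrapper.
# The resource flag (-d) and the application name are illustrative assumptions.

# Raise the soft limit of one resource (e.g. -d data size) up to the hard
# limit. A non-root user may move the soft limit anywhere below the hard
# limit; going above it is what fails, so the hard limit is the safe target.
raise_soft_to_hard() {
    flag=$1
    hard=$(ulimit -H "$flag") || return 1
    ulimit -S "$flag" "$hard"
}

# Report the soft limit currently in effect for a resource flag, so a caller
# can confirm what the wrapper actually changed.
soft_limit() {
    ulimit -S "$1"
}

# Raise the data-segment limit, then exec the application with its arguments.
# exec replaces this shell with the program, which inherits the new limit.
run_with_raised_limits() {
    raise_soft_to_hard -d || { echo "cannot raise data limit" >&2; return 1; }
    exec "$@"
}

# Usage from a wrapper script (application name assumed):
#   run_with_raised_limits netbeans "$@"
```

The wrapper only adjusts the soft limit; if the hard limit in login.conf is itself too low for the application, that is the place to raise it, as the reply's login.conf suggestion says.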



Re: I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it

2011-11-13 Thread Andres Perera
On Sun, Nov 13, 2011 at 9:22 AM, David Walker  wrote:
> On 13/11/2011, Mostaf Faridi  wrote:
>> Can I optimiz this pf.conf?
>> Thanks in advance
>
> I do not open up the truth to one who is not eager to get knowledge,
> nor help out any one who is not anxious to explain himself. When I
> have presented one corner of a subject to any one, and he cannot from
> it learn the other three, I do not repeat my lesson.
>
> http://en.wikiquote.org/wiki/Confucius
>
> http://blogs.nasa.gov/cm/wiki/?id=2738#gen6
>

i like your style :)


> Best wishes.



Re: systat colors?

2011-11-11 Thread Andres Perera
readelf -d `which systat`
...
 0x0001 (NEEDED) Shared library: [libcurses.so.12.1]
...

On Fri, Nov 11, 2011 at 8:08 PM, STeve Andre'  wrote:
> On 11/11/11 18:58, Stuart Henderson wrote:
>>
>> On 2011-11-10, STeve Andre' wrote:
>>>
>>> On 11/10/11 16:41, Ted Unangst wrote:

>>>> On Thu, Nov 10, 2011, Joe wrote:
>>>>>
>>>>> Has anyone already modified systat to support colored text?
>>>>
>>>> No, nor will they.  colorized utilities are not particularly welcome.
>>>> (i mean, you can do it, but don't expect such patches to be accepted.)
>>>>
>>>
>>> But such a systat could live in ports, quite happily.  See
>>> colorls.
>>
>> Not all that happily. It will keep getting out of sync with the OS.
>>
>>
> OK, point taken.  But if the 'color systat' was a post-processor
> it could take the output and add color escape sequences.
> That then leaves syncing problems for changes in systat's
> output itself, which while happening, isn't that common.
>
> --STeve Andre'



Re: bash script problem

2011-11-11 Thread Andres Perera
On Fri, Nov 11, 2011 at 9:10 AM, John Tate  wrote:
> I put a comment in before the line with a problem, I don't understand
> why it's not working.
>
> bash# for x in 1 2 3 4; do time dd if=/dev/random of=/home/test$x
> bs=1k count=64k & done \
> while [ $V -eq 0 ]; \
> do \
> #why the hell is this such a problem!

because it breaks the line continuation (`\')

there's no need to use that here anyway, presuming this isn't part of a
makefile

> V = 0 \
> clear \
> echo -n "Jobs running... " \
> if jobs 4; then; echo -n "last job running!"; else; echo -n "last job stopped";
>  env V=1; fi \
> sleep 1 \
> done
> time cat secure1 secure2 secure3 secure4 > secure_t.vnd \
> time rm secure1 secure2 secure3 secure4
>
> John Tate.
>
> --
> www.johntate.org
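As an added example (not part of John Tate's post or the reply), here is the polling loop written the way the reply implies: one command per line and no backslash continuations, so a comment can sit anywhere without breaking anything. It swaps the dd jobs for constructed sleep jobs so it runs anywhere, and polls recorded pids with kill -0 rather than testing "jobs 4", which is an assumption about what the original loop wanted to know.

```shell
#!/bin/sh
# Added example, not from the original post. Background work is a constructed
# stand-in (sleep) for the dd jobs; pid polling replaces the "jobs 4" test.

# Start N background copies of the given command; their pids are collected in
# JOB_PIDS (set in the current shell, so no subshell swallows them). Output is
# sent to /dev/null so the jobs never hold a caller's stdout pipe open.
start_jobs() {
    n=$1; shift
    JOB_PIDS=""
    i=1
    while [ "$i" -le "$n" ]; do
        "$@" >/dev/null 2>&1 &
        JOB_PIDS="$JOB_PIDS $!"
        i=$((i + 1))
    done
}

# Return 0 while any of the given pids is still alive, 1 once all have exited.
# kill -0 only checks that the process exists; it delivers no signal.
any_running() {
    for pid in "$@"; do
        if kill -0 "$pid" 2>/dev/null; then
            return 0
        fi
    done
    return 1
}

# Poll once a second until every pid has exited, then print the poll count.
wait_polling() {
    polls=0
    # a comment here is harmless: no line continuation is in play
    while any_running "$@"; do
        polls=$((polls + 1))
        sleep 1
    done
    wait   # reap the finished children
    echo "$polls"
}

# Run four constructed 1-second jobs and poll until they are all gone.
run_demo() {
    start_jobs 4 sleep 1
    wait_polling $JOB_PIDS
}
```

If the real goal is only to block until the jobs finish, a plain `wait` after starting them does that without any loop; the polling form is what you want when something (a status line, a clear) has to happen while they run.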



Re: OpenBSD and shebang line to a script not supported?

2011-10-31 Thread Andres Perera
how does linux handle that without going into infinite loops?

On Mon, Oct 31, 2011 at 6:55 PM, Mikolaj Kucharski wrote:
> Hi,
>
> Attached archive has small testing scripts to be extracted in /tmp.
> There are 2 tests (exec1 and exec2) with 2 scripts each (4 scripts
> total):
>
> test#1, openbsd:
> $ /tmp/exec1.sh
> exec1.sh executed
>
> test#1, linux:
> # /tmp/exec1.sh
> /tmp/exec1.pl executed
> exec1.sh executed
>
>
> test#2, openbsd:
> $ /tmp/exec2.pl
> /tmp/exec2.pl[3]: use: not found
> /tmp/exec2.pl[4]: use: not found
> /tmp/exec2.pl[6]: syntax error: `(' unexpected
>
> test#2, linux:
> # /tmp/exec2.pl
> exec2.sh executed
> exec2.sh executed
> exec2.sh executed
> ^C
>
>
> What I see is that OpenBSD doesn't support scripts in shebang line and
> executes /bin/sh instead. Am I correct here?
>
>
> PS. Please CC me in replies. Thanks.
>
> --
> best regards
> q#
>
> [demime 1.01d removed an attachment of type application/x-tar-gz]



Re: dhclient, resolv.conf

2011-10-23 Thread Andres Perera
the dhclient in base, and possibly the isc one, interprets options set
to the empty string as unset

On Sun, Oct 23, 2011 at 1:38 PM,   wrote:
> Jurjen Oskam  wrote:
>
>> supersede domain-name-servers 192.168.1.1;
>> supersede domain-name "";
>
> My dhclient completely ignores
>
>   supersede domain-name "";
>
> and sets an unwanted search line given by the server. Indeed
> you must give
>
>   supersede domain-name ".";
>
> To obtain
>
>   search .
>
> in resolv.conf, what seems to be no problem.
>
> Rod.



Re: do not understand how to upgrade to-CURRENT

2011-10-22 Thread Andres Perera
you can't even write properly in Spanish

2011/10/22 Zantgo :
> I don't understand how to upgrade to -current; which guide do I have to follow:
>
> http://www.openbsd.org/faq/faq5.html (that is, follow exactly what it says
> there, and once I have built the system from source I will be running
> -current)
>
> http://www.openbsd.org/faq/current.html (following this exactly, I will
> automatically get a -current)
>
> Please, all I want is to upgrade to current, but I don't know how.
>
> PS: in all the above cases do I have to be running a snapshot?
> Right?
>
> PS2: http://www.openbsd.org/faq/current.html is obsolete
>
> Zantgo



Re: Dennis Ritchie

2011-10-13 Thread Andres Genovez
2011/10/13 David Coppa 

> Today is a sad sad day :(
>
> Rest in Peace.
> Without you, we would never be here.
>
> Cheers,
> David
>
>
People who change the world unfortunately do not last forever. He will be
forever missed, but his legacy will last forever.

Andres.


--
Sincerely

Andrés Genovez Tobar / Technician
Elastix ECE - Linux  LPI-1 - Novell CLA - Apple ACMT
http://www.puntonet.ec



Re: microsoft wireless keyboard and mouse

2011-10-08 Thread Andres Perera
i don't have much to add right now besides confirming the problem with
"Microsoft Wireless Desktop Receiver 3.1A(0x00f1), Microsft(0x045e),
rev 0.02", wireless mouse/keyboard combo 2000

i think that the mouse calibration could be an easy problem to sort
out after spending a weekend on it



Re: Why I uninstalled OpenBSD???

2011-10-03 Thread Andres Perera
On Sun, Oct 2, 2011 at 12:14 AM, Nick Holland wrote:
> On 10/01/11 23:08, Christiano F. Haesbaert wrote:
>> Not again people, please.
>>
>> Stop feeding.
>
> Yes.
> Yet another never-heard-from-before-or-again loser (and *always* using a
> gmail account...isn't that interesting?) posting a link to that loser's
> site (which is hosted on google, and MX records point to google).  $0.50
> says it's the same loser who writes that dribble and posts the link here.

well, you narrowed down the list of suspects to the gazillion of
people that use gmail

>
> And then a bunch of people who should know better jump all over him, not
> unjustifiably, but include the link of the crap in their reply, giving
> more advertising to the site and higher search engine ratings.  Mission
> accomplished.
>
> IF you have to reply to someone posting a stupid link (even an
> UNINTENTIONALLY stupid link...you know, the well-intended ones that
> provide bddd advice), do the world a favor and remove the link from
> your reply...
>
> Nick.



Re: Group ownership of files at creation time

2011-08-16 Thread Andres Perera
S_ISGID bits on a directory are meaningful in sysv, whereas on bsd
open(2) acts as if they were always on



Pear Version > (2008-08-23) Updated to version: pear-1.7.2

2011-08-15 Thread Andres Genovez
Hi friends,

I am having a lot of problems with the standard version of PEAR that ships
with OpenBSD; the latest I can get is (2008-08-23) Updated to version:
pear-1.7.2

But the system insists it requires version 1.8. Please, can anybody give me a
guide on how I can update PEAR?

Thanks for any help!
--
Sincerely

Andrés Genovez Tobar / Technician
Elastix ECE - Linux  LPI-1 - Novell CLA - Apple ACMT
http://www.puntonet.ec



Installing Image_Canvas

2011-08-11 Thread Andres Genovez
Hello,

A little question, if anyone can help

I am using OpenBSD 4.8 GENERIC

I am using

pear-1.7.2.tgz



But when I try to install this, I get this error

# pear install Image_Graph-0.7.2
Did not download dependencies: pear/PEAR, pear/Image_Canvas, use --alldeps
or --onlyreqdeps to download automatically
pear/Image_Graph requires package "pear/PEAR" (version >= 1.3.1)
pear/Image_Graph requires package "pear/Image_Canvas" (version >= 0.3.0)
No valid packages found
install failed
#

Can someone give me some guidance?

Thanks!


--
Sincerely

Andrés Genovez Tobar / Technician
Elastix ECE - Linux  LPI-1 - Novell CLA - Apple ACMT
http://www.puntonet.ec



Re: Load average question

2011-08-08 Thread Andres Perera
On Mon, Aug 8, 2011 at 1:04 PM, STeve Andre'  wrote:
> On 08/08/11 12:59, Theo de Raadt wrote:
>>>
>>> Nick, this is probably the single most frequently asked question... :-)
>>
>> No, it is not.  In the modern world of search engines, this question
>> lands at the same level as trolling.  If a person's first gut reaction
>> isn't "go type 3 words into a search engine", and instead they craft a
>> 500 line email message to a list, that is trolling.
>>
>> Rikky, here is a diff which solves the problem you are facing:
>>
>> --- w.c Sat Jul 30 15:17:12 2011
>> +++ w.c.new B  B  Mon Aug B 8 10:57:34 2011
>> @@ -430,7 +430,7 @@
>> B  B  B  B  B  B  B  B for (i = 0; i< B (sizeof(avenrun) /
sizeof(avenrun[0]));
>> i++) {
>> B  B  B  B  B  B  B  B  B  B  B  B if (i> B 0)
>> B  B  B  B  B  B  B  B  B  B  B  B  B  B  B  B (void)printf(",");
>> - B  B  B  B  B  B  B  B  B  B  B  (void)printf(" %.2f", avenrun[i]);
>> + B  B  B  B  B  B  B  B  B  B  B  (void)printf(" %.2f", 0.001);
>> B  B  B  B  B  B  B  B }
>> B  B  B  B  B  B  B  B (void)printf("\n");
>> B  B  B  B }
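Review bot: the `+` line drops the avenrun[i] read and prints the constant 0.001 on every iteration, so the loop no longer reports any load average and the comma logic above it only formats three copies of a fabricated value; if the intent is for w(1) to stop showing load averages, removing the loop and its trailing printf("\n") is the cleaner change, since printing a fake figure misleads anyone who reads the output.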
>>
>>
>
> Hmmm.  Wrap that around an #ifdef looking for an environment
> variable ("LOADAV") and if it isn't set to "IUNDERSTAND" Theo's
> diff is what's shown.

cpp can't look for environment variables

>
> I'm not being entirely facetious.

how facetious are you being, on a scale from 1 to 10?

>
> --STeve Andre'



TODAY YOU CAN PUBLISH YOUR BOOKS - July 2011 -

2011-07-25 Thread Andres Rodriguez
Ediciones Pasión de Escritores

Print on demand - Short print runs - Reprints

TODAY YOU CAN PUBLISH YOUR WORK

THE BEST PRICE ON THE MARKET

July 2011 promotion

Size: 14 x 20

4-colour covers

On 300 g coated paper

Glossy OPP lamination

Interior

Black and white

On 75/80 g extra-white offset paper

Binder binding

50 books of 60 pages:

Final printing price $ 540.-

Request a quote in the formats:

14x20 15x21 15.5x23

16x24 17x25 20x28 21x28

Our services

Print-on-demand editions

Reprints of publications from 25 copies

Galley proofs

Free ISBN processing - Fee paid by the writer

Free processing - Law 11723 - Fee paid by the writer

Optional services

Cover design

Proofreading service

Layout

Our editions are paid in 3 instalments

Request information at:

consultaedic...@pasiondeescritores.com.ar

www.pasiondeescritores.com.ar

IMPORTANT NOTE: If you do not wish to receive information in the future, please
send an e-mail to be removed. This e-mail is not SPAM since it includes a means
of removal, in accordance with the provisions of Decree 5.1618 . Title 3 #, approved
by Congress, the basis of the international regulations on SPAM.

[demime 1.01d removed an attachment of type image/jpeg which had a name of 
logofirma.jpg]



Re: pf rule?

2011-07-20 Thread Andres Perera
On Wed, Jul 20, 2011 at 8:49 AM, fqui nonez  wrote:
> 2011/7/20 Wesley MOUEDINE ASSABY :
>> Also,
>> you can see a sample on http://mouedine.net/ruleset49.aspx
>>
>> Wesley.
>>
>> On Wed, 20 Jul 2011 14:27:27 +0400, Wesley MOUEDINE ASSABY
>>  wrote:
>>> Hi,
>>>
>>> Try this:
>>> block log return
>>>
>>> Cheers,
>>>
>>> Wesley.
>>>
>>> On Wed, 20 Jul 2011 01:09:09 -0700, fqui nonez 
>>> wrote:
>>>> Hello
>>>>
>>>> I have a sshd/ftpd/httpd server box, 4.9 stable; and I want to log all
>>>> blocked packets, and send them to /var/log/pfblocklog to be read with
>>>> tcpdump. What and where should be the rule?
>>>>
>>>> Thanks for your attention.
>
> Hello
>
> I changed it to:
>
> #	$OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
> #
>
> set skip on lo
>
> ### Added by me:
> block log
>
> pass out quick on rl0
>
> antispoof quick for rl0
>
> pass in log on rl0 proto tcp from any to port 22
> pass in log on rl0 proto tcp from any to port 21
> pass in log on rl0 proto tcp from any to port 80

replace all three by:
pass in log on rl0 proto tcp to port { 21 22 80 }

>
> ### End.
>
> # filter rules and anchor for ftp-proxy(8)
> anchor "ftp-proxy/*"
> pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021

you already pass these packets before. redundant rules make pfctl
output hard to read, so change it to:
match in proto tcp to port ftp rdr-to localhost port 8021

>
> Thank so much both. How does it look?



Re: pf rule?

2011-07-20 Thread Andres Perera
now for the problems in your rules:

On Wed, Jul 20, 2011 at 3:39 AM, fqui nonez  wrote:
> #	$OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
> #
>
> set skip on lo
>
> ### Added by me:
> block return
>
> pass in quick log on rl0 proto tcp from any to port 22
> pass out quick on rl0 to any
> pass in quick log on rl0 proto tcp from any to port 21
> pass in quick log on rl0 proto tcp from any to port 80

from any/ to any is implied

>
> ### End.
>
> # filter rules and anchor for ftp-proxy(8)
> anchor "ftp-proxy/*"
> pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
>
> pass            # to establish keep-state

this negates rule #0

>
> # By default, do not permit remote connections to X11
> block in on ! lo0 proto tcp to port 6000:6010

redundant if #0 works

>
> Thanks for your attention.



Re: pf rule?

2011-07-20 Thread Andres Perera
ifconfig pflog1 create
touch /var/log/pfblocklog
pflogd -ipflog1 -f$_

pf.conf:

l = "log (to pflog1)"

block return $l
block ... $l

to keep the pfctl rule output readable, match and tag the packets
instead and have a single block + log rule (at the expense of no
"quick")

On Wed, Jul 20, 2011 at 3:39 AM, fqui nonez  wrote:
> Hello
>
> I have a sshd/ftpd/httpd server box, 4.9 stable; and I want to log all
> blocked packets, and send them to /var/log/pfblocklog to be read with
> tcpdump. What and where should be the rule?
>
> #	$OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
> #
>
> set skip on lo
>
> ### Added by me:
> block return
>
> pass in quick log on rl0 proto tcp from any to port 22
> pass out quick on rl0 to any
> pass in quick log on rl0 proto tcp from any to port 21
> pass in quick log on rl0 proto tcp from any to port 80
>
> ### End.
>
> # filter rules and anchor for ftp-proxy(8)
> anchor "ftp-proxy/*"
> pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
>
> pass            # to establish keep-state
>
> # By default, do not permit remote connections to X11
> block in on ! lo0 proto tcp to port 6000:6010
>
> Thanks for your attention.



Re: openbsd 4.9 based UTM

2011-07-19 Thread Andres Perera
On Tue, Jul 19, 2011 at 6:04 AM, citoyen citoyen  wrote:
> Hi,
> I'm about starting a project of building my own High secure UTM based on the
> last openbsd flower 4.9,
> i can do all system and network configs needed by myself but I'm wondering
> what language to use in order to get
> my UTM configurable from a web browser.
> any pointers or help are welcome.
>

i built a similar UTM project using openbsd as firewall and freedos
for fileserver (raw device access is way faster than mucking around in
userland)

the web interface should be coded in js

js would generate m4 macros that generate pf rules, spamd rules, etc

low complexity:

js -> m4 -> pf preprocessor -> pf

the m4 macros look like this:

divert(-1)

dnl pu/po are shorthands for pushdef/popdef
define(`pu',`pushdef($@)')
define(`po',`popdef($@)')

dnl m4pf_blockrule(proto, from, to): bind the arguments to P, F and T,
dnl emit one pf block rule, then restore whatever P, F and T were before
define(`m4pf_blockrule',
`pu(`P', `$1')'
`pu(`F', `$2')'
`pu(`T', `$3')'
`block proto P from F to T'`'
`po(`P',`F',`T')')

divert(0)dnl

the idea is to replicate the pf.conf syntax in m4 and js so that i can
use the webinterface to do the configuration and users don't need to
learn pf.conf, but they need to learn my interface instead. i thought
of just serving the contents of pf.conf initially, but that's too
complicated and you seem to have discarded that anyway



Re: How does OpenBSD compare to Ubuntu Server?

2011-07-11 Thread Andres Perera
On Mon, Jul 11, 2011 at 11:43 PM, patrick keshishian  wrote:
>
> you failed at making any point.

i'll rebrand it into convenient twitter format:

debian splits packages to the point where a single service is
associated with a single top level package, meaning that there's never a
reason for unused installed services

openbsd limitations do not apply 1:1 to other systems unless they
happen to be openbsd. in the previous sentence, "openbsd" can be
replaced by any word



Re: How does OpenBSD compare to Ubuntu Server?

2011-07-11 Thread Andres Perera
On Mon, Jul 11, 2011 at 9:40 PM, patrick keshishian  wrote:
> On Mon, Jul 11, 2011 at 5:36 PM, Andres Perera 
>>
>> why would you install a daemon and not run it? how is it any different
>> than X listening on localhost by default in obsd?
>
> Just because you install something doesn't mean you want it run by default.
>
> fingerd, ftpd, rshd, popa3d, tftpd, ntalkd, ntpd, bind, lpd, sshd,
> etc. are installed on OpenBSD, but not necessarily enabled by default.

one trait that all of these programs have in common is their inclusion
in base, which is meant to be a general purpose system. that's a whole
other story from debian and ubuntu. both of these linux distributions
have tags such as "essential" or "required" reserved for crucial
packages; anything else is optional. the packages that brandish the
"required" tag differ significantly from obsd's criteria. suffice to
say, httpd does not qualify as indispensable in debian world

added daemons have different connotations from those included in obsd
base, and this also applies to debian and derivatives. the closest
parallel would be packages built from ports and the automation pkg_add
performs on installing them

>
> When software thinks too much for the operator is when trouble begins.
>
> --patrick



Re: How does OpenBSD compare to Ubuntu Server?

2011-07-11 Thread Andres Perera
On Mon, Jul 11, 2011 at 8:48 PM, J Sisson  wrote:
> On Mon, Jul 11, 2011 at 7:36 PM, Andres Perera  wrote:
>>
>> why would you install a daemon and not run it? how is it any different
>> than X listening on localhost by default in obsd? if you install a
>> daemon in debian/ubuntu and it listens on 0.0.0.0 by default, the
>> package isn't following distro policy
>
> Why would you start a daemon before you have had a chance to
> configure it for your environment?  Is it really that hard to run
> update-rc.d after you edit a config file?

that wouldn't be any different than sending a HUP signal or restarting
through rc.d, assuming listening on localhost is ok. for exceptional
situations where it would be not ok, like increasingly rare truly
multi-user systems, you can turn it off globally for newly installed
packages

>
> OpenBSD asks if X should run by default when you install the system.
> On top of that, the default firewall rules explicitly block traffic to X.
> It's quite different in fact.

it does not offer granularity covering both "running X" and "X
accepting connections from localhost", just like the debian package
policy concerning network daemons

>
> Policy?  Well thank heavens for that...I guess I should run Ubuntu on
> all of my critical infrastructure...their policy will protect me.



Re: How does OpenBSD compare to Ubuntu Server?

2011-07-11 Thread Andres Perera
On Mon, Jul 11, 2011 at 7:46 PM, J Sisson  wrote:
> On Mon, Jul 11, 2011 at 6:58 PM, Juan Miscaro  wrote:
>
>> On 7 July 2011 15:06, jirib  wrote:
>>
>> Are you kidding? Ubuntu? Where installed daemons are running by default,
>> > where there is no command to disable shitty upstart daemons?
>>
>> Which daemons are those again?
>>
>> apt-get install 
>
> Oh look,  is running before I have a chance to
> configure it and lock it down the way I see fit.  Good thing we all
> know those Ubuntu/Debian guys are so damned smart and all...
>

why would you install a daemon and not run it? how is it any different
than X listening on localhost by default in obsd? if you install a
daemon in debian/ubuntu and it listens on 0.0.0.0 by default, the
package isn't following distro policy



Re: Recompile OpenBSD without built-in Apache 1.3

2011-06-28 Thread Andres Perera
see SKIPDIR in mk.conf(5)

add usr.sbin/httpd

On Tue, Jun 28, 2011 at 9:01 PM, Tito Mari Francis Escaño wrote:
> Good day!
> Is it possible to recompile the whole system while excluding the built-in
> Apache 1.3 web server? I was hoping to save a few more megabytes off the
> base installation of the system. In case it's not advisable, can you please
> discuss the bad side effects of doing so?
> Thanks in advance.



Re: Can command-line options be specified in any place?

2011-06-22 Thread Andres Perera
On Wed, Jun 22, 2011 at 7:19 AM, Tobias Ulmer  wrote:
>
> The getopt(3) function is inconsistent amongst operating systems and
> could use some polish in my opinion. Maybe there are technical reasons
> why this feature can't be implemented, but this discussion has certainly
> extinguished my curiosity about it.
>

inconsistent implementations are not the problem at all

if the system getopt is patched to always use FLAG_PERMUTE like
getopt_long, then scripts that expect the old behaviour would have to
be changed. for example, /etc/rc.d/rc.subr:

-rcexec="su -l -c ${daemon_class} -s /bin/sh ${daemon_user} -c"
+rcexec="su -l -c ${daemon_class} -s /bin/sh -- ${daemon_user} -c"
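Review bot: the `--` inserted before ${daemon_user} is the right terminator for the case described: it guarantees the trailing -c reaches the login shell as an operand even under a permuting getopt, while the earlier -c ${daemon_class} still goes to su as its own option because it precedes the `--`; the pre-patch line only works because OpenBSD's getopt stops at the first operand, which is exactly the dependency the surrounding text points out.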

going through all the scripts is a bigger problem than some other os
using another implementation with remarkably different semantics



Re: Can command-line options be specified in any place?

2011-06-21 Thread Andres Perera
you can compile gnu coreutils

the reason posix and bsd don't allow options after operands is because
it complicates the implementation of getopt and it introduces
ambiguity, especially with options that take arguments

the gnu getopt has to look at the first characters of every argv
member unless -- is used, which is inconvenient in interactive shells

On Tue, Jun 21, 2011 at 7:09 PM,   wrote:
> Hi,
>
> I'm considering migrating my desktop from Linux to OpenBSD but the
> main feature that
> kept me away from *BSD world for over a decade since I've first tried
> FreeBSD was the
> one that options must only be specified after command before any
> arguments. (At least
> that is true for basic commands). For example on Linux a command
>
>  ls -l foo -h
>
> will print the foo's size with suffix (K, M, G, etc.). On *BSD
> (including Mac OS X) I get error
> message:
>
>  ls: -h: No such file or directory
>
> Is there an easy way to get the desired behavior on OpenBSD? If that
> can only be achieved
> by patching system's sources is there a standard way to maintain my
> personal set of
> patches so that they will be automatically applied every time I upgrade
system?
>
> Best regards,
> Vadim.
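As an added example (not code from either reply), here is the non-permuting behaviour both of Andres's posts in this thread describe, shown with the POSIX getopts builtin, which stops at the first operand just as BSD getopt(3) does. Run on the thread's "ls -l foo -h" argument list it shows why -h is left over as an operand, and it also shows "--" marking the end of options explicitly, which is the same device the rc.subr su line in the other reply relies on. The flag names are an assumption chosen to mirror the ls example.

```shell
#!/bin/sh
# Added example, not from the original thread. Parses "-l" and "-h" in the
# manner of ls(1) using getopts, which never permutes argv.

# Parse flags up to the first operand; print the flags seen and what is left.
parse_ls_args() {
    long=0; human=0
    OPTIND=1            # restart getopts for each call
    while getopts "lh" opt; do
        case $opt in
            l) long=1 ;;
            h) human=1 ;;
            *) return 2 ;;   # getopts already reported the bad option
        esac
    done
    shift $((OPTIND - 1))
    # everything remaining is an operand; with a non-permuting parser that
    # includes any "-x" that appeared after the first operand, and "--"
    # itself is consumed as the end-of-options marker
    echo "long=$long human=$human operands=$*"
}

# Examples (flag values assumed for illustration):
#   parse_ls_args -l foo -h     -> long=1 human=0 operands=foo -h
#   parse_ls_args -l -h foo     -> long=1 human=1 operands=foo
#   parse_ls_args -l -- -h foo  -> long=1 human=0 operands=-h foo
```

The third call is why the rc.subr patch in the other reply needs "--": with it, whatever follows is an operand on every getopt implementation, permuting or not.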



Re: vmmap: bad software everywhere

2011-06-05 Thread Andres Perera
i'm sure you could fathom the idea that some people care more about
streaming video on their browsers than address randomization, the same
way some people care more about speedier local lookups to a
stationary sync db than making sure a package has correct @want-lib
by trashing the ftp server on every query

some of these people may even call the alternative they're not using "stupid"

what does that do? nothing

On Sun, Jun 5, 2011 at 9:47 AM, Marc Espie  wrote:
> On Sun, Jun 05, 2011 at 09:46:48AM -0400, Nico Kadel-Garcia wrote:
>> On Fri, Jun 3, 2011 at 6:26 PM, Marc Espie  wrote:
>> > On Fri, Jun 03, 2011 at 06:11:31PM -0400, Nico Kadel-Garcia wrote:
>> >> On Tue, May 31, 2011 at 6:51 AM, Marc Espie  wrote:
>> >>
>> >> > How comes nobody in other OSes noticed ? Well, people probably did, and
>> >> > tweaked their allocators to "work", by using preferably the low address 
>> >> > space,
>> >> > and having addresses that increase slowly, so that a lot of pointers 
>> >> > are below
>> >> > 4GB, and a lot of pointer diffs are under 4GB.
>> >
>> >> Or you could just be engaging in an ad hominem attack without actually
>> >> looking at their implementations and assuming they're not doing it
>> >> right because they're not you or your favorite platform. But hey, we
>> >> don't know anyone who'd do *that* in the OpenBSD community. Right?
>> >
>> > Wrong.
>> >
>> > An ad hominem attack would require me asserting all this for a fact, which
>> > is not what I'm doing. Notice the "probably" ? it makes all the difference
>> > in the world.
>>
>> No, I'm afraid it really doesn't require "asserting the truth". To
>> quote from Wikipedia, "An ad hominem (Latin: "to the man"), short for
>> argumentum ad hominem, is an attempt to link the truth of a claim to a
>> negative characteristic or belief of the person advocating it" It's
>> what I just did to you, in turn. How's it feel?
>>
>> An example or two would have lent powerful credence to your claim. The
>> fix for mono, which Marc Espie notes in this thread, is a very
>> powerful such indicator.
>
> I tend to publish findings early, when I don't have THAT many built
> examples yet. There's also some teamwork, specifically, I don't personally
> oversee everything in OpenBSD. Nobody does. But we do notice trends, and do
> some design work based on that.
>
> You can call that "ad hominem" if you wish, do any kind of rhetoric. For me,
> putting a "probably" in front of a working hypothesis is enough to go forward.
> I expect the facts to be disputed, I don't care much for the rhetoric part of
> it...
>
> I would even venture this is a fundamental activity for us to go forward.
> If you lose yourself in gruntwork, you don't see the bigger picture.
> Sometimes, we do have the luxury of saying "this is complete shit, it 
> shouldn't
> work", and then we break bad software.
>
> On the other hand, "secure by default, runs GENERIC" is the other tenet of
> our culture -> reproducible defaults, no need to tinker with configs to get
> things to work, and also, proceed cautiously, do not invent stupid APIS when
> we don't need to.



Re: Theo's Birthday, have you done anything?

2011-05-23 Thread Andres Genovez
A little late, but big greetings from Ecuador - South America.

2011/5/19 Mayuresh Kathe 

> Hey, it's Theo's birthday today, have you done anything?
> Yeah, you could wish him, but, how about a small gift?
> How about donating US$10 to the project today?
>
>


--
Sincerely

Andrés Genovez Tobar / Technician
Elastix ECE - Linux  LPI-1 - Novell CLA - Apple ACMT
http://www.puntonet.ec



Re: Fallback ruleset loaded at boot time

2011-04-24 Thread Andres Chavez
Yes, you were right. I fixed the domain entries in pf.conf and also some
inconsistency with the queue configuration on the internal interface, and then
everything was great.

Thanks a lot!

2011/4/24 Henning Brauer 

> * Andres Chavez  [2011-04-24 05:44]:
> > I'm wondering why the rc script is loading the fallback ruleset instead
> of
> > mine.
>
> because loading yours failed.
>
> > pfctl -nf /etc/pf.conf  it's OK
> >
> > And if i manually load it with pfctl -f /etc/pf.conf all is going as
> > expected
>
> so you have something in there relying on something not available
> early enough on the boot process. primarily suspect is dns.
>
> --
> Henning Brauer, h...@bsws.de, henn...@openbsd.org
> BS Web Services, http://bsws.de
> Full-Service ISP - Secure Hosting, Mail and DNS Services
> Dedicated Servers, Rootservers, Application Hosting
>
>


--
Andrés Chavez
IT System / Network Administrator CPF
FreeBSD Server Administrator
http://www.andreschavez.com.ve



Fallback ruleset loaded at boot time

2011-04-23 Thread Andres Chavez
Hi guys

I'm wondering why the rc script is loading the fallback ruleset instead of
mine.
I'd set the ruleset as usual at /etc/pf.conf but OpenBSD seems to be loading
the fallback for some reason.

Everything looks good.

# grep ^pf /etc/rc*
/etc/rc.conf:pf=YES # Packet filter / NAT
/etc/rc.conf:pf_rules=/etc/pf.conf  # Packet filter rules file
/etc/rc.conf:pflogd_flags=  # add more flags, e.g. "-s 256"

Permissions

ls -l /etc/pf.conf
-rw---  1 root  wheel  6517 Apr 25 21:39 /etc/pf.conf

pfctl -nf /etc/pf.conf  it's OK

And if i manually load it with pfctl -f /etc/pf.conf all is going as
expected

Well, I've left my pf.conf file attached if you want to take a look. Using
OpenBSD 4.8 Release.

Cheers --

[demime 1.01d removed an attachment of type application/octet-stream which had 
a name of pf.conf]



Best advice for a link aggregation setup

2011-03-25 Thread Andres Chavez
Hello misc.. I'm currently helping a friend on a link aggregation setup
based on 4.8 with 2 links from the same ISP, so we have followed a bunch of
faqs/how-to's but the fact is that we're in the middle of a bunch of questions
too. So it would be nice if you guys can help us to clear some doubts, and take
the right actions if required.

1) What do we actually need to make sure a link aggregation setup will
work?,  you should know that we got a server HP proliant with only 1 pci
port so the nic is an Intel Dual Gbit port (em0/em1) the nic facing the LAN
is the onboard one and use the bge driver (bge0), and from the same ISP we
got two ADSL links of 2048 mb each

2) Must the two ADSL links support a special feature like bonding or
something like that?

Cheers..

-- 



Re: pkg_add -L localbase

2011-03-20 Thread Andres Perera
> it's a complete noop since it will remove the package regardless of
> localbase specified with -L. it looks under PKG_DBDIR/spec/+CONTENTS
> to learn about localbase, as always. in effect, it does not work
> because it's ignored

adding to that, it would've been immediately obvious to anyone testing
delete -L str that it was without effect, so the lack of the
description assumed the commit was tested

anyhow, as long as everyone reading understands the real reason why it
wasn't placed in PkgAdd.pm

xoxo




Re: pkg_add -L localbase

2011-03-19 Thread Andres Perera
On Sat, Mar 19, 2011 at 7:35 AM, Marc Espie wrote:
> On Sat, Mar 19, 2011 at 07:20:33AM -0430, Andres Perera wrote:
>> about AddCreateDelete.pm r1.15
>>
>> 1. -L was never there (adding back? had to go through the entire log
>> for the file to verify "adding back")
> Of course it was not. you'll have to check the whole history of the tools
> to figure out what happened.

fair enough

>
>
>> 2. PkgCreate.pm declared it separately, and still does
> Yep, should remove that as well.
>
>> 3. PkgDelete.pm doesn't work with -L, and if it ever did, it wasn't 
>> documented
> "doesn't work". Doesn't mean anything here. What doesn't work ? what do you
> get for error messages ? what are you doing ?
>

it's a complete noop since it will remove the package regardless of
localbase specified with -L. it looks under PKG_DBDIR/spec/+CONTENTS
to learn about localbase, as always. in effect, it does not work
because it's ignored



Re: pkg_add -L localbase

2011-03-19 Thread Andres Perera
about AddCreateDelete.pm r1.15

1. -L was never there (adding back? had to go through the entire log
for the file to verify "adding back")

2. PkgCreate.pm declared it separately, and still does

3. PkgDelete.pm doesn't work with -L, and if it ever did, it wasn't documented

is pkg_delete not working with -L now considered a bug, since the
commit portrays that it should work with -L? if so, is the lack of
documentation for the new flag also considered a bug?

hard to tell



Re: pkg_add -L localbase

2011-03-18 Thread Andres Perera
On Fri, Mar 18, 2011 at 3:45 AM, Gregory Edigarov wrote:
> Hello,
>
> Is this working ever?
> Yesterday I was trying to add a certain packages and wanted them to
> reside in the very separate base (/usr/opt) so them will be easilly
> removed after my trial of them.
> I did 'pkg_add -L /usr/opt/ package' and got:
> pkg_add: Unknown option -L
> Usage: pkg_add [-acIinqrsUuvxz] [-A arch] [-B pkg-destdir] [-D
> name[=value]] [-L localbase] [-l file] [-P type] [-Q quick-destdir]
> pkg-name [...]
>
> What am I missing?

--- usr/src/usr.sbin/pkg_add/OpenBSD/PkgAdd.pm  Mon Jan  3 14:31:04 2011
+++ usr/libdata/perl5/OpenBSD/PkgAdd.pm Fri Mar 18 12:51:28 2011
@@ -68,7 +68,7 @@
 sub handle_options
 {
my $state =3D shift;
-   $state->SUPER::handle_options('aruUzl:A:P:Q:',
+   $state->SUPER::handle_options('aruUzl:A:L:P:Q:',
'[-acIinqrsUuvxz] [-A arch] [-B pkg-destdir] [-D name[=3Dvalue]=
]',
'[-L localbase] [-l file] [-P type] [-Q quick-destdir]
pkg-name [...]');
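Review bot: adding `L:` to the option string in `handle_options` only makes the parser accept `-L localbase`; nothing in this hunk consumes the option's value, so unless the base class already acts on `L` the flag will be parsed and then ignored, the same silent no-op described for pkg_delete earlier in this thread. The usage strings on the unchanged lines already advertised `[-L localbase]`, so the fix should pair the parser change with code that actually applies the alternate localbase, or drop `-L` from the usage text. Two practical points for anyone applying this: the diff header compares `usr/src/usr.sbin/pkg_add/OpenBSD/PkgAdd.pm` against the installed `usr/libdata/perl5/OpenBSD/PkgAdd.pm` rather than two revisions of the source, and the `=3D` and trailing `=` sequences are quoted-printable transport residue, so the patch needs decoding before it will apply.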

> --
> With best regards,
> Gregory Edigarov



nl_langinfo(3) and possibly redundant #include

2011-03-15 Thread Andres Perera
the synopsis section says
 #include <nl_types.h>
 #include <langinfo.h>

 char *
 nl_langinfo(nl_item item);

however, nl_types.h is included by langinfo.h

which one is at fault? should the man page be corrected or should the
header not pull nl_types.h?



Re: what is the “Online Certificate Status Protocol”

2011-03-09 Thread Andres Perera
On Wed, Mar 9, 2011 at 9:27 AM, Joachim Schipper wrote:
> On Wed, Mar 09, 2011 at 01:30:39AM -0800, erikmccaskey64 wrote:
>> I use privoxy. In the user.action file i have a redirect rule and a few
>> websites:
>>
>> { +redirect{s@http://@https://@} }
>> .twitter.com
>> .facebook.com
>>
>> Ok! it's working great, e.g.: if i visit any "*twitter.com" URL it gets
>> redirected to HTTPS!
>>
>> But: with wireshark i can see some "OCSP" packets [
>> http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol ]
>>
>> Question: What are these packets? Why aren't they in HTTPS?
>>
>> Is my redirection method with privoxy secure?
>
> The keys to legitimate certificates may fall in the hands of bad guys
> (e.g. when they hack a HTTPS server). This would allow the bad guys to
> redirect your HTTPS connections to their own machines without you seeing
> any warnings until the stolen certificates are no longer valid (which
> should allow them something like a year to steal your credit card).
>
> In order to prevent this, your computer asks a special server whether
> the certificate has been revoked. This is done over the OCSP protocol
> (there are other solutions); the connection is not encrypted, but the
> OCSP server's responses are digitally signed.
>
> So yes, your setup seems to work just fine (or as well as SSL does in
> the first place). The "HTTPS Everywhere" Firefox extension would be a
> less hacky solution, though.

i'm curious as to why you say that. afaik, https everywhere also
works by rewriting the uri, just like privoxy or squid would, while
privoxy is not limited to one browser, is able to log actions, is able
to scale for a whole site instead of a single system, etc.

>
> Joachim
>
> --
> PotD: biology/bioperl - perl tools for bioinformatics
> http://www.joachimschipper.nl/
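An added example (not from the thread, and not privoxy's own code) of the host matching a redirect rule like the one quoted above has to do, written in Python. It treats a leading dot as "this domain and all its subdomains" and matches on label boundaries only; that reading of the pattern syntax is an assumption of the example. The point it shows: a rule meant to force TLS for one site must cover every host of that site (api.twitter.com) while a naive endswith("twitter.com") also fires for nottwitter.com and an unanchored substring match fires for twitter.com.evil.example, so neither is a correct implementation of the rule.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed rule set modelled on the user.action snippet quoted above:
# each pattern selects hosts whose http:// URLs are rewritten to https://.
# The leading-dot reading ("the domain and all its subdomains") is an
# assumption of this example.
REDIRECT_DOMAINS = (".twitter.com", ".facebook.com")


def host_matches(host: str, pattern: str) -> bool:
    """Match a hostname against a domain pattern on label boundaries.

    ".twitter.com" matches "twitter.com" and "api.twitter.com", but not
    "nottwitter.com" (no label boundary) and not "twitter.com.evil.example"
    (the suffix is anchored at the end of the name).  A pattern without a
    leading dot must equal the host exactly.
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("."):
        bare = pattern[1:]
        return host == bare or host.endswith("." + bare)
    return host == pattern


def rewrite(url: str, patterns=REDIRECT_DOMAINS) -> str:
    """Apply s@http://@https://@ to URLs whose host matches a pattern.

    Only the scheme changes; path, query and fragment are preserved.
    Non-http URLs, unparseable ports and non-matching hosts are returned
    untouched.  An explicit :80 is dropped rather than carried over,
    since https://host:80/ would send TLS to the plaintext port; any
    other explicit port is kept as-is.
    """
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return url
    try:
        port = parts.port
    except ValueError:  # e.g. "http://host:abc/": leave it alone
        return url
    if not any(host_matches(parts.hostname, p) for p in patterns):
        return url

    netloc = parts.hostname if port in (None, 80) else f"{parts.hostname}:{port}"
    if parts.username is not None:  # keep any userinfo in front of the host
        cred = parts.username
        if parts.password is not None:
            cred += ":" + parts.password
        netloc = f"{cred}@{netloc}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    for u in ("http://twitter.com/login?x=1",
              "http://api.twitter.com:8080/1/statuses",
              "http://nottwitter.com/",
              "http://twitter.com.evil.example/"):
        print(f"{u} -> {rewrite(u)}")
```

Whatever tool applies the rule, checking its matcher against the look-alike names above is the quickest way to confirm the redirect covers the intended hosts and nothing else.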



Re: Your web development opinions

2011-02-23 Thread Andres Perera
On Wed, Feb 23, 2011 at 9:20 PM, Hugo Osvaldo Barrera wrote:
> On 23/02/11 20:56, Andres Perera wrote:
>> On Wed, Feb 23, 2011 at 5:57 PM, Hugo Osvaldo Barrera wrote:
>>> On 02/23/2011 10:35 AM, Chris Bennett wrote:
>>>>> They're a fucking disaster security-wise.
>>>>
>>>> +1
>>>>
>>>>> In general, blocking javascript won't get you too far, because most of the
>>>>> issues are not in the client, but rather in the use that's made of javascript.
>>>>
>>>> I basically block javascript to stop some advertising and keep some
>>>> sites from crashing firefox.
>>>> But many, many sites require javascript to even login (i.e. many bank websites!)
>>>>
>>>>> - trying to do https and having to deal with corrupt certificate authorities
>>>>> that don't guarantee too much in the end.
>>>>
>>>> CA's cannot be trusted to even pay attention to carefully securing your certificate.
>>>> Here in the US, the government can simply ask for your certificate and
>>>> get it (and possibly even use it to impersonate you)
>>>>
>>>> I sign my own certificates, post a copy of serial number and correct name
>>>> and IP address on my websites using them. I explain to every customer that I
>>>> do not trust external CA's and that I am only using https for encryption of
>>>> passwords and paid content.
>>>> No one has complained.
>
> A simple man-in-the-middle of that site, and replacing its content,
> would open the door for every site you refer to.
> If it's an SSL website, you're in an endless loop without a CA or
> trusted third party.

i hope that you realize that the loop applies to the initial
distribution of the bundle as well and that the difference after that is
one is centralized (bigger target) and the other one isn't

you're going to get their crl from them, right? like the millions of
other people that trust them should?

>
>>>>
>>>> Some have told me that I am risking a man-in-the-middle attack. Perhaps.
>>>> But I see little reason to trust the CA man-at-the-end!
>>>>
>>>> Chris Bennett
>>>>
>>>
>>> Supposing that's the case, the government can just request a CA a
>>> certificate for your domain, and do a man-in-the middle. Users won't
>>> get any prompt for invalid cert, and the same "vulnerability" you
>>> described using still exists.
>>>
>>
>> that's flawed because you're assuming his users are trusting equifax,
>> cacert.org, and the countless others that get bundled in certs packages for
>> unix, or worse, his users are using a browser that comes bundled with its own
>> set of certs and ssl library (firefox).
>
> That means you'd have to physically give the certificate to every user,
> with no trusted authority, or trusted third party, you have no way of
> establishing a secure (authenticated) communication, except physically
> being with that person.
>
> How do you then pay your taxes? Check your bank account, etc? I don't
> like having to trust dozens of CA and it's definitely not the best
> solution, but I don't see any alternative for this sort of thing.

my bank account and other items would never account for the plethora of
bundled certs, nor with the inability of a client to associate cacerts
with specific hosts. the latter is why your argument is flawed, and it
has nothing to do with self-signing

a cert pool should have varying degrees of trust and reach. if firefox
doesn't do this, the problem is firefox and not the server's cert
distribution model

>
>>
>> when you download openssh, does it come bundled with a known hosts file?
>>
>> no, you go to the site and look at their public key. if they delegated their
>> public keys to a central authority they exert no control over, they don't have
>> the power to shutdown their site when it becomes compromised to display bogus
>> public keys, or worse
>>
>> similarly, i dont feed the cert bundle to sendmail, but instead feed it a
>> *single* cert that i'm very wary of if it changes
>>
>> "ssl everywhere" is a stupid concept because of this. you should only ssl
>> select communications so that managing the certs is plausible
>>
>>> Additionally, you have to make users accept the cert manually the first
>>> time (checking it, of course). It may not be much of a fuss, but I
>>> don't see you actually fixing any security holes.
>>>
>>> --
>>> Hugo Osvaldo Barrera
>>>
>>>
>
>
> --
> Hugo Osvaldo Barrera
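An added example, written in Python for this page and not code from any poster, of the model Andres argues for above: pin one certificate per peer, SSH known_hosts-style, and treat a change as a failure instead of consulting a CA bundle. The PinStore class, the connect_pinned() helper and the mail.example host in the demo are all assumptions of the example; the DER stand-ins are constructed byte strings, not real certificates.

```python
import hashlib
import json
import socket
import ssl
from enum import Enum
from pathlib import Path


class PinResult(Enum):
    NEW = "new"            # no pin on file for this host:port yet
    MATCH = "match"        # presented certificate equals the pinned one
    MISMATCH = "mismatch"  # certificate changed: do not talk to this peer


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()


class PinStore:
    """known_hosts-style store mapping host:port to a certificate fingerprint.

    Hypothetical helper written for this example.  With path=None the
    store lives in memory only; with a path it is persisted as JSON so
    it can be inspected and edited like ~/.ssh/known_hosts.
    """

    def __init__(self, path=None):
        self.path = Path(path) if path is not None else None
        self.pins = {}
        if self.path is not None and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    @staticmethod
    def _key(host: str, port: int) -> str:
        return f"{host.lower().rstrip('.')}:{port}"

    def check(self, host: str, port: int, cert_der: bytes, learn: bool = True) -> PinResult:
        """Compare the presented certificate with the pin on file.

        learn=True records the fingerprint on first contact (trust on first
        use); learn=False only reports, which is what an unattended job
        that must never widen the trust set by itself should use.
        """
        seen = fingerprint(cert_der)
        key = self._key(host, port)
        pinned = self.pins.get(key)
        if pinned is None:
            if learn:
                self.pins[key] = seen
                self._save()
            return PinResult.NEW
        # fingerprints are public data, so a plain comparison is fine here
        return PinResult.MATCH if pinned == seen else PinResult.MISMATCH

    def _save(self) -> None:
        if self.path is not None:
            self.path.write_text(json.dumps(self.pins, indent=1, sort_keys=True))


def connect_pinned(host: str, port: int, store: PinStore, timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection whose peer is authenticated by the pin alone.

    CA verification is switched off on purpose: like an SSH known_hosts
    entry, the stored fingerprint is the only thing that vouches for the
    peer, and a mismatch closes the connection before any data is sent.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    tls = ctx.wrap_socket(socket.create_connection((host, port), timeout=timeout),
                          server_hostname=host)
    try:
        der = tls.getpeercert(binary_form=True)
        if der is None:
            raise ssl.SSLError(f"{host}:{port} presented no certificate")
        if store.check(host, port, der) is PinResult.MISMATCH:
            raise ssl.SSLCertVerificationError(
                f"certificate for {host}:{port} does not match the pin on file")
        return tls
    except Exception:
        tls.close()
        raise


if __name__ == "__main__":
    # Constructed stand-ins for DER certificates, not real X.509 data.
    cert_a = b"\x30\x82\x02\x10" + b"constructed DER stand-in A"
    cert_b = b"\x30\x82\x02\x10" + b"constructed DER stand-in B"
    store = PinStore()
    print(store.check("mail.example", 25, cert_a))  # first contact
    print(store.check("mail.example", 25, cert_a))  # same cert again
    print(store.check("mail.example", 25, cert_b))  # cert changed
```

A mismatch is a hard stop, which is the property the single-cert sendmail setup described above relies on. The cost, as Hugo points out in the thread, is that the first contact is unauthenticated unless the fingerprint is checked out of band, and a planned certificate rotation needs the pin updated on every client before the new certificate goes live.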


