wikipedia amd64 Intel EM64T W^X OpenBSD
Hi,

Reading through http://en.wikipedia.org/wiki/Amd64#FreeBSD, under OpenBSD it says:

2004. Complete in-tree support for the platform was achieved prior to the hardware's initial release due to AMD's loaning of several machines for the project's hackathon that year. OpenBSD developers have taken to the platform because of its use of the NX bit, which allowed for an easy implementation of the W^X feature. The code for the AMD64 port of OpenBSD also runs on the Intel processors with EM64T support which contain cloned support for the AMD64 extensions, but since Intel left out support for the page table NX bit in early EM64T processors, there is no W^X support on those Intel CPUs; later Intel EM64T processors added support for the NX bit under the name "XD bit". SMP is supported on OpenBSD's AMD64 port, starting with release 3.6 on November 1st, 200

---

Some time back Theo had mentioned in http://marc.theaimsgroup.com/?l=openbsd-misc&m=112260154519936&w=2

- Our W^X support is just as solid on i386 as it is on amd64, because on all our platforms we are very careful with the mapping of X and W objects. The i386 does fine. -

So does this mean that W^X support was available on EM64T processors even before XD bit was added if you use OpenBSD? Maybe, if it is true, someone more knowledgeable can edit the Wikipedia entry to make it clearer :-)

Thank you so much

Kind Regards

Siju
scrub reassemble tcp and nat causes problems with some sites
Hi!

I'm running OpenBSD 3.9 GENERIC as a NAT router.

If I add the "reassemble tcp" option to my scrub rule in pf.conf, I have trouble connecting to some sites, particularly ebay (ebay.de, ebay.at and ebay.com as well as e.g. kaufen.ebay.de) and some other few sites, from a machine behind the NAT router.

Connects time out or have long delays if the site responds at all. If connecting directly from OpenBSD, using lynx or squid running on the router, there is no problem.

If I omit "reassemble tcp" everything works fine, i.e. with:

scrub all no-df fragment reassemble random-id

I've never noticed the problem before because I was running the squid proxy on the router. Now I've moved it to a different machine which is NATted too. Please note that it is not a squid issue as timeouts occur regardless of proxy use if on a NATted machine.

Unfortunately I cannot determine why only some sites have troubles and that's why I am seeking advice here on how to further diagnose the problem.

Any hints are appreciated!

Regards, Walter
Re: scrub reassemble tcp and nat causes problems with some sites
Walter Haidinger([EMAIL PROTECTED]) on 2006.07.19 12:28:52 +:
> Hi!
>
> I'm running OpenBSD 3.9 GENERIC as a NAT router.
>
> If I add the "reassemble tcp" option to my scrub rule in pf.conf,
> I have trouble connecting to some sites, particularly ebay (ebay.de,
> ebay.at and ebay.com as well as e.g. kaufen.ebay.de) and
> some other few sites, from a machine behind the NAT router.
>
> Connects time out or have long delays if the site responds at all.
> If connecting directly from OpenBSD, using lynx or squid running on
> the router, there is no problem.

This sounds like a MTU problem. Either those sites are blocking ICMP-frag-needed messages or you are.

- set the correct MTU
- check pf.conf for "scrub max-mss [...]"
- google
- why do you use no-df?

/B.
Re: Icecast defaults
Karel Kulhavy wrote: The icecast.xml.dist in Icecast is containing nonexisting directories - maybe it's intended for the user to fill in, maybe it's just forgotten. The way it is right now is intended, see /usr/local/share/doc/icecast/README.OpenBSD Yeah ... I'll fix the grammar in the first paragraph with the next update. ;-P As the package MAINTAINER, I'm supposed to answer questions like these. Feel free to mail me directly, instead of the lists. In case a package has no MAINTAINER, ports@ is the appropriate list. Moritz
Web mail
Which web mail package is easiest to install and use on OpenBSD? Are there any gaping security holes? Eric Johnson
Re: scrub reassemble tcp and nat causes problems with some sites
On Wed, 19 Jul 2006, Sebastian Benoit wrote:
> This sounds like a MTU problem. Either those sites are blocking

Unlikely. I have cable, not a PPTP/PPPoE link. Therefore, no packet encapsulation. I'm aware of the MTU issue with ADSL.

> ICMP-frag-needed messages or you are.

I think I am. _Only_ reassemble tcp breaks things, but why?

> - set the correct MTU
> - check pf.conf for "scrub max-mss [...]"

No changes necessary, IMHO.

> - google

Have done this, of course. Turned up e.g.:
http://www.benzedrine.cx/pf/msg07352.html
http://monkey.org/openbsd/archive/bugs/0312/msg00059.html
Similar problem but no solution.

> - why do you use no-df?

Because of the NFS issue mentioned in pf.conf(5) and the FAQ. May not be useful on the external interface, though. However, the problem persists even without no-df.

Regards, Walter
Re: raidctl on a live raid array, and the kernel debugger
I understand what you are saying about this not being an OpenBSD or a raidframe problem. I will try that tool you pointed me to and see what it says. Will it permanently mark the blocks as bad? If the worst happens I'm going to have to rebuild the system, but I don't want it to use those blocks again on rebuild. Will newfs simply take care of it for me?

Actually wd1 is the disk causing these problems, but wd0 is the drive marked as failed. Likely due to a crash when I was trying to do a backup. The problems started when I tried to do a backup. Then when the system came back up I noticed that parity reconstruction was failing. So I checked and noticed that wd0 was marked as failed. An attempted in-place reconstruction brings me here. So as of right now I don't have a backup.

My raid device is carved up into a few partitions. I'm going to save as much of my data as possible. I'm hoping that those blocks are on a "system" partition like /usr. Does anyone know of a tool that will tell me which partition those blocks are in?

Next time my raid will be hardware based. :) Thanks for your help thus far.

Jeff Quast wrote: On 7/17/06, Jason Murray <[EMAIL PROTECTED]> wrote: In case the output is not clear enough, there is an error reading block numbers 11722176 through 111722303 on wd1.

This is not an issue with raidframe. This is an issue with your IDE disk. (or ide controller, etc...) Test the disk thoroughly using badblocks from the e2fstools port and I am sure it will reproduce the exact same console output. and panic, though a different backtrace. That OpenBSD crashes when an ide disk fails to communicate properly is not the fault of OpenBSD, and definitely not raidframe. OpenBSD actually tried to do you a favor and step down the communication speed ( /wd1: transfer error, downgrading to Ultra-DMA mode 4 ), in case it were the fault of the ide controller or what have you. I think I can easily guess that this is why raidframe marked the disk bad in the first place.

You need to replace the disk with a fresh disk of similar or greater geometry size, copy the disklabel onto the new disk, and reconstruct. This is what raid is for. Unfortunately for you, your raid is both software and ide. This is why the kernel panics.
Re: wikipedia amd64 Intel EM64T W^X OpenBSD
Siju George wrote:
> ... so does this mean that W^X support was available on EM64T processors even before XD bit was added if you use OpenBSD?

Sure it was...IF you ran OpenBSD/i386 on it. If you ran OpenBSD/amd64, no.

http://archives.neohapsis.com/archives/openbsd/2004-02/2145.html
http://www.openbsd.org/amd64.html

(I think that second paragraph needs to be updated for the newer Intel chips which emulate amd64 chips in a less sucky way, but I'm not sure of the details, so someone else needs to look that one over)

Nick.
Problem with x11/xfce4/xfce4-netload on i386, not on amd64
Hi list, Not terribly important, but I have a problem with the "netload" panel plugin for Xfce4. It shows the in/out rates for my interfaces (vr & re) on my amd64 machine, but on my i386 Vaio laptop with an fxp interface it always shows no traffic. It is able to figure out the IP number for the interface, but the speeds are always zero. Does anyone have a fix, patch, or workaround for this? ... or maybe just an explanation as to why I should not be surprised? Everything is CURRENT, and this is the way it's been since I switched over to Xfce4 a year or so ago. Cheers, Andreas -- Andreas Kahari Somewhere in the general Cambridge area, UK
Re: Web mail
http://www.squirrelmail.org/ May be not easiest to install, because of specific PHP requirements, but manageable. Haven't heard about security problems much, and also don't really know of any good alternative. Thanks, Pawel. Eric Johnson wrote: Which web mail package is easiest to install and use on OpenBSD? Are there any gaping security holes? Eric Johnson
Re: Problem with x11/xfce4/xfce4-netload on i386, not on amd64
On Wed, Jul 19, 2006 at 03:40:50PM +0100, Andreas Kahari wrote: > Hi list, > > Not terribly important, but I have a problem with the "netload" panel > plugin for Xfce4. It shows the in/out rates for my interfaces (vr & > re) on my amd64 machine, but on my i386 Vaio laptop with an fxp > interface it always shows no traffic. It is able to figure out the IP > number for the interface, but the speeds are always zero. I just ran the plugin, on i386-current (snapshot #987, Jul 16), and it works for me. I am using it on a laptop with the an(4) driver, and have configured the netload plugin to use an0 with "automatic maximum".
nload on OpenBSD - or an alternative
I regularly use nload on Linux to get a quick and dirty view of how much bandwidth something is using. It doesn't seem to be in stock 3.9, and I can't find it in ports either. Fair enough, it's not there. But a quick google reveals that back in November 2002 it was being worked on as a port (Thank you Neohapsis :-) although the actual content of the posts I found wasn't that encouraging. Did it ever make it in? Might it at some point? Possibly a better question, is there something similar/better already there? If not, I expect I can compile it from source myself, but I'm probably missing something... Richard W
Re: nload on OpenBSD - or an alternative
On 7/19/06, Richard Wilson <[EMAIL PROTECTED]> wrote: I regularly use nload on Linux to get a quick and dirty view of how much bandwidth something is using. It doesn't seem to be in stock 3.9, and I can't find it in ports either. Fair enough, it's not there. But a quick google reveals that back in November 2002 it was being worked on as a port (Thank you Neohapsis :-) although the actual content of the posts I found wasn't that encouraging. Did it ever make it in? Might it at some point? Possibly a better question, is there something similar/better already there? If not, I expect I can compile it from source myself, but I'm probably missing something...

ntop comes to mind, for i386 there is a package

more info: http://www.openbsd.org/3.9_packages/i386/ntop-1.1.tgz-long.html
Re: Web mail
On Wed, Jul 19, 2006 at 07:22:13AM -0500, Eric Johnson wrote: > Which web mail package is easiest to install and use on > OpenBSD? Are there any gaping security holes? > > Eric Johnson > http://www.squirrelmail.org/ // gsoares
Re: Web mail
Eric Johnson wrote: Which web mail package is easiest to install and use on OpenBSD? Are there any gaping security holes? Eric Johnson I've been using the sendmail (configured for Internet use) that was part of the OBSD 3.7 install on my two servers for the past 6 months, with zero problems or security-related incidents. -- -wittig http://www.robertwittig.com/ . http://robertwittig.net/
Re: nload on OpenBSD - or an alternative
On Wed, Jul 19, 2006 at 04:34:49PM +0100, Richard Wilson wrote:
> Did it ever make it in? Might it at some point? Possibly a better
> question, is there something similar/better already there?

$ cd /usr/ports && make search key='bandwidth.*monitor'
Port:   bwm-ng-0.5p0
Path:   net/bwm-ng
Info:   realtime bandwidth monitoring of interfaces
Maint:  Genadijus Paleckis <[EMAIL PROTECTED]>
Index:  net
L-deps:
B-deps:
R-deps:
Archs:  any

--
o--{ Will Maier }--o
| web:...http://www.lfod.us/ | [EMAIL PROTECTED] |
*--[ BSD Unix: Live Free or Die ]--*
Re: Web mail
On Wed, 19 Jul 2006, Eric Johnson wrote: Which web mail package is easiest to install and use on OpenBSD? Are there any gaping security holes? Ilohamail works for me and in my opinion it's better than Squirrelmail. There is a demo version on the site. If you have a working (IMAP/POP3) server you can try it out before installing it. I am not aware of its security history though, you have to search that yourself. http://blog.ilohamail.org/ https://ssl.ilohamail.org/devdemo/ (development demo) Antti Harri
Re: PF mysteriously blocking some return traffic (FIXED)
Thanks for the off list replies I got. I suspect this was a driver issue as it's working on 3.9 after spending all day reinstalling the firewalls. Ashley -- "If you do it the stupid way, you will have to do it again" - Gregory Chudnovsky
Re: Web mail
[EMAIL PROTECTED]:~/ > pkg_info ftp://ftp.stacken.kth.se/pub/OpenBSD/3.9/packages/i386/openwebmail-2.51.tgz
Information for ftp://ftp.stacken.kth.se/pub/OpenBSD/3.9/packages/i386/openwebmail-2.51.tgz

Comment:
highly configurable webmail client

Description:
Open WebMail is a webmail system designed to manage very large mail folder files in a memory efficient way. It also provides a range of features to help users migrate smoothly from Microsoft Outlook to Open WebMail.

FEATURES:
-
1. fast folder access
2. efficient messages movement
3. smaller memory footprint
4. convenient folder and message operation
5. graceful filelock
6. remote SMTP relaying
7. virtual hosting and account alias
8. pam support
9. per user capability configuration
10. full content search
11. strong MIME message capability
12. draft folder support
13. spelling check support
14. POP3 mail support
15. mail filter support
16. message count preview
17. confirm reading support
18. BIG5/GB conversion (for Chinese only)

Maintainer: Kevin Lo <[EMAIL PROTECTED]>

WWW: http://www.openwebmail.org/

/bkw

On 19/07/06, Eric Johnson <[EMAIL PROTECTED]> wrote:
Which web mail package is easiest to install and use on OpenBSD? Are there any gaping security holes?
Re: Something like Plesk for OpenBSD
2006/7/18, Bryan Irvine <[EMAIL PROTECTED]>: > I would like recommendations on solutions like Plesk for OpenBSD. AFAIK plesk runs on OpenBSD. If you are looking for something free, I think there is only webmin. --Bryan Try VHCS for something free and i know cpanel with WHM run on FreeBSD, maybe using FreeBSD emulation it can run on Open too, but this is not Free Software. http://vhcs.net/new/ http://www.cpanel.net/
Re: Web mail
http://www.roundcube.net/ It is pretty new still, but I replaced SquirrelMail with it because SquirrelMail is terrible. People seemed to like the change. Very simple to configure, and it's pretty. -Kian On 7/19/06, Bachman Kharazmi <[EMAIL PROTECTED]> wrote: > > [EMAIL PROTECTED]:~/ > pkg_info > > ftp://ftp.stacken.kth.se/pub/OpenBSD/3.9/packages/i386/openwebmail-2.51.tgz > Information for > > ftp://ftp.stacken.kth.se/pub/OpenBSD/3.9/packages/i386/openwebmail-2.51.tgz > > Comment: > highly configurable webmail client > > Description: > Open WebMail is a webmail system designed to manage very large mail folder > files in a memory efficient way. It also provides a range of features to > help users migrate smoothly from Microsoft Outlook to Open WebMail. > > FEATURES: > - > 1. fast folder access > 2. efficient messages movement > 3. smaller memory footprint > 4. convenient folder and message operation > 5. graceful filelock > 6. remote SMTP relaying > 7. virtual hosting and account alias > 8. pam support > 9. per user capability configuration > 10. full content search > 11. strong MIME message capability > 12. draft folder support > 13. spelling check support > 14. POP3 mail support > 15. mail filter support > 16. message count preview > 17. confirm reading support > 18. BIG5/GB conversion (for Chinese only) > > Maintainer: Kevin Lo <[EMAIL PROTECTED]> > > WWW: http://www.openwebmail.org/ > > /bkw > > On 19/07/06, Eric Johnson <[EMAIL PROTECTED]> wrote: > > Which web mail package is easiest to install and use on > > OpenBSD? Are there any gaping security holes?
web based FTP client?
Hi, is any 'good' web based ftp client around which can run in chrooted Apache? Thanks for your help George
Re: Problem with x11/xfce4/xfce4-netload on i386, not on amd64
On Wed, 19 Jul 2006, Andreas Kahari wrote: Not terribly important, but I have a problem with the "netload" panel plugin for Xfce4. It shows the in/out rates for my interfaces (vr & re) on my amd64 machine, but on my i386 Vaio laptop with an fxp interface it always shows no traffic. It is able to figure out the IP number for the interface, but the speeds are always zero. For what it's worth, it works fine here on current/macppc. Can you reproduce this on another i386 box ? -- Antoine
Re: Web mail
one problem though, it doesn't support the maildir format :-( George On Wed, Jul 19, 2006 at 06:59:06PM +0200, Bachman Kharazmi wrote: > [EMAIL PROTECTED]:~/ > pkg_info > ftp://ftp.stacken.kth.se/pub/OpenBSD/3.9/packages/i386/openwebmail-2.51.tgz > Information for > ftp://ftp.stacken.kth.se/pub/OpenBSD/3.9/packages/i386/openwebmail-2.51.tgz > > Comment: > highly configurable webmail client > > Description: > Open WebMail is a webmail system designed to manage very large mail folder > files in a memory efficient way. It also provides a range of features to > help users migrate smoothly from Microsoft Outlook to Open WebMail. > > FEATURES: > - > 1. fast folder access > 2. efficient messages movement > 3. smaller memory footprint > 4. convenient folder and message operation > 5. graceful filelock > 6. remote SMTP relaying > 7. virtual hosting and account alias > 8. pam support > 9. per user capability configuration > 10. full content search > 11. strong MIME message capability > 12. draft folder support > 13. spelling check support > 14. POP3 mail support > 15. mail filter support > 16. message count preview > 17. confirm reading support > 18. BIG5/GB conversion (for Chinese only) > > Maintainer: Kevin Lo <[EMAIL PROTECTED]> > > WWW: http://www.openwebmail.org/ > > /bkw > > On 19/07/06, Eric Johnson <[EMAIL PROTECTED]> wrote: > >Which web mail package is easiest to install and use on > >OpenBSD? Are there any gaping security holes?
Re: Web mail
2006/7/19, Bachman Kharazmi <[EMAIL PROTECTED]>: [EMAIL PROTECTED]:~/ > pkg_info ftp://ftp.stacken.kth.se/pub/OpenBSD/3.9/packages/i386/openwebmail-2.51.tgz Information for ftp://ftp.stacken.kth.se/pub/OpenBSD/3.9/packages/i386/openwebmail-2.51.tgz Comment: highly configurable webmail client Description: Open WebMail is a webmail system designed to manage very large mail folder files in a memory efficient way. It also provides a range of features to help users migrate smoothly from Microsoft Outlook to Open WebMail. FEATURES: - 1. fast folder access 2. efficient messages movement 3. smaller memory footprint 4. convenient folder and message operation 5. graceful filelock 6. remote SMTP relaying 7. virtual hosting and account alias 8. pam support 9. per user capability configuration 10. full content search 11. strong MIME message capability 12. draft folder support 13. spelling check support 14. POP3 mail support 15. mail filter support 16. message count preview 17. confirm reading support 18. BIG5/GB conversion (for Chinese only) Maintainer: Kevin Lo <[EMAIL PROTECTED]> WWW: http://www.openwebmail.org/ /bkw On 19/07/06, Eric Johnson <[EMAIL PROTECTED]> wrote: > Which web mail package is easiest to install and use on > OpenBSD? Are there any gaping security holes? In packages is horde, you can too search in the net about neomail. Both are webmail for easy use.
Re: web based FTP client?
not that I know of, but it would take about 20 minutes to write in PHP[1]. [1] or the language of your choice. --Bryan On 7/19/06, FTP <[EMAIL PROTECTED]> wrote: Hi, is any 'good' web based ftp client around which can run in chrooted Apache? Thanks for your help George
Re: best place to specify ipv6 default route
On Wed, 2006-07-19 at 00:05:25 +0200, Paul de Weerd wrote... > You should a) use grep -C and b) check out 3.9 or -current ;) Yea I'm on 3.7-RELEASE still. ugh. > [1]: http://marc.theaimsgroup.com/?l=openbsd-cvs&m=112930507105045&w=2 Aw damn, that's nice! Thanks todd@ - Eric
Re: web based FTP client?
On Wed, 2006-07-19 at 19:22:00 +0200, FTP wrote...
> is any 'good' web based ftp client around which can run in chrooted Apache?

Runs in chroot'ed apache... hrmm... methinks you are new to all of this, right? Maybe you should contact your local sysadmin and ask him to explain how things work between client, server, and where things are run.

If you mean that a client executable served back from a webserver, that's easy: it'd be a non-executable object under any document root.

> Thanks for your help

If you have a browser, you have an FTP client.

However, FTP over HTTP is the major suck.
looking for clue
Hi I'm looking for clue. Does anyone have any? -p -- Here my ticker tape .signature My name is Peter Philipp lynx -dump "http://en.wikipedia.org/w/index.php?title=Pufferfish&oldid=20768394"; | sed -n 131,136p There is no such thing as a certified security specialist Security is the countermeasure to a constantly changing idea of how to compromise a system when given the opportunity What you really mean is a certified security historian, and even that depends on how up-to-date you are and on your cognitive abilities Feeling special still? How well can you program? Finally respect a brain that can recite lyrics perfectly, the cognitive abilities are unmatched So long and thanks for all the fish!!!
Re: Network debuggery on OpenBSD
On Jul 19, 2006, at 8:48 AM, Scott Francis wrote: On 7/18/06, R. Tyler Ballance <[EMAIL PROTECTED]> wrote:

Howdy, I'm working on debugging a quirky bug (aren't they all) when using an OpenBSD NFS client with a FreeBSD NFS server, I'm certain it's agnostic of the NFS server, but I can't say for sure because we rely on FreeBSD servers, and the Mac OS X and redhat NFS clients function properly. I'm still working out the specific, and appropriate reproduction steps for the bug, but in short, it leaves the OpenBSD machine completely frozen. Interestingly enough, the OpenBSD machine still responds to pings over the network, but all physical and virtual terminals become completely locked. (This excludes the keyboard shortcuts to drop the machine into ddb when ddb.console => 1 ) The basic question is, what are my options for pinpointing this bug? From what I remember correctly I can setup ddb over a serial console through some means, but the machine is atop a bookshelf and about 50ft from my workstation ;) I've examined the tcpdump output on the server side of things, but nothing out of order, with the exception of the sudden drop in data being transferred, is noticeable on that side of things. I'm wondering if there's any way from ddb I can accurately gauge _where_ the lock up is happening, and then of course, how it is happening ;)

you're on the right track with tcpdump, I think - I'd be running it on the OpenBSD client and outputting to a file, and when/if the box freezes again, you should be able to reboot and see at which point network data stopped logging for the client.

That's a novel idea, hadn't thought of it to be honest ;) I'm still quite uncertain that this is a network related problem at all. I've yet to peg down exactly where the problem is stemming from, but it seems to be more in how OpenBSD is handling the NFS mounts when certain actions are performed and then interrupted.

The real world test scenario for this bug is when a user uploads a large file, and is either prematurely disconnected, or interrupts the transfer for any reason, the OpenBSD client will lock up. The test-case for this is using dd(1) to transfer large amounts of data to the NFS mount and then interrupt (with a SIGINT) and then the machine will proceed to lockup. I'm testing today whether Actions like a mv(1) or cp(1) from a local disk to the NFS mount act in the same manner when sent a SIGINT.

Are you using soft/interruptible mounts on the server side? What version of OpenBSD and NFS?

3.9-RELEASE on OpenBSD, and yes, interruptible mounts are enabled.

Cheers,
-R. Tyler Ballance
Lead Developer, bleep. LLC
http://www.bleepsoft.com
Re: web based FTP client?
On Wed, Jul 19, 2006 at 12:43:39PM -0500, Eric Pancer wrote: > On Wed, 2006-07-19 at 19:22:00 +0200, FTP wrote... > > > is any 'good' web based ftp client around which can run in chrooted Apache? > > Runs in chroot'ed apachehrmm...methinks you are new to all of this, > right? Maybe you should contact your local sysadmin and ask him the explain > how things work between client, server, and where things are run. > > If you mean that a client executable served back from a webserver, thats > easy: it'd be a non-executable object under any document root. > > > Thanks for your help > > If you have a browser, you have an FTP client. > > However, FTP over HTTP is the major suck. > > the browser itself is only for anonymous ftp :-( I actually wanted FTP over HTTP Thanks George
Re: looking for clue
On Wed, 2006-07-19 at 20:21:01 +0200, Peter Philipp wrote... > Hi I'm looking for clue. Does anyone have any? > Hey, aren't you the idiot that kept renegotiating your DHCP lease? There's no clue here for you to find; we don't speak Martian. - Eric
Re: looking for clue
On Wed, Jul 19, 2006 at 08:21:01PM +0200, Peter Philipp wrote: > Hi I'm looking for clue. Does anyone have any? Given your recent questions, I would suggest further reading on Threat Modeling and specifically Attack Trees. -- Darrin Chandler| Phoenix BSD Users Group [EMAIL PROTECTED] | http://bsd.phoenix.az.us/ http://www.stilyagin.com/ |
Re: web based FTP client?
On Wed, 2006-07-19 at 20:27:52 +0200, FTP wrote... > the browser itself is only for anonymous ftp :-( I actually wanted FTP > over HTTP Browser can do authenticated FTP. Please consult your documentation, this is not an OpenBSD problem. - Eric
Re: looking for clue
On Wed, Jul 19, 2006 at 11:33:16AM -0700, Darrin Chandler wrote: > On Wed, Jul 19, 2006 at 08:21:01PM +0200, Peter Philipp wrote: > > Hi I'm looking for clue. Does anyone have any? > > Given your recent questions, I would suggest further reading on Threat > Modeling and specifically Attack Trees. > > -- > Darrin Chandler| Phoenix BSD Users Group > [EMAIL PROTECTED] | http://bsd.phoenix.az.us/ > http://www.stilyagin.com/ | Dear Darrin, Thanks for your reply. I'll get back to you. -p -- Here my ticker tape .signature My name is Peter Philipp lynx -dump "http://en.wikipedia.org/w/index.php?title=Pufferfish&oldid=20768394"; | sed -n 131,136p There is no such thing as a certified security specialist Security is the countermeasure to a constantly changing idea of how to compromise a system when given the opportunity What you really mean is a certified security historian, and even that depends on how up-to-date you are and on your cognitive abilities Feeling special still? How well can you program? Finally respect a brain that can recite lyrics perfectly, the cognitive abilities are unmatched So long and thanks for all the fish!!!
Re: looking for clue
On 7/19/06, Peter Philipp <[EMAIL PROTECTED]> wrote: Hi I'm looking for clue. Does anyone have any? -p too funny!
Re: web based FTP client?
On Wed, 19 Jul 2006, Eric Pancer wrote: > On Wed, 2006-07-19 at 20:27:52 +0200, FTP wrote... > > > the browser itself is only for anonymous ftp :-( I actually wanted FTP > > over HTTP > > > Browser can do authenticated FTP. Please consult your documentation, this is > not an OpenBSD problem. > Browsers make excellent ftp clients for users! Authenticated or not, .. man ftpchroot (base system). Lee Leland V. Lammert[EMAIL PROTECTED] Chief Scientist Omnitec Corporation Network/Internet Consultants www.omnitec.net
Re: looking for clue
On Wed, Jul 19, 2006 at 08:21:01PM +0200, Peter Philipp wrote: Hi I'm looking for clue. Does anyone have any? Google provide some: http://www.hasbro.com/clue/ Make sure you fit the minimum requirements however: http://www.hasbro.com/clue/pl/page.browse/dn/default.cfm May be CLUE JR. might fit. Hope this help
Re: Web mail
I second roundcube nomination. The SquirrelMail 1.5.x CVS tree is .. correct that.. ahem .. was wy better than 1.4.x, but 1.5 has been beyond hope for some time now. RoundCube is where it's at. Requires MySQL, and still missing a search feature, but it pretty much works right out of the box. It has been a few months since I last checked out 1.5.x squirrelmail. Maybe it's gotten better since. On 19/07/06, Kian Mohageri <[EMAIL PROTECTED]> wrote: http://www.roundcube.net/ It is pretty new still, but I replaced SquirrelMail with it because SquirrelMail is terrible. People seemed to like the change. Very simple to configure, and it's pretty. -Kian On 7/19/06, Bachman Kharazmi <[EMAIL PROTECTED]> wrote: > > [EMAIL PROTECTED]:~/ > pkg_info > > ftp://ftp.stacken.kth.se/pub/OpenBSD/3.9/packages/i386/openwebmail-2.51.tgz > Information for > > ftp://ftp.stacken.kth.se/pub/OpenBSD/3.9/packages/i386/openwebmail-2.51.tgz > > Comment: > highly configurable webmail client > > Description: > Open WebMail is a webmail system designed to manage very large mail folder > files in a memory efficient way. It also provides a range of features to > help users migrate smoothly from Microsoft Outlook to Open WebMail. > > FEATURES: > - > 1. fast folder access > 2. efficient messages movement > 3. smaller memory footprint > 4. convenient folder and message operation > 5. graceful filelock > 6. remote SMTP relaying > 7. virtual hosting and account alias > 8. pam support > 9. per user capability configuration > 10. full content search > 11. strong MIME message capability > 12. draft folder support > 13. spelling check support > 14. POP3 mail support > 15. mail filter support > 16. message count preview > 17. confirm reading support > 18. BIG5/GB conversion (for Chinese only) > > Maintainer: Kevin Lo <[EMAIL PROTECTED]> > > WWW: http://www.openwebmail.org/ > > /bkw > > On 19/07/06, Eric Johnson <[EMAIL PROTECTED]> wrote: > > Which web mail package is easiest to install and use on > > OpenBSD? 
Are there any gaping security holes?
Re: Web mail
On Wed, Jul 19, 2006 at 07:26:01PM +0200, FTP wrote: > one problem though, it doesn't support the maildir format :-( there is a unofficial/suckz patch/openwebmail to make maildir support at http://www.agneau.org/openwebmail/ *the squirrelmail is a better choice* // gsoares
Re: Web mail
It is pretty new still, but I replaced SquirrelMail with it because SquirrelMail is terrible. People seemed to like the change. Very simple to configure, and it's pretty. but it's pretty good too :) -- Hi, I'm a .signature virus! Copy me to your .signature file and help me propagate, thanks!
Re: web based FTP client?
On Wed, 2006-07-19 at 20:27 +0200, FTP wrote:
> the browser itself is only for anonymous ftp :-( I actually wanted FTP over
> HTTP

what about http://user:[EMAIL PROTECTED] ?

altogether a bad idea though...however no more insecure than using plain-old-FTP in the first place. Might or might not work as web browsers don't tend to know anything about passive mode FTP and instead use active mode for everything.

later. ryanc

--
Ryan Corder <[EMAIL PROTECTED]> Systems Engineer, NovaSys Health LLC. 501-219- ext. 646
Re: Web mail
On Wed, 19 Jul 2006 07:22:13 -0500, Eric Johnson wrote
> Which web mail package is easiest to install and use on
> OpenBSD? Are there any gaping security holes?
>
> Eric Johnson

Someone posted a question about a week or two ago for a chrooted web-based email system. Nick Holland (I think) wrote how if you really understood programming, you would know how extremely difficult implementing a chrooted web-based email system really is. (These are my words, Nick probably meant or said something else entirely but that's what I got out of it even if I'm mistaken.) Anyways Nick suggested Openwebmail. I tried it and I would say without a doubt it's the easiest to install. It was hard to figure it out for me but after I did, I said to myself, that was easy.

Here's what you do: Get sendmail running and spamd (most of this requires only uncommenting lines in several configuration files). Now you have a spam fighting MTA. Use pkg_add openwebmail to install it. This will install all the dependencies. Read the readme.txt file on openwebmail's website. It shows how to change the rights (chmod) of a few files in /var/www/cgi-bin/openwebmail/*. These same files are owned by user 276 for some reason, you need to change the owner to the right user but I forget which (I think root). Now read man ssl to get httpd running with https. Add httpd_flags="-u -DSSL". Now go into /var/www/conf/httpd.conf and modify it so that all http requests go to https. This is in the virtual table section. Then reboot.

The beauty is this: I don't need pop or imap or mysql or php or python or ruby installed. All I need is a base openbsd system and openwebmail (using pkg_add). You may want to read man starttls too so that your MTA can encrypt email to any MTA that understands and uses starttls.

One other guy posted that openwebmail doesn't support maildir. Maildir is supposedly better, but with valid reasons. Even though those reasons sound good I haven't come across any reasons that say mbox should not be used or is not capable of handling a significant amount of users. Sendmail with mbox has been around handling thousands of users in universities and corporations way before qmail and postfix came about so sendmail and mbox should be more than adequate. One thing I've read that's a disadvantage to maildir is that you can run out of inodes and that's bad when it happens.

Keep in mind, I'm no big-time email administrator so take this with a grain of salt but this has been my experience and research so far. I'd be glad to hear from some people how I'm wrong on this. I would find it interesting.
OPENBSD isakmpd VPN Problems
Hello all,

I'm finally desperate enough to post this to a list...

I have been trying for two days to set up a basic VPN between my OpenBSD box at home and my OpenBSD box at work. The box at home is running 3.7 and the box here at work is running 3.9.

I know this is going to look like a lot of information but I don't really know what else to do:

HOME GATEWAY

This is isakmpd.conf on the home end:

[General]
Listen-on=

[Phase 1]
= work

[work]
Phase = 1
Transport = udp
Address =
Local-address=
Configuration = Default-main-mode
Authentication =sharedsecret

[Phase 2]
Connections = VPN-home-work

[VPN-home-work]
Phase = 2
ISAKMP-peer=work
Configuration = Default-quick-mode
Local-ID = internal-net
Remote-ID = remote-net

[internal-net]
ID-type=IPV4_ADDR_SUBNET
Network = 192.168.2.0
Netmask = 255.255.255.0

[remote-net]
ID-type=IPV4_ADDR_SUBNET
Network = 10.113.10.0
Netmask = 255.255.255.0

[Default-main-mode]
DOI=IPSEC
EXCHANGE_TYPE=ID_PROT
Transforms=3DES-SHA

[Default-quick-mode]
DOI = IPSEC
EXCHANGE_TYPE=QUICK_MODE
Suites = QM-ESP-3DES-SHA-SUITE

This is isakmpd.policy:

KeyNote-Version 2
Authorizer: "POLICY"
Licensees: "sharedsecret"
Conditions: app_domain == "IPsec policy" && esp_present=="yes" esp_enc_alg != "null" -> "true";

WORK GATEWAY

This is isakmpd.conf on the work end:

[General]
Listen-on =

[Phase 1]
= steveHome

[Phase 2]
Connections = VPN-Peachnet-steveHome

[steveHome]
Phase = 1
Transport = udp
Address =
Local-address =
Configuration = Default-main-mode
Authentication = sharedsecret

[VPN-Peachnet-steveHome]
Phase = 2
ISAKMP-peer = steveHome
Configuration = Default-quick-mode
Local-ID = local-internal-network
Remote-ID = steveHome-net

[local-internal-network]
ID-type = IPV4_ADDR_SUBNET
Network = 10.113.10.0
Netmask = 255.255.255.0

[steveHome-net]
ID-type = IPV4_ADDR_SUBNET
Network = 192.168.2.0
Netmask = 255.255.255.0

[Default-main-mode]
DOI = IPSEC
EXCHANGE_TYPE = ID_PROT
Transforms = 3DES-SHA

[Default-quick-mode]
DOI = IPSEC
EXCHANGE_TYPE = QUICK_MODE
Suites = QM-ESP-3DES-SHA-SUITE

This is isakmpd.policy on the work end:

KeyNote-Version: 2
Authorizer: "POLICY"
Licensees: "passphrase:sharedsecret"
Conditions: app_domain == "IPsec policy" && esp_present == "yes" && esp_enc_alg != "null" -> "true";

END CONFIG FILES -

Now as far as I know the config files are OK (I've tried them every which way).

Now here is what I do. I start up the work end of the VPN (isakmpd -d -DA=90 >& outfile) and then start up the home end the same way.

The outfile on the home end is here: http://bartowpc.com/home_outfile

The outfile on the work end is here: http://bartowpc.com/work_outfile (I marked the file about halfway down at around the point where I start my home isakmpd)

I can provide the TCPDUMPS too if necessary.

I know this is a lot of info to pore over but I'm at my wits' end. The VPN between my home and work isn't even the ultimate goal here but I'm trying to take it one step at a time.

Thanks a ton for any help!!
Re: OPENBSD isakmpd VPN Problems
Steve Glaus wrote:
> Hello all, I'm finally desperate enough to post this to a list... I have been trying for two days to set up a basic VPN between my OpenBSD box at home and my OpenBSD box at work. The box at home is running 3.7 and the box here at work is running 3.9.

May be worth having 3.9 in both places.

Here is something that might help: http://www.securityfocus.com/infocus/1859

Also may be good to read: http://www.undeadly.org/cgi?action=article&sid=2006062116

and this especially: http://www.undeadly.org/cgi?action=article&sid=20060606210130

man 8 ipsecctl
man 8 isakmpd
man 5 isakmpd.conf

So many changes happened in the last few months and many things have been replaced that I think trying to set up a VPN using what we may call the old way is a waste of time. I have seen many articles and examples in the last few months explaining all the great changes to this that I would say trying to use 3.7 for this is wrong. But I may be wrong for sure. It's just based on what was posted lately really.

I am not 100% sure, but I think even some of the best changes are in current that make the setup very simple now based on articles on undeadly.org about the subject.

Just a thought. Hope this helps you some.
Re: Web mail
Eric Johnson wrote: Which web mail package is easiest to install and use on OpenBSD? Are there any gaping security holes? I've used Horde/IMP for several years now and like it. I wouldn't exactly call it "easy to install," though - look around online for walkthroughs, as certain parts of it get messy. --Todd
Re: scrub reassemble tcp and nat causes problems with some sites
> Unfortunately I cannot determine why only some sites have troubles
> and that's why I seeking advice here on howto further diagnose
> the problem.
>
> Any hints are appreciated!

It's a stab in the dark but I would start with the assumption that some sites are using server load balancing and that "reassemble tcp" is breaking this somehow. Then I'd try and prove that assumption by looking at the tcpdumps specifically for how "reassemble tcp" changes may be interfering.

Get tcpdumps on both router interfaces with and without the "reassemble tcp" option. Do this for a similar file on both a working website and broken (ebay) website.

Tips on doing this:
- be careful not to filter too much, you might miss an important icmp reply from an interim router
- make sure tcpdump's snaplen is big enough to get all the headers - including http
- try and replicate the issue with small html files so the packet captures aren't too busy
- ensure that each capture sees the tcp handshake and FIN

Then load the comparable captures into Ethereal/Wireshark and stare at them until it makes sense :-)

Steve
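The capture checks in the tips above can be run mechanically before the files are compared by eye. This is an added example, not part of the original message: for each TCP connection in a classic pcap file it reports whether the SYN, SYN/ACK and a FIN were captured, how many packets the snaplen cut short, and how many segments carried the TCP timestamp option (RFC 1323) that the pf debug messages quoted later in this thread refer to. All function names, addresses and frames are constructed for illustration.

```python
import struct
SYN, ACK, FIN = 0x02, 0x10, 0x01               # TCP flag bits

def has_timestamp(opts):
    i = 0
    while i < len(opts) and opts[i] != 0:      # kind 0 ends the option list
        if opts[i] == 8:
            return True                        # kind 8: RFC 1323 timestamp
        if opts[i] != 1 and (i + 1 >= len(opts) or opts[i + 1] < 2):
            return False                       # malformed or cut-off option
        i += 1 if opts[i] == 1 else opts[i + 1]    # NOP is a single byte
    return False

def audit(capture):                            # classic pcap, Ethernet link type
    order = "<" if capture[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    flows, off = {}, 24                        # skip the 24-byte global header
    while off + 16 <= len(capture):
        caplen = struct.unpack(order + "I", capture[off + 8:off + 12])[0]
        pkt = capture[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue                           # not IPv4 carrying TCP
        tcp = 14 + (pkt[14] & 0x0F) * 4        # offset of the TCP header
        if len(pkt) < tcp + 14:
            continue                           # ports and flags not captured
        hdr_end = tcp + (pkt[tcp + 12] >> 4) * 4
        ends = [(".".join(map(str, pkt[o:o + 4])), port) for o, port in
                zip((26, 30), struct.unpack("!HH", pkt[tcp:tcp + 4]))]
        f = flows.setdefault(tuple(sorted(ends)), dict(
            syn=False, synack=False, fin=False, ts=0, no_ts=0, cut=0))
        if len(pkt) < hdr_end:
            f["cut"] += 1                      # snaplen too small for the TCP options
            continue
        flags = pkt[tcp + 13]
        f["syn"] |= flags & (SYN | ACK) == SYN
        f["synack"] |= flags & (SYN | ACK) == SYN | ACK
        f["fin"] |= bool(flags & FIN)
        f["ts" if has_timestamp(pkt[tcp + 20:hdr_end]) else "no_ts"] += 1
    return flows

def frame(src, dst, sport, dport, flags, ts=True):   # constructed test frame
    opts = b"\x01\x01\x08\x0a" + bytes(8) if ts else b""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                      (20 + len(opts)) // 4 << 4, flags, 65535, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(src), bytes(dst))
    return bytes(12) + b"\x08\x00" + ip + tcp

def pcap(frames, snaplen=65535):               # write frames as a pcap byte string
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for fr in frames:
        out += struct.pack("<IIII", 0, 0, min(len(fr), snaplen), len(fr)) + fr[:snaplen]
    return out

# Constructed sample (documentation addresses): one complete connection, one
# that never sees a FIN and has a segment without the timestamp option.
C, GOOD, BAD = (192, 0, 2, 10), (198, 51, 100, 1), (203, 0, 113, 1)
FRAMES = [frame(C, GOOD, 40000, 80, SYN), frame(GOOD, C, 80, 40000, SYN | ACK),
          frame(C, GOOD, 40000, 80, FIN | ACK), frame(C, BAD, 40001, 80, SYN),
          frame(BAD, C, 80, 40001, SYN | ACK), frame(BAD, C, 80, 40001, ACK, ts=False)]
```

Calling `audit(pcap(FRAMES, snaplen=54))` shows the truncation case: every segment that carries options is counted under `cut` instead of being classified.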
[RTLWS8-CFP] Eighth Real-Time Linux Workshop 2nd CFP
We apologize for multiple receipts.

Eighth Real-Time Linux Workshop
October 12-15, 2006
Lanzhou University - SISE
Tianshui South Road 222
Lanzhou, Gansu 73 P.R.China

General

Following the meetings of developers and users at the previous 7 successful real-time Linux workshops held in Vienna, Orlando, Milano, Boston, and Valencia, Singapore, Lille, the Real-Time Linux Workshop for 2006 will come back to Asia again, to be held at the School for Information Science and Engineering, Lanzhou University, in Lanzhou China.

Embedded and real-time Linux is rapidly gaining traction in the Asia Pacific region. Embedded systems in both automation/control and entertainment are moving to 32/64bit systems, opening the door for the use of full featured OS like GNU/Linux on COTS based systems. With real-time capabilities being a common demand for embedded systems the soft and hard real-time variants are an important extension to the versatile GNU/Linux GPOS.

Authors are invited to submit original work dealing with general topics related to real-time Linux research, experiments and case studies, as well as issues of integration of real-time and embedded Linux. A special focus will be on industrial case studies.

Topics of interest include, but are not limited to:
* Modifications and variants of the GNU/Linux operating system extending its real-time capabilities,
* Contributions to real-time Linux variants, drivers and extensions,
* User-mode real-time concepts, implementation and experience,
* Real-time Linux applications, in academia, research and industry,
* Work in progress reports, covering recent developments,
* Educational material on real-time Linux,
* Tools for embedding Linux or real-time Linux and embedded real-time Linux applications,
* RTOS core concepts, RT-safe synchronization mechanisms,
* RT-safe interaction of RT and non RT components,
* IPC mechanisms in RTOS,
* Analysis and Benchmarking methods and results of real-time GNU/Linux variants,
* Debugging techniques and tools, both for code and temporal debugging of core RTOS components, drivers and real-time applications,
* Real-time related extensions to development environments.

Further information:
EN: http://www.realtimelinuxfoundation.org/events/rtlws-2006/ws.html
CN: http://dslab.lzu.edu.cn/rtlws8/index.html

Awarded papers

The Programme Committee will award a best paper in the category Real-Time Systems Theory. This best paper will be invited for publication to the Real-Time Systems Journal, RTSJ.

The Programme Committee will award a best paper in the category Real-Time Systems Application. This best paper will be invited for publication to the Dr Dobbs Journal. Moreover, the publication of the other papers in a special issue of Dr Dobbs Journal is in discussion.

Abstract submission

In order to register an abstract, please go to: http://www.realtimelinuxfoundation.org/rtlf/register-abstract.html

Venue

Lanzhou University Information Building, School of Information Science and Engineering, Lanzhou University, http://www.lzu.edu.cn/.

Registration

In order to participate in the workshop, please register on the registration page at: http://www.realtimelinuxfoundation.org/rtlf/register-participant.html

Accommodation

Please refer to the Lanzhou hotel page for accommodation at http://dslab.lzu.edu.cn/rtlws8/hotels/hotels.htm

Travel information

For travel information and directions how to get to Lanzhou from an international airport in China please refer to: http://www.realtimelinuxfoundation.org/events/rtlws-2006/

Important dates

August 28: Abstract submission
September 15: Notification of acceptance
September 29: Final paper

Panel Participants:
o Roberto Bucher - Scuola Universitaria Professionale della Svizzera Italiana, Switzerland, RTAI/ADEOS/RTAI-Lab.
o Alfons Crespo Lorente - University of Valencia, Spain, Departament d'Informàtica de Sistemes i Computadors, XtratuM.
o Herman Haertig - Technical University Dresden, Germany, Institute for System Architecture, L4/Fiasco/L4Linux.
o Nicholas Mc Guire - Lanzhou University, P.R. China, Distributed and Embedded Systems Lab, RTLinux/GPL.
o Douglas Niehaus - University of Kansas, USA, Information and Telecommunication Technology Center, RT-preempt.

Organization committee:
* Prof. Li LIAN (Co-Chair), (SISE, Lanzhou University, CHINA)
* Xiaoping ZHANG, LZU, CHINA
* Jimi
Re: scrub reassemble tcp and nat causes problems with some sites
Hi Walter,

I've seen this behavior also. When I 'set debug loud' I got more information recorded via syslog. Some stuff about RFC1323 and bad-timestamp errors. Below is a section of a pf.conf file. It would be interesting to know if you get similar results with set debug loud when trying to access problem sites.

# NORMALIZATION: reduce/resolve ambiguities.
#
scrub on $admif all random-id reassemble tcp
#scrub on $lanif all random-id reassemble tcp
#scrub on $wanif all random-id reassemble tcp
#
# Problem using "reassemble tcp" on $lanif and/or $wanif
# Mac OS X "software update" fails.
# bad-timestamp counter increments, RFC1323 errors in syslog with debug loud
# All else works fine including other http on OS X. TBD: investigate further.
#
scrub on $lanif all random-id fragment reassemble
scrub on $wanif all random-id fragment reassemble

-Dan

Walter Haidinger wrote:
> Hi!
>
> I'm running OpenBSD 3.9 GENERIC as a NAT router. If I add the "reassemble tcp" option to my scrub rule in pf.conf, I have trouble connecting to some sites, particulary ebay (ebay.de, ebay.at and ebay.com as well as e.g. kaufen.ebay.de) and some other few sites, from a machine behind the NAT router. Connects time out or have long delays if the site responds at all.
>
> If connecting directly from OpenBSD, using lynx or squid running on the router, there is no problem.
>
> If I omit "reassemble tcp" everything works fine, i.e. with:
> scrub all no-df fragment reassemble random-id
>
> I've never noticed the problem before because I was running the squid proxy on the router. Now I've moved it to a different machine which is NATted too. Please note that it is not a squid issue as timeouts occur regardless of proxy use if on a NATted machine.
>
> Unfortunately I cannot determine why only some sites have troubles and that's why I seeking advice here on howto further diagnose the problem.
>
> Any hints are appreciated!
>
> Regards, Walter

--
[EMAIL PROTECTED]
Re: Web mail
On Thursday 20 July 2006 03:32, Whyzzi wrote:
> Requires MySQL

And the rational reason for a webmail system to require a RDBMS backend is?

---
Lars Hansson
Re: Web mail
On 2006/07/19 14:21, Freddy Moya wrote:
> In packages is horde, you can too search in the net about neomail.

horde needs an update for a security problem. someone with spare time should try updating it and send the maintainer a diff...it's unlikely to be difficult.

roundcube is nice but ajax-only, which is a problem for some users.

hastymail is reasonably nice and the docs tell you about chroot'ed install.

this comes up fairly often, the list archives will find some more. there's different software for different users and without more information about what's needed, nobody can make a good suggestion, just try some...
Re: scrub reassemble tcp and nat causes problems with some sites
More info - I ran a test scenario. Here is a sample of the messages I get via syslog with set debug loud and scrub with reassemble tcp trying to run OS X's "Software Update".

Jul 19 19:42:37 obsd38 /bsd: pf_normalize_tcp_stateful: Did not receive expected RFC1323 timestamp
Jul 19 19:42:37 obsd38 /bsd: TCP 192.168.1.14:65108 192.168.1.14:65108 17.250.248.95:80 [lo=4276925920 high=4276942304 win=65535 modulator=0 wscale=0] [lo=708430922 high=708496457 win=16384 modulator=0 wscale=0] 9:4 A

-Dan

Daniel E. Hassler wrote:
> Hi Walter,
>
> I've seen this behavior also. When I 'set debug loud' I got more information recorded via syslog. Some stuff about RFC1323 and bad-timestamp errors. Below is a section of a pf.conf file. It would be interesting to know if you get similar results with set debug loud when trying to access problem sites.
>
> # NORMALIZATION: reduce/resolve ambiguities.
> #
> scrub on $admif all random-id reassemble tcp
> #scrub on $lanif all random-id reassemble tcp
> #scrub on $wanif all random-id reassemble tcp
> #
> # Problem using "reassemble tcp" on $lanif and/or $wanif
> # Mac OS X "software update" fails.
> # bad-timestamp counter increments, RFC1323 errors in syslog with debug loud
> # All else works fine including other http on OS X. TBD: investigate further.
> #
> scrub on $lanif all random-id fragment reassemble
> scrub on $wanif all random-id fragment reassemble
>
> -Dan
>
> Walter Haidinger wrote:
> > Hi!
> >
> > I'm running OpenBSD 3.9 GENERIC as a NAT router. If I add the "reassemble tcp" option to my scrub rule in pf.conf, I have trouble connecting to some sites, particulary ebay (ebay.de, ebay.at and ebay.com as well as e.g. kaufen.ebay.de) and some other few sites, from a machine behind the NAT router. Connects time out or have long delays if the site responds at all.
> >
> > If connecting directly from OpenBSD, using lynx or squid running on the router, there is no problem.
> >
> > If I omit "reassemble tcp" everything works fine, i.e. with:
> > scrub all no-df fragment reassemble random-id
> >
> > I've never noticed the problem before because I was running the squid proxy on the router. Now I've moved it to a different machine which is NATted too. Please note that it is not a squid issue as timeouts occur regardless of proxy use if on a NATted machine.
> >
> > Unfortunately I cannot determine why only some sites have troubles and that's why I seeking advice here on howto further diagnose the problem.
> >
> > Any hints are appreciated!
> >
> > Regards, Walter

--
[EMAIL PROTECTED]
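To see which remote hosts trigger the message quoted above, the `set debug loud` output can be tallied per destination. This is an added example, not part of the original post: only the first pair of sample lines comes from the message, the rest is constructed, and reading the three addresses on the state line as internal host, gateway address and remote host is an assumption based on that sample.

```python
import re
from collections import Counter

EVENT = re.compile(r"/bsd: pf_normalize_tcp_stateful: (?P<reason>.+?)\s*$")
PEER = r"\[lo=\d+ high=\d+ win=\d+ modulator=\d+ wscale=\d+\]"
STATE = re.compile(r"/bsd: TCP (?P<lan>\S+) (?P<gwy>\S+) (?P<ext>\S+) "
                   + PEER + " " + PEER + r" (?P<states>\d+:\d+)")

# First pair: as quoted in the post. Everything after it is constructed
# (documentation addresses), including a final event with no state line.
SAMPLE = """\
Jul 19 19:42:37 obsd38 /bsd: pf_normalize_tcp_stateful: Did not receive expected RFC1323 timestamp
Jul 19 19:42:37 obsd38 /bsd: TCP 192.168.1.14:65108 192.168.1.14:65108 17.250.248.95:80 [lo=4276925920 high=4276942304 win=65535 modulator=0 wscale=0] [lo=708430922 high=708496457 win=16384 modulator=0 wscale=0] 9:4 A
Jul 19 19:43:02 obsd38 /bsd: pf_normalize_tcp_stateful: Did not receive expected RFC1323 timestamp
Jul 19 19:43:02 obsd38 /bsd: TCP 192.168.1.20:51000 198.51.100.7:51000 203.0.113.10:80 [lo=100 high=200 win=65535 modulator=0 wscale=0] [lo=300 high=400 win=16384 modulator=0 wscale=0] 4:4 A
Jul 19 19:43:09 obsd38 /bsd: pf_normalize_tcp_stateful: Did not receive expected RFC1323 timestamp
Jul 19 19:43:09 obsd38 /bsd: TCP 192.168.1.20:51001 198.51.100.7:51001 203.0.113.10:80 [lo=500 high=600 win=65535 modulator=0 wscale=0] [lo=700 high=800 win=16384 modulator=0 wscale=0] 4:4 A
Jul 19 19:43:30 obsd38 /bsd: pf_normalize_tcp_stateful: Did not receive expected RFC1323 timestamp
"""

def parse_events(text):
    """Pair each normalizer message with the state line logged right after it."""
    events, pending = [], None
    for line in text.splitlines():
        state = STATE.search(line)
        if pending is not None:
            if state:
                pending.update(state.groupdict())
            events.append(pending)          # kept even when no state line followed
            pending = None
            if state:
                continue
        event = EVENT.search(line)
        if event:
            pending = {"reason": event["reason"], "lan": None, "gwy": None,
                       "ext": None, "states": None}
    if pending is not None:
        events.append(pending)
    return events

def by_remote(events):
    """Count events per (reason, remote host:port)."""
    return Counter((e["reason"], e["ext"] or "unknown") for e in events)

def translated(events):
    """Events whose first two addresses differ (assumed: a NATed connection)."""
    return [e for e in events if e["lan"] and e["lan"] != e["gwy"]]
```

Running `by_remote(parse_events(open("/var/log/messages").read()))` on the router gives the same tally for real output; the log path is an assumption about where syslog writes kernel messages on the machine in question.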
Re: Web mail
Lars Hansson wrote:
> On Thursday 20 July 2006 03:32, Whyzzi wrote:
> > Requires MySQL
>
> And the rational reason for a webmail system to require a RDBMS backend is?

Preferences and address books at least. Once you've got more than a handful of users, it gets a little silly keeping all that in flat files. You could use something like BDB or whatever, but then you're likely to hit more versioning and platform issues.

Some systems will also use a DB for other things. The H3 versions of IMP can do things like send an automagically-created link to a file instead of an attachment, and it keeps the authentication and expiration information for that in the DB from what I understand.

It would be nice if the software didn't *require* a DB, but I can see how requiring one makes things simpler for the developers.

--Todd
Re: wikipedia amd64 Intel EM64T W^X OpenBSD
On 7/19/06, Nick Holland <[EMAIL PROTECTED]> wrote:
> Siju George wrote:
> ...
> > so does this mean that W^X support was available on EM64T
> > processors even before XD bit was added if you use OpenBSD?
>
> Sure it was...IF you ran OpenBSD/i386 on it.
> If you ran OpenBSD/amd64, no.

Thank you so much Jeff and Nick for your clarifications :-)

--Siju