Re: console xterm

2008-08-13 Thread T. Ribbrock
On Wed, Aug 13, 2008 at 07:26:52AM +0200, ropers wrote:
[...]
> Is there a way to have a colour ls and still be able to page through it?

With gls (which I use), there is. Example:

gls -lF --color=always|less -r

Suitable aliases should do the rest, I suppose. You'll have to use less
with '-r', otherwise the colour control codes are not interpreted. This
can have some downsides - see "man less".

Cheerio,

Thomas
-- 
 ** PLEASE: NO Cc's to me privately, I do read the list - thanks! **
-
  Thomas Ribbrock    http://www.ribbrock.org    ICQ#: 15839919
   "You have to live on the edge of reality - to make your dreams come true!"



Re: Hardware recommendation for firewalls (more than 4 NICs)

2008-08-13 Thread Marco Fretz

Claudio Jeker wrote:

> On Mon, Aug 11, 2008 at 01:14:53PM +0200, Marco Fretz wrote:
>
>> Johan Beisser wrote:
>>
>>> On Fri, Aug 8, 2008 at 2:59 PM, phoenixcomm <[EMAIL PROTECTED]> wrote:
>>>
>>>> Hi Gang,
>>>> well heres my 3 cents,
>>>> first why use a stupid PC (any os) for routing.. REALLY BAD jue,jue
>>>> break down and buy a old Cisco 7200, 7500, 3600 they are all very good
>>>> routers, I used a 7500 for a while and now use a 3640
>>>> i use pf as a transparent bridge behind my router.. and protects my
>>>> servers
>>>>
>>>> I have 3 nics, (world, dmz, ssh)
>>>
>>> How odd. I know at least one site that runs all of their BGP off of
>>> OpenBGP on OpenBSD boxes that are dedicated as routers. In all cases,
>>> these systems outperform the equivalent Cisco hardware for a fraction
>>> of the cost.
>>
>> Forget this. Cisco does CEF (cisco express forwarding) that's stream
>> forwarding in hardware. You don't have a chance to reach this PPS with a pc
>> / server based router (any os). And I don't think there is any equivalent
>> hardware for Cisco and other router vendors. Because only routing decision
>> is done in CPU / memory, packet forwarding is done on the "hardware
>> layer"... so you can't compare Cisco CPU / memory against PC cpu / memory
>> that's not fair :-)
>
> On the 3600, 7200, 2800, 1800 and everything else that is not a L3
> switching router that costs over 100k everything is done in SW. Cisco CEF
> is nothing more than a fast path through the box that skips everything
> that is time consuming. It is still a software feature and everything
> runs over the CPU.
> Systems like the 7600 platform are able to do forwarding on the switch
> modules but unless you get the fucking expensive ones you have not enough
> cam space for a full feed. But it is not honest to compare a Cisco 7600
> or other high end super expensive near line speed routers with a openbsd
> box that is surely inexpensive compared to those behemoths.


Ok, ok. What I said was what Cisco says :D And of course I meant the 
fucking expensive Routers.


Don't get me wrong. I'm also using OpenBSD as router / firewall on 
server hardware and embedded on Soekris / WRAP. The performance is 
great. I just don't want to use PCs / BSD Boxes as area border routers, 
core routers, etc... Cisco hardware is much more reliable than PCs and 
the configuration is quite easy and structured. Configuring OpenBSD as a 
router is easy and structured as well, unlike Linux which is actually 
not structured :-)


If you have the money buy Cisco Routers (or from similar vendors), if 
you have time and want to save some money use OpenBSD.


bests
 Marco



But software routers e.g. OpenBSD are cheap and work well. If you don't 
need more than about 800Mbit/s throughput and you want to save some money 
use software routers... but agreed, with good server hardware, intel nics, 
dual core cpu, etc. you can get good performance out of a server based 
router / firewall.




Installation OpenBsd under HP DL120

2008-08-13 Thread Christophe Rioux
Hi

I just tried to install OpenBSD on a HP DL120 Server (big PC in Rack form).
But I have the following issues:

* version 3.9: can't boot: no compatible PCI ICU found

=> no problem, let's try with the new version (4.3)

* version 4.3: disk/disk controller not found => no installation possible

Can somebody help me to continue? I may have the drivers (I have a
diagnostics DVD from HP under Linux, so I may have the drivers), but I don't
know how to proceed.

Thanks for your help

Christophe



Re: HITACHI HTC426060G9AT00

2008-08-13 Thread Richard Tsang
Hello guys,

I was looking for the HTC426060G9AT00 drive myself for months.
And yesterday, I came across a source on eBay that is offering the drive
at USD 200.00.
The source is from China; I'm afraid to transact with them directly. 
So I'm asking my cousin living in China to transact with them, and check if it
is legit and if the units are in brand new condition.  Then I will ask my cousin
to buy from them and send it to me.
If everything works out fine, I will keep you posted.

My laptop is a Sony Vaio vgn-t340p, not the same as yours.  But the harddisk
is the same.

Good luck!


Richard Fernandez
Philippines



Re: Hardware recommendation for firewalls (more than 4 NICs)

2008-08-13 Thread saqmaster
Sorry to hijack this thread slightly, but it's related I think:

I'm looking to create an OpenBSD firewall/router for home. It's going
to need to support two ADSL (UK, 8mbit) lines with PPPoA. And then a
bunch (4) of f/eth ports, which is simple enough.

Could anyone recommend any low-profile pci adsl models that'd work in
this configuration with obsd? Thanks!



Re: Installation OpenBsd under HP DL120

2008-08-13 Thread Peter N. M. Hansteen
"Christophe Rioux" <[EMAIL PROTECTED]> writes:

> * version 4.3: disk/disk controller not found => no installation possible
>
> Can somebody help me to continue. I may have the drivers (I have a
> diagnotics DVD from HP under Linux, so I may have the drivers), but I don't
> know how to proceed.

Linux drivers are unlikely to help much, unfortunately.  If you're
moderately adventurous, you could try fetching cd44.iso (or for that
matter install44.iso) from a snapshot and see if that gets you past
the controller not found stage.

- P
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Installation OpenBsd under HP DL120

2008-08-13 Thread Stuart Henderson
On 2008-08-13, Christophe Rioux <[EMAIL PROTECTED]> wrote:
> I just try to install OpenBSD on a HP DL120 Server (big PC in Rack form).
> But I have the following issues:
>
> * version 3.9: can't boot: no compatible PCI ICU found
>
>=> no problem, let's try with the new version (4.3)
>
> * version 4.3: disk/disk controller not found => no installation possible
>
> Can somebody help me to continue. I may have the drivers (I have a
> diagnotics DVD from HP under Linux, so I may have the drivers), but I don't
> know how to proceed.

If you boot from serial console, or with a USB stick connected,
then you can save the dmesg and show us what hardware is in the
machine.



Re: HITACHI HTC426060G9AT00

2008-08-13 Thread Stuart Henderson
On 2008-08-13, Richard Tsang <[EMAIL PROTECTED]> wrote:
> Hello guys,
>
> I was looking for HTC426060G9AT00 drive myself for months.
> And yesterday, I came across a source in the ebay that is offering the drive
> at USD 200.00
> The source is from China, I'm a afraid to transact with them directly. 
> So I'm asking my cousin living in China to transact with them, and check if it
> is legit and if the units are brand new condition.  Then I will ask my cousin
> to buy from them and send it to me.
> If everything works out fine, I will keep you posted.
>
> My laptop is a Sony Vaio vgn-t340p, not the same with yours.  But the harddisk
> is the same.

There is an alternative; IBM now supply ZIF drives in a converter.
Look for part numbers 42T4451 (40GB) and 42T4453 (60GB).



What fiber channel card to buy

2008-08-13 Thread Khalid Schofield

Hi,
after a very bad experience with the ISP driver and my QLogic ISP2200  
copper fiber channel card I've decided to dump the idea of using this  
board with openbsd. The sun T3 works, of a sort, under linux (fairly  
slow). But it's full of 10k 73GB FC disks so I want to use these  
arrays with OpenBSD. Has anyone had any luck with fiber channel cards  
under openbsd? I'm guessing some should be really well supported and  
very stable. Just want some help picking the right one.


As stated I'm currently trying to use a QLogic 2200 with a copper   
port to connect to my Sun T3 fiber channel raids. Does anyone use  
anything similar under OpenBSD?



cheers
Khalid



Re: console xterm

2008-08-13 Thread ropers
2008/8/13 T. Ribbrock <[EMAIL PROTECTED]>:
> On Wed, Aug 13, 2008 at 07:26:52AM +0200, ropers wrote:
> [...]
>> Is there a way to have a colour ls and still be able to page through it?
>
> With gls (which I use), there is. Example:

Ah! gls = gnuls I suppose. I see there's a 4.3 package for gnuls.

> gls -lF --color=always|less -r
>
> Suitable aliases should do the rest, I suppose. You'll have to use less
> with '-r', otherwise the colour control codes are not interpreted. This
> can have some downsides - see "man less".

Smashing! I'll look into that.

Thanks a bunch! :)
--ropers



libpcap aligned problem under amd64 box

2008-08-13 Thread Dongsheng Song
When I use pcap_next_ex like this:

    struct pcap_pkthdr *pkthdr;
    ...
    pcap_next_ex(p, &pkthdr, &pktp);

The returned pkthdr is invalid!  After doing some trick like this:

    /* same four fields, but with 32-bit timestamp members */
    struct a4_pcap_pkthdr {
        u_int32_t tv_sec;
        u_int32_t tv_usec;
        u_int32_t caplen;   /* length of portion present */
        u_int32_t len;      /* length this packet (off wire) */
    } __attribute__ ((aligned (4)));

    ...
    struct pcap_pkthdr *pkthdr;
    struct a4_pcap_pkthdr *pkthdr2;
    ...
    pcap_next_ex(p, &pkthdr, &pktp);
    pkthdr2 = (struct a4_pcap_pkthdr *) pkthdr;

The returned pkthdr2 is OK. What's the correct usage?

Thanks,

Dongsheng Song
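The layout problem the workaround above hints at, as an added example that is not code from the original post or from libpcap: a capture header whose timestamp is two 32-bit fields (the layout of the poster's a4_pcap_pkthdr; OpenBSD's <net/bpf.h> declares the BPF header timestamp as a struct bpf_timeval of two u_int32_t, which is the likely origin) cannot be read through a pointer to a struct that holds a native struct timeval, because on amd64 that struct is 24 bytes and its caplen sits at offset 16, i.e. inside the packet data. The right move is to decode the bytes explicitly and bounds-check caplen before it is used as a length. struct hdr32, struct hdr_native, build_sample, parse_hdr32, caplen_by_cast, layouts_differ and self_check are names introduced here; hdr_native mirrors only the three fields of pcap_pkthdr so nothing needs <pcap.h>, and the packet bytes are constructed sample data.

```c
/* Added example: explicit decoding of a 32-bit-timestamp capture header
 * versus casting it to a struct holding a native struct timeval. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>

struct hdr32 {              /* layout of the bytes actually in the buffer */
    uint32_t tv_sec;
    uint32_t tv_usec;
    uint32_t caplen;        /* bytes present in the capture */
    uint32_t len;           /* bytes on the wire */
};

struct hdr_native {         /* layout the application expects */
    struct timeval ts;      /* 16 bytes on LP64 (amd64), 8 on ILP32 */
    uint32_t caplen;
    uint32_t len;
};

/* Write a hdr32 plus caplen packet bytes into buf (constructed sample: the
 * payload starts like an IPv4 header, the rest is 0xab filler). */
static size_t build_sample(unsigned char *buf, size_t bufsz, uint32_t sec,
                           uint32_t usec, uint32_t caplen, uint32_t len)
{
    struct hdr32 h = { sec, usec, caplen, len };
    static const unsigned char pkt_start[] = { 0x45, 0x00, 0x00, 0x3c };

    if (bufsz < sizeof h + caplen || caplen < sizeof pkt_start)
        return 0;
    memset(buf, 0xab, bufsz);
    memcpy(buf, &h, sizeof h);
    memcpy(buf + sizeof h, pkt_start, sizeof pkt_start);
    return sizeof h + caplen;
}

/* Wrong: treat the buffer as hdr_native (what the pointer cast does).
 * On amd64 hdr_native.caplen lives at offset 16, in the first packet
 * bytes, so the value is garbage; used as a length it walks off the capture. */
static uint32_t caplen_by_cast(const unsigned char *buf)
{
    struct hdr_native h;
    memcpy(&h, buf, sizeof h);
    return h.caplen;
}

/* Right: decode the 32-bit layout explicitly, widen the timestamp, and
 * check caplen against what was really received before trusting it. */
static int parse_hdr32(const unsigned char *buf, size_t buflen,
                       struct hdr_native *out)
{
    struct hdr32 h;

    if (buflen < sizeof h)
        return -1;
    memcpy(&h, buf, sizeof h);  /* memcpy: no alignment assumption on buf */
    if (h.caplen > h.len || h.caplen > buflen - sizeof h)
        return -1;              /* truncated or inconsistent header */
    out->ts.tv_sec  = (time_t)h.tv_sec;
    out->ts.tv_usec = (suseconds_t)h.tv_usec;
    out->caplen = h.caplen;
    out->len    = h.len;
    return 0;
}

/* 1 when the two layouts differ in size (true on LP64), 0 otherwise. */
static int layouts_differ(void)
{
    return sizeof(struct hdr_native) != sizeof(struct hdr32);
}

/* End-to-end check; returns 0 on success, a step number on failure. */
static int self_check(void)
{
    unsigned char buf[64];
    struct hdr_native h;
    size_t n = build_sample(buf, sizeof buf, 1218600000u, 123456u, 40, 60);

    if (n != sizeof(struct hdr32) + 40) return 1;
    if (parse_hdr32(buf, n, &h) != 0) return 2;
    if (h.ts.tv_sec != 1218600000 || h.ts.tv_usec != 123456) return 3;
    if (h.caplen != 40 || h.len != 60) return 4;
    if (layouts_differ() && caplen_by_cast(buf) == 40) return 5;
    /* a header claiming more captured bytes than were received is rejected */
    if (parse_hdr32(buf, sizeof(struct hdr32) + 10, &h) != -1) return 6;
    return 0;
}

int main(void)
{
    printf("caplen offset: hdr32=%zu hdr_native=%zu, self_check=%d\n",
           offsetof(struct hdr32, caplen),
           offsetof(struct hdr_native, caplen), self_check());
    return 0;
}
```

On amd64 the cast returns something other than 40 while parse_hdr32 recovers the real header; on a 32-bit build the two layouts coincide and the cast happens to work, which is why the bug only shows up after moving to a 64-bit box. If a library hands you a struct pcap_pkthdr, read its fields through that struct rather than a locally redefined one; if you consume the raw BPF buffer yourself, step through it with the bpf_hdr length fields and the BPF_WORDALIGN macro, never with sizeof(struct pcap_pkthdr).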



Re: What fiber channel card to buy

2008-08-13 Thread Stuart Henderson
On 2008-08-13, Khalid Schofield <[EMAIL PROTECTED]> wrote:
> after a very bad experience with the ISP driver and my QLogic ISP2200  
> copper fiber channel card I've decided to dump the idea of using this  
> board with openbsd. The sun T3 works, of a sort, under linux (fairly  
> slow). But it's full of 10k 73GB FC disks so I want to use these  
> arrays with OpenBSD. Has anyone had any luck with fiber channel cards  
> under openbsd? I'm guessing some should be really well supported and  
> very stable. Just want some help picking the right one.

Generally, the LSI cards - there's a list in mpi(4) manual. If you
don't need to boot from them and want something cheap(ish), the Apple
cards using this driver are reasonably easy to find second-hand.

I have one (Fujitsu-Siemens) server they don't work in though,
an NMI when the driver tries to attach takes the machine to DDB.
Same happens with FreeBSD's driver for this card, I suspect
some hardware problem. isp(4) is working ok in that machine.

> As stated I'm currently trying to use a QLogic 2200 with a copper   
> port to connect to my Sun T3 fiber channel raids. Does anyone use  
> anything similar under OpenBSD?

Mostly using SFP-SFP copper cables here.

mpi0 at pci2 dev 1 function 0 "Symbios Logic FC929X" rev 0x00: apic 2 int 4 (irq 9)
scsibus0 at mpi0: 32 targets, initiator 15
sd0 at scsibus0 targ 3 lun 0:  SCSI3 0/direct fixed
sd0: 176696MB, 22087 cyl, 128 head, 128 sec, 512 bytes/sec, 361873408 sec total
sd1 at scsibus0 targ 4 lun 0:  SCSI3 0/direct fixed
sd1: 176696MB, 22087 cyl, 128 head, 128 sec, 512 bytes/sec, 361873408 sec total
mpi1 at pci2 dev 1 function 1 "Symbios Logic FC929X" rev 0x00: apic 2 int 5 (irq 5)
scsibus1 at mpi1: 32 targets, initiator 15



Re: Installation OpenBsd under HP DL120

2008-08-13 Thread Christophe Rioux
Same error with the install44.iso
=> No disk found.

-----Original Message-----
From: Peter N. M. Hansteen [mailto:[EMAIL PROTECTED]
Sent: Wednesday 13 August 2008 10:44
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Installation OpenBsd under HP DL120

"Christophe Rioux" <[EMAIL PROTECTED]> writes:

> The RAID controller is: Intel 82801IR Integrated Serial ATA Host Controller
> (like I said, this is a big PC in rack form), so it has a RAID controller from a
> PC. This controller seems to be in the supported HW but not detected.

http://www.openbsd.org/i386.html lists Intel 82801 as supported but
does not mention the IR variety specifically, but I'm not sure how big
the differences are between the various subtypes.  If there are
relevant BIOS settings, you could try twiddling those and see what
happens.  Then again recent snapshots are apparently still quite close
to what will be 4.4 and likely worth checking.

- P
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Hardware recommendation for firewalls (more than 4 NICs)

2008-08-13 Thread Henning Brauer
* Marco Fretz <[EMAIL PROTECTED]> [2008-08-13 09:31]:
> Ok, ok. What I said was what Cisco says

as in, lies, lies, lies.
They call it "marketing".

> Cisco hardware is much more reliable than PCs

I can't second that. Cisco and good PC hardware are on par IME.
The whole system, Cisco + IOS vs PC-Server + OpenBSD - the latter is
ahead. Again, ymmv. I have had cisco routers crash upon typing "show
version".

> and the configuration is quite easy and structured.

what? that mess is nowhere near structured. It is not a config
language that was designed. It's an accident that happened.

> If you have the money buy Cisco Routers (or from similar vendors), if you 
> have time and want to save some money use OpenBSD.

no. If you have the money get somebody clueful to set your OpenBSD
routers up.

If you actually do route many Gigabit/s worth of traffic things get a
bit complicated, you might have to go for juniper then.

But cisco... pah humbug.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: question about raidframe getting stuck

2008-08-13 Thread Marcus Andree

>
> Almost every RAID system out there handles the sudden removal
> of a disk from the system pretty well.  Why?  Because it's EASY
> to create that "failure mode".  Problem is, in 25 years in this
> business, I don't recall having seen a hard disk fall out of a
> computer as a mode of actual failure (I did see a SCSI HBA fall
> out of a machine once, but that's a different story).
>


I have seen that disk-suddenly-out-of-computer failure once. Coincidentally
enough, it was an OpenBSD system configured only for NAT, about 6 years ago.

The IDE hard disk failed sometime at night. When we arrived at the office
the next day, everything was working flawlessly until someone
ssh'ed to that machine. My guess is something went awry when
syslog went to write that new connection and suddenly the OS
discovered that there was no HD present.

Surprisingly enough, the onboard IDE controller survived, but after installing
the new disk, we found the parallel IDE cable faulty and it had to be replaced
as well.

It was not a RAID system though...





Re: : : Purpose of spamd-setup in greylisting mode?

2008-08-13 Thread Raimo Niskanen
On Tue, Aug 12, 2008 at 01:25:15PM +0200, Raimo Niskanen wrote:
:
> I (and others) use variations on a slightly different approach...
> 
:
> 
> I can publish the scripts if anyone is interested.

http://www.erlang.org/~raimo/greytrap/

> 
> -- 
> 
> / Raimo Niskanen, Erlang/OTP, Ericsson AB

-- 

/ Raimo Niskanen, Erlang/OTP, Ericsson AB



Re: : Installation OpenBsd under HP DL120

2008-08-13 Thread Raimo Niskanen
On Wed, Aug 13, 2008 at 12:04:26PM +0200, Christophe Rioux wrote:
> Same error with the install44.iso
> => No disk found.

Check bios settings if there is some way to configure the disk
controller in legacy mode or something like that.

> 
> -----Original Message-----
> From: Peter N. M. Hansteen [mailto:[EMAIL PROTECTED]
> Sent: Wednesday 13 August 2008 10:44
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: Installation OpenBsd under HP DL120
> 
> "Christophe Rioux" <[EMAIL PROTECTED]> writes:
> 
> > The RAID controller is: Intel 82801IR Integrated Serial ATA Host Controller
> > (like I said, this is a big PC in rack form), so it has a RAID controller from a
> > PC. This controller seems to be in the supported HW but not detected.
> 
> http://www.openbsd.org/i386.html lists Intel 82801 as supported but
> does not mention the IR variety specifically, but I'm not sure how big
> the differences are between the various subtypes.  If there are
> relevant BIOS settings, you could try twiddling those and see what
> happens.  Then again recent snapshots are apparently still quite close
> to what will be 4.4 and likely worth checking.
> 
> - P
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

-- 

/ Raimo Niskanen, Erlang/OTP, Ericsson AB



Re: : Installation OpenBsd under HP DL120

2008-08-13 Thread Alexander Sabourenkov

Raimo Niskanen wrote:

> On Wed, Aug 13, 2008 at 12:04:26PM +0200, Christophe Rioux wrote:
>
>> Same error with the install44.iso
>> => No disk found.
>
> Check bios settings if there is some way to configure the disk
> controller in legacy mode or something like that.


I just solved this very problem with the opposite actions: disable all 
"legacy" and "compatibility" stuff and enable AHCI instead.


--

./lxnt



Re: Hardware recommendation for firewalls (more than 4 NICs)

2008-08-13 Thread ropers
> * Marco Fretz <[EMAIL PROTECTED]> [2008-08-13 09:31]:
>> If you have the money buy Cisco Routers (or from similar vendors), if you
>> have time and want to save some money use OpenBSD.

2008/8/13 Henning Brauer <[EMAIL PROTECTED]>:
> no. If you have the money get somebody clueful to set your OpenBSD
> routers up.
>
> If you actually do route [many] Gigabit/s worth of traffic things get a
> bit complicated, you might have to go for juniper then.

NB: According to Wikipedia, Juniper's JUNOS OS is FreeBSD-derived. In
other words, it ultimately evolved from the same ancestor OpenBSD
evolved from.

--ropers



Re: Hardware recommendation for firewalls (more than 4 NICs)

2008-08-13 Thread Marco Fretz

Henning Brauer wrote:

> * Marco Fretz <[EMAIL PROTECTED]> [2008-08-13 09:31]:
>
>> Ok, ok. What I said was what Cisco says
>
> as in, lies, lies, lies.
> They call it "marketing".
>
>> Cisco hardware is much more reliable than PCs
>
> I can't second that. Cisco and good PC hardware are on par IME.
> The whole system, Cisco + IOS vs PC-Server + OpenBSD - the latter is
> ahead. Again, ymmv. I have had cisco routers crash upon typing "show
> version".
>
>> and the configuration is quite easy and structured.
>
> what? that mess is nowhere near structured. It is not a config
> language that was designed. It's an accident that happened.

rofl, if you think so... :) We should stop flaming about cisco vs 
opensource solutions... both have advantages and problems as well. It's 
the common discussion about commercial vs opensource products, and this 
was not the idea when Martín started this thread I think. My fault, 
sorry for that.

bests
 Marco

>> If you have the money buy Cisco Routers (or from similar vendors), if you 
>> have time and want to save some money use OpenBSD.
>
> no. If you have the money get somebody clueful to set your OpenBSD
> routers up.
>
> If you actually do route many Gigabit/s worth of traffic things get a
> bit complicated, you might have to go for juniper then.
>
> But cisco... pah humbug.




Re: What fiber channel card to buy

2008-08-13 Thread Diana Eichert

On Wed, 13 Aug 2008, Stuart Henderson wrote:

> Generally, the LSI cards - there's a list in mpi(4) manual. If you
> don't need to boot from them and want something cheap(ish), the Apple
> cards using this driver are reasonably easy to find second-hand.


I'm using the "Apple" LSI Logic 2Gb FC cards in a couple systems.
There were some initial issues with my first installation, but with
some help from some of the mpi developers finally got it tracked down.
It turned out to be h/w issues on my part, one the BIOS had to be
upgraded on the Tyan motherboard in the system, two I had a bad SFP.

I'm about to get one of the newer 3.5Gb LSI cards to connect to a
Nexsan SATABeast.

diana



Re: Hardware recommendation for firewalls (more than 4 NICs)

2008-08-13 Thread Diana Eichert

On Wed, 13 Aug 2008, ropers wrote:
SNIP

> NB: According to Wikipedia, Juniper's JUNOS OS is FreeBSD-derived. In
> other words, it ultimately evolved from the same ancestor OpenBSD
> evolved from.
>
> --ropers

So it runs some BSD derivative on its management card, that makes no difference
to how well the hardware and firmware is designed.  Some Marconi ATM 
switches run Linux on their management cards, fortunately for us the
hardware and firmware is designed well and they work.

diana



Re: console xterm

2008-08-13 Thread Etienne Robillard
On Wed, 13 Aug 2008 10:56:35 +0200
ropers <[EMAIL PROTECTED]> wrote:

> 2008/8/13 T. Ribbrock <[EMAIL PROTECTED]>:
> > On Wed, Aug 13, 2008 at 07:26:52AM +0200, ropers wrote:
> > [...]
> >> Is there a way to have a colour ls and still be able to page through it?
> >
> > With gls (which I use), there is. Example:
> 
> Ah! gls = gnuls I suppose. I see there's a 4.3 package for gnuls.
> 
> > gls -lF --color=always|less -r
> >
> > Suitable aliases should do the rest, I suppose. You'll have to use less
> > with '-r', otherwise the colour control codes are not interpreted. This
> > can have some downsides - see "man less".
> 
> Smashing! I'll look into that.
> 
> Thanks a bunch! :)
> --ropers
> 

how about:

export TERM=cons25
alias ls='colorls -FG'

Sorry, I confused the freebsd console (cons25) with the obsd console (vt220), but with 
cons25 and colorls the console looks pretty.. ;) 

Regards,

-Etienne



Re: : Installation OpenBsd under HP DL120

2008-08-13 Thread Christophe Rioux
Raimo Niskanen wrote:
>> On Wed, Aug 13, 2008 at 12:04:26PM +0200, Christophe Rioux wrote:
>>> Same error with the install44.iso
>>> => No disk found.
>> 
>> Check bios settings if there is some way to configure the disk
>> controller in legacy mode or something like that.

Alexander Sabourenkov wrote:
>I just solved this very problem with the opposite actions: disable all 
>"legacy" and "compatibility" stuff and enable AHCI instead.

I found something, but this is not the result I wanted:

BIOS: Phoenix cME Pro
- natural module: SATA (instead of AUTO)
- SATA RAID: disable
- Harddisk configuration: 32 bits I/O: DISABLE (instead of ENABLE)
-> IDE 32 Bits compatibility)

=> that means I could install 4.3 (or 4.4-beta) on the server, but if I
try to reconnect the SATA RAID, the system boots and hangs after the boot
with the message "Boot device:". By hang, I mean the keyboard doesn't
work any more

I'll try to get the dmesg out of the server

Regards



Re: Hardware recommendation for firewalls (more than 4 NICs)

2008-08-13 Thread James Records
I just got some screenshots of the project up, if you care to take a look:

http://www.thewaffle.org/screenshots.html

There is also a working copy of the VMware image of the project available
for download, see the following for brief instructions on how to setup the
image:

http://www.thewaffle.org/Forum/viewtopic.php?f=11&t=11&p=16#p16

pardon the site design, not my forte, hopefully getting someone else to
build me something better soon.

Over the next couple days I'll get an image made for the WG firebox X
series, I have one laying around that I can work on, hopefully by this
weekend.

J

On Fri, Aug 8, 2008 at 3:08 PM, James Records <[EMAIL PROTECTED]>wrote:

> Grab a Watchguard Firebox X off of ebay, they have 6 interfaces, and you
> can get them pretty cheap, some of the bigger ones have more, onboard
> crypto, perfect for building openbsd firewalls... you can run off a CF...
>
> I'm putting together a project that uses openbsd on these boxes.  If you
> have any questions about running openbsd on them let me know:
>
> www.thewaffle.org
>
>
> Thanks,
> Jim
>
>
>
>
> On Fri, Aug 8, 2008 at 2:59 PM, phoenixcomm <[EMAIL PROTECTED]> wrote:
>
>> Martín Coco wrote:
>> >
>> > Hi misc,
>> >
>> > I'm currently looking for hardware alternatives for firewalls that
>> > should have more than four NICs.
>> >
>> > Currently we are buying R200s from Dell, but we have the 4 NIC
>> > limitation. We could tell Dell to install a quad port NIC (in addition
>> > to the two-port onboard card), but I haven't read good things about the
>> > way they work.
>> >
>> > I've also looked into soekris, but they don't seem to have enough CPU
>> > for what we want (this is pure speculation) as we also have intense
>> > IPSec traffic on some of these firewalls (I've seen that some of them
>> > could have encryption boards added to increase performance, but I don't
>> > know if it works for any kind of protocol, or at what rate).
>> >
>> > In any case, what I would like to have is firewalls with multiple NICs
>> > (at least 6 NICs) *and* sufficient CPU to let IPSec work alright at
>> > least at ~50Mbps (internal backbone firewalls). The multiple NICs are to
>> > use trunk, pfsync, real network interfaces, etc.
>> >
>> > Thanks,
>> > Martín.
>> >
>> >
>> >
>> Hi Gang,
>> well heres my 3 cents,
>> first why use a stupid PC (any os) for routing.. REALLY BAD jue,jue
>> break
>> down and buy a old Cisco 7200,  7500, 3600 they are all very good routers,
>> I
>> used a 7500 for a while and now use a 3640
>> i use pf as a transparent bridge behind my router.. and protects my
>> servers
>> I have 3 nics, (world, dmz, ssh)
>>
>> you could put up a firewall before your router and put everything out one
>> vlan to the router.
>> and I have a cisco 2900-xl-en switch with 3 vlans on it... and no
>> bleeding..
>> enjoy
>> Crazy Cris
>> :working:
>> --
>> View this message in context:
>>
>> http://www.nabble.com/Hardware-recommendation-for-firewalls-%28more-than-4-NI
>> Cs%29-tp18413703p18899631.html
>> Sent from the openbsd user - misc mailing list archive at Nabble.com.



Re: : Installation OpenBsd under HP DL120

2008-08-13 Thread Alexander Sabourenkov

Christophe Rioux wrote:

> I found something, but this is not the result I wanted:
>
> BIOS: Phoenix cME Pro
> - natural module: SATA (instead of AUTO)
> - SATA RAID: disable
> - Harddisk configuration: 32 bits I/O: DISABLE (instead of ENABLE)
> -> IDE 32 Bits compatibility)
>
> => that means I could install 4.3 (or 4.4-beta) on the server, but if I
> try to reconnect the SATA RAID, the system boots and hangs after the boot
> with the message "Boot device:". By hang, I mean the keyboard doesn't
> work any more
>
> I'll try to get the dmesg out of the server



I _suspect_ the RAID here is of the fakeraid variety, and there's no 
point in trying to enable it.


--

./lxnt



Re: : Installation OpenBsd under HP DL120

2008-08-13 Thread Rajneesh N. Shetty
I'm planning something similar to back up my client. Could anyone please tell me
who in Australia I could buy a 105- or 108-key keyboard from?
Thanks,
Rajneesh

tel : +61431 823 603

'Worry looks around, sorry looks back, faith looks up'.

--- On Thu, 14/8/08, Christophe Rioux <[EMAIL PROTECTED]> wrote:

From: Christophe Rioux <[EMAIL PROTECTED]>
Subject: Re: : Installation OpenBsd under HP DL120
To: "'Alexander Sabourenkov'" <[EMAIL PROTECTED]>, misc@openbsd.org
Received: Thursday, 14 August, 2008, 1:19 AM

Raimo Niskanen wrote:
>> On Wed, Aug 13, 2008 at 12:04:26PM +0200, Christophe Rioux wrote:
>>> Same error with the install44.iso
>>> => No disk found.
>>
>> Check bios settings if there is some way to configure the disk
>> controller in legacy mode or something like that.

Alexander Sabourenkov wrote:
>I just solved this very problem with the opposite actions: disable all
>"legacy" and "compatibility" stuff and enable AHCI instead.

I found something, but this is not the result I wanted:

BIOS: Phoenix cME Pro
- natural module: SATA (instead of AUTO)
- SATA RAID: disable
- Harddisk configuration: 32 bits I/O: DISABLE (instead of ENABLE)
-> IDE 32 Bits compatibility)

=> that means I could install 4.3 (or 4.4-beta) on the server, but if I
try to reconnect the SATA RAID, the system boots and hangs after the boot
with the message "Boot device:". By hang, I mean the keyboard doesn't
work any more

I'll try to get the dmesg out of the server

Regards







Re: console xterm

2008-08-13 Thread Christian Weisgerber
Etienne Robillard <[EMAIL PROTECTED]> wrote:

> export TERM=cons25

Bad.

> alias ls='colorls -FG'
> 
> Sorry i confused freebsd console (cons25) with obsd console (vt220), but
> with cons25 and colorls the console looks pretty.. ;) 

The proper terminal type would be TERM=wsvt25.  The colorls package
description actually says as much.

-- 
Christian "naddy" Weisgerber  [EMAIL PROTECTED]



Re: postfixadmin for testing

2008-08-13 Thread Gabri Mate
On 20:57 Tue 12 Aug , julien c wrote:
> Hi,
> I have tested this port
> Installation is ok on Openbsd 4.3 stable with empty FLAVOR
> I haven't tested all function but my postfix and my table is different ==>
> http://www.kernel-panic.it/openbsd/mail/mail4.html
>
> Regards
>
> Thanks,Newixz
>
> 2008/8/12 Gabri Mate <[EMAIL PROTECTED]>
>
> > Dear List,
> >
> > I've created a port for postfixadmin. Please test it and report back.
> >
> > Thank You!
> > --
> > Gabri Mate
> > [EMAIL PROTECTED]
> >
Thank You for your reply!
--
Gabri Mate
[EMAIL PROTECTED]

[demime 1.01d removed an attachment of type application/pgp-signature]



X freezes on snapshot install

2008-08-13 Thread Mihai Popescu B. S.

Hello,

I run OBSD from a snapshot install (OpenBSD 4.4-beta (GENERIC) #976: Fri 
Jul 11 16:41:38 MDT 2008) and recently I've run into some trouble with the X 
server. I think some clever eye can spot the problem and give me a hint.


One time after using gmplayer I closed the X session but the shell prompt 
refused to appear (I run X from the command line, so normally after X exits 
I get the shell prompt). After 10 or so seconds, I just pressed 
Ctrl+Alt+Del for a clean shutdown with power down too.


After this incident, the next times I tried to start X it froze, 
just some Xauth messages were visible. I did some research and I 
figured out that X was able to start after two successive Ctrl+C. Then, 
at X exit I was able to get the shell prompt after one Ctrl+C.


I tried to look in the startx script and I identified xinit as the start 
command. When I tried this alone, X started instantly. The exit 
was also clean. I repeated this over and over, the behaviour was the 
same. Next day all this was gone, with X starting normally at startx. In 
all this time, since the install I never installed or removed packages 
nor updated or configured anything. Just using apps like firefox, 
gmplayer, pidgin, etc.


If you think you can see the issue, please give me a hint just to be 
able to solve an X file. Down here is my dmesg (remove it on reply, 
please):


OpenBSD 4.4-beta (GENERIC) #976: Fri Jul 11 16:41:38 MDT 2008
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) 4 CPU 3.00GHz ("GenuineIntel" 686-class) 3 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,CNXT-ID,xTPR

real mem  = 1071783936 (1022MB)
avail mem = 1028149248 (980MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 07/07/06, BIOS32 rev. 0 @ 0xffe90, SMBIOS rev. 2.3 @ 0xf0450 (72 entries)

bios0: vendor Dell Inc. version "A08" date 07/07/2006
bios0: Dell Inc. Precision WorkStation 370
apm0 at bios0: Power Management spec V1.2
apm0: APM get power status: unknown error code? (83)
acpi at bios0 function 0x0 not configured
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfeb00/224 (12 entries)
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82801FB LPC" rev 0x00)
pcibios0: PCI bus #4 is the last bus
bios0: ROM list: 0xc/0xb000 0xcb000/0x1800! 0xcc800/0x3800
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82925X Host" rev 0x04
ppb0 at pci0 dev 1 function 0 "Intel 82925X PCIE" rev 0x04: irq 11
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "ATI FireGL V3100" rev 0x80
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
"ATI FireGL V3100 Sec" rev 0x80 at pci1 dev 0 function 1 not configured
ppb1 at pci0 dev 28 function 0 "Intel 82801FB PCIE" rev 0x03: irq 11
pci2 at ppb1 bus 2
bge0 at pci2 dev 0 function 0 "Broadcom BCM5751" rev 0x01, BCM5750 A1 
(0x4001): irq 11, address 00:11:11:e3:85:c4

brgphy0 at bge0 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0
ppb2 at pci0 dev 28 function 1 "Intel 82801FB PCIE" rev 0x03: irq 10
pci3 at ppb2 bus 3
uhci0 at pci0 dev 29 function 0 "Intel 82801FB USB" rev 0x03: irq 9
uhci1 at pci0 dev 29 function 1 "Intel 82801FB USB" rev 0x03: irq 5
uhci2 at pci0 dev 29 function 2 "Intel 82801FB USB" rev 0x03: irq 3
uhci3 at pci0 dev 29 function 3 "Intel 82801FB USB" rev 0x03: irq 10
ehci0 at pci0 dev 29 function 7 "Intel 82801FB USB" rev 0x03: irq 9
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb3 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xd3
pci4 at ppb3 bus 4
emu0 at pci4 dev 2 function 0 "Creative Labs SoundBlaster Live" rev 
0x07: irq 3

ac97: codec id 0x83847609 (SigmaTel STAC9721/23)
ac97: codec features 18 bit DAC, 18 bit ADC, SigmaTel 3D
audio0 at emu0
"Creative Labs PCI Gameport Joystick" rev 0x07 at pci4 dev 2 function 1 
not configured

ichpcib0 at pci0 dev 31 function 0 "Intel 82801FB LPC" rev 0x03: PM disabled
pciide0 at pci0 dev 31 function 2 "Intel 82801FR SATA" rev 0x03: DMA, 
channel 0 wired to compatibility, channel 1 wired to compatibility

wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA, 38146MB, 78125000 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets, initiator 7
cd0 at scsibus0 targ 0 lun 0:  ATAPI 5/cdrom 
removable

cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 4
ichiic0 at pci0 dev 31 function 3 "Intel 82801FB SMBus" rev 0x03: SMI
iic0 at ichiic0
spdmem0 at iic0 addr 0x50: 1GB DDR2 SDRAM non-parity PC2-3200CL5
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3

Re: Hardware recommendation for firewalls (more than 4 NICs)

2008-08-13 Thread ropers
2008/8/13 James Records <[EMAIL PROTECTED]>:
> I just got some screenshots of the project up, if you care to take a look:
>
> http://www.thewaffle.org/screenshots.html



> pardon the site design, not my forte, hopefully getting someone else to
> build me something better soon.

It's nicer to look at this page: http://www.thewaffle.org/screenshots/

with this JavaScript bookmarklet:

javascript:(function(){function%20I(u){var%20t=u.split('.'),e=t[t.length-1].toLowerCase();return%20{gif:1,jpg:1,jpeg:1,png:1,mng:1}[e]}function%20hE(s){return%20s.replace(/&/g,'&').replace(/>/g,'>').replace(/Images%20linked%20to%20by%20'+hE(location.href)+':');for(i=0;q=document.links[i];++i){h=q.href;if(h&&I(h))z.write(''+q.innerHTML+'%20('+hE(h)+')');}z.close();})()

I didn't write the bookmarklet, it's from
https://www.squarefree.com/bookmarklets/ .

regards,
--ropers



Ahci PANIC

2008-08-13 Thread Beto
Hi,
I tried to install 4.3 on an HP COMPAQ DC5750.
The installation goes fine, but when the machine boots, I get a kernel panic.
The problem is the same described here:
http://www.nabble.com/ahci-panic-after-install-td18313206.html

To solve it, I configured BIOS to use Native SATA and I disabled the ahci in
my kernel using config(8).
After that, I changed my devices from /dev/sd0* to /dev/wd0* on /etc/fstab
and everything worked.

My question is: What could I lose with this change?
Is there a better solution for my problem?
Thanks in advance.
[ ]'s Beto

Disklabel information

> p g
device: /dev/rwd0c
type: SCSI
disk: SCSI disk
label: ST380815AS
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 9729
total bytes: 74.5G
free bytes: 0.5G
rpm: 3600



My dmesg after the configuration:


Using PF to NAT internal addresses over an IPSec link

2008-08-13 Thread Toby Burress
I have an IPSec connection set up to an external site, over which
I have no control and whose topology I know nothing about (i.e. I
don't know what subnets they use, etc.)  Using ipsecctl, I have one
flow set up, from my external IP A.B.C.D to an internal IP on their
side, 172.25.0.1.

I can ping 172.25.0.1 from the OpenBSD box, so IPSec is working fine.

What I want to do is allow any machine from my internal networks
to reach 172.25.0.1.

What I would like to do is set up NAT, so that packets headed to
the OpenBSD box from anywhere on my network get translated to
A.B.C.D, which is then sent over the VPN connection.  Unfortunately
it looks like PF only applies NAT transforms when packets leave
interfaces, not when they enter them, so packets come into the
OpenBSD box with their private IPs, get routed out the interface
associated with the default route, and only then get rewritten.

Is there a better way to do this?  I would like to be able to change
which hosts on my side can go over the IPSec connection without
having to coordinate with the other company, and without having to
expose internal IP information.

If you reply to the list please cc me as I am not subscribed.
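One way to get the translation applied before the packet is encapsulated, as an added example (not from this thread or from the OpenBSD project): put the NAT rule on enc0, the enc(4) pseudo-interface that IPsec traffic traverses, so pf sees the packet "leaving" enc0 and rewrites it to A.B.C.D before the flow from A.B.C.D to 172.25.0.1 is matched. The internal network 192.168.1.0/24, the interface em0 and the hosts in the table are constructed; A.B.C.D and 172.25.0.1 are the poster's; the syntax is the pre-4.7 pf.conf style of the 2008 release line, and that pf honours nat on enc0 is assumed here, not confirmed by the thread.

```pf
# Added example, not the poster's or OpenBSD's own configuration.
# Assumptions: LAN 192.168.1.0/24 behind em0 (constructed); A.B.C.D is the
# external address already used as the local end of the ipsecctl flow.
ext_ip  = "A.B.C.D"
int_if  = "em0"
int_net = "192.168.1.0/24"
remote  = "172.25.0.1"

# Only these internal hosts may use the tunnel. Editing this table changes
# who gets across without touching the flow, and the remote side only ever
# sees A.B.C.D, so no internal addressing is exposed. (constructed hosts)
table <vpn_users> { 192.168.1.10, 192.168.1.20 }

# Translation on enc0 rather than on the physical egress interface: the
# packet is still destined for 172.25.0.1 when it reaches enc0, so the
# rewritten packet matches the A.B.C.D -> 172.25.0.1 flow and is encapsulated.
# The state entry reverses the translation for replies arriving on enc0.
nat on enc0 from $int_net to $remote -> $ext_ip

# Filtering: drop everything from the LAN to the remote host by default and
# pass only the allowed hosts (last matching rule wins).
block in on $int_if from $int_net to $remote
pass  in on $int_if from <vpn_users> to $remote keep state
pass  out on enc0 from $ext_ip to $remote keep state
```

Keep the existing ipsec.conf flow (from A.B.C.D to 172.25.0.1) unchanged; `pfctl -s state` after a ping from an allowed host should show a state on enc0 with the source rewritten to A.B.C.D.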



[OOT] Can't browse http://www.xs4all.nl/~wpd/symon/ and http://www.benzedrine.cx/pfstat.html

2008-08-13 Thread Insan Praja SW

Hi Misc@,
Did anyone have difficulties accessing/browsing these sites? I'm trying to  
get hold of symon, syweb and pfstat, but I can't seem to access/browse them  
from my network (20x.x0.1x4.0/23).

Sorry for the noise,
Thanks,


Insan
--
insandotpraja(at)gmaildotcom



Re: [OOT] Can't browse http://www.xs4all.nl/~wpd/symon/ and http://www.benzedrine.cx/pfstat.html

2008-08-13 Thread Denny White

Quoted from Insan Praja SW on Thu, Aug 14, 2008 at 08:21:28AM +0700,:
> Hi Misc@,
> Did anyone have difficulties accessing/browsing these sites? I'm trying to 
> get hold of symon, syweb and pfstat, but I can't seem to access/browse them 
> from my network (20x.x0.1x4.0/23).
> Sorry for the noise,
> Thanks,
>
>
> Insan
> -- 
> insandotpraja(at)gmaildotcom
>

No problem here. Accessed all menu links including downloads fine.


Denny White

-- 

Words without actions are the assassins of idealism.

===
GnuPG key  : 0x1644E79A  |  http://wwwkeys.nl.pgp.net
Fingerprint: D0A9 AD44 1F10 E09E 0E67  EC25 CB44 F2E5 1644 E79A
===



Does this look like SSP to you? (Vista)

2008-08-13 Thread Sunnz
Hi,

I am just curious, have Vista implemented something similar to
Stack-Smashing Protector as in OpenBSD's GCC?

http://arstechnica.com/news.ars/post/20080811-the-sky-isnt-falling-a-look-at-a-new-vista-security-bypass.html

I don't really know that much, so I am just asking here... if those
things can be bypassed, would a same type of attack be threatening to
OpenBSD systems?

Regards,
Sunnz.

-- 
This e-mail may be confidential. You may not copy, forward,
distribute, or, use any part of it. Note, this text has no effective
legal binding on your part, there is no obligation to abide any or all
parts of this. Treat it with the same level of care as any other
pretending-to-be-law-speaking-but-not-really texts attached to e-mail
messages you normally find on any other e-mails. For more information
about disclaimers, please see:
http://www.goldmark.org/jeff/stupid-disclaimers/



Re: Does this look like SSP to you? (Vista)

2008-08-13 Thread Tomas Bodzar
Eheh, nice PR story -> Use Java and .NET and you will be safe :-)



Just a reaction to part of the topic, not the whole.






Re: Does this look like SSP to you? (Vista)

2008-08-13 Thread Otto Moerbeek
On Thu, Aug 14, 2008 at 11:48:49AM +1000, Sunnz wrote:

> Hi,
> 
> I am just curious, have Vista implemented something similar to
> Stack-Smashing Protector as in OpenBSD's GCC?
> 
> http://arstechnica.com/news.ars/post/20080811-the-sky-isnt-falling-a-look-at-a-new-vista-security-bypass.html
> 
> I don't really know that much, so I am just asking here... if those
> things can be bypassed, would a same type of attack be threatening to
> OpenBSD systems?

Yes, stack protection can be circumvented in particular cases. But in
general it is pretty good at catching the accidental overwrite and
thus preventing the potential following attack.

ProPolice, like so many techniques, does not provide 100% safety. If
that were the case, why would we bother doing all we do? We could have
stopped after finishing ProPolice and had some rest.

-Otto



Re: Does this look like SSP to you? (Vista)

2008-08-13 Thread Damien Miller
On Thu, 14 Aug 2008, Sunnz wrote:

> Hi,
> 
> I am just curious, have Vista implemented something similar to
> Stack-Smashing Protector as in OpenBSD's GCC?
> 
> http://arstechnica.com/news.ars/post/20080811-the-sky-isnt-falling-a-look-at-a-new-vista-security-bypass.html
> 
> I don't really know that much, so I am just asking here... if those
> things can be bypassed, would a same type of attack be threatening to
> OpenBSD systems?

The actual paper is here and it is very good - well
worth reading for anyone interested in this stuff:
http://taossa.com/archive/bh08sotirovdowd.pdf

The described stack protection is quite Propolice-like and I think that
a similar attack would work on OpenBSD: corrupt a value in the stack,
use it to gain control in the executing function and its antecedents but
never return as that would activate the stack canary checks.

For this to work, an attacker would need to find 1) a function with a
stack-based overflow that 2) has a stack-allocated variable that is
amenable to their purpose. I'm sure these exist, but I have no idea how
common they are. Note that the attacks in the paper make use of the
stack layout used by C++ method calls which makes things quite a bit for
the attacker.

The thing that struck me most from the paper was how close Microsoft has
come to implementing a good set of protections and how they have managed
to screw them up by failing to turn them on everywhere. What use is DEP
or DLL load address randomisation if it isn't turned on everywhere? What
is the point of those (really good) heap consistency checks if you don't
abort() when they fail?

-d