Re: Volunteer needed to create screen saver for BSDCan

2008-05-03 Thread Johan Beisser
Leopard or Tiger?

On Sat, May 3, 2008 at 12:11 PM, Dan Langille [EMAIL PROTECTED] wrote:
 I need help.  I need someone to create a screen saver to run on my Mac.
  This screen saver will be used during the opening session of BSDCan.

  In short; I have about 20 emails I wish to have displayed.  I can give you
  the emails or a PDF of each email, whichever you want.

  I had tried using just the PDF and the Pictures Folder screen saver. This
  was a good start.  But each PDF contains large amounts of whitespace.
  Each email occupies very little of one PDF page.  Therefore, the screen
  saver often shows this whitespace and nothing else.

  I'm not worried about how you achieve the result, but one suggestion I
  thought of was: convert the PDF to an image file and crop off the whitespace.

  Please contact me off-list and I will send you the PDFs/emails.  Those with
  suggestions as to how to do this work are free to suggest, but I do not
  want to do the work as other parts of BSDCan are higher priority right now.  :)

  Thanks.

  --
  Dan Langille -- http://www.langille.org/
  [EMAIL PROTECTED]




  ___
  freebsd-chat@freebsd.org mailing list
  http://lists.freebsd.org/mailman/listinfo/freebsd-chat
  To unsubscribe, send any mail to [EMAIL PROTECTED]



Re: Volunteer needed to create screen saver for BSDCan

2008-05-03 Thread Johan Beisser
Yeah, that's Tiger.

I don't know if leopard quartz composer constructs work in Tiger. It
might be worth a shot.

You might also just want to play with QuartzComposer.app.

On Sat, May 3, 2008 at 1:56 PM, Dan Langille [EMAIL PROTECTED] wrote:

  On May 3, 2008, at 4:20 PM, Johan Beisser wrote:


  Leopard or Tiger?
 

  Mac OS X 10.4.11 (8S2167), which I think is Tiger.




 

  --

  Dan Langille -- http://www.langille.org/
  [EMAIL PROTECTED]







Re: Setting up a HA server with limited resources

2008-03-23 Thread johan beisser

Hmm. Gotta review CARP again, it seems. When did this go in?

On Mar 23, 2008, at 2:29 AM, Ryan McBride wrote:


On Sat, Mar 22, 2008 at 10:49:26AM -0700, johan beisser wrote:
I would like to reach a state, if possible, in which load balancing is
performed, but at the same time, if one machine fails, the other will
automatically take over. I believe this setup is also very useful when
deploying updates.


You're screwed on the load balancing without a 3rd system in the mix.
Preferably 4 systems, so you've got failover between the firewalls.


That's not the case anymore - see the IP BALANCING section in the
carp(4) manpage. (there are a few caveats, first and foremost being that
your layer 2 network will have to cooperate)




Re: Setting up a HA server with limited resources

2008-03-22 Thread johan beisser

On Mar 22, 2008, at 5:44 AM, Rico Secada wrote:


Hi.

A customer with very limited resources needs to set up a highly available
system running apache, mysql, postfix and dovecot and I have gotten the
task.


it's doable, but the unanswered question is what do each of these  
components have to do with one another? What exactly are you trying to  
do?



I have only two Pentium 4 machines at my disposal, and I have begun
researching how to make them work with load balancing and fail safe
operations at the same time. I have one public IP address available.


This would be a CARP component.


I would like to reach a state, if possible, in which load balancing is
performed, but at the same time, if one machine fails, the other will
automatically take over. I believe this setup is also very useful when
deploying updates.


You're screwed on the load balancing without a 3rd system in the mix.  
Preferably 4 systems, so you've got failover between the firewalls.



Any advice on how to implement such a setup?


First, figure out what they're asking for. Then separate the problem  
in to component issues.


- MySQL master-master replication
- HA Heartbeat (linux-HA is a good start on how to do this)
- Dovecot IMAP with MYSQL as a back end
-- this is usually just for AUTH. Where does dovecot keep its files?  
Last I looked, it couldn't shove them in to MySQL, or pull the email  
out.




Re: OT: fully interconnect switches: interesting problem

2008-02-25 Thread johan beisser

On Feb 25, 2008, at 6:39 AM, Douglas A. Tutty wrote:

But if the switches don't know how to handle this setup, then they'll go
crazy.  I don't know if these switches can be told how to handle this.


They can. The Dell Powerconnect 2700 are basically rebranded Cisco  
switches running CatOS.


Bang for buck, they're not bad.



Re: OT: fully interconnect switches: interesting problem

2008-02-24 Thread johan beisser
Did you configure STP, or are the switches figuring this out on their  
own?


On Feb 24, 2008, at 1:09 PM, John Nietzsche wrote:


Dear gentleman/madam,

i was given 4 2724 dell powerconnect switches and only 6 patch cords.
Besides that, i was given a challenge to connect them each other
having a full interconnection schema (thanks my classes on graph
theory, i could do it using only 6 patch cords). So, given any two
switches there is a direct path between them. Instead of cascading,
this approach avoid a single point of failure and allows, for
instance, a uplink of 3 Gb/s between any given two switches and
reduces patch cords usage (my graph edges in this scenario).

The problem raises when i turn them on: After some time (from seconds
to 1 or even 2 minutes) the switches go crazy. I cannot even ping the
ip assigned to the switch i am connected directly  not to mention a
desktop located on another switch.

Is there any configuration that could be done to allow such
interconnection shema ?

thanks in advance.

PS: please, forgive me my OT message, but i am really desperated.
Could some one point me a better list to place my message?




Re: upgrading to 4.3-beta

2008-02-23 Thread johan beisser

On Feb 23, 2008, at 1:26 PM, Chris wrote:


I have upgraded my 4.2-release to 4.3-beta. But I am a bit confused as
I cannot see snmpd.conf, relayd in /etc. However, I can see them in
/usr/src/etc/. When I login it says, 4.3-beta and uname -amp shows 4.3


I've been using mergemaster(8) to follow /etc. It works well.

One thing to remember is that /etc is not touched during a direct  
upgrade. Either manually update and add users, config files and  
devices, or go about it with a script akin to mergemaster(8).




Re: Updates for old releases

2008-02-23 Thread johan beisser

On Feb 23, 2008, at 5:44 PM, Antonio Lobato wrote:

I know it is better to use 4.2, but it does not depend only on my opinion,
I'm configuring the firewall for a customer, and now I can at most
give advice.


Advise them to use 4.2. There are significant speed improvements to  
pf, among other things.




Re: changing bash prompt escape sequences

2008-02-23 Thread johan beisser

On Feb 23, 2008, at 6:29 PM, Jay Hart wrote:


I use bash as my shell.

I'm trying to set the bash prompt to display:

ttyC1 [EMAIL PROTECTED]

I've created a .bashrc in the user's home directory (in this case root), and
used the following line:

PS1=\l [EMAIL PROTECTED] #


So, what happens when you can't log in to the system, delete the bash  
package or lose your /usr/local/ filesystem? I'd suggest not using  
that as your root login shell.


When I login as root, or any other user for that matter, the default  
prompt is:


-bash-3.2#


Try the system bashrc, or fire use .bash_profile.

the only way so far that I found to change the prompt is to type 'bash' at the
prompt after login. This is ok, but I know that this should work the first
time I login, without having to issue a standalone command.


From the bash(1) 3.2 man page:

   When  bash is invoked as an interactive login shell, or as
   a non-interactive shell with the --login option, it  first
   reads and executes commands from the file /etc/profile, if
   that file exists.  After reading that file, it  looks  for
   ~/.bash_profile,  ~/.bash_login,  and  ~/.profile, in that
   order, and reads and executes commands from the first  one
   that  exists  and is readable.  The --noprofile option may
   be used when the shell is started to inhibit  this  behav-
   ior.



I've come to the conclusion that I need to modify another file within the /etc
directory, but what?


So, what lead to that conclusion? Probably not the man page.



Re: changing bash prompt escape sequences

2008-02-23 Thread johan beisser

On Feb 23, 2008, at 7:35 PM, Jay Hart wrote:


I've looked at or modified every file in root's and one user's home directory
without having the prompt displayed upon initial login. Once I login, and run
'bash', the prompt will be displayed as I set it. This leads me to believe
that I have an initial file to set which is being read as part of the init of
the box.


It's likely bash(1) may avoid reading root's environment. Check
/etc/profile, and read the man page on bash. It's ugly, confusing, but it
may clear up your issues.


If it helps, you may need to make sure that your shell is invoked  
properly:


   PS1 is set and $- includes i if bash is interactive,  allowing  a
   shell script or a startup file to test this state.


I rarely (never, actually) log in as root unless the system is in  
single user mode. Even then, I don't use bash, sh(1) and ksh(1) work  
just fine. As a user, sudo(8) works better.




Re: Cannot install 4.3-beta firefox from snapshots/packages/amd64

2008-02-23 Thread johan beisser

On Feb 23, 2008, at 2:54 PM, Mark Zimmerman wrote:

I just installed the latest amd64 snapshot and wanted to test some
packages. Firefox will not install due to a chain of dependencies
stretching back to glitz which requires libGL.6. The snapshot I
installed this morning has libGL.7. Since the snapshots/packages/amd64
directory is over two weeks old, I hope that I can get back to this as
soon as it gets rebuilt. Or is package testing not normally done
outside of i386?


It's more likely the building of snapshot packages wasn't a high  
priority for amd64 recently.




Re: DHCP client failure with cable modem

2008-02-22 Thread johan beisser

On Feb 22, 2008, at 5:32 PM, David Murphy wrote:


PS: another piece of info I left out is that my modem is a Motorola
Surfboard SB5120, and my cable ISP is Charter.


Does charter require PPPoE?



Re: DHCP client failure with cable modem

2008-02-22 Thread johan beisser

On Feb 22, 2008, at 8:19 PM, David Murphy wrote:


I'd be happy to provide any information requested. I'm quite new to *BSD,
but I'm pretty well-versed in Linux, so tell me what you need, and I'll
find it. If you need more information about the box than what I gave at the
end of my first post, let me know.


Ok.

When you initially plug in the modem side interface, what does it see?  
Do a basic tcpdump, and watch the traffic for the dhcp assignment.


Secondly, could you forward your pf.conf?



Re: blade servers

2008-02-08 Thread johan beisser

On Feb 6, 2008, at 5:45 PM, Need Coffee wrote:


Does anyone run OpenBSD on blade servers?  I don't mean
Sun Blade 150 kind of hardware, but rather blade chassis
with server blades (a la Sun Blade 8000, HP, Dell, etc.).


I've been running FreeBSD on an Intel blade chassis with varying  
amounts of success.


The biggest problem is that the interfaces, bge(4), bce(4), aren't all  
that well supported. Just unsupported enough that the Var I went  
through had to delay delivery by 3 weeks while a driver was written  
from the ground up. Even then, the only supported speed was  
1000baseSX, in full duplex. It's not that big of an issue, but under  
load I've got worries the interface will drop out.


The next issue is cost. Each blade runs around $4000, USD. A little  
more, actually. The chassis needs 208v in the cabinet, and draws a  
huge amount of power. It's expensive to run, basically.


So, on to the good.

If you fill out the entire chassis (14 blades, 2 switch units and one  
MM), you have a good farm of systems sitting in a small space. It  
really does shove a bunch of systems in to 5U. The units themselves  
are pretty powerful (2 AMD64 capable systems with twin cores, so 4  
available CPUs. 8 gb of RAM, RAID 1 on two 80gb SATA drives, etc).  
But, the best aspect is the MM. The MM gives you a fair amount of  
control over the chassis itself, and each system hosted on it. A java  
based KVM permits you to move a virtual keyboard around between  
machines easily. The catch is that you don't know if that will cause a  
kernel panic (it seems to happen ever 2 or 3 times on freebsd) or not.


The internal switches do full 802.1Q VLANs, managed through an
IOS/CatOS-like language and a web interface available from the MM. All in
all, the system is very powerful, and you get an okay bang for the buck.


Expect to spend $12k or so, right away, since unless you at least fill  
the chassis 1/2 of the way you're taking up more space and power than  
you would with 7 1u systems. The blade chassis units themselves are  
expensive since the Switch Module and MM don't come standard.


Custom power requirements are expensive: $500/drop for the 208v
install from a DC was the average quote, and we're paying around
$300/mo in power alone. But, we also have a normal 110v drop in to the same
cabinet.


As for running OpenBSD on them, the first question you need to ask  
isn't even related to the OS.


Will this thing pay for itself, and save me money in the long run? If  
the answer is no. Don't buy the chassis.


Will you maximize your space usage (fill it out, to at least 7 units)?  
If the answer is no. Don' buy the chassis.


Are you so cramped in space, and will an extra cabinet (or rack in a  
cage) cost you MORE than putting 14 servers in to 6 or 7 U, as a one  
time cost? If the answer is yes, go for it.


If the decision were mine to have made when my client went with one  
(before I came aboard) they'd have saved themselves around $20k over  
the last 3 years.


When looking at the expense of colocation, I've found that adding a  
cabinet and adding power, running cable to the new cabinet, is cheaper  
than handling a blade system. For that $25k or so building out the  
chassis, i can add in a full cabinet and run it for a year or more.



I'd appreciate any details... I'm having a bit of trouble finding
anything conclusive about OpenBSD on blades.


Hope this helps.



Re: pf issues with a web-server

2008-02-04 Thread johan beisser
Your pass rule for the web server is screwed up, so it won't match.  
The rule after it matches and should permit it to pass.


On Feb 3, 2008, at 10:31 PM, Bales, Tracy wrote:


# macros
ext_if=dc0
int_if=dc1
web_server=192.168.0.4

# scrub
scrub in

# nat
nat on $ext_if from !($ext_if) to any -> ($ext_if:0)

# redirection
rdr on $ext_if proto tcp from any to any port 80 -> $web_server


This is slightly wrong, although it may not throw an error.

rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_server port 80



# filter rules
block in
pass out keep state
antispoof for { lo $int_if }

## take care of lo traffic
pass quick on lo all

## block inet6 traffic
block in quick inet6

## block broadcast noise
block in quick on $ext_if from any to 255.255.255.255

## take care of VPN
pass in quick proto gre all
pass out quick proto gre all

## pass out all UDP connections and keep state
pass out on $ext_if proto udp from ($ext_if) to any keep state

## pass out all ICMP connections and keep state
pass out on $ext_if inet proto icmp from ($ext_if) to any keep state

## pass SSH traffic to firewall
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22
flags S/SA keep state

## pass web traffic to web_server
pass in on $ext_if inet proto tcp from any to $web_server port 80 flags S/SA synproxy state


First, that would be to the external IP address of your firewall. This  
may work better for you:


pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 80 synproxy state



## pass everything else
pass in quick on $int_if


This should let it work as well, pf does a last match lookup. So,  
pass in quick is pointless here, and it also means your previous  
rule won't match, ever.


Minor changes, overall. let me know if these work.
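The thread turns on which rule pf ends up applying to the inbound web traffic. What follows is an added example, not code from the thread: a small Python model of pf's evaluation order (last matching rule wins, a matching `quick` rule ends the walk) over the posted ruleset with macros expanded and the antispoof line omitted; 203.0.113.1 is a constructed address standing in for ($ext_if). The destination address the filter sees is given as input, so both readings in the thread can be checked.

```python
"""Model of pf's filter evaluation over the ruleset posted above.

Added example, not from the thread. The rules are transcribed from the
posted pf.conf with macros expanded and the antispoof line omitted (it
expands to block rules for lo and dc1 that cannot match traffic arriving
on dc0). 203.0.113.1 is a constructed address standing in for ($ext_if).
"""
from dataclasses import dataclass
from typing import Optional

EXT_IF, INT_IF = "dc0", "dc1"
EXT_ADDR = "203.0.113.1"      # constructed stand-in for ($ext_if)
WEB_SERVER = "192.168.0.4"    # $web_server from the posted pf.conf


@dataclass(frozen=True)
class Packet:
    direction: str                 # "in" or "out"
    iface: str
    af: str = "inet"               # "inet" or "inet6"
    proto: str = "tcp"
    dst: str = ""
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    text: str                      # the rule as written in pf.conf
    action: str                    # "pass" or "block"
    direction: Optional[str] = None
    quick: bool = False
    iface: Optional[str] = None
    af: Optional[str] = None
    proto: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        # A field left unset on the rule (None) matches anything, like "any".
        wanted = [(self.direction, pkt.direction), (self.iface, pkt.iface),
                  (self.af, pkt.af), (self.proto, pkt.proto),
                  (self.dst, pkt.dst), (self.dport, pkt.dport)]
        return all(want is None or want == have for want, have in wanted)


# The posted ruleset, in order, with macros expanded.
RULES = [
    Rule("block in", "block", "in"),
    Rule("pass out keep state", "pass", "out"),
    Rule("pass quick on lo all", "pass", quick=True, iface="lo"),
    Rule("block in quick inet6", "block", "in", quick=True, af="inet6"),
    Rule("block in quick on $ext_if from any to 255.255.255.255", "block",
         "in", quick=True, iface=EXT_IF, dst="255.255.255.255"),
    Rule("pass in quick proto gre all", "pass", "in", quick=True, proto="gre"),
    Rule("pass out quick proto gre all", "pass", "out", quick=True, proto="gre"),
    Rule("pass out on $ext_if proto udp from ($ext_if) to any keep state",
         "pass", "out", iface=EXT_IF, proto="udp"),
    Rule("pass out on $ext_if inet proto icmp from ($ext_if) to any keep state",
         "pass", "out", iface=EXT_IF, af="inet", proto="icmp"),
    Rule("pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22"
         " flags S/SA keep state", "pass", "in", quick=True, iface=EXT_IF,
         af="inet", proto="tcp", dst=EXT_ADDR, dport=22),
    Rule("pass in on $ext_if inet proto tcp from any to $web_server port 80"
         " flags S/SA synproxy state", "pass", "in", iface=EXT_IF, af="inet",
         proto="tcp", dst=WEB_SERVER, dport=80),
    Rule("pass in quick on $int_if", "pass", "in", quick=True, iface=INT_IF),
]


def evaluate(pkt: Packet, rules=RULES) -> Rule:
    """Return the rule that decides the packet.

    pf walks the ruleset top to bottom and the LAST matching rule wins,
    unless a matching rule is marked 'quick', which ends the walk at once.
    With no match at all pf's implicit default is to pass.
    """
    winner = None
    for rule in rules:
        if rule.matches(pkt):
            winner = rule
            if rule.quick:
                break
    return winner if winner is not None else Rule("<implicit default>", "pass")


def decide(pkt: Packet) -> str:
    """'pass' or 'block' for the packet under the posted rules."""
    return evaluate(pkt).action


if __name__ == "__main__":
    cases = {
        "web, filter sees $web_server": Packet("in", EXT_IF, dst=WEB_SERVER, dport=80),
        "web, filter sees ($ext_if)":   Packet("in", EXT_IF, dst=EXT_ADDR, dport=80),
        "ssh to the firewall":          Packet("in", EXT_IF, dst=EXT_ADDR, dport=22),
        "anything from the LAN":        Packet("in", INT_IF, dst="10.0.0.1", dport=443),
    }
    for name, pkt in cases.items():
        rule = evaluate(pkt)
        print(f"{name:30s} -> {rule.action:5s} by: {rule.text}")
```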



Re: avoid logging useless ssh brute force attempts

2008-02-03 Thread johan beisser

On Feb 3, 2008, at 9:12 PM, Ted Unangst wrote:


you still don't gain anything.  what percentage of your traffic is
coming from unallocated space?


I'm not disagreeing with you in that it's wasted effort. It is. This  
is why I personally use overload tables.




Re: avoid logging useless ssh brute force attempts

2008-02-02 Thread johan beisser

On Feb 2, 2008, at 6:32 AM, Wijnand Wiersma wrote:


I don't think bogons are able to complete the TCP handshake since you
don't know how to route back. Filtering those will not make sure there
are less log messages about ssh logins


Not entirely true. Bogons are not supposed to be routed, or routable.  
It doesn't mean someone can't just throw up a BGP advert for a Bogon  
range and start using it, or intentionally spoof addresses from the  
route.




Re: Prolific USB-Serial Controller

2008-02-02 Thread johan beisser
A) don't bother initializing a modem. Forget minicom. It's nearly  
useless for what you're doing.


B) openbsd has a utility built in to do just these kinds of things:  
cu(1)


C) to use cu(1) with a USB serial: cu -l /dev/cuaU0




On Feb 2, 2008, at 1:57 PM, Chris wrote:


On Feb 2, 2008 10:29 PM, Marc Balmer [EMAIL PROTECTED] wrote:

/dev/ttyU0

you should use /dev/cuaU0 for dial-out.


Thanks. I tried both /dev/ttyU0 and /dev/cuaU0 in minicom. They both
seem to go to the initializing modem phase but when I turn on the
switch with /dev/cuaU0 configuration, minicom doesn't show anything
on the screen and minicom with /dev/ttyU0 configuration throws out
garbage characters on the screen -

..5%(.!3..=.3'=./A-#-.'!=7A/5'.5;!!. .-.9/.('5.
..5%((W/5(3!''!.-#1(9!%%=#7.(.-''(-#-.-='-53'=./(3-'5.
..5%(/=.(;55#(-#.5..57(.!.!(-#-.-='-.=..=..9..9.9.O%!75%(3-

Here's my minicom rc file -

pu port /dev/ttyU0
pu baudrate  9600
pu bits 8
pu parity   N
pu stopbits 1

The USB Serial converter is detected as Prolific Technology Inc.
USB-Serial Controller
rev 1.10/3.00, addr 2 in /var/log/messages.

Thanks for any further help on this issue.




Re: Prolific USB-Serial Controller

2008-02-02 Thread johan beisser

On Feb 2, 2008, at 3:17 PM, Chris wrote:


On Feb 3, 2008 9:27 AM, johan beisser [EMAIL PROTECTED] wrote:

C) to use cu(1) with a USB serial: cu -l /dev/cuaU0


I tried cu -l /dev/cuaU0, cu -l /dev/cuaU0 -s 9600 - it says
Connected after that nothing happens. Should I try changing the baud
rate? This Cisco 3950 switch is usually connected at 9600 baud rate
via serial console. Here's /var/log/aculog -


You may hit space or enter. Sometimes it just has to wake up. Cisco,  
by default, uses 9600 8,N,1 if i remember correctly.



/var/log/aculog -

chris (Sun Feb  3 10:05:04 2008) cu9600, , /dev/cuaU0 call completed
chris (Sun Feb  3 10:09:06 2008) cu9600, , /dev/cuaU0 call terminated

chris (Sun Feb  3 10:09:08 2008) cu9600, , /dev/cuaU0 call completed


Is there any dmesg output related to the USB serial controller?



Re: Microsoft buys Yahoo

2008-02-01 Thread johan beisser


On Feb 1, 2008, at 4:18 AM, Erich Dollansky wrote:
It could be anything from more support for FreeBSD to no support  
from Yahoo's side at all anymore.


I like to think that MS learned their lesson on pulling FreeBSD from  
production use when they bought Hotmail. Perhaps not.


Eat your own dogfood doesn't come pleasant when your dogfood is crap.


Re: avoid logging useless ssh brute force attempts

2008-01-31 Thread johan beisser
I've simply added in an overload rule to pf on my server. This has  
helped significantly.



On Jan 31, 2008, at 11:11 PM, Chris wrote:


my logs are filled with useless ssh bruteforce attempts - is there
anything i can do to avoid logging random brute force attacks? since i
disallow ssh root login and use the allowuser acl - i guess i could
just avoid logging all these random attacks in my logs.

Any suggestions would be much appreciated. Thanks.
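The overload-table approach Johan says he uses, here and in his reply to Ted Unangst above, as an added example that is not code from the thread: a Python model of pf's max-src-conn-rate state-tracking option with overload into a table, run over constructed connection attempts. The pf.conf fragment in the docstring shows the shape such a rule takes; the table name and all addresses are constructed.

```python
"""Model of pf's max-src-conn-rate / overload state-tracking option.

Added example, not from the thread. It simulates what an overload rule of
the form

    table <bruteforce> persist
    block in quick from <bruteforce>
    pass in on $ext_if proto tcp to ($ext_if) port 22 flags S/SA keep state \
        (max-src-conn-rate 5/30, overload <bruteforce> flush global)

does, over constructed connection attempts. A source that opens more than
5 states in 30 seconds is put in the table; its later SYNs hit the block
rule and never reach sshd, so they never show up in the auth log either.
"""
from collections import defaultdict, deque


class OverloadTracker:
    """Sliding-window connection rate per source, mirroring max-src-conn-rate N/M."""

    def __init__(self, max_conns: int, seconds: int):
        self.max_conns = max_conns
        self.seconds = seconds
        self.recent = defaultdict(deque)   # src -> timestamps of recent SYNs
        self.table = {}                    # <bruteforce>: src -> time added

    def new_connection(self, ts: float, src: str) -> str:
        """Feed one inbound SYN; return 'blocked', 'overload' or 'pass'."""
        if src in self.table:
            return "blocked"               # 'block in quick from <bruteforce>'
        q = self.recent[src]
        q.append(ts)
        while q and ts - q[0] > self.seconds:
            q.popleft()                    # forget attempts outside the window
        if len(q) > self.max_conns:
            self.table[src] = ts           # 'overload <bruteforce>'
            del self.recent[src]           # 'flush global': its states are killed
            return "overload"
        return "pass"

    def expire(self, now: float, age: int) -> list:
        """Drop table entries older than `age` seconds, as a periodic
        'pfctl -t bruteforce -T expire <age>' would."""
        stale = [src for src, added in self.table.items() if now - added > age]
        for src in stale:
            del self.table[src]
        return stale


def simulate(events, max_conns=5, seconds=30):
    """Run events [(ts, src), ...] through the tracker.

    Returns (tracker, per-source count of attempts that reached sshd).
    """
    tracker = OverloadTracker(max_conns, seconds)
    reached = defaultdict(int)
    for ts, src in sorted(events):
        if tracker.new_connection(ts, src) == "pass":
            reached[src] += 1
    return tracker, dict(reached)


# Constructed sample: a scanner firing one SYN per second for 12 seconds,
# and an admin who logs in a handful of times across the same ten minutes.
SAMPLE_EVENTS = [(t, "198.51.100.7") for t in range(12)] + \
                [(t, "192.0.2.10") for t in (3, 120, 300, 480, 600)]

if __name__ == "__main__":
    tracker, reached = simulate(SAMPLE_EVENTS)
    print("in <bruteforce>:", sorted(tracker.table))
    print("attempts that reached sshd (and the logs):", reached)
```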




Re: low-MHz server

2008-01-30 Thread johan beisser

On Jan 30, 2008, at 7:45 PM, scott wrote:

If MHz are the issue ... you can get SUN NETRA T1 machine off ebay from
50-300$ depending on its age and ingredients.  These used Netra's range
from 400M-1.2G Hz. These are 1U units.  They offer far greater
performance bang than x86's at like MHz.


Just to keep people informed: Netra T1 is LOUD. I mean, shockingly so.  
I can hear mine through the house, easily. It's also, easily, one of  
the loudest systems in the colo right now.


They run openBSD well, but there were some chicken and egg installation
difficulty stories around (boot/install from CD not working) but all
seems prior to 4.x.  Not sure ... perhaps others can advise.  I've only
ever seen them running.


Lacking both cd and floppy in mine, I found that netbooting bsd.rd  
worked.  It's documented in diskless(8), and vaguely covered by  
INSTALL.sparc64. Note that you don't need to follow every single step,  
since you're mainly just looking to bootstrap the loader and the  
kernel from the tftp server.



Perhaps the Netra's will serve your cause.


Never know. I like them.



Re: separate processors

2008-01-28 Thread johan beisser

On Jan 27, 2008, at 9:24 PM, Lord Sporkton wrote:


I am setting up a duel core server, the server will be doing 2 things,
firewall/routing and user-services

since my needs are pretty small for this server and its a duel 2.0
64bit i was hoping to sort of partition the cpus such that
firewalling/kernel processes get one processor and user services like
webhosting, mail, fileserver, and all userland gets the other
processor, that way my firewall wont be bothered by anything else im
doing.


Multiple CPU systems don't work like that, generally.


is this possible and if so where should i start with this.


- Google.
- the misc@ archives.



Re: separate processors

2008-01-28 Thread johan beisser

On Jan 28, 2008, at 11:46 AM, Lord Sporkton wrote:


what keywords should be be searching for?
i have no idea what this would be called?


Parallel processing.

Massively Parallel-processing Systems can usually have assigned CPU  
usage.


I believe Solaris permits some level of CPU assignment, but most  
systems don't use thread/process isolation to a single assigned CPU,  
preferring symmetric allocation of resources (spread over all  
available CPU cores).


There is no reason to avoid SMP style assignment. Not at your scale of  
usage.




Re: Petition to VIA

2008-01-28 Thread johan beisser

On Jan 28, 2008, at 11:10 AM, Gilles Chehade wrote:


RELEASE DECENT LINUX DRIVERS!

I won't sign and I doubt it is a good idea to say to a vendor that  
we want decent drivers
when this will only encourage them into providing blobs instead of  
documentation.


The average user doesn't know the difference between a driver and  
firmware.


See the Stallman rants earlier this year.



Re: most secure graphical browser

2008-01-17 Thread johan beisser

On Jan 17, 2008, at 3:36 PM, Frank Bax wrote:

Have you considered running the browser in a virtual environment?


Outside of virtualization providing snapshots, it doesn't do anything  
to truly improve security.




Re: most secure graphical browser

2008-01-17 Thread johan beisser

On Jan 17, 2008, at 5:02 PM, ropers wrote:


It can be useful for (esp. junior) sysadmins who've hooked up a
monitor and keyboard to a server and are sitting in front of it to
administer it, and who may not be confident enough of their choices
without googling and reading through a number of pages on the web (and
this list of course -- brownie points please ;). Due to bad web design
decisions by others, googling for answers can be more comfortable from
a graphical browser than  from plain vanilla lynx(1).


Funny, I usually have them bring a laptop with them. Y'know, wireless,  
or even a port on the switch, is not entirely out of the question here.



Of course a point could be made that there is an inverse relationship
between the graphical sophistication of a website
(=lynx-incompatible bad design) and the quality of the site's content.
However, sometimes even horribly designed sites host quality content,
and being able to read that content can be useful.


I still don't want a browser, let alone X11, on most of my servers. I  
tolerate Lynx on OpenBSD, but I'd rather not have it there at all.




Re: modifying base system, need to recompile?

2008-01-17 Thread johan beisser

On Jan 17, 2008, at 5:37 PM, Douglas A. Tutty wrote:


However, there have been threads here detailing the recompilation
necessary for sendmail to handle SSL Auth (or whatever it's called).  If
you have to recompile sendmail (as opposed to changing a config),
presumably you'd have to make the same changes to the source and
recompile whenever the source is changed by an update/upgrade.  Is this
correct?


SASL authentication does require a recompile, the last time I checked.



Re: Why do clients running BitTorrent make my router's latency go through the roof?

2008-01-16 Thread johan beisser

Just a fast followup.

While pulling 133K down via BitTorrent I decided to run some tests  
through the 4.1 firewall with hping. Nothing serious, just different  
flags.


My queues, from pftop:
qo_tcp_ack priq  7  790K   49M    0      0  0  163  9939
qo_dns     priq  5  8585   649K   0      0  0    0     0
qo_ssh_im  priq  4  82759  6853K  0      0  0    0     0
qo_http    priq  2  37196  16M    0      0  0    0     0
qo_def     priq    419K    99M    749 241139  0   59   31K
qo_null    priq  0  0      0      0      0  0    0     0


first test, SYN against port 22:

# hping3 -p 22 -S hostname
--- hostname hping statistic ---
9 packets tramitted, 8 packets received, 12% packet loss
round-trip min/avg/max = 66.5/356.0/1243.1 ms

Second, SYN against port 80:

# hping3 -p 80 -S hostname
--- hostname hping statistic ---
110 packets tramitted, 98 packets received, 11% packet loss
round-trip min/avg/max = 19.3/540.5/9137.1 ms

Third, ACK against port 80:
# hping3 -p 80 -A hostname
--- hostname hping statistic ---
17 packets tramitted, 16 packets received, 6% packet loss
round-trip min/avg/max = 1.5/2.2/9.2 ms

I'm less concerned about dropped packets (most likely an issue with  
wireless) than with the huge delta between fastest and slowest  
connection.


I may followup with tests through 4.2 next week or so.



Re: Why do clients running BitTorrent make my router's latency go through the roof?

2008-01-16 Thread johan beisser

On Jan 16, 2008, at 3:58 PM, Unix Fan wrote:

I notice a lot of people forward several ports when using bittorrent


You know, it's not written in stone that you need to use more than
a single port...


The standard bittorrent client usually only handles a single port at a  
time per instance or per torrent file. This may have changed, but I  
honestly don't think it has.


I never run into any speed problems... Even when nearly maxing up my  
20Mbit home cable line ;)


You must be doing something different, or not running 4.1...



Re: Suggested PF Setup when using BitTorrent?

2008-01-15 Thread johan beisser

On Jan 15, 2008, at 1:35 AM, Stuart Henderson wrote:


On 2008/01/14 19:40, johan beisser wrote:

The hardware is a slightly loaded Soekris net4501 with 64mb of RAM
running OpenBSD 4.1 (GENERIC).


This will handle much more traffic if you upgrade to 4.2.


I thought the performance improvement came from 4.1 with the removal  
of per packet interrupts.


The closest relevant information from plus42.html:
* Enable interrupt holdoff on DP83816 sis(4) chips. Significantly  
improves performance of such devices under load.


and from my dmesg:
sis0 at pci0 dev 18 function 0 NS DP83815 10/100 rev 0x00, DP83815D: irq 10, address 00:00:24:c0:31:c8


So, I'm not entirely sure what you mean.



Re: Suggested PF Setup when using BitTorrent?

2008-01-15 Thread johan beisser

On Jan 15, 2008, at 9:34 AM, Stuart Henderson wrote:
I thought the performance improvement came from 4.1 with the removal of per
packet interrupts.


http://www.openbsd.org/42.html
Huge performance improvements in the network stack, including:
# In pf, store routing table ID, queue ID etc directly in the packet
header mbuf instead of using mbuf tags (which use malloc'd memory). This
yields a 100% improvement in pf performance.
# Packet forwarding can skip IPSEC stack if no IPSEC flows are defined.
This yields a further 5% improvement in packet forwarding performance.
# Skip TCP/UDP/ICMP/ICMP6 checksumming when not necessary. This yields a
further 10% improvement in pf performance.


Hmm. I'll do a test upgrade later this week, and once again try to  
knock my latency up to something kind of insane.



The closest relevant information from plus42.html:
* Enable interrupt holdoff on DP83816 sis(4) chips. Significantly improves
performance of such devices under load.


that doesn't help your 83815D.


I know this.



Re: Why do clients running BitTorrent make my router's latency go through the roof?

2008-01-15 Thread johan beisser

On Jan 15, 2008, at 5:23 PM, Brian wrote:


How are you testing for latency, so I can duplicate on my side?


When I was doing my tests, I was running a simple ICMP echo through  
the default queue (what bittorrent runs in). Were I to test this  
again, I'd probably run a full test using hping2/hping3 to construct  
packets to hit specific ports/queues, and adjust packet sizes/payload  
as well.




Re: facts about OpenBSD

2008-01-14 Thread johan beisser

On Jan 14, 2008, at 12:09 PM, Nikns Siankin wrote:


If you get money from selling CDs/soft, its just clearly unfair to not
support it. Yes, I'm talking about stable ports.


Actually, the OpenBSD OS is supported. Your argument is pointless.  
Stable ports are NOT supported because, well, it's not really part of  
the OS.


If you want stable ports, build it all yourself, for the architectures  
you need. If you really think they're so important, donate hardware to  
OpenBSD, and create your own position in the ranks of various devs.


Bitching and whining get you nothing.


If you claim to produce the most secure OS, you have to prove that by
providing secure wifi encryption for masses (WPAx) and usable disk
encryption design for laptops and so on...


I fail to see where those features make you more secure. WPA is a  
clusterfuck. Wireless by its very nature is almost un-securable, even  
with cruft like WPA added in. If you want more secure you should  
look at alternate solutions (IPSec, OpenVPN, etc). And, even then, you  
may want to just review your code and implementation.


Full disk encryption also only provides so much benefit to code  
complexity increase. I like OpenBSD, but if I need full disk  
encryption I still use vnd(4), a passphrase that's different from my  
account password, and mount that locally. Manually. Every time you  
mount the image.


If you want FileVault style access, write your own login patch to  
handle mounting the image, and submit it.



...or let's just call it perfect wired firewall...


Does quite well for me.



Re: Suggested PF Setup when using BitTorrent?

2008-01-14 Thread johan beisser

On Jan 14, 2008, at 5:10 PM, Brian wrote:


--- Max Hayden Chiz [EMAIL PROTECTED] wrote:


Perhaps this problem is specific to my configuration (or specific to
DOCSIS cable modems).  But if it makes Brian (or someone else's
problem) go away, then it is likely that this problem is not unique.


It's not unique, I saw the same issue recently. I basically exceeded  
the number of states my CPU/RAM combo could handle easily (roughly  
2400, normal average is 200 state rules) while pushing major amounts  
of data.


If I reduced the number of connections through bittorrent, performance  
improved.  During the download, at 350 peers, regardless of the  
download rate, I had 2400 some odd state rules. I suddenly saw round  
trip ICMP echo taking 900+ ms to the first hop. At 325, times were  
merely 90ms to the first hop, and normal is around 10ms.


The hardware is a slightly loaded Soekris net4501 with 64mb of RAM  
running OpenBSD 4.1 (GENERIC). It does not have a crypto accelerator,  
and handles ssh and openvpn on the main CPU (both are fairly low in  
usage at this time).


My guess, so far, is an issue with my ruleset, the hardware, and the  
use of synproxy for some of the TCP states (almost all of the BT  
clients I had were over TCP). OpenBSD itself seems to be fine, up  
until I get close to the limits of the hardware.


Let me read through the documentation to figure out how to set this
up.  I am running a cable modem as well.

Here are my bittorrent settings:

--minport 13000 --maxport 14000 --max_initiate 15 --max_allow_in 15
--max_upload_rate 25 --max_uploads 5

Give me some time to figure out the altq and pf.  I have only used
pf for a week, so I'm still learning it.


Ask around if you have questions. There are excellent articles and  
examples available.
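The post above attributes the latency spike to the pf state table outgrowing what the hardware handles comfortably. What follows is an added example, not code from the thread or from OpenBSD: a small sh script that reads the text of pfctl -si, pfctl -sm and pfctl -ss, reports how full the state table is against its hard limit, and lists which internal hosts own the most states. The three pfctl outputs embedded in it are constructed samples so it runs on a machine without pf, the 80% warning threshold is an arbitrary choice, and the per-source tally assumes IPv4 "addr:port" fields.

```shell
#!/bin/sh
# Added example (not from the thread): spot a pf state table filling up,
# the condition described above, and find which internal host owns the
# states. Parses the text of `pfctl -si`, `pfctl -sm` and `pfctl -ss`;
# the samples below are constructed so the script runs without pf.

# Constructed sample of `pfctl -si` (status and state table counters).
SAMPLE_SI='Status: Enabled for 0 days 03:12:45           Debug: Urgent

State Table                          Total             Rate
  current entries                     2400
  searches                         8123456          701.2/s
  inserts                           145678           12.6/s
  removals                          143278           12.4/s'

# Constructed sample of `pfctl -sm` (memory pool hard limits).
SAMPLE_SM='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000'

# Constructed sample of `pfctl -ss` (one line per state, "src -> dst").
SAMPLE_SS='all tcp 10.10.13.22:49153 -> 203.0.113.5:6881       ESTABLISHED:ESTABLISHED
all tcp 10.10.13.22:49154 -> 198.51.100.9:51413    ESTABLISHED:ESTABLISHED
all tcp 10.10.13.22:49155 -> 203.0.113.77:6881     ESTABLISHED:ESTABLISHED
all udp 10.10.13.40:5353 -> 224.0.0.251:5353       MULTIPLE:MULTIPLE
all tcp 10.10.13.10:3456 -> 192.0.2.20:22          ESTABLISHED:ESTABLISHED'

# current_states SI_TEXT: the number on the "current entries" line
current_states() {
    printf '%s\n' "$1" | awk '/current entries/ { print $3 }'
}

# state_limit SM_TEXT: the "states" hard limit (pf's default is 10000)
state_limit() {
    printf '%s\n' "$1" | awk '$1 == "states" { print $4 }'
}

# usage_pct CURRENT LIMIT: integer percentage of the table in use
usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# check_states SI_TEXT SM_TEXT THRESHOLD_PCT: prints a one-line verdict
# and returns 1 when usage is at or above the threshold
check_states() {
    cur=$(current_states "$1")
    lim=$(state_limit "$2")
    pct=$(usage_pct "$cur" "$lim")
    if [ "$pct" -ge "$3" ]; then
        echo "warn: $cur of $lim states in use (${pct}%)"
        return 1
    fi
    echo "ok: $cur of $lim states in use (${pct}%)"
}

# top_sources SS_TEXT: number of states per source address, busiest first
# (field 3 is the pre-NAT source as "addr:port"; the port is stripped)
top_sources() {
    printf '%s\n' "$1" | awk '{ sub(/:[0-9]+$/, "", $3); n[$3]++ }
        END { for (h in n) print n[h], h }' | sort -rn
}

# stand-alone run against the constructed samples
check_states "$SAMPLE_SI" "$SAMPLE_SM" 80 || :
top_sources "$SAMPLE_SS" | head -n 3
```

On a live router the same functions take the real output, e.g. check_states "$(pfctl -si)" "$(pfctl -sm)" 80 from cron; when the percentage climbs toward the limit, the knobs are the ones the thread mentions (fewer peers in the client) or a larger "set limit states" in pf.conf, with the usual caveat that more states cost RAM on a small box.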




Re: FreeBSD's problems as seen by the BSDForen.de community

2008-01-12 Thread johan beisser


On Jan 12, 2008, at 4:37 PM, Daniel O'Connor wrote:
A usenet-forum bridge would be nice since news looks enough like email
for oldies to use :)

Pity the few I have seen are basically unmaintained :(
(eg Papercut)

Hmm I wonder how hard it would be to write a forum scraper


Not too difficult. Quite a few forums provide RSS feeds.
___
freebsd-chat@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-chat
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: FreeBSD's problems as seen by the BSDForen.de community

2008-01-12 Thread johan beisser


On Jan 12, 2008, at 9:29 PM, Daniel O'Connor wrote:


On Sun, 13 Jan 2008, johan beisser wrote:

Pity the few I have seen are basically unmaintained :(
(eg Papercut)

Hmm I wonder how hard it would be to write a forum scraper


Not too difficult. Quite a few forums provide RSS feeds.


That doesn't let you go both ways though, although just being able to
browse forums in a usenet like way would be much nicer..


it's doable with a little bit of work.


Re: Apache box behind Openbsd

2008-01-08 Thread johan beisser

On Jan 8, 2008, at 8:05 AM, Sewan wrote:


Hi,

I have an apache-php website running on windows server 2003 port 80,
i have correct rdr rules pointing at my web server, i can view the
website inside my LAN, but i can't view the page outside of my
network. I've checked all dns/ip settings, everything's fine but the
problem continues. I've read at some forums that apache doesn't
recognize rdr rules from openbsd, so how can i publish my site ?
Thanks...



You could give us more information. Perhaps a copy of your pf.conf.

I'd also, if I were you, look at your pflog output, either live on
pflog0 or through the logs in /var/log.




Re: Improving disk reliability

2008-01-08 Thread johan beisser

On Jan 8, 2008, at 6:29 AM, Douglas A. Tutty wrote:


I know that the FAQ says to just use dump to make backups but what if
you want a tape of a specific group of files for archiving?  When last
did the dump format change?  Since it reads the filesystem directly,
I'd assume that its filesystem-specific.  What if you want portability
across OSs and file system types?  Is there any more-or-less universal
format?


tar(1) with gzip(1).


Re Amanda:  for me, its likely too complex since I only have two boxes
and one is a desktop only.  Right now it runs its own backup script to
create a tarball then the main box rsyncs that over to it.


see? works fine.

Amanda basically does that, without using ssh and without some kind of
security (this may have changed recently). It also keeps a reference
database for which file is stored on which tape, and an index on each
tape of the contents.


All in all, pretty smart design. The best thing out of the features  
AMANDA provides is this tidbit: everything is in gtar to keep things  
as a standard.




Re: Improving disk reliability

2008-01-08 Thread johan beisser

On Jan 8, 2008, at 7:29 AM, Douglas A. Tutty wrote:


However, if you have one directory you wish to put on tape, e.g. as an
archive of old OS .iso's (in case the originals get scratched), as far
as I know, you can't use dump (which is only for entire filesystems).
Or, is there any reason that you can spit an .iso to the tape directly
(and just remember that it is the third file on the tape)?


Perhaps using split(1) on the larger ISO files?

Calculate the size of your tape. Figure out how many chunks you can  
fit on each tape, add in an index file at the beginning and end of the  
tar session, and tar(1) directly on to tape?


lather, rinse, repeat.
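A concrete version of the split(1), index and tar(1) scheme sketched just above, as an added example that is not code from the thread: the hypothetical functions chunks_per_tape, archive_to_tape and verify_tape use a regular file in place of the tape device (on a real box that would be a no-rewind device such as /dev/nrst0), the 20 KB "old-os.iso" is constructed, and the 5% of tape held back for index files and tar headers is an assumption, not a figure from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): split a large image into pieces,
# record a cksum(1) index at the start and end of the archive, and tar(1)
# the lot to "tape". A plain file stands in for the tape device; the
# sample image is constructed.

# chunks_per_tape TAPE_BYTES CHUNK_BYTES: equal-sized pieces that fit on
# one tape, holding back 5% for the two index files and tar headers
chunks_per_tape() {
    usable=$(( $1 - $1 / 20 ))
    echo $(( usable / $2 ))
}

# archive_to_tape SRC_FILE CHUNK_BYTES TAPE: split SRC_FILE into pieces,
# build an index, and write INDEX.begin, the pieces, INDEX.end to TAPE
archive_to_tape() {
    src=$1; chunk=$2; tape=$3
    case $tape in /*) ;; *) tape=$PWD/$tape ;; esac   # tar runs after a cd
    stage=$(mktemp -d "${TMPDIR:-/tmp}/stage.XXXXXX") || return 1
    base=$(basename "$src")
    # pieces are named <base>.aa, <base>.ab, ... so a glob restores them in order
    split -b "$chunk" "$src" "$stage/$base." || return 1
    {
        # first line: CRC and size of the whole image, to verify a restore
        printf 'source %s\n' "$(cksum "$src")"
        # then CRC, size and name of every piece
        ( cd "$stage" && cksum "$base".* )
    } > "$stage/INDEX.begin"
    cp "$stage/INDEX.begin" "$stage/INDEX.end"
    ( cd "$stage" && tar -cf "$tape" INDEX.begin "$base".* INDEX.end ) || return 1
    rm -rf "$stage"
}

# verify_tape TAPE: extract, reassemble the pieces in name order and
# compare the CRC with the one recorded in the index; 0 on match
verify_tape() {
    case $1 in /*) tape=$1 ;; *) tape=$PWD/$1 ;; esac
    scratch=$(mktemp -d "${TMPDIR:-/tmp}/restore.XXXXXX") || return 1
    ( cd "$scratch" && tar -xf "$tape" ) || return 1
    want=$(awk '$1 == "source" { print $2 }' "$scratch/INDEX.begin")
    first=$(awk '$1 != "source" { print $3; exit }' "$scratch/INDEX.begin")
    base=${first%.*}
    got=$(cat "$scratch/$base".* | cksum | awk '{ print $1 }')
    rm -rf "$scratch"
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# demo: constructed 20 KB image, 4 KB pieces, a 64 KB "tape"
demo() {
    work=$(mktemp -d "${TMPDIR:-/tmp}/tape.XXXXXX") || return 1
    dd if=/dev/urandom of="$work/old-os.iso" bs=1024 count=20 2>/dev/null
    echo "pieces per 64 KB tape at 4 KB each: $(chunks_per_tape 65536 4096)"
    archive_to_tape "$work/old-os.iso" 4096 "$work/tape.tar" || return 1
    if verify_tape "$work/tape.tar"; then
        echo "restore verified"
    else
        echo "CRC mismatch"
    fi
    rm -rf "$work"
}

demo
```

The index is written twice on purpose: the copy at the front lets you see what is on the tape without reading it to the end, and the copy at the end survives if the start of the tape is the part that gets damaged. Restoring is the reverse: extract, cat the pieces in name order, and compare the CRC with the "source" line before trusting the image.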



Re: Improving disk reliability

2008-01-08 Thread johan beisser

On Jan 8, 2008, at 1:15 PM, Douglas A. Tutty wrote:


Well, right now, I just do full backups.  Incrementals get rather
tedious.  Especially since they find new files but they don't notice a
file that has been deleted.  So I don't need a list of what files
are in which tarball but rather just what date it is.  A simple log:
this tape, this date, this tarball.


For a little while, I've had a project on my plate to create a simple  
backup system that'd use rsync to mirror the directory for easy  
access, and then have versions going back X-months that can be  
archived to tape, etc, easily.


A simple queryable DB to keep track of files in not only the archived  
files, but also the versions on the backup hardware, and the contents  
of the archival tape at the same time.


Details are not well fleshed out beyond this, and I never really got  
started on coding it up.



As long as the archive format that it tells tar to use is compatible
with whatever version of tar you go to use in 20 years; but that's
another topic.


I don't think the tar(1) format has changed much in the last 20 years,  
and it seems unlikely that the IEEE will redefine it again anytime  
soon. For what it's worth, modern versions of tar(1) should handle  
previously defined versions of it.


But, as you said, it's off topic.



Re: Real men don't attack straw men

2008-01-07 Thread johan beisser

On Jan 7, 2008, at 3:31 AM, Richard Stallman wrote:


If I understand that correctly, it means that OpenBSD does distribute
binary-only firmware, which isn't free.  This would be a second reason
why I should not endorse OpenBSD.  The systems I endorse try to
exclude such firmware.


Then, sir, you're truly shit out of luck in endorsing any Linux kernel  
out there.




Re: Buy now get ISO images to OpenBSD 5.0???

2008-01-07 Thread johan beisser

On Jan 6, 2008, at 5:35 PM, Sevan / Venture37 wrote:


Alright Theo, where have you stashed the code??
http://www.allard.nu/pfw/pics/buynow.png

http://www.allard.nu/pfw/


Hmm. PHP5 based interface with the PF ruleset? Only thing it's really  
missing is some method to manage interfaces, dhcp, etc.


And, BSD licensed. Nifty.



Re: Real men don't attack straw men

2008-01-07 Thread johan beisser
On Jan 7, 2008, at 9:14 AM, Richard Stallman wrote:
 The evidence of this discussion shows that's not a good description
 for what I am saying.  Many of the people on this list were told that
 I want OpenBSD to erect barriers against installing non-free
 programs.  And their words show that they think this means designing
 the system so that installing non-free programs is impossible.  (I
 have not suggested such a thing.)

 My usage of the recommend fits in normal usage.  If you include
 program FOO in a list of programs that could be installed, implicitly
 that recommends installing FOO as an option for people to consider.

Not really. OpenBSD doesn't recommend any of the ports. What it does
is makes things available for people to install. Anyone can submit and
maintain a port for the project, if they so desire. The fact is,
OpenBSD doesn't recommend any of the ports or packages, but makes
the structure available for its users simply as a convenience.

Oxford American Dictionary...

recommend |ˌrekəˈmend|
verb [ trans. ]
1 put forward (someone or something) with approval as being
suitable for a particular purpose or role : George had recommended some
local architects | a book I recommended to a friend of mine.
• advise or suggest (something) as a course of action : some doctors
recommend putting a board under the mattress | [with clause ] the
report recommended that criminal charges be brought.
• [ trans. ] advise (someone) to do something : you are strongly
recommended to seek professional advice.
• make (someone or something) appealing or desirable : the house had
much to recommend it.
2 ( recommend someone/something to) archaic commend or entrust someone
or something to (someone) : I devoutly recommended my spirit to its
maker.

If you'd bothered researching yourself, you may have read this:

http://openbsd.org/faq/faq15.html#Intro

 Perhaps implicitly recommend would be a clearer description of this
 particular case.

Not really, no. Many of the ports are not available as packages. As
has been repeatedly explained.



Re: upgrading FVWM to 2.4

2008-01-07 Thread johan beisser

On Jan 7, 2008, at 9:55 AM, badeguruji wrote:


Hello,

I figure that i will need to give some runtime arguments to
following commands for upgrading my fvwm installation. as per README
from fvwm package...

can someone tell me what is the right value for PREFIX and EPREFIX?


Since they are not part of the base install with X, I'd keep them in
/usr/local/bin. Or, better, build a package/port for it and submit it.




Re: Buy now get ISO images to OpenBSD 5.0???

2008-01-07 Thread johan beisser

On Jan 7, 2008, at 4:05 PM, Eduardo Alvarenga wrote:


If you read here[1], you can notice that by paying $49, you can keep
on downloading PFW updated iso images ** UNTIL ** OpenBSD 5.0.

That's a lot of time IMHO :-)

[1] http://www.allard.nu/pfw/iso (How much is it and what do I get?)


It's his own image, not the official openbsd ones. As has been pointed
out many times before, people are free to use that.


I'm playing around with the software right now.



Re: Buy now get ISO images to OpenBSD 5.0???

2008-01-07 Thread johan beisser

On Jan 7, 2008, at 4:06 PM, Eduardo Alvarenga wrote:


If you read here[1], you can notice that by paying $49, you can keep
on downloading PFW updated iso images ** UNTIL ** OpenBSD 5.0.

That's a lot of time IMHO :-)

[1] http://www.allard.nu/pfw/iso (How much is it and what do I get?)



Oddly, all of the php code is BSD licensed from 2004. I'm still going
through it. The usability is somewhat iffy, at least the versions on
the VMWare image are.


Not bad otherwise.



Re: Real men don't attack straw men

2008-01-06 Thread johan beisser

On Jan 5, 2008, at 11:22 PM, Karthik Kumar wrote:


Secure by default. Ship with nothing and call it secure. Wow! Maybe it
shouldn't start the network by default, huh? Then that's secure, isn't
it? Start no daemons, start no shells: ZOMG!!! it's secure :P


Oddly, I find this more sensible than start with everything wide open  
and on, because a user doesn't know what he might need.



OpenBSD got pwned a year ago with another remote hole. I hope they
find enough so they can stop bragging about 'Secure by default'.


Do you realize that many people just can not live with 'default'?
Look: people do use OpenBSD for things other than plain old fvwm
with xterm. And keeping security as a goal is not just for a stupid
dubious marketing campaign.


Default works pretty well for me:

[EMAIL PROTECTED]'s password:
Last login: Sat Jan  5 15:29:22 2008 from 10.10.13.22
OpenBSD 4.1-current (GENERIC) #328: Wed Jul 11 20:22:58 MDT 2007

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code.  With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.

$ pkg_info -ac
Information for inst:lzo-1.08p1

Comment:
portable speedy lossless data compression library


Information for inst:openvpn-2.0.6p0

Comment:
easy-to-use, robust, and highly configurable VPN


Information for inst:pftop-0.6

Comment:
curses-based real time state and rule display for pf


$



Re: Real men don't attack straw men

2008-01-06 Thread johan beisser

On Jan 5, 2008, at 11:54 PM, Karthik Kumar wrote:


openvpn 2.0.x is in the ports: not by default. PF is not enabled by default.


Deliberately ignoring the point doesn't make it any less relevant.



Re: Real men don't attack straw men

2008-01-06 Thread johan beisser

On Jan 6, 2008, at 1:28 AM, Karthik Kumar wrote:



Deliberately ignoring the point doesn't make it any less relevant.



I am saying that the secure by default doesn't hold because lots of
people use ports.


Most people do. Extending your UNIX system to make it work as you want  
is a basic, and natural, extension of using it.



I use ports for mplayer, xmms, xfce, fluxbox, firefox, evince,
openvpn, dante, flex, bison, gmake, squid, thttpd and php.

The issue here is flashplayer is in the ports; People are told how to
use it and install it on their OpenBSD system. So people do turn an
otherwise secure OpenBSD system into one that is not: It doesn't make
it secure by use. I was not ignoring your point;


No, the issue was non-free software is installed by default. You're  
now trying to backtrack on the point I was making: default install, by  
turning off most services, has had fewer remote exploits than any  
other OS out there. I run OpenVPN. Outside of it, LZO, and pftop,  
there is nothing else that's not default on the system. PF is  
installed by default, but not turned on. Big deal on it not being  
turned on, it's THERE. If you don't do some level of post install  
configuration, you have a useless hunk of hardware.


Adding in a layer of complexity by installing any non-default
software is an admittedly hazardous choice. But, risk mitigation (via
randomizing mmap, pro-police being standard, keeping sockets turned
off, privsep daemons, etc), is a very valuable system, and not one
used often in other BSDs, let alone other UNIXen. It's hard to do
right, hard to implement, and costly to maintain.




Re: Richard Stallman...

2008-01-06 Thread johan beisser

On Jan 6, 2008, at 2:46 AM, Richard Stallman wrote:


Absolutely.  FSF staff checked the BSD versions and told me what
found.  I do not redo their work after they do it; I trust that they
did it well.

Their report about OpenBSD was accurate.


Except, sir, at some point, someone made a mistake. And this mistake  
has blown up in to this thread with this ongoing argument. Their  
report was either not as accurate as you seem to think, or you're very  
badly expressing the contents of the report (which has not been made  
available to the OpenBSD community).


Yes, the port system allows easy installation of non-free and
non-opensource software. It does so no less easily than Debian's Apt,
Redhat's RPM, and other package repositories built for any Linux based
distribution that distributes on the Internet.


Packages ARE free for distribution, or they wouldn't be available on
the FTP site, the CDROM, or distributed at all. If they are not,
they're not included. Period.


Someone on your staff is a lazy little punk and permitted their own  
bias to be reflected in your words. In the end, what you said is still  
what's on record.




Re: NAT IPV4 and bridge only IPV6

2008-01-06 Thread johan beisser

On Jan 6, 2008, at 11:09 AM, Good Good wrote:


Hello,

My ISP (free.fr) now proposes to me a native connectivity in IPV6.
I wish to implement this functionality on my network, that here:

[ASCII diagram: PC1 and PC2 -> switch -> firewall (vr0 inside, vr1 outside) -> ISP box -> ISP network / Internet]


Here some information :
- the ISP box is running as a bridge ;
- the firewall is running Openbsd 4.1 GENERIC#1435 i386 (upgrade to
4.2 not yet done) ;
- workstations are running Win XP ;
- pf rules are quite simple (just filtering and NAT for IPV4) ;
- my ISP provided to me an IPV6 address of the type 2a01:5d8:X:X::/64

The problem :
The /64 provided by my ISP is made to fuel only one ethernet segment
and no more.


They're not willing to route a /64 to you?



So, it is not possible to route a part of the /64 to another ethernet
segment (the private segment).

One solution :
The firewall NAT IPV4 traffic and bridge IPV6 traffic, that here:

[ASCII diagram: same topology as above, with bridge0 inside the firewall joining vr0 and vr1 ("IPV6 bridge only")]

Some clues :
I found some clues on the following web site where my need is summarized.

An English translation -
http://64.233.179.104/translate_c?hl=frie=UTF-8oe=UTF-8langpair=fr%7Cenu=http://www.ip6.fr/free-broute/prev=/language_tools
The original French link -
http://ip6.fr/free-broute/

Second problem :
The author of the previously quoted web site is running under Linux.
Here used commands :
brctl addbr br0
ifconfig br0 up
brctl addif br0 eth0
brctl addif br0 eth1
ebtables -t broute -A BROUTING -p ! ipv6 -j DROP

The magic command is ebtables -t broute -A BROUTING -p ! ipv6 -j DROP.


Questions :
1) Did you understand my problems ? :)


Kind of. My understanding is you want to know if you can just accept  
the /64 traffic, and simply pass it through the firewall, while it's  
acting as a NAT for IPv4 traffic. My inclination is no, that's not  
possible. I suspect it can be done though.


2) Is it the right solution to bridge only IPV6 traffic (I hope for it) ?


I think you could redirect v6 traffic from the external interface to  
the internal one. My concern is that you bypass the firewall. You may  
want to simply bridge, but I'd filter IPv6 just as much as IPv4.



3) The most important question, how to do this type of bridging under
Openbsd (without ebtables) ?


brconfig(8) would configure the bridges, but I believe you'd be pretty  
much screwed on the routing and NAT once you do that.


You could bridge between the external interface, an internal tun/gif,  
and the internal interface, then route all v6 traffic to the tun/gif.  
it'd require some interesting work with route(8), though.


According to the man page, brconfig can only perform layer 2 filtering.


Just a thought, you could set up a non-bridging route label in pf,  
forwarding all IPv6 traffic to a bridged virtual interface with the  
internal interface. It's horribly complex, even in just thinking it out.




Re: Richard Stallman...

2008-01-06 Thread johan beisser

On Jan 6, 2008, at 8:18 PM, Richard Stallman wrote:

By publishing it, and telling only me--not anyone who could fix
it--you made sure a day would go by when others know about the problem
but our sysadmins did not.  It would have been better practice to tell
our sysadmins privately first, and give them a couple of days to do
something before educating the public.

I hope that you have not arranged in effect to cause our web site
to be attacked.



Most likely, attacks are automated and already have scanned and  
compromised the systems vulnerable. In this case, prevention is a  
matter of using good cgi coding practices.




Re: Richard Stallman...

2008-01-05 Thread johan beisser

On Jan 5, 2008, at 6:31 AM, Richard Stallman wrote:

I doubt I would have looked at the AROS web site myself.  To find out
the status of the BSD systems, recently, I asked the FSF staff to
check for me.


Wait, you have someone else do the research, and this person's opinions
get reflected in what you say? You don't have someone else factcheck,
or double check these facts yourself?




Re: Richard Stallman...

2008-01-05 Thread johan beisser

[slight legibility edit]

On Jan 5, 2008, at 9:39 AM, Marco Peereboom wrote:


On Sat, Jan 05, 2008 at 07:30:36AM -0800, johan beisser wrote:

On Jan 5, 2008, at 6:31 AM, Richard Stallman wrote:
I doubt I would have looked at the AROS web site myself.  To find out
the status of the BSD systems, recently, I asked the FSF staff to
check for me.


Wait, you have someone else do the research, and this person's
opinions get reflected in what you say? You don't have someone else
factcheck, or double check these facts yourself?



That's clearly a rhetorical question.


I've gathered that. I'm hoping for a proper answer.



Re: OT YAG Re: delete deleted data

2008-01-05 Thread johan beisser

On Jan 5, 2008, at 8:06 AM, Shane J Pearson wrote:


I think the first computers I witnessed in a work place, were
actually analog computers (Navy).

Where a mix of humans, transistors, valves, gears and three-phase
motors/sensors, got the job done.;-)


They're still in use as of the late 90s.



Re: Richard Stallman...

2008-01-05 Thread johan beisser

On Jan 5, 2008, at 4:56 PM, Rui Miguel Silva Seabra wrote:


Yes. But even if it's legally redistributable, the question remains
whether it's free software or not.

Fortunately OpenBSD is Free Software. Unfortunately it recommends and
distributes proprietary software on its servers (and it wasn't because
some user wrote some text on a wiki page).


Recommends? Where does it recommend? Please, show me a single URL  
where OpenBSD recommends software that's not in the base system.


If you'd said "makes available" I'd probably not have bothered
responding to your ongoing drivel.




Only if they were using it like those sissy pseudo-fans of Free
Software which changed to Apple MacOS X just because it's unix
(erms...) and pretty, and works and has the apps.

That is: they'd use it without any soul.


Actually, I like OS X just fine. non-free and all. As a workstation,  
it's hard to beat. Especially since fighting to make KDE or GNOME  
just work for me in all aspects I need has proven tiresome and  
annoying.


Darwin, for what it's worth, is just as 'free' as Linux or gNewsense.  
Due to some licensing by Apple, parts of it are not as free as  
OpenBSD.


Then again, I know I don't have a soul. I like stuff that just works
without having to fight to make it work.



There needs to be soul into the decision, or else it's just like
choosing clothing. Does she use OpenBSD because she wants to use a
Free Software operating system? If so, what have you done to help her
get rid of her dependency on proprietary software?


Explain soul. As in be a 'soul' into the decision.  I see you whip  
another four letter word out, and I suspect it may have a different  
meaning, much like your odd definition of free. For what it's worth,  
I've always interpreted OpenBSD's usage of free as Free as in  
Liberty. You're free to take it, change it, make it your own, and  
do what you want. You're also free to not return your contributions  
to a derivative to OpenBSD.


So far, nothing you've said that I've read has related to this  
definition of free. It's always Free as in Costs Nothing, Free as  
in Comes Without Warranty, and Free, except not really free.


All I can speak for, is for myself: if I use OpenBSD because I like
its feature set, and if I deploy it as I can... that's the kind of
user you want to go away? I'd say you're better off cancelling the
project, if it depended on you.


Actually, I think the Go Away was more of a shut up you silly  
little wanker. That doesn't stop you from being in the userbase, it's  
just a nice way to ask you to keep your trap shut until you have  
something really useful to say.




Re: Advice requested on security issues

2008-01-05 Thread johan beisser

On Jan 5, 2008, at 7:48 PM, Ted Unangst wrote:


On 1/5/08, Douglas A. Tutty [EMAIL PROTECTED] wrote:

Is there anything that, bug-wise, could go wrong with that remote
browser that would be able to read or alter anything on the local
machine?  I'm talking about using ssh's X forwarding features, not
using X's native forwarding.


a lot more can go wrong than can go right.  in theory, yes, you are
insulated from the client acting up.  in practice, the isolation is
often too complete.  i have never had an app actually work via an ssh
-X connection.


Haven't used it in ages, but I've yet to have one not work. Back in  
the day I used to forward my Netscape session over it to keep my  
browsing private from my then boss' bad habits of sniffing. It  
wouldn't stop someone from watching the Xsession, but it would keep  
them off of my browser itself.


But, pretty much everything worked, outside of audio.



Re: Using PF to QoS on tun interface

2008-01-02 Thread johan beisser

On Jan 2, 2008, at 10:17 AM, Nick Golder wrote:


I inherited a system that is attempting (poorly) to QoS traffic going
across a tun interface (which is being used by OpenVPN).  Examples,
books, and ML suggest to tag on the internal interface ingress traffic
and QoS on the external interface egress traffic.


Treat the tun interface as a normal one. I recently had the same  
issue, and simply adapted TCP ACK priority to the interface, and found  
that worked fine. I'm currently testing a smaller MTU to help with  
fragmentation.


Scrub, by the way, also seems to work quite well.


Since the traffic that I want to QoS doesn't really have an egress
interface to QoS on, I am trying to figure out a way to properly QoS
the traffic.

Here is a quick map on the traffic:

rl0 -- tun0 -- OpenVPN -- rl1 -- Internet


i think you're missing a tunneling interface somewhere.


The traffic I want to QoS on is ingress on rl0 which in turn is also
ingress on tun0.  By the time it hits rl1, it is OpenVPN traffic.


Could you explain this again?

I've been doing foolish interface setup for a while now. My own  
privacy VPN I have running to a co-located box looks a bit like this:


[internet] -- [external interface] -- [tun0] -- [openvpn] --  
[external interface]


I also have a LAN to colo box setup, using openvpn on a different port.


Any recommendations on how to handle this?


Treat tun0 as a normal altq interface. So far, there's not been any
real issues with it co-existing with my normal altq rules for non-VPN
traffic on the router. The one thing I've not had is an interface
speed conflict, since I arbitrarily reduced the bandwidth to somewhat
less than my external interface.


For my soekris LAN gateway:

altq on tun0 priq bandwidth 400Kb queue { vpn_tcp_ack, vpn_def, vpn_null }

queue vpn_tcp_ack priority 7
queue vpn_def priority 1 priq(default)
queue vpn_null priority 0

pass out quick on tun0 proto tcp from ($int_if:network) to any \
    queue (vpn_def, vpn_tcp_ack)
pass out quick on tun0 proto { udp icmp } from ($int_if:network) to any \
    queue vpn_def



Re: Improving disk reliability

2008-01-02 Thread johan beisser

On Jan 2, 2008, at 4:29 PM, Erik Wikström wrote:


The preferable way to solve this would probably be to use two disks
but that is not an option for me. So I was wondering if it is possible
to instead split the disk in two parts, the first is used to install
OpenBSD on, and the rest is split in two and setup in a mirror
configuration using RAIDframe or something similar. If this is
possible, will it buy me any additional protection against data loss,
or is it more likely that my disk crashes all together?


If the disk develops errors, no amount of replication on the same hard
disk device will prevent potential data loss.

You'd be better off mirroring on two completely separate devices.
Perhaps copying the same data to another system or service may work.



Re: Ethernet jumbo frames?

2007-12-29 Thread johan beisser

On Dec 29, 2007, at 10:41 PM, Girish Venkatachalam wrote:


What on earth is this?

http://www.cyberciti.biz/faq/rhel-centos-debian-ubuntu-jumbo-frames-configuration/


Jumbo frames.  Ethernet frames with more than 1500 bytes of payload /
an MTU larger than 1500.



I was under the impression that Ethernet frames can never be more than
1500 bytes.


Unless they're jumbo frames, yes.


Or is it some kind of stupid linux hack? Or does it have any meaning?


It's permitted in IEEE 802.3, if not encouraged.


Is there real value in this?


Fewer frames get corrupted, means less processing overhead per frame.  
Outside of that, the remaining advantage is fewer frames going over  
the line. It's not recommended on the same LAN as systems not using  
jumbo frames.




Re: Postfix(chroot) and Postgresql

2007-12-25 Thread johan beisser

On Dec 25, 2007, at 12:57 PM, badeguruji wrote:

I want to setup postfix and dovecot. i want to authenticate my users
thru ldap.

for that i have installed openldap server package.
Is there a place where i can find some 'pointed' help on how to
build such an 'email users' database? i do not want to have unix
logins for them.


i am searching on google and have not found anything yet. i am
therefore looking into generic ldap manuals. (i do not want to be a
ldap guru)


http://wiki.dovecot.org/VirtualUsers
http://wiki.dovecot.org/AuthDatabase/SQL

I think everything you asked about is documented right there.



Re: pf + wii

2007-12-24 Thread johan beisser

On Dec 24, 2007, at 12:34 AM, Lord Sporkton wrote:


i could be wrong but here is my 2 cents:

ive seen something like this related to upnp, i would venture to guess
your 2 friends have routers which support upnp and so far as i know
openbsd does not support upnp.

I would suggest either consulting the guitar hero manual or a tcpdump
for the required ports for this game and try a static pat translation
to your public ip.

upnp allows the wii to request certain ports from the nat device be
opened for it, in this case it sounds like your wii needs certain ports
open to allow the server to connect to it, normally upnp would take
care of it dynamically, but you dont have upnp, so you have to statically
assign the pat.



UPnPd for OpenBSD:

http://www.tateoka.org/~tate/doc/openbsd-upnp.html
http://miniupnp.free.fr/

Personally, I've yet to need anything like this. 



Re: Is there a L2TP daemon port?

2007-12-23 Thread johan beisser

On Dec 23, 2007, at 1:42 AM, scott wrote:


RE: tunnelblick

you should look at

ssh -w tun0:tun0 ...

option; it's comparatively new and a tad under documented but works
nicely, albeit on tcp.


My complaint with the -w option is not a lack of it working (works  
great), but lack of support through every OS out there; you need to  
have a tun driver, also be able to configure the remote side  
interface, not to mention the local one.


Then there are the additional protocol resend problems due to it using  
tcp for a transport layer. For short, non-lossy, hops, this isn't a  
big deal. For lossy environments (wireless, long distances, satellite,  
asymmetrical routes, etc), the resending of tcp packets due to packet  
loss and fragmentation makes it a non-viable solution. At least, for  
anything that's going to be constant or continually used.


I'd also not use that with clients who're less technically adept.



Re: Is there a L2TP daemon port?

2007-12-22 Thread johan beisser


 Hi,

 I have been thinking to set up a VPN on my OpenBSD server using L2TP over IPsec... the IPsec stuff seems to be built-in and good... but what about L2TP? Is there a L2TP daemon or LNS in the ports tree somewhere?

 Or am I missing something?

No.

After searching around, playing with PoPToP, and trying various other  
solutions, I settled on OpenVPN.


The advantages are pretty well spelled out. OpenVPN supports just about every OS out there. My only complaint is a lack of privsep.


 I like to set it up so less-technical users on a Win or Mac laptop and come and connect to my VPN.

There are a multitude of guides and tutorials on how to have a simple  
install package for OpenVPN for less technical users.


Good luck.



Re: Is there a L2TP daemon port?

2007-12-22 Thread johan beisser

On Dec 22, 2007, at 6:57 PM, Sunnz wrote:


Yes I have tried an OpenVPN client on a Mac before... it feels kind of
hackish to be honest... haven't tried the Windows one yet... but if
that's the only thing that works then I don't have a choice I guess.


I can understand that. What's worked really well, for me on 10.4 and 10.5, has been tunnelblick. Pop your config into ~/Library/openvpn, provide a path to your keys, and it just works. Even has a handy little icon on the upper bar.


On the back end, OpenBSD supports it beautifully. I have a system  
supporting two different VPN tunnels extremely well.



Thanks for the advice!


Not a problem.

I recently went through a hunt for an L2TP daemon that would work with  
OpenBSD, and after a week of fruitless searching started hacking with  
IPsec for other routing/tunneling needs.


Even with ipsecctl/ipsec.conf, I found things lacking. One of the  
biggest problems was a lack of fine tuned control between routers and  
clients. OpenVPN suffered none of these difficulties.


Quick examples:

- I could have the tunnel and the route through the tunnel, as  
separate and not related.

- Another issue with NAT traversal was immediately solved.
- The PF firewall could now be applied to a specific tun interface,  
and not tied to the enc0 interface (when running 2 or 3 tunnels each  
having different access needs, this counts for a fair amount).

- complexity of setting up clients and server was reduced.

I have to say I started in the same boat as yourself. I wanted simple  
L2TP tunneling to an OpenBSD server.
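The per-interface filtering point above (PF rules pinned to a tun interface rather than to enc0), as an added pf.conf illustration that is not from the thread; the interface names tun0/tun1, the 10.8.0.0/24 and 10.9.0.0/24 client subnets, the LAN subnet and the ports are assumptions:

```pf
# Added example (not from the thread): pf.conf fragments for the
# "filter per tunnel" point. Interface names, subnets and ports are
# assumptions for illustration.

lan_net = "192.168.1.0/24"

# With IPsec, every tunnel's decrypted traffic arrives on enc0, so the
# only way to tell an admin client from a guest client is its address.
pass in on enc0 inet proto tcp from 10.8.0.0/24 to $lan_net port { 22 443 } keep state
pass in on enc0 inet proto tcp from 10.9.0.0/24 to $lan_net port 443 keep state

# With OpenVPN, each server instance has its own tun interface, so the
# policy can be pinned to the interface as well as the address space;
# a packet arriving on the guest tunnel with an admin-range source
# matches neither pass rule and is dropped and logged.
block in log on { tun0 tun1 }
pass in on tun0 inet proto tcp from 10.8.0.0/24 to $lan_net port { 22 443 } keep state
pass in on tun1 inet proto tcp from 10.9.0.0/24 to $lan_net port 443 keep state
```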




Re: [Full-disclosure] Standing Up Against German Laws - Project HayNeedle

2007-11-13 Thread johan beisser


On Nov 11, 2007, at 1:26 PM, Duncan Simpson wrote:

The signal-to-noise logic probably does work, but I am not sure the legal angle does. If you *deliberately* ran the software that accidentally downloaded that kiddie porn the suggested angle might not work.


That's been an ongoing question for me with regards to things like  
TOR gateways.


As has been recently posted on Risky Business[1] and The Age[2], TOR doesn't prevent sniffing of the traffic leaving its gateway. If a running gateway connects to a server with information of interest - child porn, bomb making information, a known criminal forum - that brings authorities investigating to your house, it isn't a very good way to cover one's own tracks with noise. On a similar note, randomly connecting and pushing network data may create noise that obscures important data, but it may be easily filtered out from the logs during analysis.




A law requiring log data to be retained for 6 months should be a major problem to enforce. Last time I think the UK mooted this it did not happen (disclaimer: this might have been a trial balloon designed to generate flak).

My reaction at the ISP end was "OK, will you buy us the extra hardware required?" with the intention the answer would be no and the plan quietly killed. (Thinking that plain daft things will not be enacted is not always reliable, unfortunately).


That's been my first question as well. Storage, at least for compliance purposes, has gotten cheaper. 6 months of log data for most ISPs will still be under the 500GB range of disk. The harder part of the stored logs is making it easily analyzed and relevant. There are, of course, several companies in the data retention compliance arena already, most have offerings for PCI, SOx and HIPAA. It's not a stretch to think there are smaller offerings to handle this German law's lighter retention requirement for logs.


[1] http://www.itradio.com.au/security/?p=48
[2] http://www.theage.com.au/news/security/the-hack-of-the-year/2007/11/12/1194766589522.html




Re: Standing Up Against German Laws - Project HayNeedle

2007-11-13 Thread johan beisser


On Nov 13, 2007, at 12:39 PM, Paul Wouters wrote:



Instead of creating noise, one should fix the problem of sending out plaintext email, and encourage people to use email encryption such as Enigma for Thunderbird. Encrypt IM conversations with OTR, and via other ways pro-actively protect one's own privacy. That is a real structural solution. Don't blame others for not using an envelope around your own communication.


Actually, that's not really part of the issue. The logs don't contain  
context, just who/where/when. While encryption will prevent (one  
hopes) the capability of recovering context, who you talked to is not  
kept private or otherwise secret.







Re: [Full-disclosure] Standing Up Against German Laws - Project HayNeedle

2007-11-12 Thread johan beisser

On Nov 10, 2007, at 9:28 AM, Paul Sebastian Ziegler wrote:

 The mechanism is quite easy: It searches Google for random words and
 picks random pages among the results, then spiders from there (well it
 is spidering except that it only follows one URL at a time within a
 session thus simulating a user).

There are a few things wrong with this approach. Most of them were outlined by Bruce Schneier when he reviewed TrackMeNot[1] last year.

The same issues with TrackMeNot apply to Hayneedle, including potential false positives, and a list of word combinations that can be filtered out easily, and well, the list goes on.



[1] http://www.schneier.com/blog/archives/2006/08/trackmenot_1.html

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




Re: Standing Up Against German Laws - Project HayNeedle

2007-11-12 Thread johan beisser


On Nov 12, 2007, at 11:27 AM, Matt D. Harris wrote:

However some of these issues can be mitigated without too much  
trouble.  For example, one could have a dynamically growing  
dictionary of words to search for based on random words in random  
results pages that it grabs.  At the very least, this would kill  
any attempts to filter it out of the data mining system.


That'd be a significantly different approach. Even grabbing data from  
the previously browsed cache would also work, as far as seeding  
dictionary goes.


If the point of the system is primarily to create plausible deniability for the end-user, that is, to allow them to say "hayneedle hit the site, not me, so I am innocent", then I'd say it could be effective in that regard barring some proviso in the law that allows them to persecute someone who did not actually even visit a site of their own volition. Beyond that, it's also effective in terms of turning up the noise to signal ratio and making this law that much less effective, while placing a greater burden on ISPs who are then more likely to lobby against it ever more vigorously all while remaining entirely 'white area' in terms of functionality.


If I read the law correctly, it requires retention of what IP connected to another IP and which phone number called where. It doesn't bother retaining the URL called (my German is rusty, so I may be a little off in my interpretation). Connecting to a random IP on a random open port (80 and 443, for example) would be a good start to accomplish the goal of creating chatter. The issue is that the search terms to find those ports could lead to connecting to a site that increases your profile against general background chatter, even as it is raised with random connection traffic.


In that light, I'd regard use of something akin to TOR a slightly  
better solution for protecting privacy and filling up logs.


I understand your post, but I don't think Mr. Ziegler was overselling his product's effectiveness beyond what it is really capable of.


I wasn't saying there was overselling the effectiveness. I do think  
the approach is innately flawed from a privacy standpoint.

