Re: Volunteer needed to create screen saver for BSDCan
Leopard or Tiger? On Sat, May 3, 2008 at 12:11 PM, Dan Langille [EMAIL PROTECTED] wrote: I need help. I need someone to create a screen saver to run on my Mac. This screen saver will be used during the opening session of BSDCan. In short; I have about 20 emails I wish to have displayed. I can give you the emails or a PDF of each email, whichever you want. I had tried using just the PDF and the Pictures Folder screen saver. This was a good start. But each PDF contains large amounts of whitespace. Each email occupies very little of one PDF page. Therefore, the screen saver often shows this whitespace and nothing else. I'm not worried about how you achieve the result, but one suggestion I thought of was: convert the PDF to an image file and crop off the whitespace. Please contact me off-list and I will send you the PDFs/emails. Those with suggestions as to how to do this work are free to suggest, but I do not want to do the work as other parts of BSDCan are higher priority right now. :) Thanks. -- Dan Langille -- http://www.langille.org/ [EMAIL PROTECTED] ___ freebsd-chat@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-chat To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Volunteer needed to create screen saver for BSDCan
Yeah, that's Tiger. I don't know if Leopard Quartz Composer constructs work in Tiger. It might be worth a shot. You might also just want to play with QuartzComposer.app. On Sat, May 3, 2008 at 1:56 PM, Dan Langille [EMAIL PROTECTED] wrote: On May 3, 2008, at 4:20 PM, Johan Beisser wrote: Leopard or Tiger? Mac OS X 10.4.11 (8S2167), which I think is Tiger. On Sat, May 3, 2008 at 12:11 PM, Dan Langille [EMAIL PROTECTED] wrote: I need help. I need someone to create a screen saver to run on my Mac. This screen saver will be used during the opening session of BSDCan. In short; I have about 20 emails I wish to have displayed. I can give you the emails or a PDF of each email, whichever you want. I had tried using just the PDF and the Pictures Folder screen saver. This was a good start. But each PDF contains large amounts of whitespace. Each email occupies very little of one PDF page. Therefore, the screen saver often shows this whitespace and nothing else. I'm not worried about how you achieve the result, but one suggestion I thought of was: convert the PDF to an image file and crop off the whitespace. Please contact me off-list and I will send you the PDFs/emails. Those with suggestions as to how to do this work are free to suggest, but I do not want to do the work as other parts of BSDCan are higher priority right now. :) Thanks. -- Dan Langille -- http://www.langille.org/ [EMAIL PROTECTED]
Re: Setting up a HA server with limited resources
Hmm. Gotta review CARP again, it seems. When did this go in? On Mar 23, 2008, at 2:29 AM, Ryan McBride wrote: On Sat, Mar 22, 2008 at 10:49:26AM -0700, johan beisser wrote: I would like to reach a state, if possible, in which load balancing is performed, but at the same time, if one machine fails, the other will automatically take over. I believe this setup is also very useful when deploying updates. You're screwed on the load balancing without a 3rd system in the mix. Preferably 4 systems, so you've got failover between the firewalls. That's not the case anymore - see the IP BALANCING section in the carp(4) manpage. (There are a few caveats, first and foremost being that your layer 2 network will have to cooperate.)
Re: Setting up a HA server with limited resources
On Mar 22, 2008, at 5:44 AM, Rico Secada wrote: Hi. A customer with very limited resources needs to set up a highly available system running apache, mysql, postfix and dovecot and I have gotten the task. It's doable, but the unanswered question is what do each of these components have to do with one another? What exactly are you trying to do? I have only two Pentium 4 machines at my disposal, and I have begun researching how to make them work with load balancing and fail safe operations at the same time. I have one public IP address available. This would be a CARP component. I would like to reach a state, if possible, in which load balancing is performed, but at the same time, if one machine fails, the other will automatically take over. I believe this setup is also very useful when deploying updates. You're screwed on the load balancing without a 3rd system in the mix. Preferably 4 systems, so you've got failover between the firewalls. Any advice on how to implement such a setup? First, figure out what they're asking for. Then separate the problem into component issues. - MySQL master-master replication - HA Heartbeat (linux-HA is a good start on how to do this) - Dovecot IMAP with MySQL as a back end -- this is usually just for AUTH. Where does dovecot keep its files? Last I looked, it couldn't shove them into MySQL, or pull the email out.
Re: OT: fully interconnect switches: interesting problem
On Feb 25, 2008, at 6:39 AM, Douglas A. Tutty wrote: But if the switches don't know how to handle this setup, then they'll go crazy. I don't know if these switches can be told how to handle this. They can. The Dell Powerconnect 2700 are basically rebranded Cisco switches running CatOS. Bang for buck, they're not bad.
Re: OT: fully interconnect switches: interesting problem
Did you configure STP, or are the switches figuring this out on their own? On Feb 24, 2008, at 1:09 PM, John Nietzsche wrote: Dear gentleman/madam, I was given 4 2724 Dell PowerConnect switches and only 6 patch cords. Besides that, I was given a challenge to connect them to each other having a full interconnection schema (thanks to my classes on graph theory, I could do it using only 6 patch cords). So, given any two switches there is a direct path between them. Instead of cascading, this approach avoids a single point of failure and allows, for instance, an uplink of 3 Gb/s between any given two switches and reduces patch cord usage (my graph edges in this scenario). The problem arises when I turn them on: after some time (from seconds to 1 or even 2 minutes) the switches go crazy. I cannot even ping the IP assigned to the switch I am connected to directly, not to mention a desktop located on another switch. Is there any configuration that could be done to allow such an interconnection schema? Thanks in advance. PS: please forgive my OT message, but I am really desperate. Could someone point me to a better list to place my message?
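The question behind the reply above is what the switches do with six links between four boxes. This added example (not code from the thread) models it: four switches wired as a full mesh, a broadcast flooded with no spanning tree, and the root election plus root-path-cost computation that 802.1D uses to put three of the six links into blocking. Switch names, bridge IDs and the equal link cost are assumptions made for the example.

```python
"""Added example, not code from the thread: why a full mesh of four switches
melts down without spanning tree, and which links 802.1D would block.
Switch names, bridge IDs and link costs are assumed values."""
import heapq
from itertools import combinations

SWITCHES = ["sw1", "sw2", "sw3", "sw4"]
LINKS = [frozenset(pair) for pair in combinations(SWITCHES, 2)]  # the 6 patch cords
LINK_COST = 4  # 802.1D path cost for a 1 Gbit/s link
# Bridge ID is (priority, MAC); the lowest wins root election. Assumed values.
BRIDGE_ID = {
    "sw1": (32768, "00:00:24:aa:00:01"),
    "sw2": (32768, "00:00:24:aa:00:02"),
    "sw3": (32768, "00:00:24:aa:00:03"),
    "sw4": (32768, "00:00:24:aa:00:04"),
}


def neighbours(links):
    nbrs = {sw: set() for sw in SWITCHES}
    for link in links:
        a, b = tuple(link)
        nbrs[a].add(b)
        nbrs[b].add(a)
    return nbrs


def flood_rounds(links, start, rounds):
    """Copies of one broadcast frame in flight after each round, when every
    switch forwards a received broadcast out every other active link.
    Without a tree the count grows each round: a broadcast storm."""
    nbrs = neighbours(links)
    frames = [(start, None)]  # (switch holding the frame, switch it came from)
    counts = []
    for _ in range(rounds):
        frames = [(peer, sw) for sw, came_from in frames
                  for peer in nbrs[sw] if peer != came_from]
        counts.append(len(frames))
    return counts


def spanning_tree(links):
    """Root election plus root-path-cost computation, the core of 802.1D.
    Returns (root, forwarding links, blocked links). Each non-root switch
    keeps the link on its cheapest path to the root (its root port); ties
    go to the upstream bridge with the lower bridge ID, as in the standard."""
    nbrs = neighbours(links)
    root = min(SWITCHES, key=lambda sw: BRIDGE_ID[sw])
    best = {root: (0, None)}  # switch -> (root path cost, upstream switch)
    heap = [(0, BRIDGE_ID[root], root)]
    while heap:
        cost, _, sw = heapq.heappop(heap)
        if cost > best[sw][0]:
            continue
        for peer in nbrs[sw]:
            if peer == root:
                continue
            candidate = (cost + LINK_COST, BRIDGE_ID[sw])
            current = best.get(peer)
            if current is None or candidate < (current[0], BRIDGE_ID[current[1]]):
                best[peer] = (cost + LINK_COST, sw)
                heapq.heappush(heap, (cost + LINK_COST, BRIDGE_ID[peer], peer))
    forwarding = {frozenset((sw, up)) for sw, (_, up) in best.items() if up is not None}
    blocked = set(links) - forwarding
    return root, forwarding, blocked


if __name__ == "__main__":
    print("no STP, copies per round:", flood_rounds(LINKS, "sw1", 5))
    root, fwd, blk = spanning_tree(LINKS)
    print("root:", root)
    print("blocked links:", sorted(sorted(link) for link in blk))
    print("with STP, copies per round:", flood_rounds(fwd, "sw1", 3))
```

With the tree in place the three cross links sit idle, so the 3 Gb/s uplink the poster hoped for does not exist at layer 2; the fix for the meltdown is to let STP run (or buy switches that aggregate links), not to find a configuration that keeps all six links forwarding.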
Re: upgrading to 4.3-beta
On Feb 23, 2008, at 1:26 PM, Chris wrote: I have upgraded my 4.2-release to 4.3-beta. But I am a bit confused as I cannot see snmpd.conf, relayd in /etc. However, I can see them in /usr/src/etc/. When I login it says 4.3-beta and uname -amp shows 4.3. I've been using mergemaster(8) to follow /etc. It works well. One thing to remember is that /etc is not touched during a direct upgrade. Either manually update and add users, config files and devices, or go about it with a script akin to mergemaster(8).
Re: Updates for old releases
On Feb 23, 2008, at 5:44 PM, Antonio Lobato wrote: I know it is better to use 4.2, but it does not depend only on my opinion, I'm configuring the firewall for a customer, and now I can at most give advice. Advise them to use 4.2. There are significant speed improvements to pf, among other things.
Re: changing bash prompt escape sequences
On Feb 23, 2008, at 6:29 PM, Jay Hart wrote: I use bash as my shell. I'm trying to set the bash prompt to display: ttyC1 [EMAIL PROTECTED] I've created a .bashrc in the user's home directory (in this case root), and used the following line: PS1=\l [EMAIL PROTECTED] # So, what happens when you can't log in to the system, delete the bash package or lose your /usr/local/ filesystem? I'd suggest not using that as your root login shell. When I login as root, or any other user for that matter, the default prompt is: -bash-3.2# Try the system bashrc, or use .bash_profile. The only way so far that I found to change the prompt is to type 'bash' at the prompt after login. This is ok, but I know that this should work the first time I login, without having to issue a standalone command. From the bash(1) 3.2 man page: When bash is invoked as an interactive login shell, or as a non-interactive shell with the --login option, it first reads and executes commands from the file /etc/profile, if that file exists. After reading that file, it looks for ~/.bash_profile, ~/.bash_login, and ~/.profile, in that order, and reads and executes commands from the first one that exists and is readable. The --noprofile option may be used when the shell is started to inhibit this behavior. I've come to the conclusion that I need to modify another file within the /etc directory, but what? So, what led to that conclusion? Probably not the man page.
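Two things are going on in the reply above: which start-up files a bash login shell reads (the man page excerpt), and why a package-installed shell is a poor choice for root. This added example (not code from the thread) models both: startup_files() follows the bash(1) text quoted in the message, and risky_root_shells() flags uid-0 accounts whose login shell lives outside the base system. The passwd lines and the prefixes treated as package roots are constructed for the example.

```python
"""Added example, not code from the thread: a model of bash 3.2 start-up file
selection per the quoted man page, and a check for uid-0 accounts whose shell
would vanish with /usr/local. Sample data is constructed."""

HOME_FILES_IN_THREAD = {"~/.bashrc"}  # what the poster created: only .bashrc


def startup_files(login, interactive, home_files):
    """Files bash reads at start-up, in order (BASH_ENV handling omitted).
    Login shell: /etc/profile, then the first of ~/.bash_profile,
    ~/.bash_login, ~/.profile that exists. Interactive non-login shell:
    ~/.bashrc only. Neither flag: nothing from the home directory."""
    files = []
    if login:
        files.append("/etc/profile")
        for candidate in ("~/.bash_profile", "~/.bash_login", "~/.profile"):
            if candidate in home_files:
                files.append(candidate)
                break
    elif interactive:
        if "~/.bashrc" in home_files:
            files.append("~/.bashrc")
    return files


NON_BASE_PREFIXES = ("/usr/local/", "/usr/pkg/", "/opt/")  # assumed package roots


def risky_root_shells(passwd_text):
    """uid-0 entries (/etc/passwd format) whose shell is a package binary
    rather than /bin/sh, /bin/ksh or another base-system shell.
    Returns [(user, shell), ...]."""
    risky = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry, not this check's job
        user, uid, shell = fields[0], fields[2], fields[6]
        if uid == "0" and shell.startswith(NON_BASE_PREFIXES):
            risky.append((user, shell))
    return risky


# Constructed /etc/passwd-style lines (password field elided).
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/usr/local/bin/bash
toor:*:0:0:Bourne-again Superuser:/root:/bin/ksh
jay:*:1000:1000:Jay Hart:/home/jay:/usr/local/bin/bash
"""

if __name__ == "__main__":
    # The poster's symptom: the login shell never looks at ~/.bashrc, but the
    # 'bash' typed afterwards is interactive and non-login, so it does.
    print(startup_files(True, True, HOME_FILES_IN_THREAD))   # ['/etc/profile']
    print(startup_files(False, True, HOME_FILES_IN_THREAD))  # ['~/.bashrc']
    print(risky_root_shells(SAMPLE_PASSWD))                  # [('root', '/usr/local/bin/bash')]
```

The first two calls reproduce the symptom in the thread: with only a .bashrc present, the login shell reads /etc/profile and nothing from the home directory, while the bash started afterwards is interactive and non-login, so it picks up .bashrc and the prompt. The third call is the recovery check: an account with uid 0 and a shell under /usr/local cannot log in once that filesystem or package is gone, which is the point made in the reply.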
Re: changing bash prompt escape sequences
On Feb 23, 2008, at 7:35 PM, Jay Hart wrote: I've looked at or modified every file in root's and one user's home directory without having the prompt displayed upon initial login. Once I login, and run 'bash', the prompt will be displayed as I set it. This leads me to believe that I have an initial file to set which is being read as part of the init of the box. It's likely bash(1) may avoid reading root's environment. Check /etc/profile, and read the man page on bash. It's ugly, confusing, but it may clear up your issues. If it helps, you may need to make sure that your shell is invoked properly: PS1 is set and $- includes i if bash is interactive, allowing a shell script or a startup file to test this state. I rarely (never, actually) log in as root unless the system is in single user mode. Even then, I don't use bash; sh(1) and ksh(1) work just fine. As a user, sudo(8) works better.
Re: Cannot install 4.3-beta firefox from snapshots/packages/amd64
On Feb 23, 2008, at 2:54 PM, Mark Zimmerman wrote: I just installed the latest amd64 snapshot and wanted to test some packages. Firefox will not install due to a chain of dependencies stretching back to glitz which requires libGL.6. The snapshot I installed this morning has libGL.7. Since the snapshots/packages/amd64 directory is over two weeks old, I hope that I can get back to this as soon as it gets rebuilt. Or is package testing not normally done outside of i386? It's more likely the building of snapshot packages wasn't a high priority for amd64 recently.
Re: DHCP client failure with cable modem
On Feb 22, 2008, at 5:32 PM, David Murphy wrote: PS: another piece of info I left out is that my modem is a Motorola Surfboard SB5120, and my cable ISP is Charter. Does charter require PPPoE?
Re: DHCP client failure with cable modem
On Feb 22, 2008, at 8:19 PM, David Murphy wrote: I'd be happy to provide any information requested. I'm quite new to *BSD, but I'm pretty well-versed in Linux, so tell me what you need, and I'll find it. If you need more information about the box than what I gave at the end of my first post, let me know. Ok. When you initially plug in the modem side interface, what does it see? Do a basic tcpdump, and watch the traffic for the dhcp assignment. Secondly, could you forward your pf.conf?
Re: blade servers
On Feb 6, 2008, at 5:45 PM, Need Coffee wrote: Does anyone run OpenBSD on blade servers? I don't mean Sun Blade 150 kind of hardware, but rather blade chassis with server blades (a la Sun Blade 8000, HP, Dell, etc.). I've been running FreeBSD on an Intel blade chassis with varying amounts of success. The biggest problem is that the interfaces, bge(4), bce(4), aren't all that well supported. Just unsupported enough that the VAR I went through had to delay delivery by 3 weeks while a driver was written from the ground up. Even then, the only supported speed was 1000baseSX, in full duplex. It's not that big of an issue, but under load I've got worries the interface will drop out. The next issue is cost. Each blade runs around $4000, USD. A little more, actually. The chassis needs 208v in the cabinet, and draws a huge amount of power. It's expensive to run, basically. So, on to the good. If you fill out the entire chassis (14 blades, 2 switch units and one MM), you have a good farm of systems sitting in a small space. It really does shove a bunch of systems into 5U. The units themselves are pretty powerful (2 AMD64 capable systems with twin cores, so 4 available CPUs, 8 GB of RAM, RAID 1 on two 80 GB SATA drives, etc). But, the best aspect is the MM. The MM gives you a fair amount of control over the chassis itself, and each system hosted on it. A Java based KVM permits you to move a virtual keyboard around between machines easily. The catch is that you don't know if that will cause a kernel panic (it seems to happen every 2 or 3 times on FreeBSD) or not. The internal switches do full 802.1Q VLANs, managed through an IOS/CatOS-like language and a web interface available from the MM. All in all, the system is very powerful, and you get an okay bang for the buck. Expect to spend $12k or so, right away, since unless you at least fill the chassis 1/2 of the way you're taking up more space and power than you would with 7 1U systems.
The blade chassis units themselves are expensive since the Switch Module and MM don't come standard. Custom power requirements are expensive: $500/drop for the 208v install from a DC was the average quote, and we're paying around $300/mo in power alone. But, we also have a normal 110v drop into the same cabinet. As for running OpenBSD on them, the first question you need to ask isn't even related to the OS. Will this thing pay for itself, and save me money in the long run? If the answer is no, don't buy the chassis. Will you maximize your space usage (fill it out, to at least 7 units)? If the answer is no, don't buy the chassis. Are you so cramped in space, and will an extra cabinet (or rack in a cage) cost you MORE than putting 14 servers into 6 or 7 U, as a one time cost? If the answer is yes, go for it. If the decision were mine to have made when my client went with one (before I came aboard) they'd have saved themselves around $20k over the last 3 years. When looking at the expense of colocation, I've found that adding a cabinet and adding power, running cable to the new cabinet, is cheaper than handling a blade system. For that $25k or so building out the chassis, I can add in a full cabinet and run it for a year or more. I'd appreciate any details... I'm having a bit of trouble finding anything conclusive about OpenBSD on blades. Hope this helps.
Re: pf issues with a web-server
Your pass rule for the web server is screwed up, so it won't match. The rule after it matches and should permit it to pass.

On Feb 3, 2008, at 10:31 PM, Bales, Tracy wrote:

    # macros
    ext_if=dc0
    int_if=dc1
    web_server=192.168.0.4

    # scrub
    scrub in

    # nat
    nat on $ext_if from !($ext_if) to any -> ($ext_if:0)

    # redirection
    rdr on $ext_if proto tcp from any to any port 80 -> $web_server

This is slightly wrong, although it may not throw an error.

    rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_server port 80

    # filter rules
    block in
    pass out keep state
    antispoof for { lo $int_if }

    ## take care of lo traffic
    pass quick on lo all

    ## block inet6 traffic
    block in quick inet6

    ## block broadcast noise
    block in quick on $ext_if from any to 255.255.255.255

    ## take care of VPN
    pass in quick proto gre all
    pass out quick proto gre all

    ## pass out all UDP connections and keep state
    pass out on $ext_if proto udp from ($ext_if) to any keep state

    ## pass out all ICMP connections and keep state
    pass out on $ext_if inet proto icmp from ($ext_if) to any keep state

    ## pass SSH traffic to firewall
    pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22 flags S/SA keep state

    ## pass web traffic to web_server
    pass in on $ext_if inet proto tcp from any to $web_server port 80 flags S/SA synproxy state

First, that would be to the external IP address of your firewall. This may work better for you:

    pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 80 synproxy state

    ## pass everything else
    pass in quick on $int_if

This should let it work as well, pf does a last match lookup. So, pass in quick is pointless here, and it also means your previous rule won't match, ever. Minor changes, overall. Let me know if these work.
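The reply turns on two pf rules: the ruleset is evaluated last-match-wins, a matching quick rule ends evaluation at once, and whether the port 80 rule can match depends on which destination address the filter stage is looking at. This added example (not the poster's or the replier's code) is a toy model of that evaluation run over the posted filter rules with macros expanded. Only direction, interface, protocol, destination address and port are modelled, and 203.0.113.10 is an assumed address standing in for ($ext_if).

```python
"""Added example, not code from the thread: a toy model of pf's verdict
selection (last matching rule wins, unless a matching rule is 'quick') run
over the filter rules from the post. 203.0.113.10 stands in for ($ext_if)."""
from dataclasses import dataclass
from typing import Optional

EXT_IF, INT_IF = "dc0", "dc1"
EXT_ADDR = "203.0.113.10"   # assumed address of ($ext_if)
WEB_SERVER = "192.168.0.4"


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out"
    iface: str
    proto: str
    dst: str
    port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                       # "pass" or "block"
    label: str
    quick: bool = False
    direction: Optional[str] = None   # None matches either direction
    iface: Optional[str] = None
    proto: Optional[str] = None
    dst: Optional[str] = None
    port: Optional[int] = None

    def matches(self, pkt):
        for field in ("direction", "iface", "proto", "dst", "port"):
            wanted = getattr(self, field)
            if wanted is not None and wanted != getattr(pkt, field):
                return False
        return True


def evaluate(rules, pkt):
    """Last matching rule wins unless a matching rule is 'quick'. With no
    match at all pf passes the packet, which is why rulesets open with
    'block in'. Returns (action, label of the deciding rule)."""
    verdict = ("pass", "implicit default")
    for rule in rules:
        if rule.matches(pkt):
            verdict = (rule.action, rule.label)
            if rule.quick:
                break
    return verdict


# The posted filter rules that bear on the question, macros expanded.
POSTED = [
    Rule("block", "block in", direction="in"),
    Rule("pass", "pass out keep state", direction="out"),
    Rule("pass", "pass quick on lo all", quick=True, iface="lo0"),
    Rule("pass", "ssh to firewall", quick=True, direction="in", iface=EXT_IF,
         proto="tcp", dst=EXT_ADDR, port=22),
    Rule("pass", "web to web_server", direction="in", iface=EXT_IF,
         proto="tcp", dst=WEB_SERVER, port=80),
    Rule("pass", "pass in quick on int_if", quick=True, direction="in", iface=INT_IF),
]

# The reply's variant: match port 80 on the firewall's own address instead.
SUGGESTED = POSTED[:4] + [
    Rule("pass", "web on ext_if address", quick=True, direction="in", iface=EXT_IF,
         proto="tcp", dst=EXT_ADDR, port=80),
] + POSTED[5:]


def port80_verdicts(rules):
    """Verdict for an inbound SYN to port 80 seen once with the firewall's
    address as destination and once with the web server's. Which of the two
    the filter stage sees (before or after rdr rewrites the destination)
    decides whether a ruleset ever lets the traffic through."""
    to_fw = Packet("in", EXT_IF, "tcp", EXT_ADDR, 80)
    to_web = Packet("in", EXT_IF, "tcp", WEB_SERVER, 80)
    return {"to_firewall": evaluate(rules, to_fw)[0],
            "to_web_server": evaluate(rules, to_web)[0]}


if __name__ == "__main__":
    print("posted:   ", port80_verdicts(POSTED))     # firewall blocked, web server passed
    print("suggested:", port80_verdicts(SUGGESTED))  # firewall passed, web server blocked
    print(evaluate(POSTED, Packet("in", EXT_IF, "tcp", EXT_ADDR, 22)))    # ssh: pass, quick
    print(evaluate(POSTED, Packet("in", EXT_IF, "tcp", EXT_ADDR, 25)))    # smtp: block in
    print(evaluate(POSTED, Packet("in", INT_IF, "udp", "10.0.0.1", 53)))  # lan: pass, quick
```

The two rulesets pass complementary cases, so the practical check is to watch pflog0 for the blocked SYNs and see which destination address pf logs for them; that tells you which of the two rules you actually need, and whether the rdr is rewriting the destination before the filter rules run.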
Re: avoid logging useless ssh brute force attempts
On Feb 3, 2008, at 9:12 PM, Ted Unangst wrote: you still don't gain anything. what percentage of your traffic is coming from unallocated space? I'm not disagreeing with you in that it's wasted effort. It is. This is why I personally use overload tables.
Re: avoid logging useless ssh brute force attempts
On Feb 2, 2008, at 6:32 AM, Wijnand Wiersma wrote: I don't think bogons are able to complete the TCP handshake since you don't know how to route back. Filtering those will not make sure there are less log messages about ssh logins Not entirely true. Bogons are not supposed to be routed, or routable. It doesn't mean someone can't just throw up a BGP advert for a Bogon range and start using it, or intentionally spoof addresses from the route.
Re: Prolific USB-Serial Controller
A) don't bother initializing a modem. Forget minicom. It's nearly useless for what you're doing. B) openbsd has a utility built in to do just these kinds of things: cu(1) C) to use cu(1) with a USB serial: cu -l /dev/cuaU0 On Feb 2, 2008, at 1:57 PM, Chris wrote: On Feb 2, 2008 10:29 PM, Marc Balmer [EMAIL PROTECTED] wrote: /dev/ttyU0 you should use /dev/cuaU0 for dial-out. Thanks. I tried both /dev/ttyU0 and /dev/cuaU0 in minicom. They both seem to go to the initializing modem phase but when I turn on the switch with /dev/cuaU0 configuration, minicom doesn't show anything on the screen and minicom with /dev/ttyU0 configuration throws out garbage characters on the screen - ..5%(.!3..=.3'=./A-#-.'!=7A/5'.5;!!. .-.9/.('5. ..5%((W/5(3!''!.-#1(9!%%=#7.(.-''(-#-.-='-53'=./(3-'5. ..5%(/=.(;55#(-#.5..57(.!.!(-#-.-='-.=..=..9..9.9.O%!75%(3- Here's my minicom rc file - pu port /dev/ttyU0 pu baudrate 9600 pu bits 8 pu parity N pu stopbits 1 The USB Serial converter is detected as Prolific Technology Inc. USB-Serial Controller rev 1.10/3.00, addr 2 in /var/log/messages. Thanks for any further help on this issue.
Re: Prolific USB-Serial Controller
On Feb 2, 2008, at 3:17 PM, Chris wrote: On Feb 3, 2008 9:27 AM, johan beisser [EMAIL PROTECTED] wrote: C) to use cu(1) with a USB serial: cu -l /dev/cuaU0 I tried cu -l /dev/cuaU0, cu -l /dev/cuaU0 -s 9600 - it says Connected after that nothing happens. Should I try changing the baud rate? This Cisco 3950 switch is usually connected at 9600 baud rate via serial console. Here's /var/log/aculog - You may hit space or enter. Sometimes it just has to wake up. Cisco, by default, uses 9600 8,N,1 if i remember correctly. /var/log/aculog - chris (Sun Feb 3 10:05:04 2008) cu9600, , /dev/cuaU0 call completed chris (Sun Feb 3 10:09:06 2008) cu9600, , /dev/cuaU0 call terminated chris (Sun Feb 3 10:09:08 2008) cu9600, , /dev/cuaU0 call completed Is there any dmesg output related to the USB serial controller?
Re: Microsoft buys Yahoo
On Feb 1, 2008, at 4:18 AM, Erich Dollansky wrote: It could be anything from more support for FreeBSD to no support from Yahoo's side at all anymore. I like to think that MS learned their lesson on pulling FreeBSD from production use when they bought Hotmail. Perhaps not. Eat your own dogfood doesn't come pleasant when your dogfood is crap.
Re: avoid logging useless ssh brute force attempts
I've simply added in an overload rule to pf on my server. This has helped significantly. On Jan 31, 2008, at 11:11 PM, Chris wrote: my logs are filled with useless ssh bruteforce attempts - is there anything i can do to avoid logging random brute force attacks? since i disallow ssh root login and use the allowuser acl - i guess i could just avoid logging all these random attacks in my logs. Any suggestions would be much appreciated. Thanks.
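The overload approach in the reply above, and in the two earlier replies on bogon filtering, is rate-based: a source that opens too many connections in a short window lands in a table that a block rule consults. This added example (not code from the thread) applies the same policy to sshd log lines instead of at the state layer, so the trigger is failed logins rather than new connections. The log lines are constructed, the addresses are documentation ranges, and the table name and thresholds are assumptions.

```python
"""Added example, not code from the thread: the 'overload' idea applied to
sshd log lines. A source with more than LIMIT failures inside WINDOW seconds
is collected for a pf table. Log lines and addresses are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ "
    r"from (?P<src>[\d.]+) port \d+ ssh2$")

# Constructed authlog excerpt: one noisy source, one user who mistyped twice.
SAMPLE_LOG = """\
Feb  3 21:12:01 fw sshd[4021]: Failed password for invalid user admin from 198.51.100.7 port 40211 ssh2
Feb  3 21:12:04 fw sshd[4023]: Failed password for invalid user admin from 198.51.100.7 port 40212 ssh2
Feb  3 21:12:06 fw sshd[4025]: Failed password for root from 198.51.100.7 port 40213 ssh2
Feb  3 21:12:09 fw sshd[4027]: Failed password for root from 198.51.100.7 port 40214 ssh2
Feb  3 21:12:11 fw sshd[4029]: Accepted publickey for chris from 203.0.113.5 port 51000 ssh2
Feb  3 21:20:00 fw sshd[4101]: Failed password for chris from 203.0.113.5 port 51002 ssh2
Feb  3 21:45:30 fw sshd[4180]: Failed password for chris from 203.0.113.5 port 51010 ssh2
"""


def parse_ts(stamp, year=2008):
    """Syslog timestamps carry no year; assume one and return seconds since
    the start of that year so differences can be compared."""
    when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return (when - datetime(year, 1, 1)).total_seconds()


def offenders(log, limit=3, window=30):
    """Sources with more than `limit` failed logins inside any `window`
    second span, a sliding window per source (same shape as pf's
    max-src-conn-rate limit/seconds). Returns a set of addresses."""
    recent = defaultdict(deque)
    hits = set()
    for line in log.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # successful logins and other daemons are not counted
        now, src = parse_ts(m["ts"]), m["src"]
        q = recent[src]
        q.append(now)
        while q and now - q[0] > window:
            q.popleft()
        if len(q) > limit:
            hits.add(src)
    return hits


def pfctl_add(table, addrs):
    """argv that loads the offenders into a pf table; expiry is left to a
    separate 'pfctl -t <table> -T expire <seconds>' run from cron."""
    return ["pfctl", "-t", table, "-T", "add", *sorted(addrs)]


if __name__ == "__main__":
    bad = offenders(SAMPLE_LOG)
    print(bad)                              # {'198.51.100.7'}
    print(" ".join(pfctl_add("bruteforce", bad)))
```

The pf-native form of the same policy, which is what the reply refers to, is a `table <bruteforce> persist` plus `block in quick from <bruteforce>` ahead of the ssh pass rule, and `(max-src-conn-rate 3/30, overload <bruteforce> flush global)` on that pass rule. The difference is what gets counted: pf counts new connections per source before sshd ever sees them, which also stops the log noise the original poster asked about, while the script above only sees the failures after sshd has logged them.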
Re: low-MHz server
On Jan 30, 2008, at 7:45 PM, scott wrote: If MHz are the issue ... you can get a Sun Netra T1 machine off ebay for $50-300 depending on its age and ingredients. These used Netras range from 400 MHz to 1.2 GHz. These are 1U units. They offer far greater performance bang than x86s at like MHz. Just to keep people informed: Netra T1 is LOUD. I mean, shockingly so. I can hear mine through the house, easily. It's also, easily, one of the loudest systems in the colo right now. They run OpenBSD well, but there were some chicken and egg installation difficulty stories around (boot/install from CD not working) but all seem prior to 4.x. Not sure ... perhaps others can advise. I've only ever seen them running. Lacking both CD and floppy in mine, I found that netbooting bsd.rd worked. It's documented in diskless(8), and vaguely covered by INSTALL.sparc64. Note that you don't need to follow every single step, since you're mainly just looking to bootstrap the loader and the kernel from the tftp server. Perhaps the Netras will serve your cause. Never know. I like them.
Re: separate processors
On Jan 27, 2008, at 9:24 PM, Lord Sporkton wrote: I am setting up a dual core server, the server will be doing 2 things, firewall/routing and user-services. Since my needs are pretty small for this server and it's a dual 2.0 64-bit I was hoping to sort of partition the CPUs such that firewalling/kernel processes get one processor and user services like webhosting, mail, fileserver, and all userland gets the other processor, that way my firewall won't be bothered by anything else I'm doing. Multiple CPU systems don't work like that, generally. Is this possible and if so where should I start with this? - Google. - the misc@ archives.
Re: separate processors
On Jan 28, 2008, at 11:46 AM, Lord Sporkton wrote: What keywords should I be searching for? I have no idea what this would be called. Parallel processing. Massively Parallel-processing Systems can usually have assigned CPU usage. I believe Solaris permits some level of CPU assignment, but most systems don't use thread/process isolation to a single assigned CPU, preferring symmetric allocation of resources (spread over all available CPU cores). There is no reason to avoid SMP style assignment. Not at your scale of usage.
Re: Petition to VIA
On Jan 28, 2008, at 11:10 AM, Gilles Chehade wrote: RELEASE DECENT LINUX DRIVERS! I won't sign and I doubt it is a good idea to say to a vendor that we want decent drivers when this will only encourage them into providing blobs instead of documentation. The average user doesn't know the difference between a driver and firmware. See the Stallman rants earlier this year.
Re: most secure graphical browser
On Jan 17, 2008, at 3:36 PM, Frank Bax wrote: Have you considered running the browser in a virtual environment? Outside of virtualization providing snapshots, it doesn't do anything to truly improve security.
Re: most secure graphical browser
On Jan 17, 2008, at 5:02 PM, ropers wrote: It can be useful for (esp. junior) sysadmins who've hooked up a monitor and keyboard to a server and are sitting in front of it to administer it, and who may not be confident enough of their choices without googling and reading through a number of pages on the web (and this list of course -- brownie points please ;). Due to bad web design decisions by others, googling for answers can be more comfortable from a graphical browser than from plain vanilla lynx(1). Funny, I usually have them bring a laptop with them. Y'know, wireless, or even a port on the switch, is not entirely out of the question here. Of course a point could be made that there is an inverse relationship between the graphical sophistication of a website (=lynx-incompatible bad design) and the quality of the site's content. However, sometimes even horribly designed sites host quality content, and being able to read that content can be useful. I still don't want a browser, let alone X11, on most of my servers. I tolerate Lynx on OpenBSD, but I'd rather not have it there at all.
Re: modifying base system, need to recompile?
On Jan 17, 2008, at 5:37 PM, Douglas A. Tutty wrote: However, there have been threads here detailing the recompilation necessary for sendmail to handle SSL Auth (or whatever its called). If you have to recompile sendmail (as opposed to changing a config), presumably you'd have to make the same changes to the source and recompile whenever the source is changed by an update/upgrade. Is this correct? SASL authentication does require a recompile, the last time I checked.
Re: Why do clients running BitTorrent make my router's latency go through the roof?
Just a fast followup. While pulling 133K down via BitTorrent I decided to run some tests through the 4.1 firewall with hping. Nothing serious, just different flags. My queues, from pftop:

    qo_tcp_ack priq 7 790K 49M 0 0 0 163 9939
    qo_dns priq 5 8585 649K 0 0 0 0 0
    qo_ssh_im priq 4 82759 6853K 0 0 0 0 0
    qo_http priq 2 37196 16M 0 0 0 0 0
    qo_def priq 419K 99M749 241139 059 31K
    qo_null priq 0 0 0 0 0 0 0 0

First test, SYN against port 22:

    # hping3 -p 22 -S hostname
    --- hostname hping statistic ---
    9 packets transmitted, 8 packets received, 12% packet loss
    round-trip min/avg/max = 66.5/356.0/1243.1 ms

Second, SYN against port 80:

    # hping3 -p 80 -S hostname
    --- hostname hping statistic ---
    110 packets transmitted, 98 packets received, 11% packet loss
    round-trip min/avg/max = 19.3/540.5/9137.1 ms

Third, ACK against port 80:

    # hping3 -p 80 -A hostname
    --- hostname hping statistic ---
    17 packets transmitted, 16 packets received, 6% packet loss
    round-trip min/avg/max = 1.5/2.2/9.2 ms

I'm less concerned about dropped packets (most likely an issue with wireless) than with the huge delta between fastest and slowest connection. I may followup with tests through 4.2 next week or so.
Re: Why do clients running BitTorrent make my router's latency go through the roof?
On Jan 16, 2008, at 3:58 PM, Unix Fan wrote: I notice a lot of people forward several ports when using bittorrent. You know, it's not written in stone that you need to use more than a single port... The standard bittorrent client usually only handles a single port at a time per instance or per torrent file. This may have changed, but I honestly don't think it has. I never run into any speed problems... Even when nearly maxing up my 20Mbit home cable line ;) You must be doing something different, or not running 4.1...
Re: Suggested PF Setup when using BitTorrent?
On Jan 15, 2008, at 1:35 AM, Stuart Henderson wrote: On 2008/01/14 19:40, johan beisser wrote: The hardware is a slightly loaded Soekris net4501 with 64mb of RAM running OpenBSD 4.1 (GENERIC). This will handle much more traffic if you upgrade to 4.2. I thought the performance improvement came from 4.1 with the removal of per packet interrupts. The closest relevant information from plus42.html: * Enable interrupt holdoff on DP83816 sis(4) chips. Significantly improves performance of such devices under load. and from my dmesg: sis0 at pci0 dev 18 function 0 NS DP83815 10/100 rev 0x00, DP83815D: irq 10, address 00:00:24:c0:31:c8 So, I'm not entirely sure what you mean.
Re: Suggested PF Setup when using BitTorrent?
On Jan 15, 2008, at 9:34 AM, Stuart Henderson wrote: I thought the performance improvement came from 4.1 with the removal of per packet interrupts. http://www.openbsd.org/42.html Huge performance improvements in the network stack, including: # In pf, store routing table ID, queue ID etc directly in the packet header mbuf instead of using mbuf tags (which use malloc'd memory). This yields a 100% improvement in pf performance. # Packet forwarding can skip IPSEC stack if no IPSEC flows are defined. This yields a further 5% improvement in packet forwarding performance. # Skip TCP/UDP/ICMP/ICMP6 checksumming when not necessary. This yields a further 10% improvement in pf performance. Hmm. I'll do a test upgrade later this week, and once again try to knock my latency up to something kind of insane. The closest relevant information from plus42.html: * Enable interrupt holdoff on DP83816 sis(4) chips. Significantly improves performance of such devices under load. that doesn't help your 83815D. I know this.
Re: Why do clients running BitTorrent make my router's latency go through the roof?
On Jan 15, 2008, at 5:23 PM, Brian wrote: How are you testing for latency, so I can duplicate on my side? When I was doing my tests, I was running a simple ICMP echo through the default queue (what bittorrent runs in). Were I to test this again, I'd probably run a full test using hping2/hping3 to construct packets to hit specific ports/queues, and adjust packet sizes/payload as well.
Re: facts about OpenBSD
On Jan 14, 2008, at 12:09 PM, Nikns Siankin wrote: If you get money from selling CDs/soft, it's just clearly unfair to not support it. Yes, I'm talking about stable ports. Actually, the OpenBSD OS is supported. Your argument is pointless. Stable ports are NOT supported because, well, it's not really part of the OS. If you want stable ports, build it all yourself, for the architectures you need. If you really think they're so important, donate hardware to OpenBSD, and create your own position in the ranks of various devs. Bitching and whining get you nothing. If you claim to produce the most secure OS, you have to prove that by providing secure wifi encryption for the masses (WPAx) and a usable disk encryption design for laptops and so on... I fail to see where those features make you more secure. WPA is a clusterfuck. Wireless by its very nature is almost un-securable, even with cruft like WPA added in. If you want more secure you should look at alternate solutions (IPSec, OpenVPN, etc). And, even then, you may want to just review your code and implementation. Full disk encryption also only provides so much benefit to code complexity increase. I like OpenBSD, but if I need full disk encryption I still use vnd(4), a passphrase that's different from my account password, and mount that locally. Manually. Every time you mount the image. If you want FileVault style access, write your own login patch to handle mounting the image, and submit it. ...or let's just call it perfect wired firewall... Does quite well for me.
Re: Suggested PF Setup when using BitTorrent?
On Jan 14, 2008, at 5:10 PM, Brian wrote: --- Max Hayden Chiz [EMAIL PROTECTED] wrote: Perhaps this problem is specific to my configuration (or specific to DOCSIS cable modems). But if it makes Brian (or someone else's problem) go away, then it is likely that this problem is not unique. It's not unique, I saw the same issue recently. I basically exceeded the number of states my CPU/RAM combo could handle easily (roughly 2400, normal average is 200 state rules) while pushing major amounts of data. If I reduced the number of connections through bittorrent, performance improved. During the download, at 350 peers, regardless of the download rate, I had 2400 some odd state rules. I suddenly saw round trip ICMP echo taking 900+ ms to the first hop. At 325, times were merely 90ms to the first hop, and normal is around 10ms. The hardware is a slightly loaded Soekris net4501 with 64mb of RAM running OpenBSD 4.1 (GENERIC). It does not have a crypto accelerator, and handles ssh and openvpn on the main CPU (both are fairly low in usage at this time). My guess, so far, is an issue with my ruleset, the hardware, and the use of synproxy for some of the TCP states (almost all of the BT clients I had were over TCP). OpenBSD itself seems to be fine, up until I get close to the limits of the hardware. Let me read through the documentation to figure out how to set this up. I am running a cable modem as well. Here are my bittorrent settings: --minport 13000 --maxport 14000 --max_initiate 15 --max_allow_in 15 --max_upload_rate 25 --max_uploads 5 Give me some time to figure out the altq and pf. I have only used pf for a week, so I'm still learning it. Ask around if you have questions. There are excellent articles and examples available.
Re: FreeBSD's problems as seen by the BSDForen.de community
On Jan 12, 2008, at 4:37 PM, Daniel O'Connor wrote: A usenet-forum bridge would be nice since news looks enough like email for oldies to use :) Pity the few I have seen are basically unmaintained :( (e.g. Papercut) Hmm, I wonder how hard it would be to write a forum scraper. Not too difficult. Quite a few forums provide RSS feeds.
Re: FreeBSD's problems as seen by the BSDForen.de community
On Jan 12, 2008, at 9:29 PM, Daniel O'Connor wrote: On Sun, 13 Jan 2008, johan beisser wrote: Pity the few I have seen are basically unmaintained :( (e.g. Papercut) Hmm, I wonder how hard it would be to write a forum scraper. Not too difficult. Quite a few forums provide RSS feeds. That doesn't let you go both ways though, although just being able to browse forums in a usenet-like way would be much nicer.. It's doable with a little bit of work.
Re: Apache box behind Openbsd
On Jan 8, 2008, at 8:05 AM, Sewan wrote: Hi, I have an apache-php website running on Windows Server 2003 port 80. I have correct rdr rules pointing at my web server; I can view the website inside my LAN, but I can't view the page from outside my network. I've checked all DNS/IP settings, everything's fine but the problem continues. I've read at some forums that apache doesn't recognize rdr rules from OpenBSD, so how can I publish my site? Thanks... You could give us more information. Perhaps a copy of your pf.conf. I'd also, if I were you, look at your pflog output, either live on pflog0 or through the logs in /var/log.
Re: Improving disk reliability
On Jan 8, 2008, at 6:29 AM, Douglas A. Tutty wrote: I know that the FAQ says to just use dump to make backups but what if you want a tape of a specific group of files for archiving? When last did the dump format change? Since it reads the filesystem directly, I'd assume that it's filesystem-specific. What if you want portability across OSs and file system types? Is there any more-or-less universal format? tar(1) with gzip(1). Re Amanda: for me, it's likely too complex since I only have two boxes and one is a desktop only. Right now it runs its own backup script to create a tarball then the main box rsyncs that over to it. See? Works fine. Amanda basically does that, without using ssh and without some kind of security (this may have changed recently). It also keeps a reference database for which file is stored on which tape, and an index on each tape of the contents. All in all, pretty smart design. The best thing out of the features AMANDA provides is this tidbit: everything is in gtar to keep things as a standard.
Re: Improving disk reliability
On Jan 8, 2008, at 7:29 AM, Douglas A. Tutty wrote: However, if you have one directory you wish to put on tape, e.g. as an archive of old OS .iso's (in case the originals get scratched), as far as I know, you can't use dump (which is only for entire filesystems). Or, is there any reason that you can spit an .iso to the tape directly (and just remember that it is the third file on the tape)? Perhaps using split(1) on the larger ISO files? Calculate the size of your tape. Figure out how many chunks you can fit on each tape, add in an index file at the beginning and end of the tar session, and tar(1) directly on to tape? Lather, rinse, repeat.
Re: Improving disk reliability
On Jan 8, 2008, at 1:15 PM, Douglas A. Tutty wrote: Well, right now, I just do full backups. Incrementals get rather tedious. Especially since they find new files but they don't notice a file that has been deleted. So I don't need a list of what files are in which tarball but rather just what date it is. A simple log: this tape, this date, this tarball. For a little while, I've had a project on my plate to create a simple backup system that'd use rsync to mirror the directory for easy access, and then have versions going back X months that can be archived to tape, etc, easily. A simple queryable DB to keep track of files in not only the archived files, but also the versions on the backup hardware, and the contents of the archival tape at the same time. Details are not well fleshed out beyond this, and I never really got started on coding it up. As long as the archive format that it tells tar to use is compatible with whatever version of tar you go to use in 20 years; but that's another topic. I don't think the tar(1) format has changed much in the last 20 years, and it seems unlikely that the IEEE will redefine it again anytime soon. For what it's worth, modern versions of tar(1) should handle previously defined versions of it. But, as you said, it's off topic.
Re: Real men don't attack straw men
On Jan 7, 2008, at 3:31 AM, Richard Stallman wrote: If I understand that correctly, it means that OpenBSD does distribute binary-only firmware, which isn't free. This would be a second reason why I should not endorse OpenBSD. The systems I endorse try to exclude such firmware. Then, sir, you're truly shit out of luck in endorsing any Linux kernel out there.
Re: Buy now get ISO images to OpenBSD 5.0???
On Jan 6, 2008, at 5:35 PM, Sevan / Venture37 wrote: Alright Theo, where have you stashed the code?? http://www.allard.nu/pfw/pics/buynow.png http://www.allard.nu/pfw/ Hmm. PHP5 based interface with the PF ruleset? Only thing it's really missing is some method to manage interfaces, dhcp, etc. And, BSD licensed. Nifty.
Re: Real men don't attack straw men
On Jan 7, 2008, at 9:14 AM, Richard Stallman wrote: The evidence of this discussion shows that's not a good description for what I am saying. Many of the people on this list were told that I want OpenBSD to erect barriers against installing non-free programs. And their words show that they think this means designing the system so that installing non-free programs is impossible. (I have not suggested such a thing.) My usage of "recommend" fits in normal usage. If you include program FOO in a list of programs that could be installed, implicitly that recommends installing FOO as an option for people to consider. Not really. OpenBSD doesn't recommend any of the ports. What it does is make things available for people to install. Anyone can submit and maintain a port for the project, if they so desire. The fact is, OpenBSD doesn't recommend any of the ports or packages, but makes the structure available for its users simply as a convenience. Oxford American Dictionary... recommend, verb [trans.] 1 put forward (someone or something) with approval as being suitable for a particular purpose or role : George had recommended some local architects | a book I recommended to a friend of mine. • advise or suggest (something) as a course of action : some doctors recommend putting a board under the mattress | [with clause] the report recommended that criminal charges be brought. • [trans.] advise (someone) to do something : you are strongly recommended to seek professional advice. • make (someone or something) appealing or desirable : the house had much to recommend it. 2 (recommend someone/something to) archaic commend or entrust someone or something to (someone) : I devoutly recommended my spirit to its maker. If you'd bothered researching yourself, you may have read this: http://openbsd.org/faq/faq15.html#Intro Perhaps "implicitly recommend" would be a clearer description of this particular case. Not really, no. Many of the ports are not available as packages. As has been repeatedly explained.
Re: upgrading FVWM to 2.4
On Jan 7, 2008, at 9:55 AM, badeguruji wrote: Hello, I figure that I will need to give some runtime arguments to the following commands for upgrading my fvwm installation, as per the README from the fvwm package... Can someone tell me what is the right value for PREFIX and EPREFIX? Since they are not part of the base install with X, I'd keep them in /usr/local/bin. Or, better, build a package/port for it and submit it.
Re: Buy now get ISO images to OpenBSD 5.0???
On Jan 7, 2008, at 4:05 PM, Eduardo Alvarenga wrote: If you read here[1], you can notice that by paying $49, you can keep on downloading PFW updated iso images ** UNTIL ** OpenBSD 5.0. That's a lot of time IMHO :-) [1] http://www.allard.nu/pfw/iso (How much is it and what do I get?) It's his own image, not the official OpenBSD ones. As has been pointed out many times before, people are free to use that. I'm playing around with the software right now.
Re: Buy now get ISO images to OpenBSD 5.0???
On Jan 7, 2008, at 4:06 PM, Eduardo Alvarenga wrote: If you read here[1], you can notice that by paying $49, you can keep on downloading PFW updated iso images ** UNTIL ** OpenBSD 5.0. That's a lot of time IMHO :-) [1] http://www.allard.nu/pfw/iso (How much is it and what do I get?) Oddly, all of the php code is BSD licensed from 2004. I'm still going through it. The usability is somewhat iffy, at least the versions on the VMWare image are. Not bad otherwise.
Re: Real men don't attack straw men
On Jan 5, 2008, at 11:22 PM, Karthik Kumar wrote: Secure by default. Ship with nothing and call it secure. Wow! Maybe it shouldn't start the network by default, huh? Then that's secure, isn't it? Start no daemons, start no shells: ZOMG!!! it's secure :P Oddly, I find this more sensible than start with everything wide open and on, because a user doesn't know what he might need. OpenBSD got pwned a year ago with another remote hole. I hope they find enough so they can stop bragging about 'Secure by default'. Do you realize that many people just can not live with 'default'? Look: people do use OpenBSD for things other than plain old fvwm with xterm. And keeping security as a goal is not just for a stupid dubious marketing campaign. Default works pretty well for me: [EMAIL PROTECTED]'s password: Last login: Sat Jan 5 15:29:22 2008 from 10.10.13.22 OpenBSD 4.1-current (GENERIC) #328: Wed Jul 11 20:22:58 MDT 2007 Welcome to OpenBSD: The proactively secure Unix-like operating system. Please use the sendbug(1) utility to report bugs in the system. Before reporting a bug, please try to reproduce it with the latest version of the code. With bug reports, please try to ensure that enough information to reproduce the problem is enclosed, and if a known fix for it exists, include that as well. $ pkg_info -ac Information for inst:lzo-1.08p1 Comment: portable speedy lossless data compression library Information for inst:openvpn-2.0.6p0 Comment: easy-to-use, robust, and highly configurable VPN Information for inst:pftop-0.6 Comment: curses-based real time state and rule display for pf $
Re: Real men don't attack straw men
On Jan 5, 2008, at 11:54 PM, Karthik Kumar wrote: openvpn 2.0.x is in the ports: not by default. PF is not enabled by default. Deliberately ignoring the point doesn't make it any less relevant.
Re: Real men don't attack straw men
On Jan 6, 2008, at 1:28 AM, Karthik Kumar wrote: Deliberately ignoring the point doesn't make it any less relevant. I am saying that the secure by default doesn't hold because lots of people use ports. Most people do. Extending your UNIX system to make it work as you want is a basic, and natural, extension of using it. I use ports for mplayer, xmms, xfce, fluxbox, firefox, evince, openvpn, dante, flex, bison, gmake, squid, thttpd and php. The issue here is flashplayer is in the ports; people are told how to use it and install it on their OpenBSD system. So people do turn an otherwise secure OpenBSD system into one that is not: It doesn't make it secure by use. I was not ignoring your point; No, the issue was non-free software is installed by default. You're now trying to backtrack on the point I was making: the default install, by turning off most services, has had fewer remote exploits than any other OS out there. I run OpenVPN. Outside of it, LZO, and pftop, there is nothing else that's not default on the system. PF is installed by default, but not turned on. Big deal on it not being turned on, it's THERE. If you don't do some level of post install configuration, you have a useless hunk of hardware. Adding in a layer of complexity by installing any non-default software is an admittedly hazardous choice. But, risk mitigation (via randomizing mmap, ProPolice being standard, keeping sockets turned off, privsep daemons, etc), is a very valuable system, and not one used often in other BSDs, let alone other UNIXen. It's hard to do right, hard to implement, and costly to maintain.
Re: Richard Stallman...
On Jan 6, 2008, at 2:46 AM, Richard Stallman wrote: Absolutely. FSF staff checked the BSD versions and told me what they found. I do not redo their work after they do it; I trust that they did it well. Their report about OpenBSD was accurate. Except, sir, at some point, someone made a mistake. And this mistake has blown up into this thread with this ongoing argument. Their report was either not as accurate as you seem to think, or you're very badly expressing the contents of the report (which has not been made available to the OpenBSD community). Yes, the port system allows easy installation of non-free and non-open-source software. It does so no less easily than Debian's Apt, Redhat's RPM, and other package repositories built for any Linux based distribution that distributes on the Internet. Packages ARE free for distribution, or they wouldn't be available on the FTP site, the CDROM, or distributed at all. If they are not, they're not included. Period. Someone on your staff is a lazy little punk and permitted their own bias to be reflected in your words. In the end, what you said is still what's on record.
Re: NAT IPV4 and bridge only IPV6
On Jan 6, 2008, at 11:09 AM, Good Good wrote: Hello, my ISP (free.fr) now offers me native IPv6 connectivity. I wish to implement this functionality on my network, which looks like this:

[ASCII diagram: PC1 and PC2 -- Switch -- Firewall (vr0 inside, vr1 outside) -- ISP Box -- ISP Network / Internet]

Here is some information:
- the ISP box is running as a bridge;
- the firewall is running OpenBSD 4.1 GENERIC#1435 i386 (upgrade to 4.2 not yet done);
- workstations are running Win XP;
- pf rules are quite simple (just filtering and NAT for IPv4);
- my ISP provided me an IPv6 address of the type 2a01:5d8:X:X::/64.

The problem: The /64 provided by my ISP is meant for only one Ethernet segment and no more. They're not willing to route a /64 to you? So, it is not possible to route a part of the /64 to another Ethernet segment (the private segment).

One solution: The firewall NATs IPv4 traffic and bridges IPv6 traffic, like this:

[ASCII diagram: same topology, with bridge0 spanning vr0 and vr1 for IPv6 only]

Some clues: I found some clues on the following web site where my need is summarized. An English translation - http://64.233.179.104/translate_c?hl=frie=UTF-8oe=UTF-8langpair=fr%7Cenu=http://www.ip6.fr/free-broute/prev=/language_tools The original French link - http://ip6.fr/free-broute/

Second problem: The author of the previously quoted web site is running Linux. Here are the commands used:
brctl addbr br0
ifconfig br0 up
brctl addif br0 eth0
brctl addif br0 eth1
ebtables -t broute -A BROUTING -p ! ipv6 -j DROP
The magic command is ebtables -t broute -A BROUTING -p ! ipv6 -j DROP.

Questions: 1) Did you understand my problems? :) Kind of. My understanding is you want to know if you can just accept the /64 traffic, and simply pass it through the firewall, while it's acting as a NAT for IPv4 traffic. My inclination is no, that's not possible. I suspect it can be done though. 2) Is it the right solution to bridge only IPv6 traffic (I hope for it)? I think you could redirect v6 traffic from the external interface to the internal one. My concern is that you bypass the firewall. You may want to simply bridge, but I'd filter IPv6 just as much as IPv4. 3) The most important question: how to do this type of bridging under OpenBSD (without ebtables)? brconfig(8) would configure the bridges, but I believe you'd be pretty much screwed on the routing and NAT once you do that. You could bridge between the external interface, an internal tun/gif, and the internal interface, then route all v6 traffic to the tun/gif. It'd require some interesting work with route(8), though. According to the man page, brconfig can only perform layer 2 filtering. Just a thought: you could set up a non-bridging route label in pf, forwarding all IPv6 traffic to a bridged virtual interface with the internal interface. It's horribly complex, even in just thinking it out.
Re: Richard Stallman...
On Jan 6, 2008, at 8:18 PM, Richard Stallman wrote: By publishing it, and telling only me--not anyone who could fix it--you made sure a day would go by when others know about the problem but our sysadmins did not. It would have been better practice to tell our sysadmins privately first, and give them a couple of days to do something before educating the public. I hope that you have not arranged in effect to cause our web site to be attacked. Most likely, attacks are automated and already have scanned and compromised the systems vulnerable. In this case, prevention is a matter of using good cgi coding practices.
Re: Richard Stallman...
On Jan 5, 2008, at 6:31 AM, Richard Stallman wrote: I doubt I would have looked at the AROS web site myself. To find out the status of the BSD systems, recently, I asked the FSF staff to check for me. Wait, you have someone else do the research, and this person's opinions get reflected in what you say? You don't have someone else fact-check, or double check these facts yourself?
Re: Richard Stallman...
[slight legibility edit] On Jan 5, 2008, at 9:39 AM, Marco Peereboom wrote: On Sat, Jan 05, 2008 at 07:30:36AM -0800, johan beisser wrote: On Jan 5, 2008, at 6:31 AM, Richard Stallman wrote: I doubt I would have looked at the AROS web site myself. To find out the status of the BSD systems, recently, I asked the FSF staff to check for me. Wait, you have someone else do the research, and this person's opinions get reflected in what you say? You don't have someone else fact-check, or double check these facts yourself? That's clearly a rhetorical question. I've gathered that. I'm hoping for a proper answer.
Re: OT YAG Re: delete deleted data
On Jan 5, 2008, at 8:06 AM, Shane J Pearson wrote: I think the first computers I witnessed in a work place were actually analog computers (Navy). Where a mix of humans, transistors, valves, gears and three-phase motors/sensors got the job done. ;-) They're still in use as of the late 90s.
Re: Richard Stallman...
On Jan 5, 2008, at 4:56 PM, Rui Miguel Silva Seabra wrote: Yes. But even if it's legally redistributable, the question remains whether it's free software or not. Fortunately OpenBSD is Free Software. Unfortunately it recommends and distributes proprietary software on its servers (and it wasn't because some user wrote some text on a wiki page). Recommends? Where does it recommend? Please, show me a single URL where OpenBSD recommends software that's not in the base system. If you said makes available I'd probably not have bothered responding to your ongoing drivel. Only if they were using it like those sissy pseudo-fans of Free Software which changed to Apple MacOS X just because it's unix (erms...) and pretty, and works and has the apps. That is: they'd use it without any soul. Actually, I like OS X just fine, non-free and all. As a workstation, it's hard to beat. Especially since fighting to make KDE or GNOME just work for me in all aspects I need has proven tiresome and annoying. Darwin, for what it's worth, is just as 'free' as Linux or gNewSense. Due to some licensing by Apple, parts of it are not as free as OpenBSD. Then again, I know I don't have a soul. I like stuff that just works without having to fight to make it work. There needs to be soul into the decision, or else it's just like choosing clothing. Does she use OpenBSD because she wants to use a Free Software operating system? If so, what have you done to help her get rid of her dependency on proprietary software? Explain soul. As in be a 'soul' into the decision. I see you whip another four letter word out, and I suspect it may have a different meaning, much like your odd definition of free. For what it's worth, I've always interpreted OpenBSD's usage of free as Free as in Liberty. You're free to take it, change it, make it your own, and do what you want. You're also free to not return your contributions to a derivative to OpenBSD. So far, nothing you've said that I've read has related to this definition of free. It's always Free as in Costs Nothing, Free as in Comes Without Warranty, and Free, except not really free. All I can speak for is for myself: if I use OpenBSD because I like its feature set, and if I deploy it as I can... that's the kind of user you want to go away? I'd say you're better off cancelling the project, if it depended on you. Actually, I think the Go Away was more of a shut up you silly little wanker. That doesn't stop you from being in the userbase, it's just a nice way to ask you to keep your trap shut until you have something really useful to say.
Re: Advice requested on security issues
On Jan 5, 2008, at 7:48 PM, Ted Unangst wrote: On 1/5/08, Douglas A. Tutty [EMAIL PROTECTED] wrote: Is there anything that, bug-wise, could go wrong with that remote browser that would be able to read or alter anything on the local machine? I'm talking about using ssh's X forwarding features, not using X's native forwarding. a lot more can go wrong than can go right. in theory, yes, you are insulated from the client acting up. in practice, the isolation is often too complete. i have never had an app actually work via an ssh -X connection. Haven't used it in ages, but I've yet to have one not work. Back in the day I used to forward my Netscape session over it to keep my browsing private from my then boss' bad habits of sniffing. It wouldn't stop someone from watching the Xsession, but it would keep them off of my browser itself. But, pretty much everything worked, outside of audio.
Re: Using PF to QoS on tun interface
On Jan 2, 2008, at 10:17 AM, Nick Golder wrote: I inherited a system that is attempting (poorly) to QoS traffic going across a tun interface (which is being used by OpenVPN). Examples, books, and ML suggest to tag on the internal interface ingress traffic and QoS on the external interface egress traffic. Treat the tun interface as a normal one. I recently had the same issue, and simply adapted TCP ACK priority to the interface, and found that worked fine. I'm currently testing a smaller MTU to help with fragmentation. Scrub, by the way, also seems to work quite well. Since the traffic that I want to QoS doesn't really have an egress interface to QoS on, I am trying to figure out a way to properly QoS the traffic. Here is a quick map of the traffic: rl0 -- tun0 -- OpenVPN -- rl1 -- Internet. I think you're missing a tunneling interface somewhere. The traffic I want to QoS on is ingress on rl0, which in turn is also ingress on tun0. By the time it hits rl1, it is OpenVPN traffic. Could you explain this again? I've been doing foolish interface setups for a while now. My own privacy VPN I have running to a co-located box looks a bit like this: [internet] -- [external interface] -- [tun0] -- [openvpn] -- [external interface]. I also have a LAN to colo box setup, using openvpn on a different port. Any recommendations on how to handle this? Treat tun0 as a normal altq interface. So far, there have not been any real issues with it co-existing with my normal altq rules for non-VPN traffic on the router. The one thing I've not had is an interface speed conflict, since I arbitrarily reduced the bandwidth to somewhat less than my external interface.

For my soekris LAN gateway:

altq on tun0 priq bandwidth 400Kb queue { vpn_tcp_ack, vpn_def, vpn_null }
queue vpn_tcp_ack priority 7
queue vpn_def priority 1 priq(default)
queue vpn_null priority 0
pass out quick on tun0 proto tcp from ($int_if:network) to any \
    queue (vpn_def, vpn_tcp_ack)
pass out quick on tun0 proto { udp icmp } from ($int_if:network) to any \
    queue vpn_def
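A constructed, fuller pf.conf fragment (an added example, not the poster's own ruleset) showing the tun0 priq scheduler above coexisting with a separate altq scheduler on the physical uplink, and giving the otherwise idle vpn_null queue a job. Interface names, bandwidths and the rsync port assignment are assumptions.

```pf
# Constructed pf.conf fragment (added example, not the poster's own
# ruleset). tun0 gets its own priq scheduler next to the one on the
# physical uplink. Interface names, bandwidths and the rsync port
# assignment are assumptions.
ext_if = "sis0"     # uplink to the ISP
int_if = "sis1"     # LAN
vpn_if = "tun0"     # OpenVPN tunnel, handled like any other altq interface

# Uplink scheduler: carries everything that leaves the box, including
# the encrypted OpenVPN UDP stream, which is just more traffic here.
altq on $ext_if priq bandwidth 1500Kb queue { ext_tcp_ack, ext_def }
queue ext_tcp_ack priority 7
queue ext_def     priority 1 priq(default)

# Tunnel scheduler: sized below the uplink so tun0 is never promised
# bandwidth the physical interface does not have. Every altq
# declaration needs exactly one default queue.
altq on $vpn_if priq bandwidth 400Kb queue { vpn_tcp_ack, vpn_def, vpn_null }
queue vpn_tcp_ack priority 7
queue vpn_def     priority 1 priq(default)
queue vpn_null    priority 0

# Most specific rule first, because these rules are "quick":
# bulk rsync mirroring over the tunnel goes to the lowest queue.
pass out quick on $vpn_if proto tcp from ($int_if:network) to any port 873 \
    queue vpn_null
# With two queues named, pf puts empty ACKs and lowdelay-ToS packets
# in the second one and everything else in the first.
pass out quick on $vpn_if proto tcp from ($int_if:network) to any \
    queue (vpn_def, vpn_tcp_ack)
pass out quick on $vpn_if proto { udp icmp } from ($int_if:network) to any \
    queue vpn_def

# Non-tunnel traffic out the uplink uses the uplink scheduler.
pass out quick on $ext_if proto tcp from ($ext_if) to any \
    queue (ext_def, ext_tcp_ack)
pass out quick on $ext_if proto { udp icmp } from ($ext_if) to any \
    queue ext_def
```

`pfctl -s queue -v` lists per-queue packet and byte counters, which is the quick way to confirm that ACKs are actually landing in vpn_tcp_ack rather than the default queue.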
Re: Improving disk reliability
On Jan 2, 2008, at 4:29 PM, Erik Wikström wrote: The preferable way to solve this would probably be to use two disks but that is not an option for me. So I was wondering if it is possible to instead split the disk in two parts, the first is used to install OpenBSD on, and the rest is split in two and set up in a mirror configuration using RAIDframe or something similar. If this is possible, will it buy me any additional protection against data loss, or is it more likely that my disk crashes all together? If the disk develops errors, no amount of replication on the same hard disk device will prevent potential data loss. You'd be better off mirroring on two completely separate devices. Perhaps copying the same data to another system or service may work.
Re: Ethernet jumbo frames?
On Dec 29, 2007, at 10:41 PM, Girish Venkatachalam wrote: What on earth is this? http://www.cyberciti.biz/faq/rhel-centos-debian-ubuntu-jumbo-frames-configuration/ Jumbo frames. Ethernet frames with more than 1500 bytes of payload / larger MTU than 1500. I was under the impression that Ethernet frames can never be more than 1500 bytes. Unless they're jumbo frames, yes. Or is it some kind of stupid linux hack? Or does it have any meaning? It's permitted in IEEE 802.3, if not encouraged. Is there real value in this? Fewer frames get corrupted, which means less processing overhead per frame. Outside of that, the remaining advantage is fewer frames going over the line. It's not recommended on the same LAN as systems not using jumbo frames.
Re: Postfix(chroot) and Postgresql
On Dec 25, 2007, at 12:57 PM, badeguruji wrote: I want to set up postfix and dovecot. I want to authenticate my users through LDAP. For that I have installed the openldap server package. Is there a place where I can find some 'pointed' help on how to build such an 'email users' database? I do not want to have unix logins for them. I am searching on Google and have not found anything yet. I am therefore looking into generic LDAP manuals. (I do not want to be an LDAP guru.) http://wiki.dovecot.org/VirtualUsers http://wiki.dovecot.org/AuthDatabase/SQL I think everything you asked about is documented right there.
Re: pf + wii
On Dec 24, 2007, at 12:34 AM, Lord Sporkton wrote: I could be wrong but here is my 2 cents: I've seen something like this related to UPnP. I would venture to guess your 2 friends have routers which support UPnP and so far as I know OpenBSD does not support UPnP. I would suggest either consulting the Guitar Hero manual or a tcpdump for the required ports for this game and try a static PAT translation to your public IP. UPnP allows the Wii to request certain ports from the NAT device be opened for it; in this case it sounds like your Wii needs certain ports open to allow the server to connect to it. Normally UPnP would take care of it dynamically, but you don't have UPnP, so you have to statically assign the PAT. UPnPd for OpenBSD: http://www.tateoka.org/~tate/doc/openbsd-upnp.html http://miniupnp.free.fr/ Personally, I've yet to need anything like this.
Re: Is there a L2TP daemon port?
On Dec 23, 2007, at 1:42 AM, scott wrote: RE: tunnelblick you should look at the ssh -w tun0:tun0 ... option; it's comparatively new and a tad under documented but works nicely, albeit on tcp. My complaint with the -w option is not a lack of it working (works great), but lack of support through every OS out there; you need to have a tun driver, also be able to configure the remote side interface, not to mention the local one. Then there are the additional protocol resend problems due to it using tcp for a transport layer. For short, non-lossy hops, this isn't a big deal. For lossy environments (wireless, long distances, satellite, asymmetrical routes, etc), the resending of tcp packets due to packet loss and fragmentation makes it a non-viable solution. At least, for anything that's going to be constant or continually used. I'd also not use that with clients who are less technically adept.
Re: Is there a L2TP daemon port?
Hi, I have been thinking to set up a VPN on my OpenBSD server using L2TP over IPsec... the IPsec stuff seems to be built-in and good... but what about L2TP? Is there a L2TP daemon or LNS in the ports tree somewhere? Or am I missing something? No. After searching around, playing with PoPToP, and trying various other solutions, I settled on OpenVPN. The advantages are pretty well spelled out. OpenVPN supports just about every OS out there. My only complaint is a lack of privsep. I like to set it up so less-technical users on a Win or Mac laptop can come and connect to my VPN. There are a multitude of guides and tutorials on how to have a simple install package for OpenVPN for less technical users. Good luck.
Re: Is there a L2TP daemon port?
On Dec 22, 2007, at 6:57 PM, Sunnz wrote: Yes I have tried an OpenVPN client on a Mac before... it feels kind of hackish to be honest... haven't tried the Windows one yet... but if that's the only thing that works then I don't have a choice I guess. I can understand that. What's worked really well, for me on 10.4 and 10.5, has been Tunnelblick. Pop your config into ~/Library/openvpn, provide a path to your keys, and it just works. Even has a handy little icon on the upper bar. On the back end, OpenBSD supports it beautifully. I have a system supporting two different VPN tunnels extremely well. Thanks for the advice! Not a problem. I recently went through a hunt for an L2TP daemon that would work with OpenBSD, and after a week of fruitless searching started hacking with IPsec for other routing/tunneling needs. Even with ipsecctl/ipsec.conf, I found things lacking. One of the biggest problems was a lack of fine-tuned control between routers and clients. OpenVPN suffered none of these difficulties. Quick examples:
- I could have the tunnel and the route through the tunnel as separate and not related.
- Another issue with NAT traversal was immediately solved.
- The PF firewall could now be applied to a specific tun interface, and not tied to the enc0 interface (when running 2 or 3 tunnels each having different access needs, this counts for a fair amount).
- Complexity of setting up clients and server was reduced.
I have to say I started in the same boat as yourself. I wanted simple L2TP tunneling to an OpenBSD server.
Re: [Full-disclosure] Standing Up Against German Laws - Project HayNeedle
On Nov 11, 2007, at 1:26 PM, Duncan Simpson wrote: The signal-to-noise logic probably does work, but I am not sure the legal angle does. If you *deliberately* ran the software that accidentally downloaded that kiddie porn the suggested angle might not work. That's been an ongoing question for me with regards to things like TOR gateways. As has been recently posted on Risky Business[1] and The Age[2], TOR doesn't prevent sniffing of the traffic leaving its gateway. If a running gateway connects to a server with information of interest - child porn, bomb making information, a known criminal forum - that brings authorities investigating to your house, it isn't a very good way to cover one's own tracks with noise. On a similar note, randomly connecting and pushing network data may create noise that obscures important data, but it may be easily filtered out from the logs during analysis. A law requiring log data to be retained for 6 months should be a major problem to enforce. Last time I think the UK mooted this it did not happen (disclaimer: this might have been a trial balloon designed to generate flak). My reaction at the ISP end was OK, will you buy us the extra hardware required? with the intention the answer would be no and the plan quietly killed. (Thinking that plain daft things will not be enacted is not always reliable, unfortunately). That's been my first question as well. Storage, at least for compliance purposes, has gotten cheaper. 6 months of log data for most ISPs will still be under the 500GB range of disk. The harder part of the stored logs is making them easily analyzed and relevant. There are, of course, several companies in the data retention compliance arena already; most have offerings for PCI, SOX and HIPAA. It's not a stretch to think there are smaller offerings to handle this German law's lighter retention requirement for logs. [1] http://www.itradio.com.au/security/?p=48 [2] http://www.theage.com.au/news/security/the-hack-of-the-year/2007/11/12/1194766589522.html
Re: Standing Up Against German Laws - Project HayNeedle
On Nov 13, 2007, at 12:39 PM, Paul Wouters wrote:

> Instead of creating noise, one should fix the problem of sending out plaintext email, and encourage people to use email encryption such as Enigma for Thunderbird. Encrypt IM conversations with OTR, and via other ways pro-actively protect one's own privacy. That is a real structural solution. Don't blame others for not using an envelope around your own communication.

Actually, that's not really part of the issue. The logs don't contain context, just who/where/when. While encryption will prevent (one hopes) the capability of recovering context, who you talked to is not kept private or otherwise secret.
Re: [Full-disclosure] Standing Up Against German Laws - Project HayNeedle
On Nov 10, 2007, at 9:28 AM, Paul Sebastian Ziegler wrote:

> The mechanism is quite easy: It searches Google for random words and picks random pages among the results, then spiders from there (well it is spidering except that it only follows one URL at a time within a session thus simulating a user).

There are a few things wrong with this approach. Most of them were outlined by Bruce Schneier when he reviewed TrackMeNot[1] last year. The same issues with TrackMeNot apply to Hayneedle, including potential false positives, a list of word combinations that can be filtered out easily, and, well, the list goes on.

[1] http://www.schneier.com/blog/archives/2006/08/trackmenot_1.html

___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: Standing Up Against German Laws - Project HayNeedle
On Nov 12, 2007, at 11:27 AM, Matt D. Harris wrote:

> However some of these issues can be mitigated without too much trouble. For example, one could have a dynamically growing dictionary of words to search for based on random words in random results pages that it grabs. At the very least, this would kill any attempts to filter it out of the data mining system.

That'd be a significantly different approach. Even grabbing data from the previously browsed cache would also work, as far as seeding the dictionary goes.

> If the point of the system is primarily to create plausible deniability for the end-user, that is, to allow them to say "hayneedle hit the site, not me, so I am innocent", then I'd say it could be effective in that regard barring some proviso in the law that allows them to persecute someone who did not actually even visit a site of their own volition. Beyond that, it's also effective in terms of turning up the noise to signal ratio and making this law that much less effective, while placing a greater burden on ISPs who are then more likely to lobby against it ever more vigorously all while remaining entirely 'white area' in terms of functionality.

If I read the law correctly, it requires retention of what IP connected to another IP and which phone number called where. It doesn't bother retaining the URL called (my German is rusty, so I may be a little off in my interpretation). Connecting to a random IP on a random open port (80 and 443, for example) would be a good start to accomplish the goal of creating chatter. The issue is that the search terms to find those ports could lead to connecting to a site that increases your profile against general background chatter, even as it is raised with random connection traffic. In that light, I'd regard use of something akin to TOR a slightly better solution for protecting privacy and filling up logs.

> I understand your post, but I don't think Mr. Ziegler was overselling his product's effectiveness beyond what it is really capable of.

I wasn't saying there was overselling the effectiveness. I do think the approach is innately flawed from a privacy standpoint.
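The recurring claim in this thread, made in the replies to Duncan Simpson and to Paul Sebastian Ziegler as well as in the exchange with Matt Harris above, is that random chaff connections "may be easily filtered out from the logs during analysis". The following is an added example written for this archive page; it is not code from any of the list posters, nor from HayNeedle or TrackMeNot. It constructs a small who/where/when connection log (source IP, destination IP, timestamp), which is roughly what the retention law is described here as keeping, mixes a daily handful of genuinely habitual destinations with a much larger number of one-off random destinations, and then applies one analyst-side test that uses only those three fields: a destination the same subscriber returns to on several distinct days is kept, everything else is discarded as chaff. The subscriber address, the habitual hosts, the counts and the seed are all constructed sample values.

```python
"""Filtering random 'chaff' connections out of a who/where/when retention log.

Added example for the HayNeedle thread; not code from the list posters, from
HayNeedle or from TrackMeNot. Every address, count and timestamp below is
constructed sample data.
"""
import random
from collections import defaultdict
from datetime import datetime, timedelta

SUBSCRIBER = "10.0.0.5"          # constructed subscriber address
# Constructed "real" habit: a handful of hosts the subscriber returns to daily.
REAL_HOSTS = [
    "203.0.113.10", "203.0.113.25", "203.0.113.40",
    "203.0.113.55", "203.0.113.70", "203.0.113.85",
]


def random_ip(rng):
    """Constructed chaff destination: a uniformly random 32-bit address."""
    n = rng.getrandbits(32)
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def make_log(seed=1, days=14, noise_per_day=40):
    """Build a constructed connection log: habitual traffic plus random chaff.

    Each record is (src, dst, timestamp, kind). 'kind' is ground truth the
    analyst would NOT have; it is carried only so the filter can be scored.
    """
    rng = random.Random(seed)
    start = datetime(2007, 11, 1)
    log = []
    for day in range(days):
        base = start + timedelta(days=day)
        for host in REAL_HOSTS:
            for _ in range(rng.randint(2, 6)):          # several visits per day
                when = base + timedelta(seconds=rng.randint(0, 86399))
                log.append((SUBSCRIBER, host, when, "real"))
        for _ in range(noise_per_day):                   # chaff: one-off hosts
            when = base + timedelta(seconds=rng.randint(0, 86399))
            log.append((SUBSCRIBER, random_ip(rng), when, "noise"))
    log.sort(key=lambda rec: rec[2])
    return log


def split_by_recurrence(log, min_days=3):
    """Analyst-side filter using only who/where/when.

    A (src, dst) pair seen on at least min_days distinct days is kept as
    habitual; a pair seen on fewer days is dropped as probable chaff.
    """
    days_seen = defaultdict(set)
    for src, dst, when, _kind in log:
        days_seen[(src, dst)].add(when.date())
    kept, dropped = [], []
    for rec in log:
        pair = (rec[0], rec[1])
        (kept if len(days_seen[pair]) >= min_days else dropped).append(rec)
    return kept, dropped


def score_filter(seed=1, days=14, noise_per_day=40, min_days=3):
    """Run the filter over a constructed log and report how cleanly it separated
    habitual traffic from chaff (scored against the hidden ground truth)."""
    log = make_log(seed, days, noise_per_day)
    kept, dropped = split_by_recurrence(log, min_days)
    return {
        "total": len(log),
        "kept": len(kept),
        "dropped": len(dropped),
        "kept_hosts": sorted({rec[1] for rec in kept}),
        "real_dropped": sum(1 for rec in dropped if rec[3] == "real"),
        "noise_kept": sum(1 for rec in kept if rec[3] == "noise"),
    }


if __name__ == "__main__":
    for key, value in score_filter().items():
        print(key, value)
```

With the constructed parameters the filter keeps exactly the six habitual destinations and discards all 560 chaff records without touching a single real one, because one-off connections to uniformly random addresses almost never recur on a third day. A real analyst would combine this with other cheap signals (time-of-day distribution, bytes transferred, reverse DNS), but the recurrence test alone is enough to show why a noise generator that never revisits a host adds volume to the logs without hiding the subscriber's actual pattern.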