Re: (Solved) Chrooted Apache with PHP4 and MySQL

2005-05-08 Thread Carlos Mantero
On Sat, 2005-05-07 at 10:50 +0300, Kiraly Zoltan wrote:
> Carlos Mantero wrote:
> 
> >Hi everybody!
> >I'm a Spanish newbie user; I have only been using OpenBSD for two days. I'm
> >trying to get my server working with the default installed Apache (which is
> >in a jail), PHP4 and MySQL, all installed from packages from the servers
> >of openbsd.org. I don't know how to get PHP & MySQL to work properly
> >inside the jail.
> >In addition, I want to set up phpMyAdmin too. I've searched the internet
> >but I didn't find anything :(. Thank you for everything.
> >
> >Greetings,
> >Carlos Mantero.
> >
> >
> >  
> >
> Read this thread : http://marc.theaimsgroup.com/?t=11075875893&r=1&w=2
> and read this tutorial : 
> http://www.bsdforums.org/forums/showthread.php?s=7e829186cf74babcd5b32d0ade7d0060&threadid=9986

Thank you for everything. I followed the instructions in the post on
bsdforums.org and everything works fine ;).

Greetings,
Carlos Mantero.



PF RULES! But mine doesn't ...

2005-05-08 Thread Fafa Hafiz Krantz
Hello.

My ruleset is all twisted.
Unless I disable the default deny policy, this is what happens:

*  My nameserver setup goes dysfunctional.
*  My web, mail and fileserver go dysfunctional.
*  I cannot SSH and FTP into certain servers.
*  I cannot ping my IP from the outside.

Can anyone tell what's wrong?
And maybe also how I can simplify my ruleset?

int_if="ep0"
ext_if="lnc0"

# *** Options
#
set block-policy drop

# *** Scrub incoming packets
#
scrub   in all

# *** NAT
#
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $int_if proto tcp from any to any \
port 21 -> 127.0.0.1 port 8021

# *** Default deny policy
#
# block drop log all

# *** Pass loopback traffic
#
pass quick on { lo0 $int_if }

# *** Outgoing
#
pass out on $ext_if inet proto { tcp, udp, icmp } \
from ($ext_if) to any keep state

# *** Bootstrap
#
pass out on $ext_if inet proto udp \
from any port 68 to any port 67 keep state

# *** DNS and NTP
#
pass out on $ext_if inet proto udp \
from ($ext_if) to any port { 53, 123 } keep state

# *** SSH, HTTP and Ident
#
pass in on $ext_if inet proto tcp \
from any to ($ext_if) port { 22, 80, 113 } flags S/SA keep state

# *** Active FTP
#
pass in on $ext_if inet proto tcp \
from port 20 to ($ext_if) user proxy flags S/SA keep state

Thank you so much.
Keep in touch!

--

Fafa Hafiz Krantz
  Research Designer @ http://www.bleed.no




WRAP 1E, sis0 with dhclient woes

2005-05-08 Thread Johan Fredin
Hello people
I've recently bought myself one of these small little WRAP boards 
(http://www.pcengines.ch/wrap.htm), soekris-look-alike. After installing 
-current on it, I noticed the following:

--
# dhclient sis0
DHCPDISCOVER on sis0 to 255.255.255.255 port 67 interval 6
ip length 328 disagrees with bytes received 332.
accepting packet with data after udp payload.
DHCPOFFER from 10.0.0.1
DHCPREQUEST on sis0 to 255.255.255.255 port 67
ip length 328 disagrees with bytes received 332.
accepting packet with data after udp payload.
DHCPACK from 10.0.0.1
bound to 10.0.0.23 -- renewal in 10800 seconds.
--
Looking through the archives I found these posts:
http://marc.theaimsgroup.com/?l=openbsd-misc&m=106059883119865
http://marc.theaimsgroup.com/?l=openbsd-tech&m=105760910331290
The patch in the last post seems to have been applied already. I remember 
that nsphyter was added recently, could that have anything to do with 
this?

Everything works, I just reacted to the "disagrees with bytes" part. IPv6 
via rtsol works as well, as I saw that Paul de Weerd in the last post had 
problems with that. Just wanted to inform you, in case this is a driver 
bug.

Full dmesg below.
/Johan
OpenBSD 3.7-current (GENERIC) #110: Mon May  2 20:07:58 MDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
RTC BIOS diagnostic error 80
cpu0: Geode(TM) Integrated Processor by National Semi ("Geode by NSC" 
586-class) 267 MHz
cpu0: FPU,TSC,MSR,CX8,CMOV,MMX
cpu0: TSC disabled
real mem  = 133804032 (130668K)
avail mem = 115552256 (112844K)
using 1658 buffers containing 6791168 bytes (6632K) of memory
RTC BIOS diagnostic error 80
mainbus0 (root)
bios0 at mainbus0: AT/286+(ac) BIOS, date 07/13/04, BIOS32 rev. 0 @ 0xfc554
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Cyrix GXm PCI" rev 0x00
sis0 at pci0 dev 14 function 0 "NS DP83815 10/100" rev 0x00: DP83816A, irq 10, 
address 00:0d:b9:01:20:04
nsphyter0 at sis0 phy 0: DP83815 10/100 PHY, rev. 1
sis1 at pci0 dev 15 function 0 "NS DP83815 10/100" rev 0x00: DP83816A, irq 9, 
address 00:0d:b9:01:20:05
nsphyter1 at sis1 phy 0: DP83815 10/100 PHY, rev. 1
sis2 at pci0 dev 16 function 0 "NS DP83815 10/100" rev 0x00: DP83816A, irq 11, 
address 00:0d:b9:01:20:06
nsphyter2 at sis2 phy 0: DP83815 10/100 PHY, rev. 1
gscpcib0 at pci0 dev 18 function 0 "NS SC1100 ISA" rev 0x00
gpio0 at gscpcib0: 64 pins
"NS SC1100 SMI/ACPI" rev 0x00 at pci0 dev 18 function 1 not configured
pciide0 at pci0 dev 18 function 2 "NS SCx200 IDE" rev 0x01: DMA, channel 0 
wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 1-sector PIO, LBA, 245MB, 501760 sectors
wd0(pciide0:0:0): using PIO mode 4, DMA mode 2
"NS SCx200 AUDIO" rev 0x00 at pci0 dev 18 function 3 not configured
geodesc0 at pci0 dev 18 function 5 "NS SC1100 X-Bus" rev 0x00: iid 6 revision 3 
wdstatus 0
isa0 at gscpcib0
isadma0 at isa0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: 
sysbeep0 at pcppi0
gscsio0 at isa0 port 0x2e/2: SC1100 SIO rev 1: ACB1 ACB2
iic0 at gscsio0
iic1 at gscsio0
lmtemp0 at iic1 addr 0x48: LM77
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom0: console
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
biomask f1e7 netmask ffe7 ttymask ffe7
pctr: no performance counters in CPU
nvram: invalid checksum
dkcsum: wd0 matched BIOS disk 80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
clock: unknown CMOS layout
WARNING: clock time much less than file system time
WARNING: using file system time
WARNING: CHECK AND RESET THE DATE!


Re: my talks at fh wedel, decix technical meeting, and RIPE50

2005-05-08 Thread Johan M:son Lindman
On Sunday 08 May 2005 00.04, you wrote:

> I flew to Stockholm monday morning way before wakeup, and somewhen in
> the early afternoon I was even alive. art@ stopped by, and in the
> evening there was a meeting with local OpenBSD users, and hin@ was in
> attendance as well. It was a very nice and funny evening.

Oh and some pictures from that occasion...
http://frink.mine.nu/beer/


Regards
Johan M:son Lindman



Resync interfaces in pf.

2005-05-08 Thread Alexey Vatchenko
Hi.
Is there any way to resync network interfaces in pf (I used to use ipf -y 
when I used IPF)?

--
%cat ~/doc/personal.txt
mailto: [EMAIL PROTECTED] JID: [EMAIL PROTECTED]
   ICQ: 162799204


Re: PF RULES! But mine doesn't ...

2005-05-08 Thread Rod.. Whitworth
On Sun, 08 May 2005 05:21:54 -0500, Fafa Hafiz Krantz wrote:

>Hello.

Goodbye Troll.

From the land "down under": Australia.
Do we look  from up over?

Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.



PF aliases -- how can these be improved?

2005-05-08 Thread Fafa Hafiz Krantz
Hey!

Here are some aliases I snagged off some dood on IRC:

How can these PF aliases be improved?
The last one doesn't really reload PF. I need to reboot for that.

   alias pfdump 'tcpdump -n -e -ttt -r /var/log/pflog'
   alias pfmon 'tcpdump -n -e -ttt -i pflog0'
   alias pfreload 'pfctl -f /etc/pf.conf'

Thanks!

--

Fafa Hafiz Krantz
  Research Designer @ http://www.bleed.no




F-Secure Computer Virus Information Pages: Googkle

2005-05-08 Thread Dave Feustel
For the OpenBSD experts on this list:

Can the malware at Gookle.com described at the link
crack OpenBSD and/or Konqueror?
(I am far from an expert, so I practice 'better safe
than sorry' when I see f-secure's explicit warnings).

http://www.f-secure.com/v-descs/googkle.shtml

Thanks,
Dave Feustel



Re: [BSD-Misc] Re: dump to /dev/rst0 vs /dev/rst0n

2005-05-08 Thread Xavier
Argh!
So stupid Solaris reflex! :/
Shame on me!

Xavier
--
This space is for rent

On Sat, 7 May 2005, Otto Moerbeek wrote:

> 
> 
> 
> On Sat, 7 May 2005, Xavier wrote:
> 
> > Hi,
> > 
> > I'm busy to test a backup procedure on a DDS tape device (Sony, SDT-9000) 
> > connected to a BT-948 SCSI card 
> > 
> > I've different behaviours depending on the device used:
> > (My / uses 1002232 blocks):
> > 
> > 'dump -0auf /dev/rst0' works but:
> > 'dump -0auf /dev/rst0n' asks for a second tape!?
> 
> Are you really dumping to /dev/rst0n? The no-rewind device is called 
> /dev/nrst0. If so, you just filled your / partition with a file called 
> /dev/rst0n.
> 
>   -Otto
> 
> > Any idea why EOF is reached with a "norewind" device?
> > 
> > Xavier
> > --
> > The computer revolution is over. The computers won.



Re: F-Secure Computer Virus Information Pages: Googkle

2005-05-08 Thread Victor Sahlstedt
* Dave Feustel ([EMAIL PROTECTED]) wrote:
> Can the malware at Gookle.com described at the link
> crack OpenBSD and/or Konqueror?
> http://www.f-secure.com/v-descs/googkle.shtml

Did you even read this?

- Victor



Re: F-Secure Computer Virus Information Pages: Googkle

2005-05-08 Thread Mike
> For the OpenBSD experts on this list:
> 
> Can the malware at Gookle.com described at the link crack 
> OpenBSD and/or Konqueror?
> (I am far from an expert, so I practice 'better safe than 
> sorry' when I see f-secure's explicit warnings).
> 
> http://www.f-secure.com/v-descs/googkle.shtml
> 
> Thanks,
> Dave Feustel

I may not be an OpenBSD expert, but I do tech support at an anti-virus
company and deal with viruses, disinfection and the like all day long. :)

My initial reaction is that an OpenBSD machine isn't at risk from this at
all. First reason is that the only way this will work is if you're using a
web browser that has the vulnerabilities that it uses to run the
executables. F-secure didn't give any details, but these problems are
typically IE issues. While it *could* be present in other browsers, I'd be
surprised.

So even if you were running a browser on an OpenBSD machine that somehow had
an exploit that allowed the code to run, the files that they're talking
about are all Windows executables aside from the JAR file - which is still
expecting to find a Windows environment for extraction.

I'm very prone to go and poke around there with Firefox - though I wish
F-secure was more explicit about the "exploits" that they're describing - as
most of the really dangerous ones do have patches available for
irresponsible Windows users.

Just my $.02

-M 



Re: F-Secure Computer Virus Information Pages: Googkle

2005-05-08 Thread Mike
Dave Feustel wrote:
> For the OpenBSD experts on this list:
> 
> Can the malware at Gookle.com described at the link
> crack OpenBSD and/or Konqueror?
> (I am far from an expert, so I practice 'better safe
> than sorry' when I see f-secure's explicit warnings).
> 
> http://www.f-secure.com/v-descs/googkle.shtml
> 
> Thanks,
> Dave Feustel
> 
> 

get some brains dude.



Re: F-Secure Computer Virus Information Pages: Googkle

2005-05-08 Thread hellsop
On Sun, May 08, 2005 at 10:00:07AM -0500, Dave Feustel wrote:
> For the OpenBSD experts on this list:
> 
> Can the malware at Gookle.com described at the link
> crack OpenBSD and/or Konqueror?
> (I am far from an expert, so I practice 'better safe
> than sorry' when I see f-secure's explicit warnings).
> 
> http://www.f-secure.com/v-descs/googkle.shtml

How many .exe files does your OpenBSD install run normally? How worried
are you that your Windows Media Player is going to get replaced?

-- 
12. One of my advisors will be an average five-year-old child. Any flaws in my 
plan that he is able to spot will be corrected before implementation.
--Peter Anspach's list of things to do as an Evil Overlord



Re: PF RULES! But mine doesn't ...

2005-05-08 Thread Peter N. M. Hansteen
"Fafa Hafiz Krantz" <[EMAIL PROTECTED]> writes:

> Can anyone tell what's wrong?

Yes. Your rule set doesn't actually let anything pass *through* your
firewall. Some of the traffic from the outside is able to communicate
with your ext_if, but as far as I can see traffic originating in 
int_if:network is blocked. 

> And maybe also how I can simplify my ruleset?

I would suggest creating lists of ports you want to pass, then
referencing the lists in your pass rules. Also, I would suggest you drop
the 'on interface' parts of the rules unless it's really necessary.

You can cover a lot of ground with rules like

pass from $int_if:network inet proto { tcp, udp } to any port $wantedports

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"



Re: 3.7CDs arrived today...

2005-05-08 Thread Kurt B. Kaiser
Ben Goren <[EMAIL PROTECTED]> writes:

> Of course, this misses the fact that this has been a problem with *all* 
> jewel cases since time immemorial. I've got a stack of a dozen music 
> CDs in jewel cases on my desk right now. Some of them are mine; some 
> mine that I've lent out; some that I'm borrowing. At least a third have 
> broken jewel cases. Maybe more.
>
> If you look in your music collection, you'll almost certainly discover 
> the same thing.

Horse puckey.  The jewel cases OpenBSD uses are junk.  If you look at
the cases in your music collection (unless you are buying pirated
stuff) you'll see there are 12 heavy duty prongs holding each CD.
They are arranged in a fan with very long slits to provide
flexibility.  I've never seen them break.  The prongs cover 80%
of the CD ID.

The cases can get cracked and broken, yes, but not the fingers.  (If
you've got 1/3 broken cases you must be brutal.  In my collection,
it's less than 2 percent.)

The OpenBSD cases have 3 measly little prongs per CD. They secure
less than 20% of the hole ID and they were not designed to be
adequately flexible.  The last OpenBSD CD I got (3.6) had 5 of 9
prongs sheared off and all three CDs were banging around and being
scratched by the prong bits.

I suspect that the prongs are being broken while the CDs are still
in the bulk packaging from the manufacturer.  If the box is slammed
down with the CDs parallel to the acceleration, you can break all
those prongs in one good slam, and T shirts won't help later.

Further, I received my CDs from the Computer Shop of Calgary through
their Montana outlet.  Packaging was a tyvex envelope with one layer
of 1/8 inch bubble wrap, with the ends not properly protected.  Though
the case wasn't cracked this time (it was last time), that's just not
enough protection for a $45 product.

The software is of the highest quality.  You are putting a lot of work
into the art and the songs, and everyone is obviously proud of the
result.  The OpenBSD distro has the best packaging of any I've seen.

So it's like opening a long anticipated present and finding it
scratched.

I pass on my old CDs to other people so they can try OpenBSD. It makes
a bad impression when all the CDs fall out when they open the jewel
case.

Hey, raise the price fifty cents and get a decent case and enough
bubble wrap.  Maybe even a small cardboard shipping box.  Then we
could avoid the semiannual aggressive-defensive discussion on this
issue.

-- 
KBK



Re: F-Secure Computer Virus Information Pages: Googkle

2005-05-08 Thread Guðni Þ. Björgvinsson
You must have unplugged your OpenBSD machine from the internet when you
heard of the blaster virus...

On Sun, 2005-05-08 at 10:00 -0500, Dave Feustel wrote:
> For the OpenBSD experts on this list:
> 
> Can the malware at Gookle.com described at the link
> crack OpenBSD and/or Konqueror?
> (I am far from an expert, so I practice 'better safe
> than sorry' when I see f-secure's explicit warnings).
> 
> http://www.f-secure.com/v-descs/googkle.shtml
> 
> Thanks,
> Dave Feustel
> 
-- 
Guðni Þ. Björgvinsson - [EMAIL PROTECTED]



Re: PF aliases -- how can these be improved?

2005-05-08 Thread Stuart Henderson
--On 08 May 2005 07:31 -0500, Fafa Hafiz Krantz wrote:
> Hey!
> Here are some aliases I snagged off some dood on IRC:
> How can these PF aliases be improved?
> The last one doesn't really reload PF. I need to reboot for that.
>    alias pfdump 'tcpdump -n -e -ttt -r /var/log/pflog'
>    alias pfmon 'tcpdump -n -e -ttt -i pflog0'
>    alias pfreload 'pfctl -f /etc/pf.conf'

Well, one improvement would be if you used them to debug the ruleset 
you posted...



Re: F-Secure Computer Virus Information Pages: Googkle

2005-05-08 Thread Patrick BURNAND
On Sunday 08 May 2005 17:00, Dave Feustel wrote:
> For the OpenBSD experts on this list:
>
> Can the malware at Gookle.com described at the link
> crack OpenBSD and/or Konqueror?
> (I am far from an expert, so I practice 'better safe
> than sorry' when I see f-secure's explicit warnings).
>
> http://www.f-secure.com/v-descs/googkle.shtml
>
> Thanks,
> Dave Feustel

First of all, I wanted to say that I'm no OpenBSD expert.  I just tried it 
using VMWare as a Linux alternative.

The advice I'll give applies to all Unix operating systems, including Linux 
and *BSD.

The short answer is simply "no".

It's technically possible to exploit a security problem of Unix systems, 
typically a buffer overflow.

But a malware like this could only affect the system with the user rights that 
the browser runs with.  In short, it could at most destroy the personal data 
of the user running the browser.  All system files and executable files are 
only modifiable as root and on Unix systems, no one would have the idea to run 
a web browser with root privileges.  On the other hand, it's quite typical 
for Windows users to run Internet Explorer (notoriously the least secure 
browser of the market) with Administrator privileges.

And this is not the only limitation to malware spreading.  Malware spreads 
very easily on Windows systems not only because of a way less secure system, 
but because of the monoculture that is typical.  Almost everyone on Windows 
uses the same security-deficient tools, like IE, Outlook Express, Office, and 
so on...  On Unix, cultural diversity is typical.  There are plenty of 
programs to do the same task and Unix users typically don't use the same 
tools nor the same versions of them.  And lots of people have different 
configurations, services enabled, daemons, kernels and so on...  That makes 
malware spreading on Unix systems very unlikely.

Additionally, Windows only runs on one architecture: PCs with Intel 8086 
architecture or binary compatible processors.  (There has been a port of NT 
3.5 on Alpha, but that was cancelled, which effectively killed a very 
promising processor series)  On the other hand, Unix runs on widely different 
architectures with very different processors, memory organization and the 
like.  A buffer overflow exploit developed for the PowerPC processor series 
cannot work on the 8086, Alpha, MIPS, Sparc processor series.

And last there is the way the operating system gets fixed and improved.  Unix 
kernels, daemons, tools are constantly refined and improved.  When a security 
problem is found, it's almost immediately corrected, leaving no time for 
virus writers to exploit the problem.  In the Windows world, there are 
thousands of security problems that will never be fixed (else that would 
dramatically break existing executables) and Microsoft typically denies 
security problems and only dares to fix an issue when it already affected 
tens of thousands of people with existing malware.


-- 
Patrick BURNAND <[EMAIL PROTECTED]>



Re: PF aliases -- how can these be improved?

2005-05-08 Thread j knight
Fafa Hafiz Krantz wrote:
> Hey!

Hi,
Can you please read the documentation before posting questions to this 
list? All your questions to date have been easily answered by referring 
to one of these documentation sources:

- pf.conf(5): http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf (or 
"man pf.conf")
- http://www.openbsd.org/faq/pf/

It's also a good idea to search the list archives for answers to 
commonly-asked questions:

- http://marc.theaimsgroup.com/?l=openbsd-pf
or
- http://groups-beta.google.com/group/bit.listserv.openbsd-pf

.joel


ISAKMPD + VNC

2005-05-08 Thread Andre Siqueira de Cordova
I have 2 Gateways and 2 Terminals:  On the 2 Gateways, I have ISAKMPD and PF.
Between the terminals I am able to use ping, ftp, ssh and file sharing, but
when I make a connection with VNC or Remote Administrator, the image does
not appear: the connection is established but there is no image!

Has anybody run into this already?


|---------------|
| Gateway A     |
| 200.247.X.X   | -- Terminal 192.168.25.11
| 192.168.25.10 |
|---------------|
        |
        |
        |
        |
        |
|---------------|
| Gateway B     |
| 201.2.X.X     | -- Terminal 192.168.3.11
| 192.168.3.10  |
|---------------|



Re: 3.7CDs arrived today...

2005-05-08 Thread Gerardo Santana Gómez Garrido
On 5/8/05, Kurt B. Kaiser <[EMAIL PROTECTED]> wrote:
> The OpenBSD cases have 3 measly little prongs per CD. They secure
> less than 20% of the hole ID

errata.html should be updated

P.S. These long conversations about CD shippings are deserving their
own mailing list :-X
-- 
Gerardo Santana



Re: F-Secure Computer Virus Information Pages: Googkle

2005-05-08 Thread Dave Feustel
On Sunday 08 May 2005 10:27 am, [EMAIL PROTECTED] wrote:
> On Sun, May 08, 2005 at 10:00:07AM -0500, Dave Feustel wrote:
> > For the OpenBSD experts on this list:
> > 
> > Can the malware at Gookle.com described at the link
> > crack OpenBSD and/or Konqueror?
> > (I am far from an expert, so I practice 'better safe
> > than sorry' when I see f-secure's explicit warnings).
> > 
> > http://www.f-secure.com/v-descs/googkle.shtml
> 
> How many .exe files does your OpenBSD install run normally? How worried
> are you that your Windows Media Player is going to get replaced?

I don't worry at all about windows-directed malware.
I believe that OpenBSD per se is for all intents and purposes invulnerable.
I run KDE on top of OpenBSD and I have continuing concern for kde-directed 
malware. 



Re: F-Secure Computer Virus Information Pages: Googkle

2005-05-08 Thread Patrick BURNAND
On Sunday 08 May 2005 17:15, Mike wrote:
> I'm very prone to go and poke around there with Firefox - though I wish
> F-secure was more explicit about the "exploits" that they're describing -
> ...


That's quite typical for these security organizations, not to speak any bad 
about Windows.

It's a matter of fact in the security circles, that almost all problems are 
due to Windows.  But the security companies who make their living on the bugs 
of Windows (Symantec, Norton and others) simply don't want to lose their 
streams of revenue.  They don't want the people to switch to other systems.

When a problem affects Linux exclusively (there has been some especially with 
PHP and Apache), they almost trumpet it, clearly stating that it was Linux.  
When a problem affects a mix of platforms (some Apache versions had problems 
on Linux and Windows) they mention it too.  But when a problem only affects 
Windows, they seem to suddenly forget to mention which systems are affected, 
especially in the non-technical media.  Thus Microsoft can blatantly lie 
about the security of their systems and claim that security problems are as 
much numerous on other platforms.

If you go to CNN.com, you'll see alerts like: "A virus spreads on the internet 
and infects thousands of PCs per hour !"  But are these really any PC ??  No 
obviously not !  These only affect IBM compatible PCs (not Macintoshes nor 
Amiga, nor Amstrad nor whatever) running only on Intel x86 and compatible 
processor series, running a version of Windows or MS-DOS.  These problems 
these days typically involve IE, Word documents and Outlook, which only run 
on Windows.
You can read the whole article, you'll typically find no mention of Windows.

The question is why is it so ?  It's because Microsoft buys ad space in the 
major media, including CNN.  With this scheme, the IT deciders who typically 
don't read technical articles come to believe that viruses and malware spread 
regardless of the OS and so the intended effect is reached: they don't think 
about switching to an alternative platform to enhance security.  That's why 
Microsoft continuously run advertising campaigns for Windows although there 
is no hope to expand the market share of Windows, because the market is 
almost saturated.


-- 
Patrick BURNAND <[EMAIL PROTECTED]>



Re: WRAP 1E, sis0 with dhclient woes

2005-05-08 Thread Dimitri
Johan Fredin wrote:

> Hello people
>
> I've recently bought myself one of these small little WRAP boards 
> (http://www.pcengines.ch/wrap.htm), soekris-look-alike. After 
> installing -current on it, I noticed the following:

I've noticed this with OpenBSD 3.5 as well and probably it was there in 
earlier versions...I'd ignore it.

>
> --
> # dhclient sis0
> DHCPDISCOVER on sis0 to 255.255.255.255 port 67 interval 6
> ip length 328 disagrees with bytes received 332.
> accepting packet with data after udp payload.
> DHCPOFFER from 10.0.0.1
>
> DHCPREQUEST on sis0 to 255.255.255.255 port 67
> ip length 328 disagrees with bytes received 332.
> accepting packet with data after udp payload.
> DHCPACK from 10.0.0.1
> bound to 10.0.0.23 -- renewal in 10800 seconds.
> --
>
> Looking through the archives I found these posts:
>
> http://marc.theaimsgroup.com/?l=openbsd-misc&m=106059883119865
> http://marc.theaimsgroup.com/?l=openbsd-tech&m=105760910331290
>
> The patch in the last post seems to have been applied already. I 
> remember that nsphyter was added recently, could that have anything to 
> do with this?
>
> Everything works, I just reacted to the "disagrees with bytes" part. 
> IPv6 via rtsol works as well, as I saw that Paul de Weerd in the last 
> post had problems with that. Just wanted to inform you, in case this 
> is a driver bug.
>
> Full dmesg below.
>
> /Johan




apachectl -> "Too many open files"

2005-05-08 Thread GV
Hi there,

when using the "apachectl" command I get the following:

/usr/sbin/apachectl: /etc/rc.conf.local[90]: .: /etc/rc.conf.local: Too many 
open files

why is that?

Thanks



Re: apachectl -> "Too many open files"

2005-05-08 Thread Dimitry Andric
On 2005-05-08 at 20:40:53 GV wrote:

> /usr/sbin/apachectl: /etc/rc.conf.local[90]: .: /etc/rc.conf.local: Too many
> open files

Maybe you copied /etc/rc.conf to /etc/rc.conf.local, edited some
stuff, but forgot to remove these last few lines:

  local_rcconf="/etc/rc.conf.local"

  [ -f ${local_rcconf} ] && . ${local_rcconf} # Do not edit this line

In this case, just remove them. :)
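
The self-inclusion described in the reply above can be checked for mechanically. This is an added example, not part of the original message: the function names and both sample files are constructed, and it assumes only literal paths and simple VAR=path assignments in the same file need resolving.

```shell
#!/bin/sh
# Added example (not from the thread): find a shell config file that sources
# itself, e.g. an rc.conf.local made by copying rc.conf with its trailing
# ". ${local_rcconf}" line left in place.

# sources_itself FILE [INSTALLED_PATH]
#   Exit status 0 and one "file:line: text" report per hit if FILE runs "."
#   or "source" on INSTALLED_PATH (default: FILE itself); status 1 otherwise.
#   Assumption: only literal paths and simple VAR=path assignments made
#   earlier in the same file are resolved; "#" always starts a comment.
sources_itself() {
    awk -v self="${2:-$1}" -v sq="'" '
        { line = $0; sub(/#.*/, "", line) }

        # Remember simple assignments such as local_rcconf="/etc/rc.conf.local".
        match(line, /^[ \t]*[A-Za-z_][A-Za-z0-9_]*=/) {
            name = substr(line, RSTART, RLENGTH - 1)
            gsub(/[ \t]/, "", name)
            val = substr(line, RSTART + RLENGTH)
            sub(/[ \t]+$/, "", val)
            gsub("^[\"" sq "]|[\"" sq "]$", "", val)
            vars[name] = val
            next
        }

        # Look for ". target" or "source target" anywhere on the line.
        {
            n = split(line, w, /[ \t;&|]+/)
            for (i = 1; i < n; i++) {
                if (w[i] != "." && w[i] != "source") continue
                t = w[i + 1]
                gsub("[\"" sq "]", "", t)
                if (t ~ /^\$\{[A-Za-z_][A-Za-z0-9_]*\}$/) {
                    t = vars[substr(t, 3, length(t) - 3)]
                } else if (t ~ /^\$[A-Za-z_][A-Za-z0-9_]*$/) {
                    t = vars[substr(t, 2)]
                }
                if (t == self) {
                    printf "%s:%d: %s\n", FILENAME, NR, $0
                    found = 1
                }
            }
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# make_samples DIR: write two constructed sample files (not real system files).
make_samples() {
    cat > "$1/broken" <<'EOF'
# constructed: rc.conf copied to rc.conf.local, trailing lines left in
httpd_flags=""
pf=YES
local_rcconf="/etc/rc.conf.local"
[ -f ${local_rcconf} ] && . ${local_rcconf} # Do not edit this line
EOF
    cat > "$1/fixed" <<'EOF'
# constructed: only the local overrides remain
httpd_flags=""
pf=YES
EOF
}

# Demo on the constructed files, checked as if installed at /etc/rc.conf.local.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in broken fixed; do
    if sources_itself "$demo_dir/$f" /etc/rc.conf.local; then
        echo "$f: sources /etc/rc.conf.local from itself"
    else
        echo "$f: no self-inclusion found"
    fi
done
rm -rf "$demo_dir"
```

On a real system the call would be `sources_itself /etc/rc.conf.local`, which compares against the file's own path.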




Re: apachectl -> "Too many open files"

2005-05-08 Thread Eric LeBlanc
On Sun, 8 May 2005, GV wrote:

> Hi there,
>
> when using the "apachectl" command I get the following:
>
> /usr/sbin/apachectl: /etc/rc.conf.local[90]: .: /etc/rc.conf.local: Too many
> open files
>
> why is that?
>
> Thanks
>

You may have two limits:

one from your shell: type ulimit -a (sh/bash/ksh) and check it.  The other
is the limit from the kernel, check by typing "sysctl kern.maxfiles".  You
may also know how many files are currently opened by using this command:
"sysctl kern.nfiles".

In general, the first thing to do is to increase your limit from the
shell.  Check in man login.conf(5) for more details.

E.
--
Eric LeBlanc
[EMAIL PROTECTED]
--
UNIX is user friendly.
It's just selective about who its friends are.
==



Re: F-Secure Computer Virus Information Pages: Googkle

2005-05-08 Thread Stan
Mike wrote:
[]

> get some brains dude.

Watch out for those spongiform-inducing prions though, or you may turn 
into a Windows user, or worse yet, a Macintosh True Believer (tm).



Boot from USB stick - Summary

2005-05-08 Thread Joerg Lenneis
Dear All,

I received a lot of helpful replies, some of them offline, so I
thought it might be useful to summarize here for the sake of others
looking for this information:

- There used to be a bug that prevented booting from a USB stick. This
  is now fixed and booting should be possible, depending on whether the
  BIOS supports it or not.

- [EMAIL PROTECTED] sent me (and posted to the list, so I will not
  repeat it here) startup messages from 3.7-current that show the
  startup sequence booting from a USB stick and correctly mounting the
  root filesystem.

- I also received pointers to two companies/projects that sell ready
  made boxes of the type that I have in mind and who have a good track
  record for OpenBSD support: http://www.openbrick.org/ and
  http://www.soekris.com/.

Many thanks to all who replied. As soon as I have received the boxes
(and after I get the OpenBSD 3.7 CDs) I can post how things went, if
there is interest here.


-- 

Joerg Lenneis

email: [EMAIL PROTECTED]



pf.conf troubles

2005-05-08 Thread GV
Hi there,

I just created the following:

-
ext_if="vr0"
int_if="rl0"

tcp_services = "{ 80, 20, 21, 22, 25, 110, 113 }"
icmp_types = "echoreq"

priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

set block-policy return
set loginterface $ext_if

scrub in all

nat on $ext_if from $int_if:network to any -> $ext_if

block all
block in log all
pass quick on lo0 all

block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
---
Now, the above should normally block all the traffic to my server - but it 
doesn't! Am I missing something here?

Also, I followed the section "Packet Logging Through Syslog" in 
"http://www.openbsd.org/faq/pf/logging.html" and created the so-called 
"pflog.txt" file but this remains empty! Is that correct?

Thanks



Re: apachectl -> "Too many open files"

2005-05-08 Thread Dennis Nasarov
Hello GV,

Btw, there is the feature in apache - compile it w/
MAXOPENFILES=value.

It helped me when I set up virtual hosting for 2K users :)
login.conf/ulimit doesn't help :( just after recompiling apache w/
MAXOPENFILES - all works good :]

Hope it helps.

Monday, May 9, 2005, 12:40:53 AM, you wrote:

> Hi there,

> when using the "apachectl" command I get the following:

> /usr/sbin/apachectl: /etc/rc.conf.local[90]: .: /etc/rc.conf.local: Too many
> open files

> why is that?

> Thanks


-- 
Dennis Nasarov
http://pheonix.sysattack.com/



pptpd and GRE support

2005-05-08 Thread Richard P. Koett
In the past when using pptpd I used a kernel with GRE disabled
because I read that was the thing to do.

When installing pptp-1.6.0 on a new i386 system the other day
(May 1st snapshot) I saw a note saying to enable GRE so I added
this to sysctl.conf:

net.inet.gre.allow=1

Everything was working fine for a few days. Then starting today
I can no longer establish a connection and GRE-related errors
are logged:

pptpd[9651]: CTRL: Client X.X.X.X control connection started
pptpd[9651]: CTRL: Starting call (launching pppd, opening GRE)
ppp[31649]: Phase: Using interface: tun0
ppp[31649]: Phase: deflink: Created in closed state
ppp[31649]: Phase: PPP Started (direct mode).
ppp[31649]: Phase: bundle: Establish
ppp[31649]: Phase: deflink: closed -> opening
ppp[31649]: Phase: deflink: Connected!
ppp[31649]: Phase: deflink: opening -> carrier
ppp[31649]: Phase: deflink: carrier -> lcp
ppp[31649]: Phase: deflink: Disconnected!
pptpd[9651]: GRE: read(fd=6,buffer=3c004ac0,len=8196) from PTY failed: status = 0 error = No error
ppp[31649]: Phase: deflink: Connect time: 17 secs: 0 octets in, 295 octets out
ppp[31649]: Phase: deflink: 0 packets in, 5 packets out
ppp[31649]: Phase:  total 17 bytes/sec, peak 23 bytes/sec on Sun May  8 13:32:39 2005
ppp[31649]: Phase: deflink: lcp -> closed
ppp[31649]: Phase: bundle: Dead
ppp[31649]: Phase: PPP Terminated (normal).
pptpd[9651]: CTRL: PTY read or GRE write failed (pty,gre)=(6,5)
pptpd[9651]: CTRL: Client X.X.X.X control connection finished

Now I'm not sure if I'm doing the right thing. Should I be using
a kernel with GRE disabled? Or is this not even the issue here?

Thanks for any advice.



Re: Rant: how stupid does java look

2005-05-08 Thread Joseph Kiniry
Hello Hannah, Adam, Joel, et al,
On 7 May 2005, at 17:23, Hannah Schroeter wrote:
Hello!
On Fri, May 06, 2005 at 11:03:04PM -0700, Ben Goren wrote:
On 2005 May 6, at 5:55 PM, Henry Lenzi wrote:
P.S. It'll be a cold day in Hell before anything in OpenBSD gets
compiled with Mono. I suppose there's a very off chance that Java  
code
could make it in if it compiles cleanly with gcj...
gcj... That thing where whenever I tried (ok, the last try is
quite some time ago), not even a hello world kind of program worked?
gcj is now capable of compiling Eclipse, if that is a reasonable  
metric for you.

but I'd be really,
really surprised. You'd have to convince Theo that Java is a  
necessary
language for whatever it is that you're doing, and I just simply  
don't
see that happening anytime soon. b&
Ok, frankly, there *are* some tasks where manual memory management
is tedious and GC could be faster than reference counted pointers
in C++.
Who cares about *faster* when it isn't *safe*?  We are discussing  
this on [EMAIL PROTECTED], after all.

But I don't see anything worth including into base that would
require a programming language not already supported in base.
I see this word "base" mentioned on occasion.  Is the official  
definition of base "not (ports || packages)"?  In other words, are  
the only languages supported in the base those provided by gcc 2.x  
and 3.x and Perl?  Can I write core OpenBSD code in Objective-C?  Why  
not Java, now that gcj support is so good?

P.P.S. Ports is, of course, another story. No reason why Java and  
Mono
shouldn't have their place there--particular licenses, code quality,
etc., permitting. b&
*nods* And then a mostly GPL'ed Mono is even easier than (even more)
encumbered Sun JDK.
Sun has fewer patents on Java than Microsoft does on C#/CLR/.Net, so  
I would watch those comparisons.  gcj + classpath + etc. are all GPL.

On 7 May 2005, at 20:02, Adam wrote:
On Fri, 6 May 2005 23:03:04 -0700
Ben Goren <[EMAIL PROTECTED]> wrote:
And, truthfully, I just don't see the point behind it, either. It's
not like C# or Java is *that* much better than C or C++ or Perl or
Lisp or any of a dozen other languages that *aren't* encumbered. I
mean, sure, you could probably pick something to which Java is well
suited, and I certainly don't want to start a language flame war.
Actually, C# really is much better than other languages for what it
does.  Is there some other safe, garbage collected, high level
language with performance anywhere close to C#?
You mean, besides Java, Modula-III, OCaml, Haskell, Eiffel, Ada,  
Oberon, Lisp, and Python?  (Before you respond, do a little research  
on language features and performance.)

And what exactly is encumbering C#?  It's an ECMA standard, and you  
are free to write a BSD
licensed implementation if you don't like the existing options.   
That's
like saying C++ is encumbered because gcc is GPL and MS video  
studio is
proprietary.
No, it is like saying C++ is encumbered because Bell Labs has two  
dozen software patents on it, which they do not.

Of course, I don't think mono or java should be part of openbsd, I am
just pointing out that C# is an open standard.
Wrt "open standard", to quote a famous thinker: I do not think that  
means what you think it means.

On 8 May 2005, at 00:46, Joel Rees wrote:
counter-trolling,
Good for you!
On 2005.5.8, at 04:02 AM, Adam wrote:
On Fri, 6 May 2005 23:03:04 -0700
Ben Goren <[EMAIL PROTECTED]> wrote:
And, truthfully, I just don't see the point behind it, either. It's
not like C# or Java is *that* much better than C or C++ or Perl or
Lisp or any of a dozen other languages that *aren't* encumbered. I
mean, sure, you could probably pick something to which Java is well
suited, and I certainly don't want to start a language flame war.
Actually, C# really is much better than other languages for what it
does.  Is there some other safe, garbage collected, high level
language with performance anywhere close to C#?
I've heard the honeymoon is over and people are discovering C# is  
much like the marriage of Java, Borland Delphi, and MFC/MSVB/MSV(C)xxx
that one would expect.

I suppose I should try it sometime. I'm not very motivated, however.
My rule is to not criticize, admonish, or praise until I actually  
know what I am talking about.   But after I do, then the guns blaze.

C#'s semantics are 98% the same as Java.  Take that as you will.
Joe
---
Joseph Kiniry
Department of Computer Science
University College Dublin
http://secure.ucd.ie/



Re: PF aliases -- how can these be improved?

2005-05-08 Thread Juan Vera
Fafa Hafiz Krantz wrote:
> Hey!
>
> Here are some aliases I snagged off some dood on IRC:
> How can these PF aliases be improved?
> The last one doesn't really reload PF. I need to reboot for that.
>
>    alias pfdump 'tcpdump -n -e -ttt -r /var/log/pflog'
>    alias pfmon 'tcpdump -n -e -ttt -i pflog0'
>    alias pfreload 'pfctl -f /etc/pf.conf'
>
> Thanks!
>
> --
> Fafa Hafiz Krantz
>   Research Designer @ http://www.bleed.no

add -l to tcpdump, check the man page; sometimes -X is good too but it
tends to disturb for general use

I like the `pfmon' alias (mine is called fw_log) you can use it like
tcpdump:

pfmon port 53 and ! arp

I use this little script too (especially as 'pf test' and 'pf reload'):

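#!/bin/ksh
#
# pf helper: check or reload the ruleset and manage the block table.

test -z "$1" && \
    echo \
    "syntax: $0 [test|reload|vi|block|bshow|bflush|show|flush]" && \
    exit 1

# table that the block rule in /etc/pf.conf refers to
table=badhosts

case "$1" in
test)   # parse the ruleset without loading it
        pfctl -nf /etc/pf.conf
        ;;
reload) pfctl -f /etc/pf.conf
        ;;
vi)     vi /etc/pf.conf
        ;;
block)  # add the host to the table, then kill its existing states
        test -z "$2" && exit 1
        remote=$2
        pfctl -t "$table" -T add "$remote"
        # turn each matching state line into a "pfctl -k src -k dst"
        # command, with the port numbers stripped
        pfctl -ss | grep -F -- "$remote" | \
            awk '{ print "pfctl -k " $2 " -k " $4 }' | \
            sed -e 's/:[0-9]*//g' | while read cmd
        do
            logger -i -t "$(basename "$0")" -- "killing session: $cmd"
            eval "$cmd"
        done
        ;;
bshow)  pfctl -t "$table" -T show
        ;;
bflush) pfctl -t "$table" -T flush
        ;;
show)   pfctl -sr
        ;;
flush)  pfctl -F a
        ;;
*)
        echo "wtf: '$1'?"
esac

exit $?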

it uses this table at the very beginning of /etc/pf.conf:

##
# blackhole
table <badhosts> persist
block quick log from <badhosts> to any


Re: Rant: how stupid does java look

2005-05-08 Thread Adam
On Sun, 8 May 2005 22:25:54 +0100
Joseph Kiniry <[EMAIL PROTECTED]> wrote:

> > Actually, C# really is much better than other languages for what it
> > does.  Is there some other safe, garbage collected, high level
> > language with performance anywhere close to C#?
> 
> You mean, besides Java, Modula-III, OCaml, Haskell, Eiffel, Ada,  
> Oberon, Lisp, and Python?  (Before you respond, do a little research  
> on language features and performance.)

While I guess I should have been a little more specific to only include
languages that have enough libraries to be useful, and obviously
purely functional languages aren't comparable, you ignoring the
requirements I listed doesn't help things either. I mean seriously, on
what planet exactly does python or java have performance close to C#?

> > And what exactly is encumbering C#?  It's an ECMA standard, and you  
> > are free to write a BSD
> > licensed implementation if you don't like the existing options.   
> > That's
> > like saying C++ is encumbered because gcc is GPL and MS video  
> > studio is
> > proprietary.
> 
> No, it is like saying C++ is encumbered because Bell Labs has two  
> dozen software patents on it, which they do not.

Guess what, EVERYTHING is patented.  Start digging through US patents
and you'll find out that your options are to not use computers in any
fashion, or infringe on bogus patents.

Adam




Re: Rant: how stupid does java look

2005-05-08 Thread Joseph Kiniry
Hi Adam et al,
On 9 May 2005, at 02:57, Adam wrote:
On Sun, 8 May 2005 22:25:54 +0100
Joseph Kiniry <[EMAIL PROTECTED]> wrote:
Actually, C# really is much better than other languages for what it
does.  Is there some other safe, garbage collected, high level
language with performance anywhere close to C#?
You mean, besides Java, Modula-III, OCaml, Haskell, Eiffel, Ada,
Oberon, Lisp, and Python?  (Before you respond, do a little research
on language features and performance.)
While I guess I should have been a little more specific to only  
include
languages that have enough libraries to be useful, and obviously
purely functional languages aren't comparable, you ignoring the
requirements I listed doesn't help things either. I mean seriously, on
what planet exactly does python or java have performance close to C#?
Whoops, there you go not following my advice.
All of the aforementioned languages are safe, garbage collected,
high-level languages with "performance anywhere close to" (but usually  
superior to) C#.  Also I think you will find all have libraries of  
sufficient breadth and quality to write any application you are  
likely to write for OpenBSD.  BTW, why are functional languages "not  
comparable"?

And what exactly is encumbering C#?  It's an ECMA standard, and you
are free to write a BSD
licensed implementation if you don't like the existing options.
That's
like saying C++ is encumbered because gcc is GPL and MS video
studio is
proprietary.
No, it is like saying C++ is encumbered because Bell Labs has two
dozen software patents on it, which they do not.
Guess what, EVERYTHING is patented.  Start digging through US patents
and you'll find out that your options are to not use computers in any
fashion, or infringe on bogus patents.
I encourage you to search the US patent database for patents issued  
to Bell Labs for C++-related technologies.  See
http://www.uspto.gov/patft/.  Here is an advanced search query to get
you started: "APD/1/1/1980->12/25/1985 and Stroustrup".  It is just an
example, of course.

Joe
---
Joseph Kiniry
Department of Computer Science
University College Dublin
http://secure.ucd.ie/