Re: NFS Protocol not supported when mounting from a Linux machine.

2005-06-22 Thread Jochem Kossen
On Wed, Jun 22, 2005 at 10:50:09PM -0500, Rene Rivera wrote:
> jared r r spiegel wrote:
> >  this probably doesn't matter, but what if you just change the
> >  options to be a simple (rw) or (ro)?  perhaps those options
> >  only apply on the server side and are therefore not communicated
> >  over to the 192.168.0.3 client, but .. ?
> 
> Tried it, doesn't help :-(
> 
> >  any chance of making the linux allow nfs v3 and trying that, 
> >  if only to see if you get the same error?
> 
> I don't know how. There's nothing in the man pages that mentions the nfs 
> version, so my guess would be v2 is all it can do.
> 
> Of course the most frustrating aspect of all this is that neither side 
> is very informative as to what is going on.

have you tried mounting it without the -2 argument?



Re: trouble compiling kernel with aac

2005-06-22 Thread Brad Brad
Well that's the official stance, but i'd hope the developers realise that 
many people have already purchased adaptec and will maintain the driver for 
breakages even if it's not officially compiled in.


Brad.


From: Jason Crawford <[EMAIL PROTECTED]>
Reply-To: Jason Crawford <[EMAIL PROTECTED]>
To: O b s d <[EMAIL PROTECTED]>
CC: misc@openbsd.org
Subject: Re: trouble compiling kernel with aac
Date: Wed, 22 Jun 2005 10:21:33 -0400

The OP was trying to compile it on amd64, which it won't work on.
You're using it on i386, which it *sort of* works on. But it was
removed from the GENERIC kernel for i386 right before 3.7 was tagged,
and if there has been any work done to the kernel which might have
broken aac, no one would know (or care) since it's no longer
supported, and since Adaptec has made it quite clear they don't like
us.

On 6/22/05, O b s d <[EMAIL PROTECTED]> wrote:
> >Don't use Adaptec RAID (aac).  It does not work.
>
> Works fine for me in 3.5 using dell perc 3/Di (aac).  Has the driver
> regressed any in 3.7?
>
>
>
> Brad.




Re: Network Adapter couldnt UP

2005-06-22 Thread Neta
On 6/23/05, Nick Holland <[EMAIL PROTECTED]> wrote:
> 
> kinda hard to tell, since you didn't include the dmesg.  Or the ifconfig
> output.  Or the ping command you were using.
> 
> However, you are misinterpreting messages.  "host is down" means
> whatever you were trying to ping couldn't be reached, and nothing was
> returned indicating bad routing.
> 
> Usually, that means a simple network configuration issue.  Fix it, it
> will probably take off and run.
> 
> Nick.


Ya Nick, I am a little bit frustrated with this one; finally I replaced it
with an Intel 82557 and it is running well, like a jet :)

This machine is a production server and I don't have much time to do
such normal troubleshooting. And I will try this card on another machine;
perhaps some clue will occur...


Thank You Everyone
Kind Regards

Neta



log watching

2005-06-22 Thread Uwe Dippel
Yes, I did 'make search' in /usr/ports.
And now I ask about your experiences: which one is recommended,
respectively not so suitable for a smaller server directly connected to
the Internet ?

Thanks for any comment,

Uwe



Re: NFS Protocol not supported when mounting from a Linux machine.

2005-06-22 Thread Rene Rivera

jared r r spiegel wrote:
>  this probably doesn't matter, but what if you just change the
>  options to be a simple (rw) or (ro)?  perhaps those options
>  only apply on the server side and are therefore not communicated
>  over to the 192.168.0.3 client, but .. ?

Tried it, doesn't help :-(

>  any chance of making the linux allow nfs v3 and trying that, 
>  if only to see if you get the same error?

I don't know how. There's nothing in the man pages that mentions the nfs 
version, so my guess would be v2 is all it can do.

Of course the most frustrating aspect of all this is that neither side 
is very informative as to what is going on.



--
-- Grafik - Don't Assume Anything
-- Redshift Software, Inc. - http://redshift-software.com
-- rrivera/acm.org - grafik/redshift-software.com
-- 102708583/icq - grafikrobot/aim - Grafik/jabber.org



Fwd: Re: Can't get through ftp-proxy/ftp-gateway :(

2005-06-22 Thread Dunric
 Thx for the reply but unfortunately it doesn't work.
In case of ftp-gateway, the ftp client initiates with the command "PASSERVE", which our 
gateway doesn't know, and it breaks the connection.
In case of ftp-proxy, which works only in non-interactive mode (autofetch), 
the attempt fails with "ftp: Error retrieving file". Unfortunately I can't get more 
debugging info than with the -d and -v parameters.

> From: [EMAIL PROTECTED]
> To: "L. V. Lammert" <[EMAIL PROTECTED]>, misc@openbsd.org
> CC: 
> Date: 22.06.2005 18:48
> Subject: Re: Can't get through ftp-proxy/ftp-gateway :(
>
> --On 22 June 2005 10:13 -0500, L. V. Lammert wrote:
> 
> > At 01:08 PM 6/22/2005 +0200, Dunric wrote:
> >> Our LAN is connected to the Internet with Proxy gateway. Access is
> >> authorized and requires following communication scheme:
> >>
> >> USER 
> >> PASS 
> >> USER <[EMAIL PROTECTED]>
> >> PASS 
> >>
> >> Both proxy server and gateway are using this scheme, they just
> >> listen on different ports.
> >>
> >> How do I setup OpenBSD's ftp client to communicate with such proxy ?
> >
> > Why not use Lynx? It's a lot prettier than an ftp client, and I
> > expect it might be more capable of handling your proxies.
> 
> No good for pkg_add.
> 
> Looking at ftp manual, how about something like this in .netrc:
> 
> machine ftp.openbsd.org
> login proxy_user
> password proxy_password
> macdef init
> user ftp
> pass ftp@
> 



Re: Install on Multiple Disks

2005-06-22 Thread Nick Holland
Otto Moerbeek wrote:
> On Wed, 22 Jun 2005, L. V. Lammert wrote:
> 
>> At 02:04 PM 6/22/2005 -0500, Gabe Johanns wrote:
>> > Hello,
>> > 
>> > I have been running BSD on a desktop machine for 3 months and I would like
>> > to install OpenBSD on my test server. My test box is a P500 with 128MB of
>> > RAM and three disk drives.
>> > 
>> > I would like to use 100% of the storage space on all three drives while
>> > installing / on wd0, /swap on wd1, and all other partitions on wd2.
>> > 
>> > I have not found a way to use the installer to partition my drives in this
>> > manner using fdisk and disklabel. I have looked in the man files and in
>> > online FAQ's (although I have found how to move and resize the partitions on
>> > an existing installation of the OS.)
>> 
>> The installer is not setup that way, .. but why complicate life? Install / &
>> /usr on your main drive (they don't need a lot of space, anyway), .. you can
>> always move /home and/or /var to the other drives after installation.
> 
> This is wrong info. It's perfectly possible to install with
> various filesystems on different disks.

correct.  Very straight forward, too.
Configure your first disk (fdisk, disklabel)
configure your second disk (fdisk, disklabel)
configure your third disk (fdisk, disklabel)

after adding each partition in disklabel, it will ask you what the mount
point is.  Answer.

The only "tricky" part is after configuring the first disk, it will
default to "done".  No, just specify the second, then the third.

> I'd have to check to know for sure, but I think having a swap
> partition on the root disk is mandatory. But you can always add extra
> swap partitions later. 

swap is no longer mandatory at all.  You can set up swap wherever you
want.  IF you want.  Some things, like PF, only use kernel RAM anyway,
and they don't swap, so putting swap on a dedicated firewall is
questionable.

HOWEVER, if I recall properly, you will have to manually put an entry in
fstab for a non-boot drive-based swap.  No biggie.  May not even be an
accurate memory.


All that being said...
1) WHY do you feel the need to allocate all your storage space on three
drives?  If you don't have files to put in those partitions, and you
aren't likely to ever have files to put in them, allocating the space
will cause you many problems and solve none for you (i.e., longer fsck
times after tripping over the power cord, possible memory exhaustion if
you have really large drives to fsck on a small amount of RAM)
2) IF you are dedicating an entire drive to swap, I think you are in one
of a few situations:
  a) You have WAY too little RAM in the system.  128M RAM and 20G of
swap is not a good idea, at least if you really need 20G of RAM
  b) you are trying to use a very old disk, and you will discover that
very old disks are much slower than new disks (i.e., you will get much
better performance putting swap on a new, fast disk than on an old, slow
disk)
  c) Expecting magical performance gains out of swapping to a separate
drive.  Hint: If you are wanting performance gains out when swapping,
there is a much better, vastly superior way to get it.
3) If you have three IDE disks, you might be disappointed by your
attempting to implement the "ideal" of different file systems on
different drives.

What you wish to do is trivial.  But examine carefully the WHY of doing
it.  A lot of "theoretically better" reasons for doing some things don't
stand up to close examination in real life.  Three disks means at least
three times the failure points.

Nick.



Re: Network Adapter couldnt UP

2005-06-22 Thread Nick Holland
Neta wrote:
> Hello All,
> I have some strange with NIC Dlink DFE 528TX, dmesg recognize it as
> rl0 and ifconfig mark this interface ACTIVE, but if I ping on it
> replied with ping: send to : Host is down
> Anybody have a clue?
> Any incompatibility with this one?
> 
> Kind regards
> neta

kinda hard to tell, since you didn't include the dmesg.  Or the ifconfig
output.  Or the ping command you were using.

However, you are misinterpreting messages.  "host is down" means
whatever you were trying to ping couldn't be reached, and nothing was
returned indicating bad routing.

Usually, that means a simple network configuration issue.  Fix it, it
will probably take off and run.

Nick.



High pppoe0 Oerrs

2005-06-22 Thread Melameth, Daniel D.
During high utilization, the number of output errors on the pppoe
interface rises rapidly (several per second).  I put the interface in
debug mode and examined /var/logs/messages, but could not find anything
of apparent interest.  The following is relevant output of netstat -in:

Name    Mtu   Network     Address              Ipkts Ierrs    Opkts Oerrs Colls
...
fxp0    1500              00:03:47:18:1f:5d 14418613     0 15120929     2     0
fxp0    1500  192.168.255 192.168.255.221   14418613     0 15120929     2     0
fxp0    1500  fe80::%fxp0 fe80::203:47ff:fe 14418613     0 15120929     2     0
pppoe0  1492                                14371743     0 15076637 87148     0
pppoe0  1492  0.0.0.0/32  216.xxx.xxx.xxx   14371743     0 15076637 87148     0
pppoe0  1492  fe80::%pppo fe80::202:6fff:fe 14371743     0 15076637 87148     0

Any idea how to troubleshoot this?

Thanks,
Danny



Re: Audio

2005-06-22 Thread Ted Unangst
On Mon, 20 Jun 2005, Ray Percival wrote:

> I think the problem is that /dev/sound is
>  lrwx--  1 root  wheel  6 Jun 19 14:29 /dev/sound -> sound0 and for some
> reason wont let me change the perms on it.

it's a symlink, permissions for it are irrelevant.  (that's why you can't 
change them)

> /dev/sound0 looks better with
>  crw-rw-rw-  1 root  wheel   42,   0 Jun 19 14:29 /dev/sound0
> 
> Of course the really odd thing is that it is not working as root either.
> 
> Any hints, please?

audio* is the device more likely to be used by an app, btw.  what's not 
working mean?  check mixerctl for mute.


-- 
And that's why they call me Cap'n Winky.



Re: Install on Multiple Disks

2005-06-22 Thread Ted Unangst
On Wed, 22 Jun 2005, L. V. Lammert wrote:

> > I have not found a way to use the installer to partition my drives in this
> > manner using fdisk and disklabel. I have looked in the man files and in
> > online FAQ's (although I have found how to move and resize the partitions on
> > an existing installation of the OS.)
> 
> The installer is not setup that way, .. but why complicate life? Install / &
> /usr on your main drive (they don't need a lot of space, anyway), .. you can
> always move /home and/or /var to the other drives after installation.

maybe if you just jam enter, you will only use one disk, but you can 
certainly use two or more.


-- 
And that's why we need security.



Re: NFS Protocol not supported when mounting from a Linux machine.

2005-06-22 Thread Ted Unangst
On Wed, 22 Jun 2005, jared r r spiegel wrote:

>   i checked /usr/src/sbin/mount{,_nfs} and /usr/src/sys/nfs
>   to see what part of the code is making the 'Protocol not supported',
>   but didn't find it.  :(  doing a global search in /usr/src
>   ( granted, if somewhere in the code it is like '%s not supported'
>   or crosses a terminal line, i would've missed it ):

> ./sys/sys/errno.h:#define   EPROTONOSUPPORT 43  /* Protocol not supported */

that's the one.  find that in the nfs code.


-- 
And that's why Jackass is so popular.



Re: isakmpd only works if one side begins the communication

2005-06-22 Thread Mark Uemura
>   it is more productive to make the .conf simpler, and
>   not more complex.  more complex usually ends up in

Great advice.

>   the 'Address' line within an  is to be
>   interpreted as optional, so these seem to be two 

If I'm not mistaken, it's *optional* for 

Passive-connections=IPsec-clients,CONN-VPNPrueba2

but not

> > [Phase 2]
> > Connections=IPsec-clients,CONN-VPNPrueba2

...

> > I can see the tunnels via: "netstat -rn | grep
> > encap" but the only way to begin the real communication is starting it by one
> > of the sides. If I try to begin with the other side it doesn't work until I
> > do a ping (or some kind of communication) from the other side.

Try using the "Passive-connections= ..." on one of the VPN-peers only.

>   to blame the .confs.  if i haven't been of much use so far, please

I think you've been very helpful here.

>   switch the more predictable/stable/static peer to using 
>   'Passive-connections=' for the CONN-VPNPrueba.

I would give this a shot as it is not going to hurt to try :)

Mark T. Uemura
OpenBSD Support Japan Inc.
www.openbsd-support.com
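
The Connections versus Passive-connections point discussed in this thread can be checked mechanically. The following is an added example, not part of any poster's message and not isakmpd's own code: a small Python lint that flags [Phase 2] connections listed under Connections whose ISAKMP-peer is missing or has no Address. The sample config is constructed from the fragments quoted in the thread, and the rule that such a connection can only act passively is an assumption taken from the thread's reasoning.

```python
import configparser

# Constructed sample, modelled on the fragments quoted in the thread.
# Section bodies the thread does not show are assumptions.
SAMPLE_CONF = """\
[Phase 1]
10.0.0.57= PEER-VPNPrueba2
Default= ISAKMP-clients

[Phase 2]
Connections= IPsec-clients,CONN-VPNPrueba2

[PEER-VPNPrueba2]
Phase= 1
Transport= udp
Address= 10.0.0.57

[ISAKMP-clients]
Phase= 1
Transport= udp

[CONN-VPNPrueba2]
Phase= 2
ISAKMP-peer= PEER-VPNPrueba2

[IPsec-clients]
Phase= 2
"""


def parse(text):
    """Parse isakmpd.conf-style text; '=' is the only tag/value delimiter."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep tag names exactly as written
    cp.read_string(text)
    return cp


def names(cp, section, tag):
    """Return the comma-separated list stored under section/tag, or []."""
    raw = cp.get(section, tag, fallback="")
    return [n.strip() for n in raw.split(",") if n.strip()]


def lint(text):
    """Return (connection, reason) pairs for active connections that have
    no peer address to initiate to (assumed rule, see lead-in)."""
    cp = parse(text)
    active = names(cp, "Phase 2", "Connections")
    passive = names(cp, "Phase 2", "Passive-connections")
    findings = []
    for conn in active:
        if conn in passive:
            findings.append((conn, "listed as both active and passive"))
        peer = cp.get(conn, "ISAKMP-peer", fallback=None)
        if peer is None:
            findings.append((conn, "no ISAKMP-peer tag; only Default can match"))
        elif not cp.has_section(peer):
            findings.append((conn, "ISAKMP-peer section [%s] is missing" % peer))
        elif not cp.has_option(peer, "Address"):
            findings.append((conn, "peer [%s] has no Address" % peer))
    return findings


def propose_phase2(text):
    """Suggest a [Phase 2] split: flagged connections move to passive."""
    cp = parse(text)
    flagged = {conn for conn, _ in lint(text)}
    listed = names(cp, "Phase 2", "Connections")
    passive = names(cp, "Phase 2", "Passive-connections")
    passive += [c for c in listed if c in flagged and c not in passive]
    return {
        "Connections": [c for c in listed if c not in flagged],
        "Passive-connections": passive,
    }


if __name__ == "__main__":
    for conn, reason in lint(SAMPLE_CONF):
        print("%s: %s" % (conn, reason))
    for tag, value in propose_phase2(SAMPLE_CONF).items():
        print("%s= %s" % (tag, ",".join(value)))
```

Run it against each peer's config separately; the advice in the thread is to make the connection passive on one of the two VPN peers only.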



OT: Re: Install on Multiple Disks

2005-06-22 Thread jared r r spiegel
On Wed, Jun 22, 2005 at 11:33:07PM +0200, Otto Moerbeek wrote:
> 
> I'd have to check to know for sure, but I think having a swap
> partition on the root disk is mandatory. But you can always add extra
> swap partitions later. 

  i got away with installing a "full-disk" / when i was doing a 
  soekris install on a little CF.  everything worked fine (although
  i would anticipate badness if i ran out of RAM), but there
  is some complaining during boot (savecore)

  after the fact, i put a HD on the soekris as secondary, and
  put a swap on there, now swapctl finds it , but savecore
  still is looking on wd0

(bootup snippet):

swapctl: adding /dev/wd1b as swap device at priority 0
savecore: /dev/wd0b: Device not configured

  i remember checking savecore(8) and not finding anything
  that i thought i could pass it as a $savecore_flags to fix 
  that nit.

  jared

- 

[ openbsd 3.7 GENERIC ( jun 10 ) // i386 ]



Re: Squid proxy.

2005-06-22 Thread Adam
On Wed, 22 Jun 2005 19:35:37 -0500
Gordon Grieder <[EMAIL PROTECTED]> wrote:

> Hi,
> 
> We've been testing a squid proxy at my workplace (~300 machines
> locally) on a smaller group of 60 machines. (used the Windows'
> "autodetect proxy" thing with some javascript on a local webserver to
> get our 'volunteers')
> 
> Our new machine arrived which will be replacing this test unit. P4,
> 3.4 GHz, 2 SATA drives, 1 GB RAM, Broadcom (bge) gigabit NIC. We
> connect via gig fiber to teh intarweb and CA*Net4 (research/education
> network much like Internet2 in the US) so the users expect pretty
> quick response time.
> 
> Like the test unit, I'll be tweaking until I find the sweet spot of
> cache hits and age with performance. I was wondering if anyone had any
> Squid on OpenBSD pointers and/or answers to these questions:

The only pointer I can think of off the top of my head is to make sure
you raise your maxfiles before you compile squid, the configure script
checks that and limits squid to that many fds.  Squid uses lots of fds
obviously.

> - is it any faster to use multiple cache partitions on the disks
> or should one on each drive be good enough? Remember these are SATA
> drives. SCSI could be picked up if it will make a huge difference.

One cache dir per drive is good.  SCSI does make a very big difference
with squid, it's doing lots and lots of I/O operations all over the
drive.  But with only 300 users you shouldn't be too worried about
performance.

> - diskd sounds like it's a good performance booster and has worked
> fairly well on my limited testbed. Any caveats on an installation of
> the size I'm looking at?

Nope, diskd works fine.  For such a small setup, I wouldn't spend much
time playing with squid configuration besides letting it use all your
RAM.  There's tons of stuff you can tweak, but unless you have lots of
users, you really don't need to bother.

Adam



Squid proxy.

2005-06-22 Thread Gordon Grieder
Hi,

We've been testing a squid proxy at my workplace (~300 machines
locally) on a smaller group of 60 machines. (used the Windows'
"autodetect proxy" thing with some javascript on a local webserver to
get our 'volunteers')

Our new machine arrived which will be replacing this test unit. P4, 3.4
GHz, 2 SATA drives, 1 GB RAM, Broadcom (bge) gigabit NIC. We connect
via gig fiber to teh intarweb and CA*Net4 (research/education network
much like Internet2 in the US) so the users expect pretty quick
response time.

Like the test unit, I'll be tweaking until I find the sweet spot of
cache hits and age with performance. I was wondering if anyone had any
Squid on OpenBSD pointers and/or answers to these questions:

- is it any faster to use multiple cache partitions on the disks
or should one on each drive be good enough? Remember these are SATA
drives. SCSI could be picked up if it will make a huge difference.

- diskd sounds like it's a good performance booster and has worked
fairly well on my limited testbed. Any caveats on an installation of
the size I'm looking at?

Thanks in advance! 
 Gord



Re: Flash Plugin for Firefox

2005-06-22 Thread David Cathcart
If you for some reason need a working flash player in a browser, use 
opera and macromedia's Linux flash plug-in. 

get these packages from your neighborhood mirror 
redhat_base*
redhat_motif*

next install ports/www/opera (no package)


(this will build redhat_base itself but it has to source loads of shit
from everywhere and getting the package is quicker, also it won't
install motif which you need for flash)

Download Flash player 7 for mozilla 1.2 linux x86 from
http://www.macromedia.com/shockwave/download/alternates/

Untar and copy the .so and .xft to /usr/local/lib/opera/plugins (don't
untar in /usr/local/lib/opera this makes opera segfault)

Flash should work in opera now, go to about:plugins to be sure. 

Also when you first run opera it will ask if you want random graphical
ads or targeted text ads. I'd pick random graphical, don't particularly
like the URLs of what page I'm viewing being sent to google all the
time. 

David

On Wed, Jun 22, 2005 at 06:08:43PM -0600, Jim Beard wrote:
> Can anyone point me in the right direction to get flash working with
> firefox?  I notice there is a nsplugin.so in ports/graphics/flash. 
> Would this work for firefox or would it work with netscape?



Re: NFS Protocol not supported when mounting from a Linux machine.

2005-06-22 Thread jared r r spiegel
On Wed, Jun 22, 2005 at 03:49:39PM -0500, Rene Rivera wrote:
> 
> bash-3.00# mount_nfs -2 192.168.0.3:/export /mnt/export.3
> mount_nfs: /mnt/export.3: Protocol not supported
> bash-3.00# mount_nfs -2 -T 192.168.0.3:/export /mnt/export.3
> mount_nfs: /mnt/export.3: Protocol not supported
> bash-3.00# mount_nfs -2 -U 192.168.0.3:/export /mnt/export.3
> mount_nfs: /mnt/export.3: Protocol not supported

  i checked /usr/src/sbin/mount{,_nfs} and /usr/src/sys/nfs
  to see what part of the code is making the 'Protocol not supported',
  but didn't find it.  :(  doing a global search in /usr/src
  ( granted, if somewhere in the code it is like '%s not supported'
  or crosses a terminal line, i would've missed it ):


[/usr/src] $ find . -type f | xargs grep "Protocol not supported"
./gnu/lib/libiberty/src/strerror.c:  ENTRY(EPROTONOSUPPORT, "EPROTONOSUPPORT", "Protocol not supported"),
./gnu/usr.bin/cvs/lib/strerror.c:  ENTRY(EPROTONOSUPPORT, "EPROTONOSUPPORT", "Protocol not supported"),
./gnu/usr.bin/cvs/os2/porttcp.c:case SOCEPROTONOSUPPORT:return "Protocol not supported";
./gnu/usr.bin/cvs/windows-NT/sockerror.c:/* EPROTONOSUPPORT */ "Protocol not supported",
./gnu/usr.bin/perl/pod/perlfaq.pod:Why doesn't my sockets program work under System V (Solaris)?  What does the error message "Protocol not supported" mean?
./gnu/usr.bin/perl/pod/perlfaq8.pod:=head2 Why doesn't my sockets program work under System V (Solaris)?  What does the error message "Protocol not supported" mean?
./gnu/usr.bin/perl/pod/perltoc.pod:does the error message "Protocol not supported" mean?
./lib/libc/gen/errlist.c:   "Protocol not supported",   /* 43 - EPROTONOSUPPORT */
./lib/libc/nls/C.msg:43 Protocol not supported
./lib/libc/sys/intro.2:.It Er 43 EPROTONOSUPPORT Em "Protocol not supported" .
./libexec/ftp-proxy/ftp-proxy.c:"522 Protocol not supported, use (1)\r\n");
./libexec/ftp-proxy/ftp-proxy.c:"501 Protocol not supported\r\n");
./libexec/ftpd/ftpd.c:  epsv_protounsupp("Protocol not supported");
./libexec/ftpd/ftpd.c: * 522 Protocol not supported (proto,...)
./sys/sys/errno.h:#define   EPROTONOSUPPORT 43  /* Protocol not supported */
./usr.sbin/route6d/route6d.c:   /* Protocol not supported */
./usr.sbin/route6d/route6d.c:   /* Protocol not supported */

  
  so that is looking like nothing that has anything in specific to 
  do with NFS... 

  on a whim, i tried mounting a remote nfs partition onto 
  a local dir with a '.' in it, but that worked ok for v2/v3.

> thought should be done. And just in case this is the exports on the 
> Linux machine:
> 
> /export 192.168.0.2(rw,no_wdelay,no_subtree_check,sync)

  this probably doesn't matter, but what if you just change the
  options to be a simple (rw) or (ro)?  perhaps those options
  only apply on the server side and are therefore not communicated
  over to the 192.168.0.3 client, but .. ?

  any chance of making the linux allow nfs v3 and trying that, 
  if only to see if you get the same error?

  jared

- 

[ openbsd 3.7 GENERIC ( jun 10 ) // i386 ]



Re: How to set up a read-only CVS server?

2005-06-22 Thread Jacob Meuser
On Wed, Jun 22, 2005 at 11:33:15PM +0200, Frank Denis (Jedi/Sector One) wrote:
>   Hello,
>   
>   I'd like to offer a public OpenBSD CVS mirror, but I have no experience
> with setting up CVS servers, especially public ones.
> 
>   My question may sound obvious: how to set up a read-only CVS server, using
> the reference CVS or OpenCVS?
>   
>   I found various tutorials and scripts, but they all describe the insecure
> pserver way. I tried to have different uids for the files and for the
> anoncvs account, but the CVS server chokes when it comes to creating lock
> files. The only working way I found was a systrace policy (just in case it
> would be useful to anyone, you can find it here:
> ftp://ftp.00f.net/misc/systrace/usr_bin_cvs). But there must be a most
> obvious way to do it. How are you doing it, guys?

http://www.openbsd.org/anoncvs.html#MIRROR is probably a good starting
point.

-- 
<[EMAIL PROTECTED]>



Re: unusual behaviour mixerctl & audioctl

2005-06-22 Thread Jacob Meuser
On Wed, Jun 22, 2005 at 11:39:26PM +0100, Ed Wandasiewicz wrote:
> Following the faq, here is my output. Using /dev/audio and sox, I get
> scrambled noise. The bytes/sec don't match...

> # dd if=/dev/audio of=myvoice.raw
> 289+0 records in
> 289+0 records out
> 147968 bytes transferred in 4.636 secs (31917 bytes/sec)
> # dd if=myvoice.raw of=/dev/audio
> 289+0 records in
> 289+0 records out
> 147968 bytes transferred in 16.498 secs (8969 bytes/sec)

what is the full output of 'audioctl -a' right after running these
commands?

I'm guessing that something (sample_rate, precision, channels or
encoding) doesn't match between record and play.

also note, auich(4) says, "Some hardware implementations only
support 48kHz sampling rates."

did you try using /dev/sound as well?

-- 
<[EMAIL PROTECTED]>



Flash Plugin for Firefox

2005-06-22 Thread Jim Beard
Can anyone point me in the right direction to get flash working with
firefox?  I notice there is a nsplugin.so in ports/graphics/flash. 
Would this work for firefox or would it work with netscape?



Re: Update (was Re: Greylisting causes mail failure)

2005-06-22 Thread jared r r spiegel
On Wed, Jun 22, 2005 at 06:11:58PM +0200, Hannah Schroeter wrote:

> >Perhaps it'd be an improvement to spamd to report to the client on how
> >it got decided to block or greylist the IP, as that can come quite handy
> >if debugging is needed (i.e. legitimate mail doesn't get through even
> >after the usual greylist timeout).
> 
> That suggestion still stands in my eyes.

  i haven't used spamd for blocklist things, but is that what the 
  :msg="blahblah": in spamd.conf is supposed to do?  it would seem
  to me that if an IP matched blocklistA, then spamd would tell
  blocklistA's $msg to the other side.  spamd.conf(5) talks about
  it in the 2nd paragraph from the bottom, but as i haven't 
  used it for blocklists i won't personally assert that i'm 
  interpreting 'msg' correctly.

  jared

- 

[ openbsd 3.7 GENERIC ( jun 10 ) // i386 ]



Re: isakmpd only works if one side begins the communication

2005-06-22 Thread jared r r spiegel
On Wed, Jun 22, 2005 at 04:15:19PM +0200, Abel Talaversn Estevez wrote:
> 
> [General]
> Exchange-max-time=  30
> Check-interval= 30
> DPD_check_interval= 30

  if you're certain those are what you need to use for
  one reason or another, then you need to use them :), but

> I've been trying some values in check-interval and exchange-max-time with no success

  if you tried them to see if it would contribute to 
  solving the trouble/issue you're seeing, i would
  suggest getting rid of them.  i am not an expert on
  isakmpd, by any means, but in my experience, if i am
  trying to diagnose an unexpected behaviour, i find
  it is more productive to make the .conf simpler, and
  not more complex.  more complex usually ends up in
  a period of frustration where you go in and twiddle
  a bunch of knobs at one time and try again, and then
  twiddle more knobs, etcetc.. i found i would not 
  use Scientific Method and only change 1 thing at a time
  because there were so many damn things to try changing
  ( which is because i would make the .conf so complex )

  naturally, twiddle after you are achieving expected
  results, but in the meantime, comment out the knobs :P

> [Phase 1]
> 10.0.0.57=  PEER-VPNPrueba2
> Default=ISAKMP-clients
.
> [Phase 2]
> Connections=IPsec-clients,CONN-VPNPrueba2

  on both sides, the "IPsec-clients" 
  doesn't reference an .  you do have
  a 'Default' in the [Phase 1] sections on each, 
  referencing the "ISAKMP-clients" peer, but from
  my understanding, 'Default' is only used for 
  reference on _incoming_ connections not otherwise
  referenced by an  on another [Phase 1]
  line - since both sides' "IPsec-clients" are the
  same, and both only specify an  
  via the 'Default' line, it would seem that in effect,
  both the "IPsec-clients" connection is acting passive
  on both sides.

  in my isakmpd.conf, i have nothing in the [Phase 1]
  section, and all my [Phase 2] connections reference
   who have IPs in them.  this may be
  setting me up for an unexpected result, but i have
  not seen any thus far.  to be fair, it seems like
  the 'Address' line within an  is to be
  interpreted as optional, so these seem to be two 
  different ways to accomplish the same goal in one
  scenario, and then also each of them could have a 
  use that changes the scope of the  in
  a way that the other doesn't.

  for the :

> [local-subnet]
> ID-type=IPV4_ADDR_SUBNET
> Network=0.0.0.0
> Netmask=0.0.0.0
> 
> [remote-client]
> ID-type=IPV4_ADDR
> Address=0.0.0.0

  sections, are those sanitized/obfuscated IPs, or
  are the IPs in the configs really all 0s?  i'll
  assume that in the configs on the firewalls they're
  not all 0s.  if 10.0.0.67 proposed those addresses
  to 10.0.0.57, and 10.0.0.57 accepted them, the flow
  would (i believe) look like this in 'netstat -rnf encap':

Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
0.0.0.0/32         0     0/0                0     0     10.0.0.67/50/use/in
0/0                0     0.0.0.0/32         0     0     10.0.0.67/50/require/out

  which probably won't do anything unless you really
  are sending traffic to 0.0.0.0/32

  so, if they're actually IPs other than 0.0.0.0 for
  the "remote-client" section, and you did have an 
   referenced in the "IPsec-clients" part,
  the results would probably be unpredictable if that
  isakmpd tried to make a connection to more than one
  other, as then it would be trying to establish two
  flows with the same Encap Source and Destination
  ( which i believe doesn't jive even if the SA address
  is different.  i know i've tried to do something like 
  this before, and it ended up either constantly over-
  writing the encap flow with the most-newly-acquired
  one, or it refused to make a new one by virtue of there
  already being one.  perhaps the former is true for
  with both flows are from isakmpd, and the latter when
  there is an initial flow created by ipsecadm.. )

  given that the "IPsec-clients" gets an 
  by virtue of not having one (and therefore matching 
  'Default', which is only for incoming (afaik), it would
  seem that that connection is meant to be of a passive
  nature, and then usually geared towards having more than
  one possible person come in at a time, but i might be
  wrong about the intended use of the "IPsec-clients"
  connection.

  anyway, moving to the "CONN-VPNPrueba2" section. 
  in [Phase 1] you say that 10.0.0.57 is to be 
  interpreted as the  PEER-VPNPrueba2
  who is configured with a psk and an expected address.

  once 10.0.0.67 and 10.0.0.57 have established their
  flow, it would look like this on .57's side:

Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
10.0.40/24         0     10.0.10/24         0     0     10.0.0.67/50/use/in
10.0.10/24         0     10.0.40/24         0     0     10.0.0.67/50/requi

Re: unusual behaviour mixerctl & audioctl

2005-06-22 Thread Ed Wandasiewicz
Following the faq, here is my output. Using /dev/audio and sox, I get
scrambled noise. The bytes/sec don't match...

# audioctl record.encoding=mulaw
audioctl: set failed: Invalid argument
# audioctl record.rate=8000
audioctl: set failed: Invalid argument
# audioctl record.channels=1
audioctl: set failed: Invalid argument
# audioctl record.precision=8
audioctl: set failed: Invalid argument

# mixerctl -w inputs.mic.mute=on
inputs.mic.mute: on -> on
# mixerctl inputs.mic.preamp=on
inputs.mic.preamp: off -> on
# mixerctl inputs.mic.source=mic0
inputs.mic.source: mic0 -> mic0
# mixerctl record.source=mic
record.source: mic -> mic
# mixerctl -w record.volume=255,255
record.volume: 255,255 -> 255,255
# mixerctl -w record.volume.mute=off
record.volume.mute: off -> off
# mixerctl -w record.mic=0
record.mic: 0 -> 0
# mixerctl record.mic.mute=off
record.mic.mute: off -> off
# dd if=/dev/audio of=myvoice.raw
289+0 records in
289+0 records out
147968 bytes transferred in 4.636 secs (31917 bytes/sec)
# dd if=myvoice.raw of=/dev/audio
289+0 records in
289+0 records out
147968 bytes transferred in 16.498 secs (8969 bytes/sec)

# sox -U -c 1 -r 8000 -b myvoice.raw myvoice.wav 
# play myvoice.wav


On Wed, Jun 22, 2005 at 11:50:27AM -0700, Jacob Meuser wrote:
> On Wed, Jun 22, 2005 at 12:59:35AM +0100, Ed Wandasiewicz wrote:
> > Running 3.7-current, I get the following behaviour with audioctl &
> > mixerctl.
> > 
> > % audioctl play.sample_rate=11025
> > audioctl: set failed: Invalid argument
> > 
> > % mixerctl -w record.mic=100
> > record.mic: 0 -> 0
> 
> I see the same thing with emu/SBLive!
> 
> > Also, if I try to record through a mic or line in, I get scrambled
> > noise. My sound card is driven by the auich driver. Any suggestions?
> 
> but it does actually work for me.  are you sure you're playing with
> the same parameters you are recording with?  how are you recording
> and playing?  have you read
> http://www.openbsd.org/faq/faq13.html#recordaudio ?
> 
> -- 
> <[EMAIL PROTECTED]>



Re: How to set up a read-only CVS server?

2005-06-22 Thread Hugo Villeneuve
On Wed, Jun 22, 2005 at 11:33:15PM +0200, Frank Denis (Jedi/Sector One) wrote:
>   Hello,
>   
>   I'd like to offer a public OpenBSD CVS mirror, but I have no experience
> with setting up CVS servers, especially public ones.
> 
>   My question may sound obvious: how to set up a read-only CVS server, using
> the reference CVS or OpenCVS?

You need this which contains both the instructions and the anoncvs
shell needed:
http://openbsd.org/anoncvs.shar

Replace reference to "sup" with cvsync and the information available
at http://openbsd.org/cvsync.html

>   
>   I found various tutorials and scripts, but they all describe the insecure
> pserver way. I tried to have different uids for the files and for the
> anoncvs account, but the CVS server chokes when it comes to creating lock
> files. The only working way I found was a systrace policy (just in case it
> would be useful to anyone, you can find it here:
> ftp://ftp.00f.net/misc/systrace/usr_bin_cvs). But there must be a most
> obvious way to do it. How are you doing it, guys?

OpenBSD's cvs has special code to make it work under an unwritable
directory tree. That code gets triggered by the environment variable
CVSREADONLYFS=1.

I don't believe that code ever made it to the gnu version in the
decade that functionality has been available. The Net and Free
supports this, I believe.


> 
>   TIA,
>   
>  -Frank.

-- 
Hugo Villeneuve <[EMAIL PROTECTED]>
http://EINTR.net/ 



Re: How to set up a read-only CVS server?

2005-06-22 Thread Matthias Kilian
On Wed, Jun 22, 2005 at 11:33:15PM +0200, Frank Denis (Jedi/Sector One) wrote:
>   I'd like to offer a public OpenBSD CVS mirror, [...]

http://www.openbsd.org/anoncvs.html#MIRROR
http://www.openbsd.org/anoncvs.shar



Re: isakmpd only works if one side begins the communication

2005-06-22 Thread Mark Uemura
> isakmpd.conf on one side:

...
 
[Phase 2]
-Connections=   IPsec-clients,CONN-VPNPrueba2
+Passive-connections=   IPsec-clients,CONN-VPNPrueba2 
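Review bot: the replacement line moves both entries, so CONN-VPNPrueba2 becomes passive as well and this side will no longer initiate the site-to-site tunnel; it then depends on the other peer keeping its CONN-VPNPrueba entry in Connections=. Only IPsec-clients, whose section in the posted config has no ISAKMP-peer to initiate toward, needs to move; consider "Passive-connections= IPsec-clients" alongside "Connections= CONN-VPNPrueba2".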

Try making this one change to the isakmpd.conf on the VPN-peer
that the clients will be connecting to.

Mark T. Uemura
OpenBSD Support Japan Inc.
www.openbsd-support.com 



Re: How to set up a read-only CVS server?

2005-06-22 Thread Stuart Henderson

--On 22 June 2005 23:33 +0200, Frank Denis \(Jedi/Sector One\) wrote:


  My question may sound obvious: how to set up a read-only CVS
server, using the reference CVS or OpenCVS?


, end section "Setting up an 
anoncvs mirror".




Re: vnd/vnconfig to mount a BIN/CUE/ISO image for VCD playback.

2005-06-22 Thread Diana Eichert
Did you even READ the fine vnconfig man page?

diana



Re: Install on Multiple Disks

2005-06-22 Thread Otto Moerbeek
On Wed, 22 Jun 2005, L. V. Lammert wrote:

> At 02:04 PM 6/22/2005 -0500, Gabe Johanns wrote:
> > Hello,
> > 
> > I have been running BSD on a desktop machine for 3 months and I would like
> > to install OpenBSD on my test server. My test box is a P500 with 128MB of
> > RAM and three disk drives.
> > 
> > I would like to use 100% of the storage space on all three drives while
> > installing / on wd0, /swap on wd1, and all other partitions on wd2.
> > 
> > I have not found a way to use the installer to partition my drives in this
> > manner using fdisk and disklabel. I have looked in the man files and in
> > online FAQ's (although I have found how to move and resize the partitions on
> > an existing installation of the OS.)
> 
> The installer is not setup that way, .. but why complicate life? Install / &
> /usr on your main drive (they don't need a lot of space, anyway), .. you can
> always move /home and/or /var to the other drives after installation.

This is wrong info. It's perfectly possible to install with
various filesystems on different disks.

I'd have to check to know for sure, but I think having a swap
partition on the root disk is mandatory. But you can always add extra
swap partitions later. 

So do something like:

create wd0a (/)  and wd0b (swap) on wd0
create wd1b (swap) on wd1
create other partitions on wd2, specifying the various mount points

-Otto



vnd/vnconfig to mount a BIN/CUE/ISO image for VCD playback.

2005-06-22 Thread Anon Y. Mous
Hi:

  I have two files CD1, CD2{*.iso, *.cue, *.bin} that I need
to mount virtually in OpenBSD 3.7/i386 for usage in mplayer
for Video CD playback OR copying as raw data for playback.

  [I can use bchunk to convert the *.bin, *.cue files to two *.iso
files, (if necessary) to use vnconfig to mount these images.]

  How do I use vnconfig and vnd to mount the image file?

  Do I need to edit my /etc/fstab for svnd0(x) or vnd0(x) as a
device? If so, should I create a /mnt/vnd or make /mnt/cdrom
the mount point?

  Do I need to be root or is sudo sufficient to make these
changes?

  Finally, are there any limitations of vnd or vnconfig that I
should know about before attempting this, such as, restrictions
of file types that can be used by the vnd driver?


Thanks,


[EMAIL PROTECTED]



How to set up a read-only CVS server?

2005-06-22 Thread Frank Denis \(Jedi/Sector One\)
  Hello,
  
  I'd like to offer a public OpenBSD CVS mirror, but I have no experience
with setting up CVS servers, especially public ones.

  My question may sound obvious: how to set up a read-only CVS server, using
the reference CVS or OpenCVS?
  
  I found various tutorials and scripts, but they all describe the insecure
pserver way. I tried to have different uids for the files and for the
anoncvs account, but the CVS server chokes when it comes to creating lock
files. The only working way I found was a systrace policy (just in case it
would be useful to anyone, you can find it here:
ftp://ftp.00f.net/misc/systrace/usr_bin_cvs). But there must be a most
obvious way to do it. How are you doing it, guys?

  TIA,
  
 -Frank.



Re: Install on Multiple Disks

2005-06-22 Thread L. V. Lammert

At 02:04 PM 6/22/2005 -0500, Gabe Johanns wrote:

Hello,

I have been running BSD on a desktop machine for 3 months and I would like
to install OpenBSD on my test server. My test box is a P500 with 128MB of
RAM and three disk drives.

I would like to use 100% of the storage space on all three drives while
installing / on wd0, /swap on wd1, and all other partitions on wd2.

I have not found a way to use the installer to partition my drives in this
manner using fdisk and disklabel. I have looked in the man files and in
online FAQ's (although I have found how to move and resize the partitions on
an existing installation of the OS.)


The installer is not setup that way, .. but why complicate life? Install / 
& /usr on your main drive (they don't need a lot of space, anyway), .. you 
can always move /home and/or /var to the other drives after installation.


Lee



Re: NFS Protocol not supported when mounting from a Linux machine.

2005-06-22 Thread Rene Rivera

Golliher, Blake wrote:

Does showmount -e against that nfs server show nfs version 2 as an
allowable service?


Well it shows the mount, I don't see how showmount could be used to tell 
if it's v2 or v3. Except perhaps if you mean that if it shows it at all 
it's v2:


bash-3.00# showmount -e 192.168.0.3
Exports list on 192.168.0.3:
/export192.168.0.2

192.168.0.2 is the OBSD box.

Matt Provost wrote:
Did you try mounting using both tcp and udp? 


No. But just did:

bash-3.00# mount_nfs -2 192.168.0.3:/export /mnt/export.3
mount_nfs: /mnt/export.3: Protocol not supported
bash-3.00# mount_nfs -2 -T 192.168.0.3:/export /mnt/export.3
mount_nfs: /mnt/export.3: Protocol not supported
bash-3.00# mount_nfs -2 -U 192.168.0.3:/export /mnt/export.3
mount_nfs: /mnt/export.3: Protocol not supported


Also try using rpcinfo
to see which protocols/versions are supported on the server:



rpcinfo -u hostname nfs
rpcinfo -u hostname mountd
rpcinfo -t hostname nfs
rpcinfo -t hostname mountd


It all looks OK:

bash-3.00# rpcinfo -u 192.168.0.3 nfs
program 13 version 2 ready and waiting
bash-3.00# rpcinfo -u 192.168.0.3 mountd
program 15 version 1 ready and waiting
program 15 version 2 ready and waiting
program 15 version 3 ready and waiting
bash-3.00# rpcinfo -t 192.168.0.3 nfs
program 13 version 2 ready and waiting
bash-3.00# rpcinfo -t 192.168.0.3 mountd
program 15 version 1 ready and waiting
program 15 version 2 ready and waiting
program 15 version 3 ready and waiting


Any other ideas? I'm really lost here, because I've done everything I 
thought should be done. And just in case this is the exports on the 
Linux machine:


/export 192.168.0.2(rw,no_wdelay,no_subtree_check,sync)



--
-- Grafik - Don't Assume Anything
-- Redshift Software, Inc. - http://redshift-software.com
-- rrivera/acm.org - grafik/redshift-software.com
-- 102708583/icq - grafikrobot/aim - Grafik/jabber.org



Re: W32 codecs

2005-06-22 Thread Jacob Meuser
On Wed, Jun 22, 2005 at 03:38:14PM -0500, eric wrote:
> On Wed, 2005-06-22 at 15:15:21 -0500, Steve Tornio proclaimed...
> 
> > Looks like the port needs to be updated. The filename currently offered is 
> > all-20050412.tar.bz2.  It doesn't look like mplayer keeps the older codecs 
> > around.
> 
> Yep, that's all
> 
> I changed all-20050216.tar.bz2 to all-20050412.tar.bz2 in the Makefile
> and used `NO_CHECKSUM=YES make install`

you _could_ of course run 'make makesum', and then send a diff to the
listed MAINTAINER ...

-- 
<[EMAIL PROTECTED]>



Install on Multiple Disks

2005-06-22 Thread Gabe Johanns
Hello,



I have been running BSD on a desktop machine for 3 months and I would like
to install OpenBSD on my test server. My test box is a P500 with 128MB of
RAM and three disk drives.



I would like to use 100% of the storage space on all three drives while
installing / on wd0, /swap on wd1, and all other partitions on wd2.



I have not found a way to use the installer to partition my drives in this
manner using fdisk and disklabel. I have looked in the man files and in
online FAQ's (although I have found how to move and resize the partitions on
an existing installation of the OS.)



Is this possible, and I am just not making the mental connections required
when reading the man pages, or do I need to install and then move my /swap
and /usr /log etc partitions once the OS is installed?



Thanks

-Gabe



Re: W32 codecs

2005-06-22 Thread eric
On Wed, 2005-06-22 at 15:15:21 -0500, Steve Tornio proclaimed...

> Looks like the port needs to be updated. The filename currently offered is 
> all-20050412.tar.bz2.  It doesn't look like mplayer keeps the older codecs 
> around.

Yep, that's all

I changed all-20050216.tar.bz2 to all-20050412.tar.bz2 in the Makefile
and used `NO_CHECKSUM=YES make install`

thanks.



Re: W32 codecs

2005-06-22 Thread Steve Tornio

anyone know what happened to the w32codecs in the ports tree?

I'm using 3.7-STABLE and see this:

cirque$ cd ./graphics/win32-codecs
cirque$ sudo make
Password:
===>  Checking files for win32-codecs-20050216

all-20050216.tar.bz2 doesn't seem to exist on this system.


Looks like the port needs to be updated. The filename currently offered is 
all-20050412.tar.bz2.  It doesn't look like mplayer keeps the older codecs 
around.


http://www1.mplayerhq.hu/MPlayer/releases/codecs

Steve



Re: Blocking ARPS from certain individuals and priortizing other broadcasts

2005-06-22 Thread Aaron Leach
If it is an upper layer protocol that is using up all of the pf
states, can rules be created automatically that would block
individuals from doing this, or do I have to manually create a rule?
Please let me know.

Thanks,

Aaron
iProvo Network Engineer

On 6/18/05, tony sarendal <[EMAIL PROTECTED]> wrote:
> On 19/06/05, Aaron Leach <[EMAIL PROTECTED]> wrote:
> > Is proxy ARP running by default on a typical BSD install? I am talking
> > about ARPS. The only traffic I can see coming into the box is ARP when
> > I do a network trace. As soon as I disable the customer, NAT returns
> > to normal as far as the entries are concerned. I enable the customer
> > and then I start increasing the table entries. I may be clueless, but
> > I thought BSD did not do Proxy ARP with the default install.
> >
> 
> I don't believe it does proxy ARP by default, but I'm just guessing. I
> don't see how ARP's would generate states PF, some real traffic is
> probably causing that.
> 
> What does pfctl -s states say ?
> Have a look into the man page for pf.conf, stateful tracking options,
> max-src-states and others. You can limit the number states allowed by
> one host, and some other useful stuff as well.
> 
> /Tony



W32 codecs

2005-06-22 Thread eric
anyone know what happened to the w32codecs in the ports tree?

I'm using 3.7-STABLE and see this:

cirque$ cd ./graphics/win32-codecs
cirque$ sudo make
Password:
===>  Checking files for win32-codecs-20050216
>> all-20050216.tar.bz2 doesn't seem to exist on this system.
>> Attempting to fetch /usr/ports/distfiles/all-20050216.tar.bz2 from
>> http://www1.mplayerhq.hu/MPlayer/releases/codecs/.
ftp: Error retrieving file: 404 Not Found
>> Attempting to fetch /usr/ports/distfiles/all-20050216.tar.bz2 from
>> http://www2.mplayerhq.hu/MPlayer/releases/codecs/.
ftp: Error retrieving file: 404 Not Found
>> Attempting to fetch /usr/ports/distfiles/all-20050216.tar.bz2 from
>> ftp://mplayerhq.hu/MPlayer/releases/codecs/.
Failed to open file.
>> Attempting to fetch /usr/ports/distfiles/all-20050216.tar.bz2 from
>> ftp://ftp.lug.udel.edu/MPlayer/releases/codecs/.
Failed to open file.
>> Attempting to fetch /usr/ports/distfiles/all-20050216.tar.bz2 from
>> ftp://ftp.openbsd.org/pub/OpenBSD/distfiles//.
Unknown command.
Failed to open file.
>> Attempting to fetch /usr/ports/distfiles/all-20050216.tar.bz2 from
>> ftp://ftp.usa.openbsd.org/pub/OpenBSD/distfiles//.
all-20050216.tar.bz2: No such file or directory.
>> Attempting to fetch /usr/ports/distfiles/all-20050216.tar.bz2 from
>> ftp://ftp.freebsd.org/pub/FreeBSD/distfiles//.
Trying 2001:4f8:0:2::e...
Failed to open file.
*** Error code 1

Stop in /usr/ports/graphics/win32-codecs (line 1952 of
/usr/ports/infrastructure/mk/bsd.port.mk).
*** Error code 1

Stop in /usr/ports/graphics/win32-codecs (line 1407 of
/usr/ports/infrastructure/mk/bsd.port.mk).
*** Error code 1

Stop in /usr/ports/graphics/win32-codecs (line 1596 of
/usr/ports/infrastructure/mk/bsd.port.mk).
cirque$



Re: NFS Protocol not supported when mounting from a Linux machine.

2005-06-22 Thread Matt Provost
On Jun 22 12:46 PM, Rene Rivera wrote:
> I'm trying to NFS mount from a Linux machine to my new OpenBSD setup and 
> it just doesn't work. I've run out of things to try, and I keep getting 
> the "Protocol not supported" error. Trying to force the NFS version:
> 
>   mount_nfs -2 x.x.x.x:/mnt/export /mnt/export
> 
> Doesn't seem to work as the Linux server keeps saying:
> 
>   svc: unknown version (3)
> 
> Any help appreciated.
> 

Did you try mounting using both tcp and udp? Also try using rpcinfo to
see which protocols/versions are supported on the server:

rpcinfo -u hostname nfs
rpcinfo -u hostname mountd
rpcinfo -t hostname nfs
rpcinfo -t hostname mountd

Matt



Re: unusual behaviour mixerctl & audioctl

2005-06-22 Thread Jacob Meuser
On Wed, Jun 22, 2005 at 12:59:35AM +0100, Ed Wandasiewicz wrote:
> Running 3.7-current, I get the following behaviour with audioctl &
> mixerctl.
> 
> % audioctl play.sample_rate=11025
> audioctl: set failed: Invalid argument
> 
> % mixerctl -w record.mic=100
> record.mic: 0 -> 0

I see the same thing with emu/SBLive!

> Also, if I try to record through a mic or line in, I get scrambled
> noise. My sound card is driven by the auich driver. Any suggestions?

but it does actually work for me.  are you sure you're playing with
the same parameters you are recording with?  how are you recording
and playing?  have you read
http://www.openbsd.org/faq/faq13.html#recordaudio ?

-- 
<[EMAIL PROTECTED]>



Re: NFS Protocol not supported when mounting from a Linux machine.

2005-06-22 Thread Golliher, Blake
Does showmount -e against that nfs server show nfs version 2 as an
allowable service?

-Blake 

-Original Message-
From: Rene Rivera [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 22, 2005 10:46 AM
To: misc@openbsd.org
Subject: NFS Protocol not supported when mounting from a Linux machine.

I'm trying to NFS mount from a Linux machine to my new OpenBSD setup and
it just doesn't work. I've run out of things to try, and I keep getting
the "Protocol not supported" error. Trying to force the NFS version:

mount_nfs -2 x.x.x.x:/mnt/export /mnt/export

Doesn't seem to work as the Linux server keeps saying:

svc: unknown version (3)

Any help appreciated.


--
-- Grafik - Don't Assume Anything
-- Redshift Software, Inc. - http://redshift-software.com
-- rrivera/acm.org - grafik/redshift-software.com
-- 102708583/icq - grafikrobot/aim - Grafik/jabber.org



NFS Protocol not supported when mounting from a Linux machine.

2005-06-22 Thread Rene Rivera
I'm trying to NFS mount from a Linux machine to my new OpenBSD setup and 
it just doesn't work. I've run out of things to try, and I keep getting 
the "Protocol not supported" error. Trying to force the NFS version:


mount_nfs -2 x.x.x.x:/mnt/export /mnt/export

Doesn't seem to work as the Linux server keeps saying:

svc: unknown version (3)

Any help appreciated.


--
-- Grafik - Don't Assume Anything
-- Redshift Software, Inc. - http://redshift-software.com
-- rrivera/acm.org - grafik/redshift-software.com
-- 102708583/icq - grafikrobot/aim - Grafik/jabber.org



Network Adapter couldnt UP

2005-06-22 Thread Neta
Hello All,
I have some strange with NIC Dlink DFE 528TX, dmesg recognize it as
rl0 and ifconfig mark this interface ACTIVE, but if I ping on it
replied with ping: send to : Host is down
Anybody have a clue?
Any incompatibility with this one?

Kind regards
neta






openbgpd: route reflector not announcing all routes?

2005-06-22 Thread Joe .
hi,
i am trying to aggregate a few transit providers into a device that
can't handle the full feeds from them. to get around that i am getting
the full feeds into an obsd 3.7 machine and then setting up a session
to reflect the finalized table to the device. instead of having 3 full
feeds it has only 1 that is the composite of the rest.

on the bsd reflector i have the following config for the route reflector client:

neighbor $device {
remote-as $as
descr "session to route reflector client"
route-reflector $device
local-address $local_ip
passive
}

the problem is that between the 3 providers a finalized fib is created
on the obsd machine that has ~160,000 routes (the rib table is like
400,000+) . the rib that results on the reflector client $device only
has a mere 77,820 routes. it's not summarizing them either, some just
seem to be missing entirely.

the bsd machine has over a GB of ram so i don't think that is the
issue. any help would be appreciated.

thanks!
joe



Re: Can't get through ftp-proxy/ftp-gateway :(

2005-06-22 Thread Stuart Henderson

--On 22 June 2005 10:13 -0500, L. V. Lammert wrote:


At 01:08 PM 6/22/2005 +0200, Dunric wrote:

Our LAN is connected to the Internet with Proxy gateway. Access is
authorized and requires following communication scheme:

USER 
PASS 
USER <[EMAIL PROTECTED]>
PASS 

Both proxy server and gateway are using this scheme, they just
listen on  different ports.

How do I setup OpenBSD's ftp client to communicate with such proxy ?


Why not use Lynx? It's a lot prettier than an ftp client, and I
expect it might be more capable of handling your proxies.


No good for pkg_add.

Looking at ftp manual, how about something like this in .netrc:

machine ftp.openbsd.org
login proxy_user
password proxy_password
macdef init
user ftp
pass ftp@




Update (was Re: Greylisting causes mail failure)

2005-06-22 Thread Hannah Schroeter
Hello!

On Wed, Jun 22, 2005 at 05:56:45PM +0200, Hannah Schroeter wrote:
>Hello!

>I'm trying to deliver a mail (a bug report) from source IP
>  212.227.35.69
>and seem to not get it through.

>Some time earlier I had the same problem, and even after many retries
>(i.e. after more time than the greylisting timeout should be) it didn't
>get through.

>What's wrong?

Ok, this time it worked after a bit more than 25 minutes.
Sorry that I've reported that so fast, the reason was that last time I
tried to send a mail from this box, it *never* came through, not even
after 25 minutes, not even after days.

>Is that IP on a blacklist? If so which one?

Scrap that.

>Perhaps it'd be an improvement to spamd to report to the client on how
>it got decided to block or greylist the IP, as that can come quite handy
>if debugging is needed (i.e. legitimate mail doesn't get through even
>after the usual greylist timeout).

That suggestion still stands in my eyes.

Kind regards,

Hannah.



unusual behaviour mixerctl & audioctl

2005-06-22 Thread Ed Wandasiewicz
Running 3.7-current, I get the following behaviour with audioctl &
mixerctl.

% audioctl play.sample_rate=11025
audioctl: set failed: Invalid argument

% mixerctl -w record.mic=100
record.mic: 0 -> 0

Also, if I try to record through a mic or line in, I get scrambled
noise. My sound card is driven by the auich driver. Any suggestions?

Log output (AUDIO_DEBUG)
% audioctl play.sample_rate=11025
audioctl: set failed: Invalid argument

Jun 21 21:04:50 blackbird /bsd: mixer_ioctl(20,'M',0) result 0
Jun 21 21:04:50 blackbird /bsd: mixer_ioctl(20,'M',1)
Jun 21 21:04:50 blackbird /bsd: AUDIO_MIXER_WRITE
Jun 21 21:04:50 blackbird /bsd: read(1e) = 0
Jun 21 21:04:50 blackbird /bsd: mixer_ioctl(20,'M',1) result 0
Jun 21 21:04:50 blackbird /bsd: mixer_ioctl(20,'M',0)
Jun 21 21:04:50 blackbird /bsd: AUDIO_MIXER_READ
Jun 21 21:04:50 blackbird /bsd: read(1e) = 0
Jun 21 21:04:50 blackbird /bsd: mixer_ioctl(20,'M',0) result 0
Jun 21 21:04:50 blackbird /bsd: mixer_close: unit 0
Jun 21 21:13:16 blackbird /bsd: audio_open: dev=0x2ac0 flags=0x3 sc=0xd1fa8e00 hdl=0xd1f9a000
Jun 21 21:13:16 blackbird /bsd: audio_ioctl(48,'A',27)
Jun 21 21:13:16 blackbird /bsd: AUDIO_GETDEV
Jun 21 21:13:16 blackbird /bsd: audio_ioctl(48,'A',27) result 0
Jun 21 21:13:16 blackbird /bsd: audio_ioctl(32,'A',28)
Jun 21 21:13:16 blackbird /bsd: AUDIO_GETENC
Jun 21 21:13:16 blackbird /bsd: audio_ioctl(32,'A',28) result 0
Jun 21 21:13:16 blackbird /bsd: audio_ioctl(32,'A',28)
Jun 21 21:13:16 blackbird /bsd: AUDIO_GETENC
Jun 21 21:13:16 blackbird /bsd: audio_ioctl(32,'A',28) result 0
Jun 21 21:13:16 blackbird /bsd: audio_ioctl(32,'A',28)
Jun 21 21:13:16 blackbird /bsd: AUDIO_GETENC
Jun 21 21:13:16 blackbird /bsd: audio_ioctl(32,'A',28) result 0
Jun 21 21:13:16 blackbird /bsd: audio_ioctl(32,'A',28)
Jun 21 21:13:16 blackbird /bsd: AUDIO_GETENC
Jun 21 21:13:16 blackbird /bsd: audio_ioctl(32,'A',28) result 0
Jun 21 21:13:16 blackbird /bsd: audio_ioctl(32,'A',28)
Jun 21 21:13:16 blackbird /bsd: AUDIO_GETENC
Jun 21 21:13:16 blackbird /bsd: audio_ioctl(32,'A',28) result 0
Jun 21 21:13:16 blackbird /bsd: audio_ioctl(32,'A',28)
Jun 21 21:13:16 blackbird /bsd: AUDIO_GETENC
Jun 21 21:13:16 blackbird /bsd: audio_ioctl(32,'A',28) result 0
Jun 21 21:13:16 blackbird /bsd: audio_ioctl(32,'A',28)
Jun 21 21:13:16 blackbird /bsd: AUDIO_GETENC
Jun 21 21:13:16 blackbird /bsd: audio_ioctl(32,'A',28) result 0
Jun 21 21:13:16 blackbird /bsd: audio_ioctl(32,'A',28)
Jun 21 21:13:16 blackbird /bsd: AUDIO_GETENC
Jun 21 21:13:16 blackbird /bsd: audio_ioctl(32,'A',28) result 0
Jun 21 21:13:16 blackbird /bsd: audio_ioctl(32,'A',28)
Jun 21 21:13:16 blackbird /bsd: AUDIO_GETENC
Jun 21 21:13:16 blackbird /bsd: audio_ioctl(32,'A',28) result 22
Jun 21 21:13:16 blackbird /bsd: audio_ioctl(4,'A',29)
Jun 21 21:13:16 blackbird /bsd: AUDIO_GETFD
Jun 21 21:13:16 blackbird /bsd: audio_ioctl(4,'A',29) result 0
Jun 21 21:13:16 blackbird /bsd: audio_ioctl(4,'A',34)
Jun 21 21:13:16 blackbird /bsd: AUDIO_GETPROPS
Jun 21 21:13:16 blackbird /bsd: audio_ioctl(4,'A',34) result 0
Jun 21 21:13:16 blackbird /bsd: audio_ioctl(4,'A',26)
Jun 21 21:13:16 blackbird /bsd: audio_ioctl(4,'A',26) result 0
Jun 21 21:13:16 blackbird /bsd: audio_ioctl(136,'A',21)
Jun 21 21:13:16 blackbird /bsd: AUDIO_GETINFO
Jun 21 21:13:16 blackbird /bsd: read(1a) = 0
Jun 21 21:13:16 blackbird /bsd: AUDIO_MIXER_ENUM: 0 0 7 0
Jun 21 21:13:16 blackbird /bsd: read(1a) = 0
Jun 21 21:13:16 blackbird /bsd: AUDIO_MIXER_ENUM: 0 0 7 0
Jun 21 21:13:16 blackbird /bsd: read(e) = 8008
Jun 21 21:13:16 blackbird /bsd: read(e) = 8008
Jun 21 21:13:16 blackbird /bsd: audio_ioctl(136,'A',21) result 0
Jun 21 21:13:16 blackbird /bsd: audio_ioctl(136,'A',22)
Jun 21 21:13:16 blackbird /bsd: AUDIO_SETINFO mode=0x0
Jun 21 21:13:16 blackbird /bsd: audio: Setting record params sr=8000, enc=1, chan=1, prec=8
Jun 21 21:13:16 blackbird /bsd: audio: Setting play params sr=11025, enc=1, chan=1, prec=8
Jun 21 21:13:16 blackbird /bsd: set_rate(0)  0
Jun 21 21:13:16 blackbird /bsd: set_rate(0)  0
Jun 21 21:13:16 blackbird /bsd: audio_calc_blksize: record blksize=448
Jun 21 21:13:16 blackbird /bsd: audio_calc_blksize: play blksize=2240
Jun 21 21:13:16 blackbird /bsd: audio_calc_blksize: play blksize=2240
Jun 21 21:13:16 blackbird /bsd: audio: After setting record params sr=8000, enc=1, chan=1, prec=8
Jun 21 21:13:16 blackbird /bsd: audio: After setting play params sr=11025, enc=1, chan=1, prec=8
Jun 21 21:13:16 blackbird /bsd: read(1a) = 0
Jun 21 21:13:16 blackbird /bsd: au_set_gain: gain=127 balance=32, l=127 r=127
Jun 21 21:13:16 blackbird /bsd: audio_ioctl(136,'A',22) result 22

% audioctl -a
name=ICH4 AC97
version=0x01
config=auich0
encodings=ulinear:8,mulaw:8*,alaw:8*,slinear:8*,slinear_le:16,ulinear_le:16*,slinear_be:16*,ulinear_be:16*
properties=full_duplex,mmap,independent
full_duplex=0
fullduplex=0
blocksize=2240
hiwat=29
lowat=21
monitor_gain=0
mode=
play.rate=11025
play.channels=1
play.precision=8
play.encoding=mulaw
play.gain=127
play.balance=32
play.por

Greylisting causes mail failure

2005-06-22 Thread Hannah Schroeter
Hello!

I'm trying to deliver a mail (a bug report) from source IP
  212.227.35.69
and seem to not get it through.

Some time earlier I had the same problem, and even after many retries
(i.e. after more time than the greylisting timeout should be) it didn't
get through.

What's wrong?

Is that IP on a blacklist? If so which one?

Perhaps it'd be an improvement to spamd to report to the client on how
it got decided to block or greylist the IP, as that can come quite handy
if debugging is needed (i.e. legitimate mail doesn't get through even
after the usual greylist timeout).

Kind regards,

Hannah.



Re: Can't get through ftp-proxy/ftp-gateway :(

2005-06-22 Thread L. V. Lammert

At 01:08 PM 6/22/2005 +0200, Dunric wrote:
Our LAN is connected to the Internet with Proxy gateway. Access is 
authorized and requires following communication scheme:


USER 
PASS 
USER <[EMAIL PROTECTED]>
PASS 

Both proxy server and gateway are using this scheme, they just listen on 
different ports.


How do I setup OpenBSD's ftp client to communicate with such proxy ?


Why not use Lynx? It's a lot prettier than an ftp client, and I expect it 
might be more capable of handling your proxies.


Lee



Re: isakmpd only works if one side begins the communication

2005-06-22 Thread Abel Talaverón Estevez
On Wednesday, 22 June 2005 15:33, jared r r spiegel wrote:
> On Wed, Jun 22, 2005 at 02:01:43PM +0200, Abel Talaverón Estevez wrote:
> > Is it normal? Can I solve it with a parameter like "Retransmit" or
> > "Timeout"? I know that it happens something similar with D-Link
> > Firewalls.
>
>   need configs to answer accurately, please.
>
>   shouldn't need to dinker with retransmit or timeout values, shouldn't
>   need to 'kickstart' the connection with a ping or so, unless it was
> so-configured to begin with.
>
>   jared
>
> -
>
> [ openbsd 3.7 GENERIC ( jun 10 ) // i386 ]



isakmpd.conf on one side:

[General]
Exchange-max-time=  30
Check-interval= 30
DPD_check_interval= 30


[Phase 1]
10.0.0.57=  PEER-VPNPrueba2
Default=ISAKMP-clients

[Phase 2]
Connections=IPsec-clients,CONN-VPNPrueba2


# Phase 1 mobile client peer sections
#
[ISAKMP-clients]
Phase=  1
Transport=  udp
Configuration=  Client-main-mode
Authentication= vpnclientopenwired

# Phase 2 mobile client connection sections
###
[IPsec-clients]
Phase=  2
Configuration=  Client-quick-mode
Local-ID=   local-subnet
Remote-ID=  remote-client

# Mobile client ID sections
###
[local-subnet]
ID-type=IPV4_ADDR_SUBNET
Network=0.0.0.0
Netmask=0.0.0.0

[remote-client]
ID-type=IPV4_ADDR
Address=0.0.0.0

# Mobile client modes
#
[Client-main-mode]
DOI=IPSEC
EXCHANGE_TYPE=  ID_PROT
Transforms= 3DES-SHA

[Client-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE=  QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE

[Sucursal-main-mode]
DOI=IPSEC
EXCHANGE_TYPE=  ID_PROT
Transforms= 3DES-SHA

[Sucursal-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE=  QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE

# Sucursales
#PEER Section VPNPrueba2
[PEER-VPNPrueba2]
Phase=  1
Transport=  udp
Address=10.0.0.57
Configuration=  Sucursal-main-mode
Authentication= hen3ex

#CONNECTION SECTION VPNPrueba2
[CONN-VPNPrueba2]
Phase=  2
ISAKMP-peer=PEER-VPNPrueba2
Configuration=  Sucursal-quick-mode
Local-ID=   ID-LocalSubnet-VPNPrueba2
Remote-ID=  ID-RemoteSubnet-VPNPrueba2

#Local ID Section
[ID-LocalSubnet-VPNPrueba2]
ID-type=IPV4_ADDR_SUBNET
Network=10.0.40.0
Netmask=255.255.255.0

#Remote ID Section
[ID-RemoteSubnet-VPNPrueba2]
ID-type=IPV4_ADDR_SUBNET
Network=10.0.10.0
Netmask=255.255.255.0



isakmpd.conf on the other side:

[General]
Exchange-max-time=  30
Check-interval= 30
DPD_check_interval= 30




[Phase 1]
10.0.0.67=  PEER-VPNPrueba
Default=ISAKMP-clients

[Phase 2]
Connections=IPsec-clients,CONN-VPNPrueba


# Phase 1 mobile client peer sections
#
[ISAKMP-clients]
Phase=  1
Transport=  udp
Configuration=  Client-main-mode
Authentication= vpnclientopenwired

# Phase 2 mobile client connection sections
###
[IPsec-clients]
Phase=  2
Configuration=  Client-quick-mode
Local-ID=   local-subnet
Remote-ID=  remote-client

# Mobile client ID sections
###
[local-subnet]
ID-type=IPV4_ADDR_SUBNET
Network=0.0.0.0
Netmask=0.0.0.0

[remote-client]
ID-type=IPV4_ADDR
Address=0.0.0.0

# Mobile client modes
#
[Client-main-mode]
DOI=IPSEC
EXCHANGE_TYPE=  ID_PROT
Transforms= 3DES-SHA

[Client-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE=  QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE

[Sucursal-main-mode]
DOI=IPSEC
EXCHANGE_TYPE=  ID_PROT
Transforms= 3DES-SHA

[Sucursal-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE=  QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE

# Sucursales
#PEER Section VPNPrueba
[PEER-VPNPrueba]
Phase=  1
Transport=  udp
Address=10.0.0.67
Configuration=  Sucursal-main-mode
Authentication= hen3ex

#CONNECTION SECTION VPNPrueba
[CONN-VPNPrueba]
Phase=  2
ISAKMP-peer=PEER-VPNPrueba
Configuration=  Sucursal-quick-mode
Local-ID=   ID-LocalSubnet-VPNPrueba
Remote-ID=  ID-RemoteSubnet-VPNPrueba

#Local ID Section
[ID-LocalSubnet-VPNPrueba]
ID-type=IPV4_ADDR_SUBNET
Network=10.0.10.0
Netmask=255.255.255.0

#Remote ID Section
[ID-RemoteSubnet-VPNPrueba]
ID-type=IPV4_ADDR_SUBNET
Network=10.0.40.0
Netmask=255.255.255.0



Any idea?
I've been trying some values in check-interval and exchange-max-time with no 
success



Re: trouble compiling kernel with aac

2005-06-22 Thread Jason Crawford
The OP was trying to compile it on amd64, which it won't work on.
You're using it on i386, which it *sort of* works on. But it was
removed from the GENERIC kernel for i386 right before 3.7 was tagged,
and if there has been any work done to the kernel which might have
broken aac, no one would know (or care) since it's no longer
supported, and since Adaptec has made it quite clear they don't like
us.

On 6/22/05, O b s d <[EMAIL PROTECTED]> wrote:
> >Don't use Adaptec RAID (aac).  It does not work.
> 
> Works fine for me in 3.5 using dell perc 3/Di (aac).  Has the driver
> regressed any in 3.7?
> 
> 
> 
> Brad.
> 



upgrading from 3.5 -> 3.6 -> 3.7 worked perfectly

2005-06-22 Thread Scott Plumlee
Pardon the noise, but I just finished my first ever upgrade of an 
OpenBSD machine.  I'd like to thank the OpenBSD team for providing the 
clearest and easiest upgrade path I've ever experienced.  Upgraded to 
3.6 and then right to 3.7 without any problems at all, and then 
reinstalled all the packages and everything just worked without needing 
an extra keystroke at all.  Thanks again for the best computing 
environment around.




packagesbootstrap 0.1

2005-06-22 Thread Laurence Tratt
I have made available the first release of packagesbootstrap at:

  http://tratt.net/laurie/obsd/packagesbootstrap/

From the description:

  packagesbootstrap is a small utility which bulk downloads OpenBSD binary
  packages. The downloaded packages can then be installed en masse,
  minimising downtime.

Some of packagesbootstrap's features:

  * Requires only utilities found in base install of OpenBSD - can be run on
    a freshly installed machine.
  * Can interpret the output of pkg_info directly. If a list of packages is
    not specified, the output from pkg_info on the machine packagesbootstrap
    is being run on is used automatically.
  * Downloads the latest version of a package.
  * Understands package flavours.
  * Asks the user what to do in the presence of multiple versions of the same
    package.
  * Warns the user at the end of the download which packages could not be
    downloaded.
  * Can download packages for -current or -stable. packagesbootstrap detects
    which version the user is running, but this can be overridden.

There are various potential ways that packagesbootstrap could be used. I
typically use it either to get a freshly installed machine into shape, to
minimise downtime when updating a server, or just as a quick way to update a
desktop machine to the latest snapshot.

packagesbootstrap is released under a BSD / MIT licence. Please feel free to
poke and prod the source code and send me any updates.


Laurie
-- 
http://tratt.net/laurie/    -- Personal
http://convergepl.org/      -- The Converge programming language
http://sosym.dcs.kcl.ac.uk/ -- Software and Systems Modelling Team



Re: isakmpd only works if one side begins the communication

2005-06-22 Thread jared r r spiegel
On Wed, Jun 22, 2005 at 02:01:43PM +0200, Abel Talaverón Estevez wrote:
> 
> Is it normal? Can I solve it with a parameter like "Retransmit" or "Timeout"? 
> I know that it happens something similar with D-Link Firewalls.
 
  need configs to answer accurately, please.

  shouldn't need to dinker with retransmit or timeout values., shouldn't
  need to 'kickstart' the connection with a ping or so, unless it was
  so-configured to begin with.

  jared

- 

[ openbsd 3.7 GENERIC ( jun 10 ) // i386 ]



Re: OpenBSD 3.7, xorg.conf for dual head matrox mga?

2005-06-22 Thread steve . shockley
On Wed, June 22, 2005 7:29 am, chefren wrote:
> Is there someone who has a working dual monitor matrox X11 configuration?

http://digital-domain.net/lug/multi-monitor/



Re: pf/NAT/DNS Problems in OpenBSD-3.7 Current

2005-06-22 Thread Stuart Henderson

--On 22 June 2005 09:03 -0400, Vivek Ayer wrote:


> Once I enable pf with the given ruleset, I can't all of a sudden ping
> to domains.


PF is doing exactly what you told it ...


> priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 10.0.0.0/8 }"
>   [...]
> block drop in quick on $ext_if from $priv_nets to any
> block drop out quick on $ext_if from any to $priv_nets


If your ISP is using addresses within 192.168/16 for their 
infrastructure, you can't block access to those addresses.




> So, now the question is, can I do NAT from one interface to two
> internal interfaces? Or, would I have to modify it and in doing ext_if
> --> NAT --> int_if --> NAT --> wir_if (wireless interface)?

 [...]

> nat on $ext_if from !($ext_if) -> ($ext_if:0)
>
> what does this exactly do? Looking at it, I don't see int_if and
> wir_if to which it does nat to.


($ext_if) means "the IP address of $ext_if", in your case dc1.
!($ext_if) means the opposite of the above: any IP address *other than* 
the address of dc1.


So, this NATs traffic from any addresses not assigned to your external 
interface. Alternatively you could use something like,


nat on $ext_if from $int_if:network -> ($ext_if:0)
nat on $ext_if from $wir_if:network -> ($ext_if:0)



> Also, in dhcpd.conf, do I need to have the statement:
>
> option domain-name-servers 192.168.1.1
>
> to tell the dhcp clients of the internal interfaces that the
> nameserver they will be using is the ISP's?


Yes (unless you run a forwarder yourself, or configure the clients DNS 
resolver addresses manually).




> Sorry to bother you guys like this. I'm a newbie in OpenBSD as well as
> pf. Thanks a lot, though.


With  and pf.conf(5) by your side, 
start minimal (maybe just a nat rule, "pass on {$int_if, $wir_if}" 
"block in on $ext_if", "pass out on $ext_if keep state") and then 
gradually refine. Make one change at a time, test it and understand 
what it does before moving on to the next.


Using 'log' in your rules (both "pass" and "block" rules at first) and 
monitoring with tcpdump (as described in pflogd(8)) will show you the 
effects of any new rules which you try. You'll also find "pfctl -sr -v 
-v" useful in debugging firewall rules, and "pfctl -sn -v -v" useful in 
debugging nat/rdr.
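
The point about an ISP resolver sitting inside a blocked private range can be checked before a ruleset is loaded. This is an added shell example, not part of the original message: `blocked_resolvers` and `sample_resolv_conf` are hypothetical names, the `priv_nets` value and 192.168.1.1 come from the thread, and the second nameserver is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): list resolvers that a pf macro of
# blocked networks would cut off. The resolv.conf sample is constructed.

# blocked_resolvers NETS: read resolv.conf-style text on stdin and print
# "resolver matching-network" for every IPv4 nameserver inside NETS.
# NETS may be written as in pf.conf, e.g. "{ 10.0.0.0/8, 192.168.0.0/16 }".
blocked_resolvers() {
    awk -v nets="$1" '
    function ip2n(ip,    p) {               # dotted quad -> number, -1 if not IPv4
        if (ip !~ /^[0-9.]+$/ || split(ip, p, ".") != 4) return -1
        return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4]
    }
    BEGIN {
        gsub(/[{}]/, "", nets)              # accept the pf.conf brace form
        gsub(/^[ ,]+|[ ,]+$/, "", nets)
        n = split(nets, cidr, /[ ,]+/)
        for (i = 1; i <= n; i++) {
            split(cidr[i], part, "/")
            if (part[2] == "") part[2] = 32 # bare address: a single host
            size[i] = 2 ^ (32 - part[2])    # addresses covered by the prefix
            base[i] = int(ip2n(part[1]) / size[i])
        }
    }
    $1 == "nameserver" {
        a = ip2n($2)
        if (a < 0) next                     # IPv6 or malformed: not checked here
        for (i = 1; i <= n; i++)
            if (int(a / size[i]) == base[i]) print $2, cidr[i]
    }'
}

# Constructed resolv.conf, using the ISP resolver address from the thread.
sample_resolv_conf() {
    cat <<'EOF'
search example.net
nameserver 192.168.1.1
nameserver 198.51.100.53
EOF
}

# The macro exactly as quoted in the thread.
priv_nets='{ 127.0.0.0/8, 192.168.0.0/16, 10.0.0.0/8 }'
sample_resolv_conf | blocked_resolvers "$priv_nets"
```

Any line printed names a resolver that the two `block drop ... quick` rules would make unreachable on the external interface. On the firewall the same check is `blocked_resolvers "$priv_nets" < /etc/resolv.conf` after dhclient has written the file.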




Re: anoncvs

2005-06-22 Thread Ray Percival
On Wed, Jun 22, 2005 at 06:43:36AM -0400, Nick Holland wrote:
> Ray Percival wrote:
> > Trying to track -stable according to the FAQ I'm doing the following.
> >
> > setenv [EMAIL PROTECTED]:/cvs #Which seems to take and
> > the following cvs commands work and the fingerprints match.
> >
> > Then
> >
> > cvs up -rOPENBSD_3_7  -Pd
> > ? archivers/w-cabextract-1.1
> > ? archivers/w-unzip-5.51
> > ? archivers/w-faad-2.0p1
> > ? archivers/w-id3lib-3.8.3
> > ? archivers/w-lame-3.96.1
> > ? archivers/w-liba52-0.7.4p0
> > ? archivers/w-libid3tag-0.15.1b
> > ? archivers/w-libmad-0.15.1b
> > ? archivers/w-libmikmod-3.1.10p3
> > ? archivers/w-libogg-1.1.2
> > ? archivers/w-libvorbis-1.1.0p0
> > ? archivers/w-xmms-1.2.10p0
> > ? archivers/w-db-4.2.52p2
> > ? archivers/w-gdbm-1.8.3
> > ? archivers/w-autoconf-2.13p0
> > ? archivers/w-autoconf-2.57
> > ? archivers/w-autoconf-2.59
> > ? archivers/w-automake-1.4-p6p2
> > ? archivers/w-fribidi-0.10.4
> > ? archivers/w-gmake-3.80p0
> > ? archivers/w-gmp-4.1.4
> > ? archivers/w-help2man-1.29
> > ? archivers/w-libdvdread-0.9.4
> > ? archivers/w-libtool-1.5.10p2
> > ? archivers/w-metaauto-0.4
> > ? archivers/w-nasm-0.98.38
> > ? archivers/w-pkgconfig-0.15.0
> > ? archivers/w-sdl-1.2.7p1-sun
> > ? archivers/w-ffmpeg-20050130p0
> > ? archivers/w-libmpeg2-0.4.0b
> > ? archivers/w-python-2.3.5
> > ? archivers/w-tcl-8.4.7p1
> > ? archivers/w-libdvdnav-0.1.9
> > ? archivers/w-BitTorrent-3.4.2
> > ? archivers/w-wget-1.8.2
> > ? archivers/w-upsd-2.0
> > ? archivers/w-aspell-0.50.5p1
> > ? archivers/w-expat-1.95.6
> > ? archivers/w-texi2html-1.64
> > ? archivers/obconf
> > ? archivers/w-msttcorefonts-1.2
> > ? archivers/w-tk-8.4.7
> > ? archivers/w-vlc-0.8.1p1
> > ? archivers/w-wxWidgets-gtk-2.4.2p0-gtk2
> > ? archivers/w-wxWidgets-headers-2.4.2p0
> > cannot create_adm_p /tmp/anoncvs.cMrHUf9372/cvs-serv15237/archivers
> > No such file or directory
> >
> > in /usr/ports
> >
> > and in /usr/src (Which has been populated from the CD)
> >
> > cvs up -rOPENBSD_3_7 -Pd
> > cannot create_adm_p /tmp/anoncvs.UAKvF11238/cvs-serv31158/bin
> > No such file or directory
> >
> > I think I'm doing everything right. And can't find any steps that I'm missing
> > in the how-to. So what am I doing wrong, please.
>
> The ? files are files/directories which are in your tree, but not in the
> CVS repository.  Apparently, you are fond of building stuff from source
> rather than using packages. :) (hmm...some of that stuff looks like it
> is in the wrong place.  you might have Other Problems there)
Well this *is* my first OpenBSD box. Had to try it out. That and I got rather
frustrated with pkg_add not finding things and just built some stuff. Should
likely stop that. :) Yeah, at least one of those is an unofficial port. But
that's a rant for another day.
>
> The error message is, unfortunately, very vague.  CVS is kinda bizarre
> -- you can spend a lot of time trying to figure out why it can't create
> something in your /tmp directory, only to find out it was complaining
> about a problem on the SERVER end.
>
> So...first of all, check to make sure your /tmp directory is writable,
> make sure you have plenty of free space (note how I carefully dodged
> any numbers that define "plenty" -- but 20M would probably do it).  If
> that doesn't do it, try a different repository.  Or try today, the
> problem may be long-since resolved.
Cool thanks for the hints. Checking now.
>
> Nick.
>

--
BOFH excuse #139:

UBNC (user brain not connected)




Re: OpenBSD 3.7, xorg.conf for dual head matrox mga?

2005-06-22 Thread Nick Holland
On Wed, Jun 22, 2005 at 01:29:26PM +0200, chefren wrote:
> Is there someone who has a working dual monitor matrox X11 configuration?

yes.

Nick.



Re: pf/NAT/DNS Problems in OpenBSD-3.7 Current

2005-06-22 Thread Vivek Ayer
Hey all,

I'm a bit confused with all the help I'm getting. Let's just backtrack
for a second. I have an external interface (dc1) which is the
internet. I get connected via dhclient. All goes well so far. Before
pf, I enable dhcpd to two interfaces, (dc0 and ral0). This goes fine
as well. I've tested both interfaces and I can ssh into the firewall
from both interfaces. So far so good.

Once I enable pf with the given ruleset, I can't all of a sudden ping
to domains. The DNS server of the external interface (ISP) is
192.168.1.1. I use Sprint DSL (no PPPoE required) (will change to UVA
T1 Ethernet) and their DNS server is 192.168.1.1. Like I said, I'm not
running a nameserver on the firewall, so all I would have to do is
forward the nameserver that the external interface retrieves to the
internal interface(s). Something goes wrong in pf which all of you
have pointed out already. I need pf to do NAT.

So, now the question is, can I do NAT from one interface to two
internal interfaces? Or, would I have to modify it and in doing ext_if
--> NAT --> int_if --> NAT --> wir_if (wireless interface)?

Also, Jason, what do I snip and what do I keep exactly? It's kind of
unclear. Do I snip the priv_nets declaration? 192.168.1.1 is outside
the firewall. It's the ISP's nameserver. The question is, why can't I
ping to domains (google.com) right after I enable pf? Also, in
dhcpd.conf, do I need to have the statement:

option domain-name-servers 192.168.1.1

to tell the dhcp clients of the internal interfaces that the
nameserver they will be using is the ISP's?

Karl,

> This one tries to do NAT on all IP's not coming from
> any internal and wifi address pool?!

What do you mean by that? I can't do NAT to two interfaces from
ext_if? Do I have to NAT from dc1 to dc0 and then dc0 to ral0?

Also,

nat on $ext_if from !($ext_if) -> ($ext_if:0)

what does this exactly do? Looking at it, I don't see int_if and
wir_if to which it does nat to.


Sorry to bother you guys like this. I'm a newbie in OpenBSD as well as
pf. Thanks a lot, though.

Vivek



Re: spamd greylisting and server pools

2005-06-22 Thread Frank Bax

At 03:47 PM 6/21/05, Mark Pecaut wrote:


> On Tue, Jun 21, 2005 at 03:19:45PM -0400, Joseph C. Bender wrote:
> > comments that document who that server belongs to.  Gmail is one example
> > of a particularly frustrating set of mail servers to deal with.  Two /24's
> > (at least that I can recall off the top of my head).  And it seems like a
> > mail retry comes from damn near every IP if greylisting bounces it.
>
> This is where SPF actually comes in handy.  Just look at the spf
> record for that domain and manually whitelist that.



Is SPF record always in sync with mail server configs?  Not the last time I 
checked AOL. 



isakmpd only works if one side begins the communication

2005-06-22 Thread Abel Talaverón Estevez
Hi all,

I'm working with a firewall running OpenBSD with isakmpd. When I want to 
connect 2 or more firewalls, I can see the tunnels via: "netstat -rn | grep 
encap" but the only way to begin the real communication is starting it by one 
of the sides. If I try to begin with the other side it doesn't work until I 
do a ping (or some kind of communication) from the other side.

Is it normal? Can I solve it with a parameter like "Retransmit" or "Timeout"? 
I know that it happens something similar with D-Link Firewalls.

Thanks!!



OpenBSD 3.7, xorg.conf for dual head matrox mga?

2005-06-22 Thread chefren

Is there someone who has a working dual monitor matrox X11 configuration?


+++chefren



Can't get through ftp-proxy/ftp-gateway :(

2005-06-22 Thread Dunric
Our LAN is connected to the Internet with Proxy gateway. Access is authorized 
and requires following communication scheme:

USER 
PASS 
USER <[EMAIL PROTECTED]>
PASS 

Both proxy server and gateway are using this scheme, they just listen on 
different ports.

How do I setup OpenBSD's ftp client to communicate with such proxy ?
I've tried to specify login information in URL (export 
ftp_proxy="ftp://myname:[EMAIL PROTECTED]:8821/"), tried ftp-gateway mode 
(export FTPMODE=gate; export FTPSERVER="myname:[EMAIL PROTECTED]"; export 
FTPSERVERPORT=8921) but all attempts have failed :(
AFAIK ~/.netrc file can contain authentication information for remote ftp 
server only.

Please help, I can't add any package from ports. I've manually downloaded and 
installed wget and it can pass our proxy so if there is some way how to force 
pkg_add to use wget instead of ftp, there should be some solution.

Thx



Re: anoncvs

2005-06-22 Thread Nick Holland
Ray Percival wrote:
> Trying to track -stable according to the FAQ I'm doing the following.
> 
> setenv [EMAIL PROTECTED]:/cvs #Which seems to take and
> the following cvs commands work and the fingerprints match.
> 
> Then
> 
> cvs up -rOPENBSD_3_7  -Pd
> ? archivers/w-cabextract-1.1
> ? archivers/w-unzip-5.51
> ? archivers/w-faad-2.0p1
> ? archivers/w-id3lib-3.8.3
> ? archivers/w-lame-3.96.1
> ? archivers/w-liba52-0.7.4p0
> ? archivers/w-libid3tag-0.15.1b
> ? archivers/w-libmad-0.15.1b
> ? archivers/w-libmikmod-3.1.10p3
> ? archivers/w-libogg-1.1.2
> ? archivers/w-libvorbis-1.1.0p0
> ? archivers/w-xmms-1.2.10p0
> ? archivers/w-db-4.2.52p2
> ? archivers/w-gdbm-1.8.3
> ? archivers/w-autoconf-2.13p0
> ? archivers/w-autoconf-2.57
> ? archivers/w-autoconf-2.59
> ? archivers/w-automake-1.4-p6p2
> ? archivers/w-fribidi-0.10.4
> ? archivers/w-gmake-3.80p0
> ? archivers/w-gmp-4.1.4
> ? archivers/w-help2man-1.29
> ? archivers/w-libdvdread-0.9.4
> ? archivers/w-libtool-1.5.10p2
> ? archivers/w-metaauto-0.4
> ? archivers/w-nasm-0.98.38
> ? archivers/w-pkgconfig-0.15.0
> ? archivers/w-sdl-1.2.7p1-sun
> ? archivers/w-ffmpeg-20050130p0
> ? archivers/w-libmpeg2-0.4.0b
> ? archivers/w-python-2.3.5
> ? archivers/w-tcl-8.4.7p1
> ? archivers/w-libdvdnav-0.1.9
> ? archivers/w-BitTorrent-3.4.2
> ? archivers/w-wget-1.8.2
> ? archivers/w-upsd-2.0
> ? archivers/w-aspell-0.50.5p1
> ? archivers/w-expat-1.95.6
> ? archivers/w-texi2html-1.64
> ? archivers/obconf
> ? archivers/w-msttcorefonts-1.2
> ? archivers/w-tk-8.4.7
> ? archivers/w-vlc-0.8.1p1
> ? archivers/w-wxWidgets-gtk-2.4.2p0-gtk2
> ? archivers/w-wxWidgets-headers-2.4.2p0
> cannot create_adm_p /tmp/anoncvs.cMrHUf9372/cvs-serv15237/archivers
> No such file or directory
> 
> in /usr/ports
> 
> and in /usr/src (Which has been populated from the CD)
> 
> cvs up -rOPENBSD_3_7 -Pd
> cannot create_adm_p /tmp/anoncvs.UAKvF11238/cvs-serv31158/bin
> No such file or directory
> 
> I think I'm doing everything right. And can't find any steps that I'm missing
> in the how-to. So what am I doing wrong, please.

The ? files are files/directories which are in your tree, but not in the
CVS repository.  Apparently, you are fond of building stuff from source
rather than using packages. :) (hmm...some of that stuff looks like it
is in the wrong place.  you might have Other Problems there)

The error message is, unfortunately, very vague.  CVS is kinda bizarre
-- you can spend a lot of time trying to figure out why it can't create
something in your /tmp directory, only to find out it was complaining
about a problem on the SERVER end.

So...first of all, check to make sure your /tmp directory is writable,
make sure you have plenty of free space (note how I carefully dodged
any numbers that define "plenty" -- but 20M would probably do it).  If
that doesn't do it, try a different repository.  Or try today, the
problem may be long-since resolved.

Nick.



Re: spamd greylisting and server pools

2005-06-22 Thread Stuart Henderson

--On 21 June 2005 20:02 -0600, Steve Williams wrote:


What is the best way to add entries from greylisting.org to my
spamd-white table?


Personally I've been keeping them separate, e.g.

table  persist
table  persist
table  persist file "/etc/spamd-nogrey"

rdr proto tcp from  to (self) port smtp -> 127.0.0.1 port spamd
rdr proto tcp from ! to (self) port smtp -> 127.0.0.1 port spamd
no rdr proto tcp from  to (self) port smtp

This way, spamd-white is locally-generated data, and spamd-nogrey is
from greylisting.org and sources noted from examining spamdb output
every so often.

Note PF needs host-addresses, CIDR, or resolvable names, and not the
'missing octet' form used on greylisting.org (i.e. use 1.2.3.0/24 not
1.2.3).


Thank you VERY much for the information.  That is too cool.  This
poses another question... and I am sorry to bother you!

When the /etc/spamd-nogrey file is updated, is running:

pfctl -t spamd-nogrey -T replace -f /etc/spamd-nogrey

the best way to get the updated file loaded into the rules?


That's a good way - if you're watching the output, you might want to 
add -v to the line, which will display what changes have been made; if 
there are certain problems with the file format, this might alert you 
to them.


The other option is to reload the PF rules i.e. 'pfctl -f /etc/pf.conf' 
or just the tables 'pfctl -Tl -f /etc/pf.conf', which will also update 
the table from the file.



THANK YOU THANK YOU THANK YOU for the pointer about the format of the
file on greylist.org.  I would have NEVER found that one without many
bruises on my forehead and a huge bald spot on my head!


No problem (-:
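
The 'missing octet' conversion described above, as an added shell example that is not part of the original message: `nogrey_to_pf` and `sample_nogrey` are hypothetical names and the sample entries are constructed. It goes beyond the /24 case in the text by also handling one- and two-octet prefixes, entries already in CIDR form, host names, and malformed lines.

```shell
#!/bin/sh
# Added example (not from the thread): turn greylisting.org-style entries
# into lines a pf table file can hold. Sample data below is constructed.

# nogrey_to_pf: entries on stdin -> pf table entries on stdout.
# Lines that cannot be used are reported on stderr and skipped.
nogrey_to_pf() {
    awk '
    function octet_ok(s) { return (s ~ /^[0-9]+$/) && (s + 0 <= 255) }
    function bad(why) {
        printf "line %d skipped (%s): %s\n", NR, why, raw > "/dev/stderr"
    }
    {
        raw = $0
        sub(/#.*/, "")                      # strip trailing comments
        if (NF == 0) next                   # blank or comment-only line
        entry = $1; len = ""
        slash = index(entry, "/")
        if (slash > 0) {                    # explicit prefix length given
            len = substr(entry, slash + 1)
            entry = substr(entry, 1, slash - 1)
            if (len !~ /^[0-9]+$/ || len + 0 > 32) { bad("bad prefix length"); next }
        }
        if (entry !~ /^[0-9.]+$/) {
            # Not numeric: a host name, which pf resolves when the table loads.
            if (len != "") { bad("prefix length on a name"); next }
            print entry; next
        }
        sub(/\.$/, "", entry)               # tolerate "1.2.3."
        n = split(entry, o, ".")
        if (n < 1 || n > 4) { bad("wrong number of octets"); next }
        for (i = 1; i <= n; i++)
            if (!octet_ok(o[i])) { bad("octet out of range"); next }
        if (n == 4 && len == "") { print entry; next }   # single host
        if (len == "") len = n * 8          # missing octets imply the mask
        for (i = n; i < 4; i++) entry = entry ".0"
        print entry "/" len
    }'
}

# Constructed sample in the "missing octet" style described in the thread.
sample_nogrey() {
    cat <<'EOF'
# constructed entries
192.0.2              # three octets: a /24
198.51               # two octets: a /16
203.0.113.25         # full address: a single host
10.1.2.0/24          # already CIDR
mail.example.org     # name, left for pf to resolve
300.1.2              # invalid octet: skipped
EOF
}

sample_nogrey | nogrey_to_pf
```

Redirect the output to /etc/spamd-nogrey and load it with the `pfctl -t spamd-nogrey -T replace -f /etc/spamd-nogrey` command quoted above; adding -v shows what changed.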



Re: spamd greylisting and server pools

2005-06-22 Thread Heinrich Rebehn

Many helpful people wrote:

[snip]

Thanks to all for so many replies :-)
You have convinced me that relying only on Sender/Recipient is really a 
bad idea. I will try the mentioned patch(es) that whitelist a complete 
/24 subnet.


Regards,

Heinrich



Re: LinuxTag Karlsruhe Germany June 22 - 25

2005-06-22 Thread Wim Vandeputte
On Tue, Jun 21, 2005 at 06:23:20AM -0600, Bob Beck wrote:
> > I'll be hiding in the back, wearing nothing but a Speedo, it's really really
> > warm here. Yeah for global warming!
> > 
>   Wim hanging out in a speedo? Darn. Where's my frequent flyer miles.
> If I'm quick I can bring my speedo and hang out with him :)

only if Bob brings his thong...



Re: trouble compiling kernel with aac

2005-06-22 Thread O b s d

>Don't use Adaptec RAID (aac).  It does not work.


Works fine for me in 3.5 using dell perc 3/Di (aac).  Has the driver 
regressed any in 3.7?




Brad.
