Re: Did anybody hear this??

2005-07-25 Thread Matthew Weigel
Siju George said:
> Hi all,
>
> how much truth is actually in this article???
>
> http://www.securitypipeline.com/165700439

A lot.  And not so much.

Firewalls do nothing to verify the authenticity of packets
that get through, firewalls do nothing to protect the
secrecy of packets that get through.  Telnet behind a firewall
is still insecure to anything that is also behind the firewall,
for instance.

But, they *do* stop packets.  The author alludes to relying on
packet-stopping features of ACL-based switches, and that's not
really all that different from using a firewall.

And he pretends that the things firewalls do best - protect a
system you can't otherwise secure - is unnecessary.  Sorry, but
ActiveDirectory-authenticated Windows Filesharing is still
Windows Filesharing.

Should you depend on your firewall?  No.  Use it when other
solutions aren't available.  Is it a valid solution for some
problems?  Yes.
-- 
 Matthew Weigel
 hacker
 [EMAIL PROTECTED]



Re: OT: any problems with webservers on high ports blocked by corporate-firewalls?

2005-07-25 Thread Miles Keaton
Cool.  Thanks for your help, everyone.



Re: Did anybody hear this??

2005-07-25 Thread Chris Kuethe
On 7/25/05, Siju George <[EMAIL PROTECTED]> wrote:
> Hi all,
> 
> how much truth is actually in this article???
> http://www.securitypipeline.com/165700439

Bla bla bla firewalls are dead bla bla bla defense in depth bla bla bla.

Ultimately the good points the author makes are
1) you really should be securing everything up to the end host
2) you need to use "defense in depth".

Neither of these should be a surprise to anyone here.

Run pf to drop packets you don't need to see. Turn off un-needed
network services. Make your daemons drop privileges they don't need.
Use cryptography. Use exploit mitigation techniques. Validate input.
Use APIs designed for security. Write good clean, understandable code.
All of these bring a different asset to the table. If you've got a
bunch of easy-to-use security technologies, why would you not use
them... While the previous list assumes OpenBSD, a suitable list of
hardening practices is probably available for the platform/application
of your choice.

CK

-- 
GDB has a 'break' feature; why doesn't it have 'fix' too?



VIA EPIA-V USB device problem

2005-07-25 Thread Marc Beyerlin

Hey.

I am trying hard to get some USB devices to work on a VIA EPIA-V board with
VIA VT83C572 USB chipset using OpenBSD 3.7 (see dmesg below). I tried it with
a USB stick and a USB Ethernet adapter; both worked on another machine with an
Asus board and OpenBSD 3.6, so I am sure that both devices are OK.

The error I get is not very verbose: uhub0: device problem, disabling port x

Somewhere I read that this could maybe be a power problem, so I detached as
much hardware as possible, without effect.

Maybe somebody could give me help on how to solve this problem or maybe some
other hint.


Thanx in advance,
Marc Beyerlin


PS: #dmesg
OpenBSD 3.7 (GENERIC) #50: Sun Mar 20 00:01:57 MST 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: VIA Samuel 2 ("CentaurHauls" 686-class) 800 MHz
cpu0: FPU,DE,TSC,MSR,MTRR,PGE,MMX
real mem  = 796438528 (72K)
avail mem = 719544320 (702680K)
using 4278 buffers containing 39923712 bytes (38988K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(cc) BIOS, date 12/02/02, BIOS32 rev. 0 @ 0xfb140
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
pcibios0 at bios0: rev 2.1 @ 0xf/0xdf94
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf20/112 (5 entries)
pcibios0: PCI Exclusive IRQs: 10 11 15
pcibios0: PCI Interrupt Router at 000:17:0 ("VIA VT8231 ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0xc000 0xcc000/0x4000! 0xd/0xa000 0xda000/0x1800!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "VIA VT8601 PCI" rev 0x05
ppb0 at pci0 dev 1 function 0 "VIA VT82C601 AGP" rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "Trident CyberBlade i1" rev 0x6a
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 17 function 0 "VIA VT8231 ISA" rev 0x10
pciide0 at pci0 dev 17 function 1 "VIA VT82C571 IDE" rev 0x06: ATA100, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA, 38166MB, 78165360 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
pciide0: channel 1 ignored (disabled)
uhci0 at pci0 dev 17 function 2 "VIA VT83C572 USB" rev 0x1e: irq 10
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: VIA UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 17 function 3 "VIA VT83C572 USB" rev 0x1e: irq 10
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: VIA UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
viaenv0 at pci0 dev 17 function 4 "VIA VT8231 PMG" rev 0x10
vr0 at pci0 dev 18 function 0 "VIA RhineII-2" rev 0x51: irq 11 address 00:40:63:ca:67:ad
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface
ukphy0: OUI 0x004063, model 0x0032, rev. 5
pciide1 at pci0 dev 20 function 0 "ITExpress IT8212F" rev 0x11: DMA, channel 0 wired to native-PCI, channel 1 wired to native-PCI
pciide1: using irq 15 for native-PCI interrupt
wd1 at pciide1 channel 0 drive 0: 
wd1: 16-sector PIO, LBA48, 152627MB, 312581808 sectors
wd2 at pciide1 channel 0 drive 1: 
wd2: 16-sector PIO, LBA48, 152627MB, 312581808 sectors
wd1(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
wd2(pciide1:0:1): using PIO mode 4, Ultra-DMA mode 5
wd3 at pciide1 channel 1 drive 0: 
wd3: 16-sector PIO, LBA48, 152627MB, 312581808 sectors
wd4 at pciide1 channel 1 drive 1: 
wd4: 16-sector PIO, LBA48, 152627MB, 312581808 sectors
wd3(pciide1:1:0): using PIO mode 4, Ultra-DMA mode 5
wd4(pciide1:1:1): using PIO mode 4, Ultra-DMA mode 5
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0 (mux 1 ignored for console): console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: 
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
biomask f76d netmask ff6d ttymask ffef
pctr: user-level cycle counter enabled
uhub0: port 1, set config at addr 2 failed
uhub0: device problem, disabling port 1
dkcsum: wd0 matched BIOS disk 80
dkcsum: wd1 matched BIOS disk 81
dkcsum: wd2 matched BIOS disk 82
dkcsum: wd3 matched BIOS disk 83
dkcsum: wd4 matched BIOS disk 84
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
uhub0: device problem, disabling port 2
uhub0: device problem, disabling port 1



Re: Did anybody hear this??

2005-07-25 Thread Bruno Delbono
+++ Siju George [Tue Jul 26, 2005 at 10:18:56AM +0530]:
 
> how much truth is actually in this article???

It makes a lot of sense and is right on. What I take out of this article is
that having one single firewall (can be any type: network, application etc.)
at the perimeter doesn't stop hackers.

I don't see what really alarmed you. The author makes excellent points and I
agree with him.  Now SMBs might traditionally fit better with these
articles; bigger enterprises tend to differ, as many roles (for the users
anyway) are well defined, and so is access (incoming, outgoing) for internal &
external.

-Bruno



Did anybody hear this??

2005-07-25 Thread Siju George
Hi all,

how much truth is actually in this article???

http://www.securitypipeline.com/165700439

Thank you so much

Kind regards

Siju



Re: carp failover on DSL and Cable connection?

2005-07-25 Thread Jonathan Walther

On Mon, Jul 25, 2005 at 10:54:00AM +0100, Stephen Marley wrote:
> On Sun, Jul 24, 2005 at 10:37:29PM -0700, Jonathan Walther wrote:
> > I've read the carp manpage, but am not clear if carp is able to help
> > in the following scenario:
> > 
> > A box at a high availability colo site forwards some traffic to a
> > company LAN using a VPN.  There are two VPN connections it could
> > route packets through, one going through the LAN's Cable connection,
> > the other through its DSL connection.  Both VPN's connect to the same
> > end host on the other side of the two connections.
> > 
> > If the DSL connection goes down, I want all connections and traffic
> > to be shunted to the Cable connection.  I control both ends of the
> > VPN, which are OpenBSD Soekris boxes.
> > 
> > Is this possible out of the box and supported by OpenBSD, or is it
> > the wrong approach to trying to keep packets getting into the LAN
> > when one of the external connections fail?
> 
> You could run ospfd (or quagga) on each host. (You'll need to use gif
> or gre tunnels to give a multicast capable link over the vpns). Make
> the dsl tunnel the lower cost route and ospf will change the routing
> tables to use the other link if it goes down. When it comes back up,
> ospfd will switch the routing table back to the lower cost route. I use
> precisely this method to provide a backup to a 100Mb WAN link using
> ipsec/adsl.

Thank you Stephen!  This is exactly what I was looking for.  One
question; does this solution drop any connections during the change of
the routing table?  For my application, that isn't a problem, but it is
nice if it doesn't.

Jonathan

--
 It's not true unless it makes you laugh,   
but you don't understand it until it makes you weep.


Eukleia: Jonathan Walther
Address: 5690 Pioneer Ave, Burnaby, BC  V5H2X6 (Canada)
Contact: 604-430-4973
Website: http://reactor-core.org/
Puritan: Purity of faith, Purity of doctrine
Puritan: Sola Scriptura, Tota Scriptura

 Love is a sharp sword.  Hold it by the right end.
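
The ospfd approach Stephen describes, as an added example that is not from either post: an ospfd.conf for one end (the colo box), assuming gre0 is the GRE tunnel riding the DSL VPN and gre1 the one riding cable. The router-id, interface names, timers and metrics are assumptions for the example; the LAN end needs a mirror-image file, and hello-interval and router-dead-time must match on both ends of each tunnel or the adjacency never forms.

```conf
# Added example (not from the thread): /etc/ospfd.conf on the colo box.
# gre0 = tunnel over the DSL VPN (preferred), gre1 = tunnel over cable.
# Lower metric wins, so routes learned over gre0 are installed while its
# adjacency is up; when hellos stop for router-dead-time seconds the
# neighbour over gre0 is declared dead and the gre1 routes take over.
router-id 192.0.2.1

area 0.0.0.0 {
	interface gre0 {
		metric 10
		hello-interval 5
		router-dead-time 20
	}
	interface gre1 {
		metric 20
		hello-interval 5
		router-dead-time 20
	}
}
```

Before starting it, enable GRE with `sysctl net.inet.gre.allow=1`, create the two gre interfaces as usual, and run `ospfd -n` to check the file. `ospfctl show neighbor` shows when both adjacencies are FULL and `ospfctl show fib` which tunnel currently carries the routes. Failover takes up to router-dead-time seconds (20 here), during which packets in flight are lost and TCP retransmits; since the inner addresses do not change, established sessions survive the switch as long as pf states on the box are floating (the 3.7 default) rather than if-bound.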



Re: Disable IPv6 on 3.7

2005-07-25 Thread Lars Hansson
On Tue, 26 Jul 2005 08:29:19 +0800
"Russell J. Wood" <[EMAIL PROTECTED]> wrote:

> Yes, one can by commenting out `OPTION INET6' in the kernel
> configuration.

That wasn't the question. The question was if it can be done WITHOUT
a custom kernel and the answer to that is no.

---
Lars Hansson



Re: OT: any problems with webservers on high ports blocked by corporate-firewalls?

2005-07-25 Thread Lars Hansson
On Mon, 25 Jul 2005 08:42:33 -0700
Miles Keaton <[EMAIL PROTECTED]> wrote:

> In a proxyserver like that, if someone tried to go to
> http://somedomain.com:8765/ would it work?

If it was set up to allow connections to port 8765 it would but that pretty
much defeats the purpose of doing the blocking in the first place.

---
Lars Hansson



Re: mouse button emulation x.org & backspace & 8 bit X

2005-07-25 Thread rutledge.50

Rafael Marques Parra wrote:

> Could you send me your line about the right button mouse emulation ??? I have a 
> powerbook g4 and I use windowmaker so I need the emulation.
> 
> Thanks in advance.


Hi Rafael,
Sure, here is my ~/.Xmodmap:

keycode 76 = Pointer_Button2 Pointer_Drag2
keycode 95 = Pointer_Button3 Pointer_Drag3
keycode 107 = BackSpace
keycode 113 = Delete
keycode 64 = Pointer_EnableKeys

This makes F10 middle-click
 F11 right-click
 top-right-delete backspace
 enter-on-end-of-spacebar delete
 right-option toggle-mouse-button-emulation

Here is my .xinitrc:
xmodmap $HOME/.Xmodmap &
xsetroot -solid darkgrey &
icewm

I launch X by typing xinit.  My button emulation is ready to go 
automagically, I just hit the right option key to enable it.  If your 
keycodes are different than mine, you can use xev to find out the 
keycode values for your keyboard. 


Are you using wireless under OpenBSD?  If so, what device?

Linc






Re: Disable IPv6 on 3.7

2005-07-25 Thread Sean Brown
On July 25, 2005 7:34 pm, Peter Hessler wrote:
> On Tue, 26 Jul 2005 08:58:38 +0800
>
> "Russell J. Wood" <[EMAIL PROTECTED]> wrote:
> : Wow. I'm honestly surprised by the responses I've received. All I did
> : was answer a question and now I'm being jumped on, repeatedly.
>
> You told a user how to aim the proverbial gun at their foot.  I'm
> surprised the responses are this polite.

He didn't say anything that isn't in the OpenBSD FAQ.



Re: Disable IPv6 on 3.7

2005-07-25 Thread Peter Hessler
On Tue, 26 Jul 2005 08:58:38 +0800
"Russell J. Wood" <[EMAIL PROTECTED]> wrote:

: Wow. I'm honestly surprised by the responses I've received. All I did
: was answer a question and now I'm being jumped on, repeatedly.

You told a user how to aim the proverbial gun at their foot.  I'm
surprised the responses are this polite.

-- 
A day without sunshine is like night.



Re: Disable IPv6 on 3.7

2005-07-25 Thread knitti
On 7/26/05, Russell J. Wood <[EMAIL PROTECTED]> wrote:
> On Mon, Jul 25, 2005 at 08:42:29PM -0400, Brad wrote:
> > Go ahead if you want to use a custom un-supported system.
> 
> Thanks, I will.
> 
> > What is it that you think you're gaining from this?
> 
> A system without IPv6.
> 

you won't. you'll get a kernel without IPv6. and a broken system.

--knitti



Re: Disable IPv6 on 3.7

2005-07-25 Thread Russell J. Wood
On Tue, Jul 26, 2005 at 10:51:05AM +1000, Rod.. Whitworth wrote:
> On Tue, 26 Jul 2005 08:29:19 +0800, Russell J. Wood wrote:
> 
> >Yes, one can by commenting out `OPTION INET6' in the kernel
> >configuration.
> 
> You have the OP asking if he can disable it " on OpenBSD 3.7 without
> building a custom kernel ?"
> and you offer that really bright solution ?
> Just commenting it out won't do anything if he doesn't proceed to build
> a custom kernel.

I didn't see that line... I apologize.

> >And one would want to do that if they don't use, IPv6, since it's
> >pointless fat otherwise.
> 
> I suggest you STFA for unwanted consequences of such an action. They
> include, but are not limited to, cutting off support from the really
> cluey people here when problems arise.

What? If that's the case, a ``really cluey person'' wouldn't need
support, right?

> Most of the fat that needs cutting is in the brainspace of uninformed
> responders to a misguided, but probably innocent, query.

Wow. I'm honestly surprised by the responses I've received. All I did
was answer a question and now I'm being jumped on, repeatedly.

- Russell



Re: Disable IPv6 on 3.7

2005-07-25 Thread Russell J. Wood
On Mon, Jul 25, 2005 at 08:42:29PM -0400, Brad wrote:
> Go ahead if you want to use a custom un-supported system.

Thanks, I will.

> What is it that you think you're gaining from this?

A system without IPv6.

> On Tue, Jul 26, 2005 at 08:29:19AM +0800, Russell J. Wood wrote:
> > Yes, one can by commenting out `OPTION INET6' in the kernel
> > configuration.
> > 
> > And one would want to do that if they don't use, IPv6, since it's
> > pointless fat otherwise.
> > 
> > - Russell
> > 
> > On Mon, Jul 25, 2005 at 04:57:17AM -0500, Shawn K. Quinn wrote:
> > > On Mon, 2005-07-25 at 10:17 +0100, Gordon Ross wrote:
> > > > Is it possible to disable IPv6 on OpenBSD 3.7 without building a custom 
> > > > kernel ?
> > > 
> > > No, but why would you need to? Just don't assign an Internet-routable
> > > IPv6 address to the interface, if you're worried about security.
> > > 
> > > -- 
> > > Shawn K. Quinn <[EMAIL PROTECTED]>



Re: Disable IPv6 on 3.7

2005-07-25 Thread Rod.. Whitworth
On Tue, 26 Jul 2005 08:29:19 +0800, Russell J. Wood wrote:

>Yes, one can by commenting out `OPTION INET6' in the kernel
>configuration.

You have the OP asking if he can disable it " on OpenBSD 3.7 without
building a custom kernel ?"
and you offer that really bright solution ?
Just commenting it out won't do anything if he doesn't proceed to build
a custom kernel.

>
>And one would want to do that if they don't use, IPv6, since it's
>pointless fat otherwise.

I suggest you STFA for unwanted consequences of such an action. They
include, but are not limited to, cutting off support from the really
cluey people here when problems arise.

Most of the fat that needs cutting is in the brainspace of uninformed
responders to a misguided, but probably innocent, query.
>
>- Russell
>
>On Mon, Jul 25, 2005 at 04:57:17AM -0500, Shawn K. Quinn wrote:
>> On Mon, 2005-07-25 at 10:17 +0100, Gordon Ross wrote:
>> > Is it possible to disable IPv6 on OpenBSD 3.7 without building a custom 
>> > kernel ?
>> 
>> No, but why would you need to? Just don't assign an Internet-routable
>> IPv6 address to the interface, if you're worried about security.
>> 
>> -- 
>> Shawn K. Quinn <[EMAIL PROTECTED]>
>> 
>> 
>
>

From the land "down under": Australia.
Do we look  from up over?

Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.



Re: Disable IPv6 on 3.7

2005-07-25 Thread Brad
Go ahead if you want to use a custom un-supported system.

What is it that you think you're gaining from this?


On Tue, Jul 26, 2005 at 08:29:19AM +0800, Russell J. Wood wrote:
> Yes, one can by commenting out `OPTION INET6' in the kernel
> configuration.
> 
> And one would want to do that if they don't use, IPv6, since it's
> pointless fat otherwise.
> 
> - Russell
> 
> On Mon, Jul 25, 2005 at 04:57:17AM -0500, Shawn K. Quinn wrote:
> > On Mon, 2005-07-25 at 10:17 +0100, Gordon Ross wrote:
> > > Is it possible to disable IPv6 on OpenBSD 3.7 without building a custom 
> > > kernel ?
> > 
> > No, but why would you need to? Just don't assign an Internet-routable
> > IPv6 address to the interface, if you're worried about security.
> > 
> > -- 
> > Shawn K. Quinn <[EMAIL PROTECTED]>
> > 
> > 



Re: Disable IPv6 on 3.7

2005-07-25 Thread Russell J. Wood
Yes, one can by commenting out `OPTION INET6' in the kernel
configuration.

And one would want to do that if they don't use, IPv6, since it's
pointless fat otherwise.

- Russell

On Mon, Jul 25, 2005 at 04:57:17AM -0500, Shawn K. Quinn wrote:
> On Mon, 2005-07-25 at 10:17 +0100, Gordon Ross wrote:
> > Is it possible to disable IPv6 on OpenBSD 3.7 without building a custom 
> > kernel ?
> 
> No, but why would you need to? Just don't assign an Internet-routable
> IPv6 address to the interface, if you're worried about security.
> 
> -- 
> Shawn K. Quinn <[EMAIL PROTECTED]>
> 
> 
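
Two threads on this page point at the same ruleset: Chris Kuethe's "run pf to drop packets you don't need to see", and the conclusion of this thread that INET6 cannot be taken out of a stock 3.7 kernel. As an added example, not from any of the posts, here is a minimal default-deny pf.conf for a single host that does both. The interface name, the admin network and "ssh is the only inbound service" are assumptions for the example.

```pf
# Added example, not taken from any post on this page: a default-deny
# pf.conf for a single OpenBSD host.  Interface name, admin network and
# "ssh is the only inbound service" are assumptions for the example.
ext_if = "vr0"
admin_net = "192.0.2.0/24"

set skip on lo

# Deny everything by default and log it, so what is dropped stays visible.
block log all

# INET6 stays in the kernel (you cannot build it out of GENERIC without a
# custom kernel), so keep IPv6 off the wire here instead.  Link-local
# addresses remain configured; the rules just stop them talking.
block quick inet6

# Then pass only what this host is meant to do.
pass out quick on $ext_if inet proto { tcp, udp, icmp } from ($ext_if) keep state
pass in quick on $ext_if inet proto tcp from $admin_net to ($ext_if) port ssh keep state
```

Check it with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf` and confirm with `pfctl -sr`. `ifconfig | grep inet6` will still show the link-local addresses the kernel assigns, and ::1 still works on lo because of `set skip`; the rules only keep IPv6 off the wire, which is the effect Shawn's "don't assign an Internet-routable IPv6 address" advice aims at, on a supported kernel.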



eTimeBanker® Online Banking Account Access Limited (Security Code: PP-090-227-824)

2005-07-25 Thread [EMAIL PROTECTED]

   Dear Bank Of The West Customer,
  This is your official notification from Bank Of The West that the
service(s) listed below
   will be deactivated and deleted if not renewed immediately. Previous
notifications have
   been sent to the Billing Contact assigned to this account. As the
Primary Contact, you
   must renew the service(s) listed below or it will be deactivated and
deleted. Renew Now 
   SERVICE : Bank Of The West eTimeBanker with Bill Pay.
   EXPIRATION: Jul 30, 2005 
   Thank you,Bank Of The West Management Center Customer Support 
  
*
   IMPORTANT CUSTOMER SUPPORT INFORMATION
  
*   
Please do not reply to this message. For any inquiries, contact Customer
Service.Document Reference: (87051203).Bank Of The West, N.A.
Member FDIC.  Equal Housing Lender.
   Copyright © 2005 Bank Of The West, N.A. All rights reserved.



Re: IPSec Routing / Multiple Subnets / GRE Revisited

2005-07-25 Thread Brian A. Seklecki

On Sat, 23 Jul 2005, Hans-Joerg Hoexer wrote:

> Hi,
> 
> On Fri, Jul 22, 2005 at 06:43:34PM -0400, Brian A. Seklecki wrote:
> > The URL:
> > 
> > http://digitalfreaks.org/~lavalamp/openbsd_ipsec_generic.png
> > 
> > Outlines the generic cookie-cutter configuration from vpn(8) with
> > addressing changes.  A couple of comments on that document:
> > 
> > [...]
> 
> yes, please.

For the record, before I submit this PR, here is the generic isakmpd.conf 
from my lab:

---

[General]
Listen-on=  192.168.100.2

Default-Phase-1-Lifetime= 600,60:900
Default-Phase-2-Lifetime= 300,60:900

[Phase 1]
192.168.100.1=  ISAKMP-peer-Concentrator

[Phase 2]
Connections=IPsec-PghToConcentrator

[ISAKMP-peer-Concentrator]
Phase=  1
Transport=  udp
Address=192.168.100.1
Configuration=  Default-main-mode
Authentication= lies

[IPsec-PghToConcentrator]
Phase=  2
ISAKMP-peer=ISAKMP-peer-Concentrator
Configuration=  Default-quick-mode
Local-ID=   Net-Pgh
Remote-ID=  Net-Concentrator

[Net-Pgh]
ID-type=IPV4_ADDR
Address=192.168.100.2
Protocol=   47

[Net-Concentrator]
ID-type=IPV4_ADDR
Address=192.168.100.1
Protocol=   47

[Default-main-mode]
DOI=IPSEC
EXCHANGE_TYPE=  ID_PROT
Transforms= 3DES-SHA

[Default-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE=  QUICK_MODE
Suites= QM-ESP-TRP-3DES-MD5-SUITE

--

The other side is understandably opposite in respective places.


I create my tunnels:

# ifconfig gre0 create
# ifconfig gre0 192.168.200.2 192.168.200.1 netmask 0x link0 up
# ifconfig gre0 tunnel 192.168.100.2 192.168.100.1

---

Routing tables

Encap: Source Port Destination Port Proto SA(Address/Proto/Type/Direction) 
192.168.100.1/32 0 192.168.100.2/32 0 47 192.168.100.1/50/use/in 
192.168.100.2/32 0 192.168.100.1/32 0 47 192.168.100.1/50/require/out



sadb_dump: satype esp vers 2 len 39 seq 0 pid 0
errno 89: Unknown error: 89
sa: spi 0x2f88fffb auth hmac-md5 enc 3des-cbc
state larval replay 16 flags 0
lifetime_cur: alloc 0 bytes 0 add 1122327771 first 0
lifetime_soft: alloc 0 bytes 0 add 1080 first 0
lifetime_hard: alloc 0 bytes 0 add 1200 first 0
address_src: 192.168.100.2
address_dst: 192.168.100.1
identity_src: type prefix id 0: 192.168.100.2/32
identity_dst: type prefix id 0: 192.168.100.1/32
key_auth: bits 128: 0a4e518fdb7dfdf5d3a32b1e486490a7
key_encrypt: bits 192: d11e3b020f96c8160fdd8bee9778e2acee2790cd5be31e86

sadb_dump: satype esp vers 2 len 39 seq 0 pid 0
errno 89: Unknown error: 89
sa: spi 0xf75988c3 auth hmac-md5 enc 3des-cbc
state larval replay 0 flags 0
lifetime_cur: alloc 0 bytes 0 add 1122327768 first 0
lifetime_soft: alloc 0 bytes 0 add 1080 first 0
lifetime_hard: alloc 0 bytes 0 add 1200 first 0
address_src: 192.168.100.1
address_dst: 192.168.100.2
identity_src: type prefix id 0: 192.168.100.1/32
identity_dst: type prefix id 0: 192.168.100.2/32
key_auth: bits 128: 6d4096f6a3971b31b2a1642fb6563cc8
key_encrypt: bits 192: 4e833ca770b3c9409c7308522fa2ed8ad73a05911beaacab

sadb_dump: satype esp vers 2 len 39 seq 0 pid 0
errno 89: Unknown error: 89
sa: spi 0x0e22792c auth hmac-md5 enc 3des-cbc
state larval replay 16 flags 0
lifetime_cur: alloc 0 bytes 0 add 1122327771 first 0
lifetime_soft: alloc 0 bytes 0 add 1080 first 0
lifetime_hard: alloc 0 bytes 0 add 1200 first 0
address_src: 192.168.100.1
address_dst: 192.168.100.2
identity_src: type prefix id 0: 192.168.100.1/32
identity_dst: type prefix id 0: 192.168.100.2/32
key_auth: bits 128: aaab5a489fe9c6fe7f950ecd7e8665c6
key_encrypt: bits 192: aabf088d4bb7928dd5d3515359fdc0a0c7bbd1bc11a705ab

sadb_dump: satype esp vers 2 len 39 seq 0 pid 0
errno 89: Unknown error: 89
sa: spi 0x61def2ad auth hmac-md5 enc 3des-cbc
state larval replay 0 flags 0
lifetime_cur: alloc 0 bytes 0 add 1122327768 first 0
lifetime_soft: alloc 0 bytes 0 add 1080 first 0
lifetime_hard: alloc 0 bytes 0 add 1200 first 0
address_src: 192.168.100.2
address_dst: 192.168.100.1
identity_src: type prefix id 0: 192.168.100.2/32
identity_dst: type prefix id 0: 192.168.100.1/32
key_auth: bits 128: 96bcaad8da66a92d67247f1bcc8ab0e1
key_encrypt: bits 192: 1fe5ada905338811fa97ad1af009e11f2237c434a225fc00





When I start isakmpd(8), I can use tcpdump(8) to see that the only traffic 
between 192.168.100.2 and 192.168.100.1 that is encrypted (seen via enc0) 
is GRE encapsulated traffic:


At that point in time:

*) Bot
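
As an added check, not code from the post or from OpenBSD: this Python script parses the encap routing table and the SADB dump printed above and reports what a reviewer of that setup would look at: flows without a twin in the other direction, an inbound flow at level use rather than require, SAs whose algorithms differ from the configured suite, SAs that are not in the mature state, and SAs with a zero replay window. The sample strings are copied from the post; the flow level semantics (a use flow is satisfied whether or not the matching packet arrived protected, a require flow is not) follow ipsec(4), the state rule (only mature SAs carry traffic) follows RFC 2367, and the expected algorithms come from the QM-ESP-TRP-3DES-MD5-SUITE line in the isakmpd.conf above.

```python
import re

# Sample input copied from the post above: the two 'Encap:' flow lines and
# two of the SADB records, trimmed to the fields this check uses.
ENCAP_SAMPLE = """\
192.168.100.1/32 0 192.168.100.2/32 0 47 192.168.100.1/50/use/in
192.168.100.2/32 0 192.168.100.1/32 0 47 192.168.100.1/50/require/out
"""
SADB_SAMPLE = """\
sa: spi 0x2f88fffb auth hmac-md5 enc 3des-cbc
state larval replay 16 flags 0
address_src: 192.168.100.2
address_dst: 192.168.100.1
sa: spi 0xf75988c3 auth hmac-md5 enc 3des-cbc
state larval replay 0 flags 0
address_src: 192.168.100.1
address_dst: 192.168.100.2
"""
# What QM-ESP-TRP-3DES-MD5-SUITE in the isakmpd.conf above asks for.
EXPECTED = {"auth": "hmac-md5", "enc": "3des-cbc"}


def parse_flows(text):
    """One dict per flow line: src, dst, proto, sa_proto, level, direction."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # header or unrelated output
        src, _sport, dst, _dport, proto, sa = parts
        _peer, sa_proto, level, direction = sa.split("/")
        flows.append({"src": src, "dst": dst, "proto": int(proto),
                      "sa_proto": int(sa_proto), "level": level,
                      "direction": direction})
    return flows


def parse_sas(text):
    """Group the multi-line SADB dump into one dict per 'sa:' record."""
    sas, cur = [], None
    for line in text.splitlines():
        m = re.match(r"sa: spi (0x[0-9a-f]+) auth (\S+) enc (\S+)", line)
        if m:
            cur = {"spi": m.group(1), "auth": m.group(2), "enc": m.group(3)}
            sas.append(cur)
            continue
        m = re.match(r"state (\w+) replay (\d+)", line)
        if m and cur is not None:
            cur["state"], cur["replay"] = m.group(1), int(m.group(2))
            continue
        m = re.match(r"address_(src|dst): (\S+)", line)
        if m and cur is not None:
            cur[m.group(1)] = m.group(2)
    return sas


def audit(flows, sas, expected=EXPECTED):
    """Findings a reviewer would raise; an empty list means nothing to report."""
    findings = []
    keys = {(f["src"], f["dst"], f["proto"], f["direction"]) for f in flows}
    for f in flows:
        rev = "in" if f["direction"] == "out" else "out"
        # Both directions of the tunnel must be selected, or one side is
        # negotiated and the other goes nowhere.
        if (f["dst"], f["src"], f["proto"], rev) not in keys:
            findings.append(f"no reverse flow for {f['src']}->{f['dst']} proto {f['proto']}")
        # A 'use' flow is satisfied by matching traffic whether or not it was
        # protected; only 'require' insists on the SA.
        if f["direction"] == "in" and f["level"] != "require":
            findings.append(f"inbound flow {f['src']}->{f['dst']} is level "
                            f"'{f['level']}', cleartext proto {f['proto']} is accepted too")
    for sa in sas:
        tag = f"SA {sa['spi']} {sa.get('src')}->{sa.get('dst')}"
        if (sa["auth"], sa["enc"]) != (expected["auth"], expected["enc"]):
            findings.append(f"{tag}: negotiated {sa['auth']}/{sa['enc']}, expected "
                            f"{expected['auth']}/{expected['enc']}")
        # PF_KEY treats only 'mature' SAs as usable; anything else needs a look.
        if sa.get("state") != "mature":
            findings.append(f"{tag}: state {sa.get('state')}, not mature")
        # A zero replay window means no anti-replay check on that SA.
        if sa.get("replay") == 0:
            findings.append(f"{tag}: replay window 0, anti-replay disabled")
    return findings


if __name__ == "__main__":
    for line in audit(parse_flows(ENCAP_SAMPLE), parse_sas(SADB_SAMPLE)):
        print(line)
```

Against the posted output it reports four things: the inbound flow is level use, both SAs are larval rather than mature, and one SA has a replay window of 0. Feed it the live `netstat -rn` encap table and SADB dump instead of the samples to use it on a running box. Separately, 3DES with HMAC-MD5 is what the configuration above negotiates and is legacy by today's standards; EXPECTED is the place to tighten that once the suites in isakmpd.conf change.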

Re: IDE / SATA Filesystem Mounting Problem

2005-07-25 Thread George Georgalis
On Fri, Jul 22, 2005 at 05:38:54PM -0500, bofh wrote:
>On 7/20/05, Ryan Yu <[EMAIL PROTECTED]> wrote:
>>
>> I'm having a problem adding a SATA drive to my current obsd configuration.
>> I
>> have two IDE drives in the box. A 12gig and a 40gig. I have the /, /usr,
>> /var, /tmp and swap on the 12gig and /home on the 40 gig. I just purchased
>> a
>> SATA drive with a pci controller card to add to the box. When I do add it
>> to
>> the box, the bios recognizes the disk and everything, and then it asks me
>> which device to boot from at which point I choose the IDE Master. The obsd
>> kernel boots fine, but then when it tries to mount the filesystems, there
>> are
>> errors. The problem is that when I add the SATA drive, the device ID
>> becomes
>> wd0.
>>
>
>Sounds like a bios configuration. You probably have one of the newer bioses
>which allows you to choose from multiple boot devices, and if it fails, it
>falls through to the next. That's why you can boot. However, because the
>sata drive (probably because the pci controller is given priority) was the
>first drive "seen", it became wd0.
>
>All you have to do is to go into the bios, and set the boot priority such
>that the ide drive boots before everything else.

My particular BIOS (and I'm not the OP) will allow disabling the first
or second (pata) ide channel, and/or the on-board sata controller.  In
the boot order, it gives hd-0, hd-1, ... cdrom, lan, scsi, as options
(no sata). With everything enabled, it starts counting disks from the
PATA controller, then on-board SATA, then pci controllers, when OpenBSD
re-mounts the root fs in rw mode, it counts disks from the outside of
pci controllers, then on-board SATA, then on-board PATA.

So the root fs that gets mounted rw is not necessarily the same root ro
that it was booted from.

// George


-- 
George Georgalis, systems architect, administrator <
http://galis.org/ cell:646-331-2027 mailto:[EMAIL PROTECTED]



Out of Office AutoReply: [SPAM_EMAIL] - Mail Delivery (failure [EMAIL PROTECTED]) - Email found in subject

2005-07-25 Thread Mandeep Sodhi
I am currently out of the office and will return on 7/27. If this is urgent 
please reach me on my cell phone 916-704-7077. I will also be checking my 
emails periodically.

thanks
mandeep

Mandeep Sodhi
Vice President Sales
R Systems Inc
http://www.rsystems.com
Work: 916-939-5108 
Cell:   916-704-7077 
Fax:   916-939-6303 
"A CMM Level 5 Company"



Re: OT: any problems with webservers on high ports blocked by corporate-firewalls?

2005-07-25 Thread knitti
On 7/25/05, Miles Keaton <[EMAIL PROTECTED]> wrote:
> On 7/25/05, Lars Hansson <[EMAIL PROTECTED]> wrote:
> > FYI, we block *everything*, employees have to use our proxyserver (squid)
> > to browse the web.
> 
> In a proxyserver like that, if someone tried to go to
> http://somedomain.com:8765/ would it work?

I don't know, but you could set up apache as proxy, use mod_proxy and
mod_rewrite to map http://somedomain.com/user1 to
http://somedomain.com:8765 or http://internal.somedomain.com:8765 or
whatever. Repeat for more users and increase ports.

--knitti



Re: OT: any problems with webservers on high ports blocked by corporate-firewalls?

2005-07-25 Thread Spruell, Darren-Perot
From: Miles Keaton [mailto:[EMAIL PROTECTED]
> On 7/25/05, Lars Hansson <[EMAIL PROTECTED]> wrote:
> > FYI, we block *everything*, employees have to use our 
> proxyserver (squid)
> > to browse the web.
> 
> In a proxyserver like that, if someone tried to go to
> http://somedomain.com:8765/ would it work?

Only if the proxy was configured to consider that a safe port to allow
clients access to. By default it is not.

At any rate, the last two companies I have worked for have had a default
deny outbound policy. It's been good to see the advantages of that over
allowing all traffic outbound. When everything was allowed outbound, our
address space got listed on several RBLs because of email-propagating worms
connecting out and we had several fiascos with a group of lusers port
scanning remote subnets. We too restricted outbound web access (HTTP, HTTPS,
FTP) to only come through our caches. It's arguably a safer approach.

DS



Re: OT: any problems with webservers on high ports blocked by corporate-firewalls?

2005-07-25 Thread Miles Keaton
On 7/25/05, Lars Hansson <[EMAIL PROTECTED]> wrote:
> FYI, we block *everything*, employees have to use our proxyserver (squid)
> to browse the web.

In a proxyserver like that, if someone tried to go to
http://somedomain.com:8765/ would it work?



Re: Create my own shell?

2005-07-25 Thread Qv6
>   Operating ksh in restricted mode may fulfill your needs. Here from
> the man page for ksh (this is the public domain Korn Shell in
> OpenBSD):
>
> -r  Restricted shell.  A shell is ``restricted'' if this option
> is used or if either the basename the shell was invoked with or the
> SHELL parameter match the pattern ``*r*sh'' (e.g. rsh, rksh, rpdksh).
>  The following restrictions come into effect after the shell
> processes any profile and ENV files:
>
 
bash has the same switch. see man bash



Re: Create my own shell?

2005-07-25 Thread Andreas Kahari
On 25/07/05, Abel Talaversn Estevez <[EMAIL PROTECTED]> wrote:
> Hi all,
> 
> I need to create a particular but simple shell for a firewall running OpenBSD
> 3.6. The idea is create a user whose shell is a very limited one. This shell
> or command line interpreter (CLI) must have permissions only in the home
> directory.
> 
> How could I do this? Any ideas? Editing the source code of sh?, for example.
> Make my own cli?

Try existing solutions first.

Debian packages something called "Operators Shell" (osh).  You could
possibly try porting it if rksh isn't enough.

http://packages.debian.org/stable/shells/osh

I'm unaware of anything similar in the OpenBSD port tree.

Andreas

-- 
Andreas Kahari

PGP: 1024D/C2E163CB



Re: bgpd and community attribute setting

2005-07-25 Thread G Douglas Davidson

On Jul 25, 2005, at 10:49 AM, Henning Brauer wrote:

> * G Douglas Davidson <[EMAIL PROTECTED]> [2005-07-25 16:30]:
> > I'm running bgpd on openbsd version 3.5 (I know, time to upgrade.)  I'm
> > attempting to create a network statement that sets the community value
> > to "NO_EXPORT" for a network and I'm getting syntax errors.
> 
> support for setting communities was added post-3.5.
> 
> > but I'd need to upgrade for that (it's on the agenda.)
> 
> well a current bgpd should compile on an older OpenBSD with minor
> adjustments - but you really want to upgrade, there were changes wrt
> the routing table and kernel memory usage that help bgpd machines a lot.
> 
> --
> BS Web Services, http://www.bsws.de/
> OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
> Unix is very simple, but it takes a genius to understand the simplicity.
> (Dennis Ritchie)

Thanks for the info.  I think I'll go with the update and keep it simple.

Many Thanks!

--
G. Douglas Davidson  | CityNet, Inc.
[EMAIL PROTECTED] | Pittsburgh, PA
voice: 412.481.5406  | fax: 412.431.1315



HP DL145 G2?

2005-07-25 Thread Mike Shaw
Hey folks, I'm about to build another obsd server for some pseudo-mission
critical work, and HP is kind of our standard now. I've verified with
someone off list that DL140s run well, but for performance and
philosophical reasons I'm choosing AMD...looking at a DL145 G2 2Ghz SATA.

I saw some troubles on the archives regarding this, but I wanted to verify
the latest:

* Are the broadcom nics reliable at this point?
* I'm assuming amd64 OpenBSD is ready for prime time.
* Any potential gotchas?

-Mike



Re: bgpd and community attribute setting

2005-07-25 Thread Henning Brauer
* G Douglas Davidson <[EMAIL PROTECTED]> [2005-07-25 16:30]:
> I'm running bgpd on openbsd version 3.5 (I know, time to upgrade.)  I'm 
> attempting to create a network statement that sets the community value 
> to "NO_EXPORT" for a network and I'm getting syntax errors.

support for setting communities was added post-3.5.

> but I'd need to upgrade for that (it's on the agenda.)

well a current bgpd should compile on an older OpenBSD with minor 
adjustments - but you really want to upgrade, there were changes wrt 
the routing table and kernel memory usage that help bgpd machines a lot.

-- 
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)



Re: Create my own shell?

2005-07-25 Thread Jon Drews
On 7/25/05, Abel Talaverón Estevez <[EMAIL PROTECTED]> wrote:
> Hi all,
> 
> I need to create a particular but simple shell for a firewall running OpenBSD
> 3.6. The idea is create a user whose shell is a very limited one. This shell
> or command line interpreter (CLI) must have permissions only in the home
> directory.

Hi:

  Operating ksh in restricted mode may fulfill your needs. Here from
the man page for ksh (this is the public domain Korn Shell in
OpenBSD):

-r  Restricted shell.  A shell is ``restricted'' if this option is
 used or if either the basename the shell was invoked with or the
 SHELL parameter match the pattern ``*r*sh'' (e.g. rsh, rksh,
 rpdksh).  The following restrictions come into effect after the
 shell processes any profile and ENV files:

 o   The cd command is disabled.
 o   The SHELL, ENV, and PATH parameters cannot be changed.
 o   Command names can't be specified with absolute or relative
 paths.
 o   The -p option of the built-in command command can't be used.
 o   Redirections that create files can't be used (i.e. `>', `>|',
 `>>', `<>'). 

-- 
Kind regards,
Jonathan
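A restricted ksh is only as tight as the PATH it is started with and the commands reachable through it. The script below is an added example, not from this thread and not OpenBSD code: it builds a home directory for a user whose login shell is rksh (or ksh -r), pins PATH to a tiny bin/ of symlinks, and audits that layout for the two things that usually break the restriction (a profile the user can rewrite before the restrictions kick in, and an allowed command that can run other commands). The allowed list, escape list and directory names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread, not OpenBSD code): build and audit a
# home directory for a user whose login shell is ksh in restricted mode
# (/bin/ksh invoked as rksh, or "ksh -r"). Everything here is hypothetical:
# the allowed command list, the directory names and the escape list.
set -eu

# Commands the restricted user may run. Keep this list short and check each
# one: anything that can spawn a subprocess or write arbitrary files
# (editors, pagers, ftp, ssh, awk, find, ...) defeats the restriction.
ALLOWED="ls cat id"
# Commands known to offer a shell escape or arbitrary command execution.
ESCAPES="vi ex ed less more man ftp ssh scp awk find perl"

# make_restricted_home HOME_DIR CMD_SOURCE_DIR
#   Populate HOME_DIR/bin with symlinks to the allowed commands found in
#   CMD_SOURCE_DIR (e.g. /bin) and write a .profile that pins PATH to it.
make_restricted_home() {
    home=$1
    srcdir=$2
    mkdir -p "$home/bin"
    for cmd in $ALLOWED; do
        if [ -x "$srcdir/$cmd" ]; then
            ln -sf "$srcdir/$cmd" "$home/bin/$cmd"
        fi
    done
    # rksh applies its restrictions only AFTER .profile and $ENV have been
    # processed, so the profile itself is the trust anchor: it sets PATH,
    # clears ENV, and must not be writable by the restricted user
    # (chown it and bin/ to root after running this).
    cat > "$home/.profile" <<'EOF'
PATH=$HOME/bin
export PATH
ENV=
export ENV
EOF
    chmod 0644 "$home/.profile"
    chmod 0755 "$home/bin"
}

# audit_restricted_home HOME_DIR
#   Return 0 if the layout still looks safe, 1 otherwise. Checks that the
#   profile is not group/world writable and that bin/ holds no command
#   from the ESCAPES list.
audit_restricted_home() {
    home=$1
    bad=0
    if [ -n "$(find "$home/.profile" -perm -020 -o -perm -002 2>/dev/null)" ]; then
        echo "WARN: $home/.profile is group- or world-writable" >&2
        bad=1
    fi
    for f in "$home"/bin/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue
        name=${f##*/}
        for esc in $ESCAPES; do
            if [ "$name" = "$esc" ]; then
                echo "WARN: $name in $home/bin can run arbitrary commands" >&2
                bad=1
            fi
        done
    done
    return $bad
}

# Usage (as root, after creating the account with rksh as its login shell):
#   make_restricted_home /home/limited /bin
#   chown -R root:wheel /home/limited/bin /home/limited/.profile
#   audit_restricted_home /home/limited
```

The audit only checks mode bits and names; ownership of the home directory and of .profile still has to be verified by hand, and any extra login path (scp/sftp with the same account, for instance) that can write into the home directory lets the user replace .profile and escape.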



Re: missing: ./etc/acpi

2005-07-25 Thread b h
--- Stuart Henderson <[EMAIL PROTECTED]> wrote:
> --On 24 July 2005 14:25 -0700, b h wrote:
> 
> > Checking special files and directories.
> > Output format is:
> > filename:
> > criteria (shouldbe, reallyis)
> > missing: ./etc/acpi
> 
> Check you have updated /etc/mtree files from
> /usr/src/etc and have run 
> mtree (right near the end of 
> ).
> 
> Since you have a file in /dev on one machine and not
> the other, also 
> check you have run MAKEDEV.
> 

I took your suggestions and ran both the mtree and
MAKEDEV lines on both machines, and rebooted, and
still, only one has the acpi device.

secondly, I am also very diligent at running the  cd
/usr/src/etc && env DESTDIR=/ make distrib-dirs line
during every upgrade

and lastly the machine that has the device node (but
also gives me the error), was installed fresh
(reformatted) from a snapshot on or around June 8, and
-following-current (post 3.7 instructions) does not
mention anything about devices or updates regarding
acpi to /etc for i386.

so, for the other machine that is "missing" the
/dev/acpi... I had installed from a snap (reformatted)
I think in the middle of 3.6 and 3.7, and I thought I
also was very diligent with my upgrading, keeping
current within a week or so, doing all the
-following-current instructions etc.).  For good
measure, this morning I copied over the mtree from
etc3.7.tgz and ran it.  then upgraded all my src via
cvs again (updates since yesterday), and reran all the
steps, making GENERIC, make obj, make build, that make
distrib-dirs line, etc  (and like I said earlier,
I had run MAKEDEV).  the whole deal, and still, no
acpi device.

so, both machines work perfectly, (even though I am
getting that insecurity mail about missing) but it
bothers me I don't know what machine is currently in
the proper state, whether that device should actually
be there or not, 

any other ideas?

thanks
b








Re: 3.7 install hangs with 3ware 8006-2LP

2005-07-25 Thread L. V. Lammert
On Mon, 25 Jul 2005, Willi Schiegel wrote:

> Hello Group,
>
> I tried to install OpenBSD 3.7 on an Intel Pentium4 system with a 3ware
> Escalade 8006-2LP raid controller but the installation hangs with a
> system freeze. I found in the supported hardware section of the OpenBSD
> documentation under RAID and Cache Controllers:
>
> - 3ware Escalade 3W-5x00 and 3W-6x00 series (twe) (A) (C)
>
> So my controller seems not to be supported. Does anyone know when the
> 8006-2LP will be supported?
>
You really should check the archives before asking a question - this issue
has been beat to death in the past two years (3Ware refuses to release any
documentation).

The answer to your question is - probably never.

If you need h/w RAID, go LSI.

Lee


  Leland V. Lammert[EMAIL PROTECTED]
Chief Scientist Omnitec Corporation
 Network/Internet Consultants   www.omnitec.net




bgpd and community attribute setting

2005-07-25 Thread G Douglas Davidson
I'm running bgpd on openbsd version 3.5 (I know, time to upgrade.)  I'm 
attempting to create a network statement that sets the community value 
to "NO_EXPORT" for a network and I'm getting syntax errors.  I've 
tried:


network 192.168.1.0/24 set community 65535:65281

And I get:

Jul 25 07:43:51 freeza bgpd[845]: /etc/bgpd.conf:20: syntax error

I've also tried setting things up with the network statement separate:

network 192.168.1.0/24

and adding this to the filter section:

match prefix 192.168.1.0/24 set community 65535:65281

And again, there is the syntax error.

I see that in the latest version I can:

network 192.168.1.0/24 set community NO_EXPORT

but I'd need to upgrade for that (it's on the agenda.)

Thanks for any assistance!


--
G. Douglas Davidson  | CityNet, Inc.
[EMAIL PROTECTED] | Pittsburgh, PA
voice: 412.481.5406  | fax: 412.431.1315



Re: Create my own shell?

2005-07-25 Thread Ivo Dijkhuis

Abel Talaverón Estevez wrote:

Hi all,

I need to create a particular but simple shell for a firewall running OpenBSD 
3.6. The idea is create a user whose shell is a very limited one. This shell 
or command line interpreter (CLI) must have permissions only in the home 
directory.


How could I do this? Any ideas? Editing the source code of sh?, for example. 
Make my own cli?


Maybe something like rksh (ksh -r) ?

Regards,
Ivo



pfsync problem

2005-07-25 Thread luis
Hi all,

I've a problem with pfsync.

If I allow state information to be exchanged through pfsync, downloads from
the ftp server rarely finish successfully. This seems to affect only the ftp
downloads. I've made a tcpdump on pfsync0 and I can't see a state termination
problem.

Can you tell me if there is something wrong with this config?

Here is my ifconfig and pf config (/etc/pf.conf) in firewall 1 and 
firewall 2.

my ifconfig

lo0: flags=8049 mtu 33224
inet 127.0.0.1 netmask 0xff00
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
rl0: flags=8943 mtu 1500
address: 00:50:bf:d2:7d:cc
media: Ethernet autoselect (100baseTX full-duplex)
status: active
rl1: flags=8943 mtu 1500
address: 00:08:a1:7d:ac:82
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet x.y.z.225 netmask 0xfff0 broadcast x.y.z.239
rl2: flags=8943 mtu 1500
address: 00:08:a1:7a:93:eb
media: Ethernet autoselect (100baseTX full-duplex)
status: active
dc0: flags=8843 mtu 1500
address: 00:80:ad:7f:ac:0e
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 10.0.0.1 netmask 0xff00 broadcast 10.0.0.255
pflog0: flags=141 mtu 33224
pfsync0: flags=41 mtu 1348
pfsync: syncdev: dc0 syncpeer: 10.0.0.2 maxupd: 128
enc0: flags=0<> mtu 1536
carp0: flags=8843 mtu 1500
carp: MASTER carpdev rl0 vhid 1 advbase 1 advskew 0
inet x.y.142.142 netmask 0xfffc broadcast x.y.142.143
carp1: flags=8843 mtu 1500
carp: MASTER carpdev rl1 vhid 2 advbase 1 advskew 0
inet x.y.z.227 netmask 0xfff0 broadcast x.y.z.239
carp2: flags=8843 mtu 1500
carp: MASTER carpdev rl2 vhid 3 advbase 1 advskew 0
inet x.y.z.241 netmask 0xfff8 broadcast x.y.z.247

   my pf.conf

# macros
int_ext = "rl0"
int_dmz_p = "rl1"
int_dmz_g = "rl2"
carp_ext = "carp0"
carp_dmz_p = "carp1"
carp_dmz_g = "carp2"

M = "x.y.z.230"
B = "x.y.z.231"
FTP = "x.y.z.228"
S = "x.y.z.229"
G = "x.y.z.242"
# note: B is defined twice; pfctl keeps the last definition, so $B expands to x.y.z.252
B = "x.y.z.252"

dmz_p = "x.y.z.224/28"
dmz_g = "x.y.z.240/29"
dmz_b = "x.y.z.248/29"

priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# options

set block-policy drop
set loginterface $int_ext
set state-policy floating

# scrub

scrub in all min-ttl 2 no-df fragment reassemble

#Queueing

#Translation

#Filter rules

block log all

#carp and pfsync

pass quick on {rl0 rl1 rl2} proto carp keep state (no-sync)
pass quick on dc0 proto pfsync

pass quick on lo0 all

block drop in  quick on $int_ext from $priv_nets to any
block drop out quick on $int_ext from any to $priv_nets

pass in quick on $int_dmz_p proto udp from { $dmz_p $dmz_b } to  port 123 keep state (no-sync)

pass in quick on $int_ext proto tcp from any to $M port http flags S/SA synproxy state
#pass in quick on $int_ext proto tcp from any to $B port http flags S/SA synproxy state

pass in quick on $int_ext proto tcp from any to $S port 1755 flags S/SA synproxy state
pass in quick on $int_ext proto udp from any to $S port 1755 keep state

pass in quick on $int_ext proto tcp from any to $S port 554 flags S/SA synproxy state

pass in quick on $int_ext proto udp from any to $S port 5005 keep state

pass in quick on $int_ext proto { tcp udp icmp } from any to $G flags S/SA keep state

#ftp

# control

pass in quick on $int_ext proto tcp from any to $FTP port 21 flags S/SA synproxy state

# data

pass in quick on $int_ext proto tcp from any to $FTP port 12000:13000 flags S/SA synproxy state


block in quick on $int_dmz_p proto tcp from $dmz_p to $int_dmz_p
block in quick on $int_dmz_p proto udp from $dmz_p to $int_dmz_p

pass in quick on $int_dmz_p proto tcp from $dmz_p to any flags S/SA keep state
pass in quick on $int_dmz_p proto { udp icmp } from $dmz_p to any keep state


block in quick on $int_dmz_p proto tcp from $dmz_b to $int_dmz_p
block in quick on $int_dmz_p proto udp from $dmz_b to $int_dmz_p

pass in quick on $int_dmz_p proto tcp from $dmz_b to any flags S/SA keep state
pass in quick on $int_dmz_p proto { udp icmp } from $dmz_b to any keep state


block in quick on $int_dmz_g proto tcp from $dmz_g to $carp_dmz_g
block in quick on $int_dmz_g proto udp from $dmz_g to $carp_dmz_g

pass in quick on $int_dmz_g proto tcp from $dmz_g to any flags S/SA keep state
pass in quick on $int_dmz_g proto { udp icmp } from $dmz_g to any keep state

pass out quick on $int_ext proto { tcp udp icmp } from $carp_ext to any flags S/SA modulate state (no-sync)
pass out quick on $int_dmz_p proto { tcp udp } from $int_dmz_p to any flags S/SA modulate state (no-sync)
pass out quick on $int_dmz_g proto { tcp udp icmp } from $carp_dmz_g to any flags S/SA modulate state (no-sync)
pass out quick on rl2 proto {tcp udp icmp} from any to any flags S/SA keep state (no-sync)


pass out on $int_ext proto tcp all keep state flags S/SA



Create my own shell?

2005-07-25 Thread Abel Talaverón Estevez
Hi all,

I need to create a particular but simple shell for a firewall running OpenBSD 
3.6. The idea is create a user whose shell is a very limited one. This shell 
or command line interpreter (CLI) must have permissions only in the home 
directory.

How could I do this? Any ideas? Editing the source code of sh?, for example. 
Make my own cli?
-- 
Abel Talaverón Estevez
Ingeniero Superior de Telecomunicaciones
Analista de Proyectos
OpenWired, S.L.
C/ Caballero, 87 - 08029 - Barcelona (Spain)
Tel (+34) 93/410 75 70 - Fax (+34) 93/419 45 91



Re: 005_libz.patch - fails to change directory

2005-07-25 Thread Brad
On Mon, Jul 25, 2005 at 09:03:03AM -0400, Clint M. Sand wrote:
> On Fri, Jul 22, 2005 at 08:00:50PM -0600, Todd C. Miller wrote:
> > In message <[EMAIL PROTECTED]>
> > so spake Uwe Dippel (udippel):
> > 
> > > Strange, we had the same thing with the last patch.
> > 
> > Looks like the main ftp mirror is not updating.  I've left a
> > message but it may not get fixed for a while...
> > 
> >  - todd
> 
> Any update on this? 003, 004, 005 all seem to still have the incorrect
> path.

3, 4 and 5 are just fine as they are right now.



Re: The MD5-File at the Server... (Request for RMD160 and SHA1 Checksums)

2005-07-25 Thread Marc Espie
On Mon, Jul 25, 2005 at 01:38:01PM +0200, [EMAIL PROTECTED] wrote:
> MD5 is broken, like rmd160 and sha1. But an attack against all 3
> algorithms at once seems to be impossible (for now...).
> And it's much harder not to change e.g. the file size if you created a
> collision against all of the algorithms (worst case).
> 
> I hope I was able to explain why just MD5 isn't enough to make sure
> that nothing has happened to the files.
> And even if I was not able to explain it, it shouldn't be that much of a
> problem to include rmd160 and sha1 checksums too (and if you've some time
> left maybe also the file size?).

For now, MD5 is still enough.

No-one is still able to compute an arbitrary pre-image from a given MD5.
What's currently feasible is to create two files which yield the same MD5,
but this relies on both files containing a very specific, tailored, engineered,
contiguous sequence of 1024 bytes.

So, for now, no-one knows how to replace a valid file with another file with
the same MD5, unless they happen to have created *both* files...

... which means that the attacker *is* the software distributor. A very
valid threat, but which does not apply at all to the OpenBSD basic 
distribution right now.

The ports tree is another matter, especially distfiles handling, where some
software distributor can be the attacker, which is the reason why you can
decide to re-check rmd160 instead of sha1,  for instance, 
if you have any doubts.  We provide the data, no automated means to check, 
but that's something you can still trivially do.

cd /usr/ports && PREFERRED_CIPHERS=rmd160 make checksum

will check a full ports tree against rmd160.
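Marc's point is that a single MD5 collision only helps an attacker who built both files; the ports tree raises the bar further by recording several digests plus the size in distinfo. The script below is an added example, not from this thread and not the ports tree's own checksum code: it verifies a downloaded file against distinfo-style lines and refuses it unless every algorithm named in REQUIRE is both present and correct, so a file that only matches MD5 (or a distinfo that someone trimmed down to MD5) is rejected. File names, the sample contents in the usage and the REQUIRE list are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread, not the ports tree's own code):
# verify a downloaded file against distinfo-style lines
#   MD5 (name) = hex / SHA1 (name) = hex / RMD160 (name) = hex / SIZE (name) = n
# and refuse it unless every algorithm in REQUIRE is present and matches.
# File names and the REQUIRE list are hypothetical.
set -u

# Algorithms that MUST all be present and correct. A collision in one
# algorithm (two files the attacker built himself) does not pass when the
# other digests and the size must agree as well.
REQUIRE=${REQUIRE:-"MD5 SHA1 SIZE"}

# digest ALGO FILE -> prints the lowercase hex digest (byte count for SIZE);
# returns 1 if ALGO is unknown. Tries the OpenBSD tools first, then
# coreutils, then openssl.
digest() {
    case $1 in
        MD5)    if command -v md5 >/dev/null 2>&1;      then md5 -q "$2"
                elif command -v md5sum >/dev/null 2>&1; then md5sum < "$2" | awk '{print $1}'
                else openssl dgst -md5 < "$2" | awk '{print $NF}'; fi ;;
        SHA1)   if command -v sha1 >/dev/null 2>&1;     then sha1 -q "$2"
                elif command -v sha1sum >/dev/null 2>&1; then sha1sum < "$2" | awk '{print $1}'
                else openssl dgst -sha1 < "$2" | awk '{print $NF}'; fi ;;
        RMD160) if command -v rmd160 >/dev/null 2>&1;   then rmd160 -q "$2"
                else openssl dgst -ripemd160 < "$2" | awk '{print $NF}'; fi ;;
        SIZE)   wc -c < "$2" | tr -d ' ' ;;
        *)      return 1 ;;
    esac
}

# verify_distfile DISTINFO FILE [NAME]
#   Check every line in DISTINFO that refers to NAME (default: basename of
#   FILE). Returns 0 only if all of them match AND every algorithm in
#   REQUIRE was seen; a distinfo that is missing a required line fails.
verify_distfile() {
    distinfo=$1; file=$2; name=${3:-${2##*/}}
    seen=""; rc=0
    while read -r algo paren eq want; do
        [ "$paren" = "($name)" ] || continue
        if got=$(digest "$algo" "$file"); then
            if [ "$got" = "$want" ]; then
                seen="$seen $algo"
            else
                echo "MISMATCH $algo ($name): want $want got $got" >&2
                rc=1
            fi
        else
            echo "cannot compute $algo on this host" >&2
            rc=1
        fi
    done < "$distinfo"
    for a in $REQUIRE; do
        case " $seen " in
            *" $a "*) ;;
            *) echo "MISSING $a ($name): distinfo does not cover it" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Usage, with a constructed distinfo (file contents "hello\n", 6 bytes):
#   printf 'hello\n' > hello.txt
#   printf 'MD5 (hello.txt) = b1946ac92492d2347c6235b4d2611184\n'       >  distinfo
#   printf 'SHA1 (hello.txt) = f572d396fae9206628714fb2ce00f72e94f2258f\n' >> distinfo
#   printf 'SIZE (hello.txt) = 6\n'                                      >> distinfo
#   verify_distfile distinfo hello.txt && echo OK
```

Compare the distinfo itself against a copy fetched from a second mirror before trusting it; this check only tells you the file matches what the distinfo says, not that the distinfo is genuine.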



Re: 005_libz.patch - fails to change directory

2005-07-25 Thread Clint M. Sand
On Fri, Jul 22, 2005 at 08:00:50PM -0600, Todd C. Miller wrote:
> In message <[EMAIL PROTECTED]>
>   so spake Uwe Dippel (udippel):
> 
> > Strange, we had the same thing with the last patch.
> 
> Looks like the main ftp mirror is not updating.  I've left a
> message but it may not get fixed for a while...
> 
>  - todd

Any update on this? 003, 004, 005 all seem to still have the incorrect
path.



Re: The MD5-File at the Server... (Request for RMD160 and SHA1 Checksums)

2005-07-25 Thread sebastian . rother
> On 2005-07-25 08:41, [EMAIL PROTECTED] wrote:
>> And yes: Adding another checksum wouldn't prevent an attacker from recreating
>> these files and replacing them. But the chance isn't very high that an
>> attacker could own 3 or 4 different servers in different networks at
>> the
>> same time. So every user would be able to compare the checksums with
>> checksums stored in a file on another server.
>
> Wouldn't it be easier to just download the MD5 files from more than one
> mirror then and compare them? This, of course, requires that the master
> site isn't compromised but otherwise I think it's just as good as more
> checksums.

That is no protection against the kind of attack I'm talking about,
because the MD5 checksum will be the same even if the content of the file
has changed.

Such an attack can't be detected by the algorithm (otherwise it wouldn't
be an attack, or?). The only prevention would be a digital signature or
more checksums (rmd160+sha1+filesize).

So there must be a reason why every distinfo contains 3 checksums and the
filesize. So I wonder why the BASE files which are needed to install the OS
are not "protected" with such a mechanism.
That would allow the end user (huhu, hello... here I am ;) ) to compare the
different checksums with:

a) the files I downloaded
b) other servers, because these files could have been replaced by an
   attacker


MD5 is broken, like rmd160 and sha1. But an attack against all 3
algorithms at once seems to be impossible (for now...).
And it's much harder not to change e.g. the file size if you created a
collision against all of the algorithms (worst case).

I hope I was able to explain why just MD5 isn't enough to make sure
that nothing has happened to the files.
And even if I was not able to explain it, it shouldn't be that much of a
problem to include rmd160 and sha1 checksums too (and if you've some time
left maybe also the file size?).

Kind regards,
Sebastian



Re: The MD5-File at the Server... (Request for RMD160 and SHA1 Checksums)

2005-07-25 Thread Erik Wikström

On 2005-07-25 12:16, Erik Wikström wrote:

On 2005-07-25 08:41, [EMAIL PROTECTED] wrote:

And yes: Adding another checksum wouldn't prevent an attacker from recreating
these files and replacing them. But the chance isn't very high that an
attacker could own 3 or 4 different servers in different networks at the
same time. So every user would be able to compare the checksums with
checksums stored in a file on another server.


Wouldn't it be easier to just download the MD5 files from more than one
mirror then and compare them? This, of course, requires that the master
site isn't compromised but otherwise I think it's just as good as more
checksums.


Sorry, that was stupid, next time I'll make sure to wake up before
replying.

--
Erik Wikström



Re: The MD5-File at the Server... (Request for RMD160 and SHA1 Checksums)

2005-07-25 Thread Erik Wikström

On 2005-07-25 08:41, [EMAIL PROTECTED] wrote:

And yes: Adding another checksum wouldn't prevent an attacker from recreating
these files and replacing them. But the chance isn't very high that an
attacker could own 3 or 4 different servers in different networks at the
same time. So every user would be able to compare the checksums with
checksums stored in a file on another server.


Wouldn't it be easier to just download the MD5 files from more than one
mirror then and compare them? This, of course, requires that the master
site isn't compromised but otherwise I think it's just as good as more
checksums.

--
Erik Wikström






Re: The MD5-File at the Server... (Request for RMD160 and SHA1 Checksums)

2005-07-25 Thread Luis Bruno

[EMAIL PROTECTED] wrote:

Btw: Because another guy told me to buy a CD: I do.
But what about archs which are not on the CD?


Which reminds me: I'd love to be able to *buy* a DVD from Wim with all 
i386 packages. I know how to make one, but if I'm buying the pack, I'd 
like to have all the stuff I use.


And I'm not criticizing the layout; I know compromises must be made. So 
there must be a reason why DVDs aren't available (from the project), right?


Cheers,
--
Luis Bruno



Re: carp failover on DSL and Cable connection?

2005-07-25 Thread Stephen Marley
On Sun, Jul 24, 2005 at 10:37:29PM -0700, Jonathan Walther wrote:
> I've read the carp manpage, but am not clear if carp is able to help in
> the following scenario:
> 
> A box at a high availability colo site forwards some traffic to a
> company LAN using a VPN.  There are two VPN connections it could route
> packets through, one going through the LAN's Cable connection, the other
> through its DSL connection.  Both VPN's connect to the same end host on
> the other side of the two connections.
> 
> If the DSL connection goes down, I want all connections and traffic to
> be shunted to the Cable connection.  I control both ends of the VPN,
> which are OpenBSD Soekris boxes.
> 
> Is this possible out of the box and supported by OpenBSD, or is it the
> wrong approach to trying to keep packets getting into the LAN when one
> of the external connections fail?

You could run ospfd (or quagga) on each host. (You'll need to use gif or
gre tunnels to give a multicast capable link over the vpns). Make the
dsl tunnel the lower cost route and ospf will change the routing tables
to use the other link if it goes down. When it comes back up, ospfd will
switch the routing table back to the lower cost route. I use precisely
this method to provide a backup to a 100Mb WAN link using ipsec/adsl.

Actually, for something as simple as this you could probably get away
with writing a script to change the routing table when some condition
occurs, like failure of a ping over the dsl link, but using ospf is a
neater way to do it.

-- 
stephen
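The "script that changes the routing table when a ping fails" alternative Stephen mentions is simple, but the version people write first flaps: one lost echo swaps the route, the next reply swaps it back. The script below is an added example, not from this thread, showing that watchdog with hysteresis (N consecutive failures before failing over to the cable tunnel, M consecutive successes before failing back to DSL) and a dry-run mode so the decision logic can be exercised without touching the kernel routing table. The peer addresses, the LAN prefix, the thresholds and the route(8) invocation are assumptions; ospfd remains the cleaner answer once both tunnels carry multicast.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal link watchdog of the kind
# Stephen mentions as the "script" alternative to ospfd. Assumptions, all
# hypothetical: the DSL tunnel's far end is DSL_PEER, the cable tunnel's far
# end is CABLE_PEER, and the LAN prefix is reached via whichever tunnel is
# currently chosen. Route changes use OpenBSD route(8); DRY_RUN=1 prints the
# command instead of running it.
set -u

DSL_PEER=${DSL_PEER:-10.1.0.2}
CABLE_PEER=${CABLE_PEER:-10.2.0.2}
LAN=${LAN:-192.168.100.0/24}
FAIL_THRESHOLD=3   # consecutive failed probes before failing over to cable
OK_THRESHOLD=5     # consecutive good probes before failing back to DSL
DRY_RUN=${DRY_RUN:-0}

# probe_link PEER -> 0 if one ICMP echo gets through within 2 seconds
probe_link() {
    ping -c 1 -w 2 "$1" >/dev/null 2>&1
}

# next_state STATE FAILS OKS PROBE_OK -> prints "STATE FAILS OKS"
#   STATE is "dsl" or "cable"; PROBE_OK is 0 (reply seen) or 1 (no reply).
#   The two counters give hysteresis: a single lost packet does not flip
#   the route, and a single success does not flip it back.
next_state() {
    state=$1; fails=$2; oks=$3; probe_ok=$4
    if [ "$probe_ok" -eq 0 ]; then
        fails=0; oks=$((oks + 1))
        if [ "$state" = cable ] && [ "$oks" -ge "$OK_THRESHOLD" ]; then
            state=dsl; oks=0
        fi
    else
        oks=0; fails=$((fails + 1))
        if [ "$state" = dsl ] && [ "$fails" -ge "$FAIL_THRESHOLD" ]; then
            state=cable; fails=0
        fi
    fi
    echo "$state $fails $oks"
}

# set_route STATE: point the LAN route at the chosen tunnel peer
set_route() {
    case $1 in
        dsl)   gw=$DSL_PEER ;;
        cable) gw=$CABLE_PEER ;;
        *)     return 1 ;;
    esac
    if [ "$DRY_RUN" = 1 ]; then
        echo "route change $LAN $gw"
    else
        route -n change "$LAN" "$gw" >/dev/null 2>&1 || route -n add "$LAN" "$gw"
    fi
}

# watchdog: probe the DSL peer every 5 seconds and move the route on
# state changes only. Runs until killed.
watchdog() {
    state=dsl; fails=0; oks=0
    set_route "$state"
    while :; do
        if probe_link "$DSL_PEER"; then ok=0; else ok=1; fi
        new=$(next_state "$state" "$fails" "$oks" "$ok")
        set -- $new
        if [ "$1" != "$state" ]; then
            echo "$(date) failover: $state -> $1" >&2
            set_route "$1"
        fi
        state=$1; fails=$2; oks=$3
        sleep 5
    done
}

if [ "${1:-}" = run ]; then
    watchdog
fi
```

Probe the tunnel's far end, not a public host: a ping that leaves via the default route tells you nothing about the VPN, and the probe packets themselves should be allowed through pf on the tunnel interface only.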



Re: Disable IPv6 on 3.7

2005-07-25 Thread Shawn K. Quinn
On Mon, 2005-07-25 at 10:17 +0100, Gordon Ross wrote:
> Is it possible to disable IPv6 on OpenBSD 3.7 without building a custom 
> kernel ?

No, but why would you need to? Just don't assign an Internet-routable
IPv6 address to the interface, if you're worried about security.

-- 
Shawn K. Quinn <[EMAIL PROTECTED]>



Re: Disable IPv6 on 3.7

2005-07-25 Thread Lars Hansson
On Mon, 25 Jul 2005 10:17:56 +0100
"Gordon Ross" <[EMAIL PROTECTED]> wrote:

> Is it possible to disable IPv6 on OpenBSD 3.7 without building a custom 
> kernel ?

No.

---
Lars Hansson



Re: Disable IPv6 on 3.7

2005-07-25 Thread Andreas Kahari
See the archives.  Here's is one example:
http://marc.theaimsgroup.com/?l=openbsd-misc&m=109473296323761&w=2

Andreas

On 25/07/05, Gordon Ross <[EMAIL PROTECTED]> wrote:
> Is it possible to disable IPv6 on OpenBSD 3.7 without building a custom 
> kernel ?
> 


-- 
Andreas Kahari

PGP: 1024D/C2E163CB



Re: Disable IPv6 on 3.7

2005-07-25 Thread Lukas Ratajski
On Monday 25 July 2005 11:17, you wrote:
> Is it possible to disable IPv6 on OpenBSD 3.7 without building a custom
> kernel ?

I suggest that you leave it untouched. If you decide not to do so, be prepared 
to encounter problems without any support from here. This issue appeared some 
time ago (and appears again and again), take a look at this thread: 

http://marc.theaimsgroup.com/?l=openbsd-misc&m=109468634528474&w=2

Greetings,
Lukas.

-- 
Lukas Ratajski - [EMAIL PROTECTED]
Feel free to use PGP public key 0xEF4DA75A for e-mail encryption



Disable IPv6 on 3.7

2005-07-25 Thread Gordon Ross
Is it possible to disable IPv6 on OpenBSD 3.7 without building a custom kernel ?

Thanks,

GTG

Gordon Ross,
Network Manager/Rheolwr Rhydwaith
Countryside Council for Wales/Cyngor Cefn Gwlad Cymru



Re: OT: any problems with webservers on high ports blocked by corporate-firewalls?

2005-07-25 Thread Lars Hansson
On Sun, 24 Jul 2005 15:24:06 -0700
Miles Keaton <[EMAIL PROTECTED]> wrote:

> Wondering if anyone has seen a trend these days for most companies to
> block all but port 80 or something?

FYI, we block *everything*, employees have to use our proxyserver (squid)
to browse the web.

---
Lars Hansson



Re: missing: ./etc/acpi

2005-07-25 Thread Stuart Henderson

--On 24 July 2005 14:25 -0700, b h wrote:


Checking special files and directories.
Output format is:
filename:
criteria (shouldbe, reallyis)
missing: ./etc/acpi


Check you have updated /etc/mtree files from /usr/src/etc and have run 
mtree (right near the end of 
).


Since you have a file in /dev on one machine and not the other, also 
check you have run MAKEDEV.




Get desired NWID

2005-07-25 Thread Marc Winiger
Hi

On wi(4) wlan cards it is possible to get the desired nwid with
WI_RID_DESIRED_SSID, independent whether the card is associated to an 
access point or not.

Cards with other drivers, are using SIOCG80211NWID to get the nwid. But 
this value contains the actual nwid associated to, not the one I set.

I have to decide, whether the nwid is set to a name or ANY. Does anybody 
know if that is possible?

Marc

-- 
micro systems, wiesendamm 2a, postfach, 4019 basel
fon: +41 61 383 05 10  -  fax: +41 61 383 05 12
http://www.msys.ch/  -  [EMAIL PROTECTED]




Conexant "Amigo " usb ADSL modem .

2005-07-25 Thread RGKärcher
Hi guys , 

How can I make the Conexant "Amigo" USB modem work
under OpenBSD?

On Linux I have to recompile the kernel and do other
stuff to make it work...

Have any of you succeeded in using this kind of ADSL
USB modem?

Thanks in advance , 

Regards , 

Richard Karcher 





Ricardo German Kärcher

[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]




3.7 install hangs with 3ware 8006-2LP

2005-07-25 Thread Willi Schiegel

Hello Group,

I tried to install OpenBSD 3.7 on an Intel Pentium4 system with a 3ware 
Escalade 8006-2LP raid controller but the installation hangs with a 
system freeze. I found in the supported hardware section of the OpenBSD 
documentation under RAID and Cache Controllers:


- 3ware Escalade 3W-5x00 and 3W-6x00 series (twe) (A) (C)

So my controller seems not to be supported. Does anyone know when the 
8006-2LP will be supported?


Thank you very much.

Greetings
Willi Schiegel

--
===
Bernstein-Zentrum Berlin |   Tel.: +49-30-2093-9089
Willi Schiegel   |   Fax:  +49-30-2093-8801
Invalidenstrasse 42  | E-Mail: [EMAIL PROTECTED]
D-10115 Berlin   |   Web: http://www.bccn-berlin.de
===