Problem with NFS, everything freeze

2005-07-27 Thread Adam Papai
Regards.

I've got a problem with nfs.

There are 2 servers. A and B.

On server A I export one dir and start nfsd, portmap, mountd.
On server B I mount A's exported dir.
I begin to copy approximately 40Mb up to A from B.
At 30Mb the copy breaks and everything freezes on server B.
B replies to ping but nothing else.

I waited 8 hours but nothing happened. I had to ask a restart for server B.

For the most part it always happens. But why?
Servers A and B are OpenBSD 3.6, but I tried with 3.6-3.5 and the other way around.
They always freeze.

I feel so uneasy..:/

The mount option was:

serverA:/dir/ /mnt/nfs nfs rw 0 0

How can I avoid the freeze? I want to use nfs, to omit scp (daily mail
backups, sys backups and so on)

-- 
Adam Papai
D i g i t a l Influence
E-mail: [EMAIL PROTECTED]
Phone: +36 30 33-55-735



Re: Did anybody hear this??

2005-07-27 Thread Siju George
On 7/27/05, Chris Kuethe [EMAIL PROTECTED] wrote:
> On 7/26/05, Siju George [EMAIL PROTECTED] wrote:
> > On 7/26/05, Bruno Delbono [EMAIL PROTECTED] wrote:
> > > +++ Siju George [Tue Jul 26, 2005 at 10:18:56AM +0530]:
> > > > how much truth is actually in this article???
> > >
> > > It makes a lot of sense and is right on. What I take out of this article
> > > is that having one single firewall (can be any type: network, application
> > > etc.) at the perimeter doesn't stop hackers.
> > >
> > > I don't see what really alarmed you?
> >
> > Thanks for the reply Bruno. Just the thing whether this is the current
> > trend. eliminating firewalls and going for an alternative like he
> > mentioned?
>
> You completely missed the point.
>
> The point was that the crunchy on the outside, chewy on the inside
> security model is wrong. A single perimeter firewall tends to allow
> the inside network to be woefully unsecure and this is something to be
> avoided. Or, put another way, the single greatest failing of a
> firewall is that it allows people to continue behaving unsafely.
>
> Think about it: if every host you control is set up to survive contact
> with an evil host, then it doesn't matter much if someone out there
> tries to break in, or someone brings in a virus-laden laptop or
> whatever else. So maybe the elimination of the firewall is a
> worthwhile pursuit so long as you keep an eye toward properly bolting
> down your empire.

Yes :-(
Thank you so much :-)

kind regards

Siju

> CK
>
> --
> GDB has a 'break' feature; why doesn't it have 'fix' too?



Re: Problem with NFS, everything freeze

2005-07-27 Thread Steven Manos
are you running pf? are you scrubbing on an interface?






Re: Problem with NFS, everything freeze

2005-07-27 Thread Adam Papai
Steven Manos said:
> are you running pf? are you scrubbing on an interface?


On server A there I use:

scrub in all

but not more special rules.

On server B I didn't use scrub, only some pass in rulez for ssh/smtp


-- 
Adam Papai
D i g i t a l Influence
E-mail: [EMAIL PROTECTED]
Phone: +36 30 33-55-735



make /dev/pf world readable?

2005-07-27 Thread Jan Sepp

Hello,

I am creating a shell script that gathers PF statistics for my various
interfaces, as in pfctl -i <if> -vvsI. (Yes, I am aware of the
existence of rpfcd, but as I want to monitor only one local box and
write the output directly to console, that seems overkill to me.) I am
running OpenBSD 3.6 on a Soekris.


This script should not run as root. If I run it as a non-privileged
user, I get an error. Basically, the problem is in the mode bits for
/dev/pf, which are crw-------, owner root.


I googled around and found that Squid happily changes the group and 
group mode bits on /dev/pf. Is that safe, from a compatibility point 
of view? And is it secure? Can I do it too? What would be the 
implications (apart from being incompatible with squid, obviously)?


What are the security implications if I go one step beyond that and make 
/dev/pf world readable? I understand that all my users then can read the 
rule set -- and good luck to them. Anything else?


TIA,

Jan Sepp



Re: make /dev/pf world readable?

2005-07-27 Thread Alexander Farber
I dunno if it's safe or not, but you could use sudo or su username -c there.

2005/7/27, Jan Sepp [EMAIL PROTECTED]:
> This script should not run as root. If I run it as a non-privileged
> user, I get an error. Basically, the problem is in the mode bits for
> /dev/pf, which are crw-------, owner root.



Phase 2 problem between isakmpd and Netscreen

2005-07-27 Thread Sean Knox
(posted a similar message originally on the IPSec list; thought I'd post 
here too)


Hey all-

I almost have a working VPN between isakmpd and a Netscreen box-- things
fail at phase 2 as the peers enter quick mode.

64.81.74.226 = isakmpd
206.14.210.146 = netscreen

00:28:11.947907 64.81.74.226.500 > 206.14.210.146.500: [udp sum ok]
isakmp v1.0 exchange QUICK_MODE
  cookie: eb114e8223bc0965-3aac9200ac79d919 msgid: 9e7ccdd5 len: 284
  payload: HASH len: 24
  payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
  payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xadfa06f3
  payload: TRANSFORM len: 32
  transform: 1 ID: AES
  attribute LIFE_TYPE = SECONDS
  attribute LIFE_DURATION = 1200
  attribute ENCAPSULATION_MODE = TUNNEL
  attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
  attribute GROUP_DESCRIPTION = 2
  attribute KEY_LENGTH = 128
  payload: NONCE len: 20
  payload: KEY_EXCH len: 132
  payload: ID len: 12 type: IPV4_ADDR = 64.81.74.226
  payload: ID len: 12 type: IPV4_ADDR = 130.94.4.65 [ttl 0] (id 1, len 312)
00:28:12.138720 206.14.210.146.500 > 64.81.74.226.500: [udp sum ok]
isakmp v1.0 exchange QUICK_MODE
  cookie: eb114e8223bc0965-3aac9200ac79d919 msgid: 9e7ccdd5 len: 300
  payload: HASH len: 24
  payload: SA len: 60 DOI: 1(IPSEC) situation: IDENTITY_ONLY
  payload: PROPOSAL len: 48 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x0502a8eb
  payload: TRANSFORM len: 36
  transform: 1 ID: AES
  attribute LIFE_TYPE = SECONDS
  attribute LIFE_DURATION = 04b0
  attribute ENCAPSULATION_MODE = TUNNEL
  attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
  attribute GROUP_DESCRIPTION = 2
  attribute KEY_LENGTH = 128
  payload: NONCE len: 24
  payload: KEY_EXCH len: 132
  payload: ID len: 12 type: IPV4_ADDR = 64.81.74.226
  payload: ID len: 12 type: IPV4_ADDR = 130.94.4.65 [ttl 0] (id 1, len 328)
00:28:15.838995 206.14.210.146.500 > 64.81.74.226.500: [udp sum ok]
isakmp v1.0 exchange QUICK_MODE
  cookie: eb114e8223bc0965-3aac9200ac79d919 msgid: 9e7ccdd5 len: 300
  payload: HASH len: 24
  payload: SA len: 60 DOI: 1(IPSEC) situation: IDENTITY_ONLY
  payload: PROPOSAL len: 48 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x0502a8eb
  payload: TRANSFORM len: 36
  transform: 1 ID: AES
  attribute LIFE_TYPE = SECONDS
  attribute LIFE_DURATION = 04b0
  attribute ENCAPSULATION_MODE = TUNNEL
  attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
  attribute GROUP_DESCRIPTION = 2
  attribute KEY_LENGTH = 128
  payload: NONCE len: 24
  payload: KEY_EXCH len: 132
  payload: ID len: 12 type: IPV4_ADDR = 64.81.74.226
  payload: ID len: 12 type: IPV4_ADDR = 130.94.4.65 [ttl 0] (id 1, len 328)

--snip--

Note the wacky LIFE_DURATION sent by the netscreen. As shown in the 
packet capture the netscreen continues to send quick mode packets but 
isakmpd never responds. I've logs at http://obstacle9.com/isakmpd/ . 
I've tried different transforms and proposal settings but the result is 
the same. This happens on a snapshot from a few days ago.



thanks,
sk
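
Added example (not from the thread and not isakmpd code): the ISAKMP attribute encoding behind the two LIFE_DURATION values in the capture. RFC 2408 allows a data attribute in basic (TV, 16-bit value) or variable-length (TLV) form and RFC 2407 allows SA Life Duration in either; the capture shows one peer's lifetime in decimal and the other's as the hex string 04b0, and 0x04b0 is 1200, so both propose 1200 seconds. The 4-byte TLV value for the Netscreen is an assumption, chosen because it makes the TRANSFORM payload exactly 4 bytes longer (36 vs 32) as in the capture; all attribute bytes below are constructed.

```python
"""Decode IKEv1/ISAKMP data attributes of an ESP transform payload.

Added example: RFC 2408 section 3.3 (attribute format) and RFC 2407
section 4.5 (IPsec DOI attribute types). Sample bytes are constructed.
"""
import struct

# IPsec DOI transform attribute types (RFC 2407, section 4.5)
ATTR_NAMES = {
    1: "LIFE_TYPE",
    2: "LIFE_DURATION",
    3: "GROUP_DESCRIPTION",
    4: "ENCAPSULATION_MODE",
    5: "AUTHENTICATION_ALGORITHM",
    6: "KEY_LENGTH",
}
LIFE_TYPE_SECONDS = 1
# generic transform header: next(1) reserved(1) length(2) xform#(1) id(1) reserved(2)
TRANSFORM_HDR_LEN = 8


def encode_tv(atype, value):
    """Basic (TV) attribute: AF bit set, 16-bit value, 4 bytes total."""
    return struct.pack("!HH", 0x8000 | atype, value)


def encode_tlv(atype, raw):
    """Variable (TLV) attribute: AF bit clear, 16-bit length, then raw value."""
    return struct.pack("!HH", atype, len(raw)) + raw


def parse_attributes(data):
    """Return a list of (name, value, encoding) for each attribute in data.

    A TV value is the 16-bit field itself; a TLV value is the big-endian
    integer formed by its value bytes. Truncated input raises ValueError.
    """
    attrs = []
    off = 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated attribute header at offset %d" % off)
        word, val_or_len = struct.unpack_from("!HH", data, off)
        off += 4
        atype = word & 0x7FFF
        name = ATTR_NAMES.get(atype, "UNKNOWN_%d" % atype)
        if word & 0x8000:
            attrs.append((name, val_or_len, "TV"))
        else:
            if len(data) - off < val_or_len:
                raise ValueError("truncated TLV value for %s" % name)
            raw = data[off:off + val_or_len]
            off += val_or_len
            attrs.append((name, int.from_bytes(raw, "big"), "TLV"))
    return attrs


def lifetime_seconds(attrs):
    """Lifetime in seconds if LIFE_TYPE is SECONDS, else None."""
    values = {name: value for name, value, _ in attrs}
    if values.get("LIFE_TYPE") != LIFE_TYPE_SECONDS:
        return None
    return values.get("LIFE_DURATION")


def transform_payload_len(attr_bytes):
    """Length field of a TRANSFORM payload carrying these attributes."""
    return TRANSFORM_HDR_LEN + len(attr_bytes)


# Constructed attribute lists mirroring the capture's transform (AES, tunnel,
# HMAC-SHA, group 2, 128-bit key, 1200 s). Only the lifetime encoding differs.
COMMON_TAIL = (
    encode_tv(4, 1)      # ENCAPSULATION_MODE = TUNNEL
    + encode_tv(5, 2)    # AUTHENTICATION_ALGORITHM = HMAC_SHA
    + encode_tv(3, 2)    # GROUP_DESCRIPTION = 2
    + encode_tv(6, 128)  # KEY_LENGTH = 128
)
ISAKMPD_ATTRS = encode_tv(1, LIFE_TYPE_SECONDS) + encode_tv(2, 1200) + COMMON_TAIL
# Assumption: the peer sends the same 1200 s as a 4-byte TLV value, 00 00 04 b0.
NETSCREEN_ATTRS = (
    encode_tv(1, LIFE_TYPE_SECONDS)
    + encode_tlv(2, (1200).to_bytes(4, "big"))
    + COMMON_TAIL
)

if __name__ == "__main__":
    for label, blob in (("isakmpd", ISAKMPD_ATTRS), ("netscreen", NETSCREEN_ATTRS)):
        attrs = parse_attributes(blob)
        print(label, "TRANSFORM len:", transform_payload_len(blob))
        for name, value, enc in attrs:
            shown = "%d" % value if enc == "TV" else "%04x" % value
            print("  attribute %s = %s (%s)" % (name, shown, enc))
        print("  lifetime:", lifetime_seconds(attrs), "seconds")
```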



Re: Phase 2 problem between isakmpd and Netscreen

2005-07-27 Thread Hans-Joerg Hoexer
Hi,

this worked with an older isakmpd version?  Is this netscreen box
some kind of appliance or just some windows software?

The general problem is, I can only test interoperability with
open source vpn solutions on standard hardware.  If people need to
rely on interoperability with appliance X and Windows client Y and
MacOS client Z, I need this kind of hardware/software.

People interested in providing those, are welcome to contact me :-)

HJ.


-- 
pub  1024D/513AEFD9 1999-12-18 Hans-Joerg Hoexer 
 [EMAIL PROTECTED]
Key fingerprint = 83D2 436A 0D3C 34A9 E0FF  4C33 35F6 617C 513A EFD9



Trying to get little brain round NAT/Routing pf

2005-07-27 Thread Gordon Ross
I'm trying to get a simple pf setup working, but I'm missing something..

I have three hosts, Alice, Bob & Charlie.

Alice & Bob are SMTP servers and need to talk to each other via SMTP.

Charlie is an OpenBSD 3.7 box with 2 NICs. I *have* enabled ip routing by 
doing: sysctl net.inet.ip.forwarding=1

I have no need to actually NAT the Alice & Bob addresses (unless anyone says
that I should), I'm just using NAT as I assume that I have to use NAT to allow
the packets through PF.

In my /etc/pf.conf I've got:

scrub in
binat from $alice to any -> $alice
block all
#Allow packets from Alice to Bob
pass in on $alice_if proto tcp from $alice to $bob port 25 keep state
pass out on $bob_if proto tcp from $alice to $bob port 25 keep state
#Allow packets from Bob to Alice
pass in on $bob_if proto tcp from $bob to $alice port 25 keep state
pass out on $alice_if proto tcp from $bob to $alice port 25 keep state

With this, I can telnet bob 25 from alice and it works fine.
However, I can't do telnet alice 25 from bob.
I tried adding the line:

binat from $bob to any -> $bob

but that didn't appear to make any difference.

If I disable pf, then everything works fine (so I know routing tables, etc are 
correct)

Can someone help me out here? Am I approaching this the right way or is there a
better way to do this?

Thanks,

GTG

Gordon Ross,
Network Manager/Rheolwr Rhydwaith
Countryside Council for Wales/Cyngor Cefn Gwlad Cymru



Re: make /dev/pf world readable?

2005-07-27 Thread Jan Sepp
Thanks, but that would require me to hard-code the password in my 
script, so that will not work.


Alexander Farber wrote:

> I dunno if it's safe or not, but you could use sudo or su username -c there.
>
> 2005/7/27, Jan Sepp [EMAIL PROTECTED]:
> > This script should not run as root. If I run it as a non-privileged
> > user, I get an error. Basically, the problem is in the mode bits for
> > /dev/pf, which are crw-------, owner root.




Re: Phase 2 problem between isakmpd and Netscreen

2005-07-27 Thread Sean Knox
On Wed, 27 Jul 2005, Hans-Joerg Hoexer wrote:

> Hi,
>
> this worked with an older isakmpd version?  Is this netscreen box
> some kind of appliance or just some windows software?

Nope, I've not been able to get isakmpd and the netscreen to finish phase
2. Sorry I wasn't clearer about the type of netscreen...it's a Juniper
Netscreen ISG2000. It's a 4u (I think) appliance that runs ScreenOS,
Juniper's firewall OS. AFAIK, it runs an industry
standard IPSec implementation. Datasheet/marketing fluff pdf here:
http://www.juniper.net/products/integrated/dsheet/110036.pdf


> The general problem is, I can only test interoperability with
> open source vpn solutions on standard hardware.  If people need to
> rely on interoperability with appliance X and Windows client Y and
> MacOS client Z, I need this kind of hardware/software.

I understand completely. While I'd love to donate an ISG2000 without
serving time in prison or going bankrupt, at the moment all I can do is
test. As the smaller netscreen models also run the same OS, I'd imagine
it'd be possible to debug with one of those. As mentioned, if my isakmpd
logs/pcaps are possibly useful toward a fix, let me know. I'll continue
banging away at this in the meantime (and possibly bugging Juniper for
more info).

sk





Re: make /dev/pf world readable?

2005-07-27 Thread Lars Hansson
On Wed, 27 Jul 2005 10:26:46 +0200
Jan Sepp [EMAIL PROTECTED] wrote:

> Thanks, but that would require me to hard-code the password in my
> script, so that will not work.

No it wouldn't. You can allow users to run commands with sudo without
using passwords. man sudoers.

---
Lars Hansson



Re: make /dev/pf world readable?

2005-07-27 Thread Alexander Farber
And/or you run su username -c command as root from 
its crontab, /etc/ppp/ppp.linkup, /etc/rc.local or wherever

2005/7/27, Lars Hansson [EMAIL PROTECTED]:
> On Wed, 27 Jul 2005 10:26:46 +0200
> Jan Sepp [EMAIL PROTECTED] wrote:
>
> > Thanks, but that would require me to hard-code the password in my
> > script, so that will not work.
>
> No it wouldn't. You can allow users to run commands with sudo without
> using passwords. man sudoers.



Re: Create my own shell? SOLVED

2005-07-27 Thread Abel Talaverón Estevez
Many thanks to all people of this mailing list for all the replies.

Finally, I have edited the files I've downloaded from 

http://mongers.org/gw_menu

and made my own shell.

Thanks ;)

On Monday, 25 July 2005 21:03, you wrote:
> On 2005-07-25 16:01:49 +0200, Abel Talaverón Estevez wrote:
> > I need to create a particular but simple shell for a firewall running
> > OpenBSD 3.6. The idea is to create a user whose shell is a very limited one.
> > This shell or command line interpreter (CLI) must have permissions only
> > in the home directory.
> >
> > How could I do this? Any ideas? Editing the source code of sh?, for
> > example. Make my own cli?
>
> http://mongers.org/gw_menu
>
> But that might be too restricted for you.
>
> Have a nice day
>  Morten

-- 
Abel Talaverón Estevez
Senior Telecommunications Engineer
Project Analyst
OpenWired, S.L.
C/ Caballero, 87 - 08029 - Barcelona (Spain)
Tel (+34) 93/410 75 70 - Fax (+34) 93/419 45 91



Re: Problem with NFS, everything freeze

2005-07-27 Thread Steven Manos
hey, yep, i made the same mistake first up too...

from the pf users guide

One reason not to scrub on an interface is if one is passing NFS through
PF. Some non-OpenBSD platforms send (and expect) strange packets --
fragmented packets with the do not fragment bit set, which are
(properly) rejected by scrub. This can be resolved by use of the no-df
option. Another reason is some multi-player games have connection
problems passing through PF with scrub enabled. Other than these
somewhat unusual cases, scrubbing all packets is highly recommended
practice.


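
Added example, not from the thread or the PF guide: the scrub line server A runs in this thread beside the form that exempts NFS fragments from the drop, with the random-id pairing that pf.conf(5) describes for the no-df option.

```pf
# Server A as posted: every fragment that carries the don't-fragment bit is
# dropped by scrub, and an NFS client that sends DF-marked fragments stalls
# partway through a large write while the client side waits on the server.
scrub in all

# Corrected: no-df clears the DF bit on matching packets so the fragments are
# reassembled instead of dropped. random-id goes with it because senders of
# DF-marked fragments often use a zero IP identification field, which makes
# reassembly ambiguous once DF is cleared (pf.conf(5), scrub options).
scrub in all no-df random-id
```

Reload with pfctl -f /etc/pf.conf on the host that scrubs; the client that never scrubbed (server B in the thread) needs no change for this.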



Re: Trying to get little brain round NAT/Routing pf

2005-07-27 Thread Stuart Henderson

--On 27 July 2005 10:19 +0100, Gordon Ross wrote:

> I'm trying to get a simple pf setup working, but I'm missing
> something..
>
> I have three hosts, Alice, Bob & Charlie.
>
> Alice & Bob are SMTP servers and need to talk to each other via SMTP.
>
> Charlie is an OpenBSD 3.7 box with 2 NICs. I *have* enabled ip
> routing by doing: sysctl net.inet.ip.forwarding=1

How are the interfaces configured? (Best way is to paste output of
'ifconfig -a', and 'netstat -rn -f inet', this is easier to read than a
verbal description).

> I have no need to actually NAT the Alice & Bob addresses (unless
> anyone says that I should), I'm just using NAT as I assume that I
> have to use NAT to allow the packets through PF.

That shouldn't be necessary, if it doesn't work without and this is a
simple firewall between the two hosts, something else is likely to be
amiss. Removing this is the first thing to try.

> scrub in
> binat from $alice to any -> $alice
> block all
> # Allow packets from Alice to Bob
> pass in on $alice_if proto tcp from $alice to $bob port 25 keep state
> pass out on $bob_if proto tcp from $alice to $bob port 25 keep state
> # Allow packets from Bob to Alice
> pass in on $bob_if proto tcp from $bob to $alice port 25 keep state
> pass out on $alice_if proto tcp from $bob to $alice port 25 keep state
>
> With this, I can telnet bob 25 from alice and it works fine.
> However, I can't do telnet alice 25 from bob.


can't:- It would be helpful to describe exactly what happens - 
connection times out? Connection immediately rejected? No route to 
host? Some other error? Copy-and-paste is best.


It might help to include your whole pf.conf (xxx out the first byte of 
the IP address if you have to, but if you do this it's probably a good 
idea to double-check for typos first).


Generally, to debug PF rulesets, use 'log' in many places (e.g. every 
block rule and maybe selected 'pass' rules), then watch the logged 
packets with


# tcpdump -n -e -ttt -i pflog0

- this command line is described in the manual page for pflogd(8), and 
will show you the exact packets which are being blocked so you can see 
what you need to allow.




Re: Problem with NFS, everything freeze

2005-07-27 Thread Adam Papai
Steven Manos said:
> hey, yep, i made the same mistake first up too...


And did your system freeze as well like mine?

Thanks anyway. I'll try this at home with 2 test NFS servers. ( of course
with 2 openbsd )

I hope it will work. If not, I'll be sad.

-- 
Adam Papai
D i g i t a l Influence
E-mail: [EMAIL PROTECTED]
Phone: +36 30 33-55-735



Re: Trying to get little brain round NAT/Routing pf - SOLVED

2005-07-27 Thread Gordon Ross
>>> Stuart Henderson [EMAIL PROTECTED] 27/07/2005 11:37:54 >>>
> --On 27 July 2005 10:19 +0100, Gordon Ross wrote:
> > I'm trying to get a simple pf setup working, but I'm missing
> > something..
> >
> > I have three hosts, Alice, Bob & Charlie.
> >
> > Alice & Bob are SMTP servers and need to talk to each other via SMTP.
> >
> > Charlie is an OpenBSD 3.7 box with 2 NICs. I *have* enabled ip
> > routing by doing: sysctl net.inet.ip.forwarding=1
> > I have no need to actually NAT the Alice & Bob addresses (unless
> > anyone says that I should), I'm just using NAT as I assume that I
> > have to use NAT to allow the packets through PF.
>
> That shouldn't be necessary, if it doesn't work without and this is a
> simple firewall between the two hosts, something else is likely to be
> amiss. Removing this is the first thing to try.

After setting up the logging, I saw which line was failing. After much head 
scratching, I noticed a silly little typo in an IP address (I'd reversed two 
digits) Fixed that and it all works fine.

Thanks,

GTG



Re: Anyone know of a marvell based dual gigE copper card

2005-07-27 Thread Johan P . Lindström
On 7/26/05, Bill Chmura [EMAIL PROTECTED] wrote:
> From what everyone told me last time, the SK stuff is good.  So I can
> fit my network together with a few dual cards, trunk the smaller stuff
> together and then be on my way.  Trouble is I cannot find (for the life
> of me) anything dual based on the marvell stuff.
>
> The obsd man page
> http://www.openbsd.org/cgi-bin/man.cgi?query=sk&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html
>
> For dual it only lists the SK-9822 SK-NET GE-T dual port, copper
> adapter, which from threads I read is now realTek chips in the newer
> revs.
>
> I've tried contacting Marvell for info on products made using them, but
> no answer yet.  I've searched, prodded, poked and cursed and I still
> have not found one.
>
> Thoughts or suggestions?
>
> I appreciate the advice from the last round... I am using much of it.
>
> --
>
> Bill Chmura

Note that I have only seen Linksys EG1032 gigabit adapters sporting
RealTek chips, rev.2 is Marvel/SysKonnect (good) and the rev.3 is
RealTek (bad/ugly) though they seem to attach after some jedi skills
by Brad.

However, as the man 4 sk page says, there are many other vendors that
use the good chipset. The page also details that there is only one
known vendor of dual port copper cards with this sk chip lineup.

Somewhere in the archives there should be refs. to the syskonnect site
(or google for it) as I can't remember the URL, you should be able to
buy them from there.

-- JPL



Re: Anyone know of a marvell based dual gigE copper card

2005-07-27 Thread Bill Chmura
Hi Johan,

I think I am good at this point... SysKonnect is sending some cards out
to Brad (I believe they said) and if those get tested soon enough we
are going to buy them - otherwise I am going the Intel pro 1000/MT
route.  There is a lot of pressure to order the box, so that's the plan
as it stands now.

Thanks to everyone for the help!






-- 

Bill Chmura
Director of Internet Technology
Explosivo ITG
Wolcott, CT

p: 860.621.8693
e: [EMAIL PROTECTED]
w. http://www.explosivo.com



Re: Create my own shell? SOLVED

2005-07-27 Thread Alexander Farber
:-) What about ctrl-Z, does that secure gateway menu script ignore that too?




Recommended (P)ATA-Controller for Raidframe

2005-07-27 Thread Ulrich Kahl

Hi!

I plan to set up a fileserver using RAIDframe - I can't afford a 
hardware RAID-controller like Megaraid i4 (around EURO 280,--) and used 
ones are impossible to get, so I will use the software version. The raid 
will use 3 or 4 identical harddrives.

My questions:

- what is better, every drive using its own IDE-channel (no master/slave)
or not?


- will it make a difference if I use two 2-channel controllers or a
4-channel one (like HighPoint RocketRAID 454)?


- recommendations which controller(s) I should buy?

The board which I will use is an ASUS P5A Super 7 with ALi Aladdin V
chipset.


TIA and regards,

Ulrich



Re: openbsd rpc/xdr

2005-07-27 Thread Gustavo Rios
Sorry,

but i found that code very ugly. This is just a personal feeling and i
cannot explain why!! do i seem crazy, probably i am.

I believe the code i saw was very poor design. But that's a personal
taste only and should not be under judgment.

0) Functions return 1 for success and 0 for failure (i don't like that);
1) too many function calls between the caller and the real functionality;
2) function names are too big.


Do you have any other suggestions where i could download alternatives for rpc?

thanks.

On 27 Jul 2005 07:51:52 +0200, Artur Grabowski [EMAIL PROTECTED] wrote:
> Gustavo Rios [EMAIL PROTECTED] writes:
>
> > Hey folks,
> >
> > i am doing efforts in order to learn about xdr/rpc. So, i decided to
> > read some code in src/lib/libc/rpc. I found it to be a little heavy,
> > cause there too many function invocation overhead between the caller
> > and the real function that do the job.
>
> If I read correctly, it seems that you don't like function calls.
> Why are functions bad? You prefer a macro and inline hell?
>
> //art



Re: openbsd rpc/xdr

2005-07-27 Thread Edd Barrett
> 0) Functions return 1 for success and 0 for failure (i don't like that);

Surely that's too trivial to hold a preference to? Most languages do it
this way though.



Re: make /dev/pf world readable?

2005-07-27 Thread Matt Provost
On Jul 27 09:31 AM, Jan Sepp wrote:
 Hello,
 
 I am creating a shell script that gathers PF statistics for my various 
 interfaces, as in pfctl -i <if> -vvsI . (Yes, I am aware of the 
 existence of rpfcd, but as I want to monitor only one local box and 
 write the output directly to console, that seems overkill to me.)   I am 
 running OpenBSD 3.6 on a Soekris.
 
 This script should not run as root. If I run it as a non-privileged 
 user, I get an error. Basically, the problem is in the mode bits for 
 /dev/pf,  which are crw-------, owner root.
 
 I googled around and found that Squid happily changes the group and 
 group mode bits on /dev/pf. Is that safe, from a compatibility point 
 of view? And is it secure? Can I do it too? What would be the 
 implications (apart from being incompatible with squid, obviously)?
 
 What are the security implications if I go one step beyond that and make 
 /dev/pf world readable? I understand that all my users then can read the 
 rule set -- and good luck to them. Anything else?
 

I just tried making a new pf device and changing permissions and it
works ok for me. I assume that's why there is the -p switch to pfctl, so
that you can have multiple device nodes.

% sudo mknod /dev/pf2 c 73 0
% sudo chmod 555 /dev/pf2
% pfctl -srules -p /dev/pf2
<rules follow>
% pfctl -srules
pfctl: /dev/pf: Permission denied

So maybe you can just make a copy of the device and chown it to the
account that is running the script, and then use the -p switch to pfctl
to use that device instead.

Matt
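A tighter variant of the separate-node approach above, added here as an example and not code from the thread: the extra node is owned by a dedicated group and left at mode 0440, so the statistics account can query pf through it but nothing opened through that node can load rules. Major 73 is the number used above; the group name, node path and interface names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: a dedicated, group-readable pf
# node for an unprivileged statistics script, as a tighter variant of the
# chmod 555 node shown above. Major number 73 is the one used in the thread;
# the group name "pfstat", the node path and the interface names are
# constructed for illustration. The setup part needs root.

PF_MAJOR=73                           # major of /dev/pf on that 3.6 box (from the thread)
STAT_NODE=${STAT_NODE:-/dev/pf-stat}  # assumed path of the restricted node
STAT_GROUP=${STAT_GROUP:-pfstat}      # assumed group of the monitoring account

# perm_string FILE: the ten-character mode string as ls(1) prints it,
# e.g. "crw-r-----" for a character device readable by its group.
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# node_is_readonly_for_group FILE: succeed only when the group may read but
# not write or execute, and "other" has no access at all; the owner (root)
# keeps whatever it has. pfctl opens the device read-write when it loads
# rules, and pf(4) refuses the ruleset-changing ioctls on a descriptor that
# was not opened for writing, so a node that passes this check can only be
# used to query pf, never to change it.
node_is_readonly_for_group() {
    case $(perm_string "$1") in
        ????r-----) return 0 ;;
        *)          return 1 ;;
    esac
}

# make_stat_node: create the node (root only). mknod is the same call as in
# the thread; the node is then given to the monitoring group at 0440 rather
# than opened to everyone at 555.
make_stat_node() {
    [ -e "$STAT_NODE" ] || mknod "$STAT_NODE" c "$PF_MAJOR" 0
    chown "root:$STAT_GROUP" "$STAT_NODE"
    chmod 0440 "$STAT_NODE"
    node_is_readonly_for_group "$STAT_NODE"
}

# pf_if_stats IF...: what the unprivileged script would run, one pfctl call
# per interface, all through the restricted node. It refuses to run if the
# node has drifted to a wider mode, so a later chmod does not go unnoticed.
pf_if_stats() {
    node_is_readonly_for_group "$STAT_NODE" || {
        echo "refusing: $STAT_NODE is not read-only for the group" >&2
        return 1
    }
    for _if in "$@"; do
        pfctl -p "$STAT_NODE" -i "$_if" -vvsI
    done
}
```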



Re: Create my own shell? SOLVED

2005-07-27 Thread Alexander Farber
Or if a user presses ctrl-C before the trap command is executed?

2005/7/27, Alexander Farber [EMAIL PROTECTED]:
 :-) What about ctrl-Z, does that secure gateway menu script ignore that too?
 
  2005/7/27, Abel Talaverón Estevez [EMAIL PROTECTED]:
  http://mongers.org/gw_menu



Re: openbsd rpc/xdr

2005-07-27 Thread Gustavo Rios
I did not mean alternatives to the RPC approach; I mean alternatives to
the standard implementation code of rpc.

I don't feel like considering (as you yourself said) garbage like corba,
rx, xml-rpc

I am considering rpc/xdr but a different code implementation.

Thanks for your reply.

On 7/27/05, Ian Delahorne [EMAIL PROTECTED] wrote:
 
  Do you have any other suggestions where i could download alternatives for 
  rpc?
 
 corba, rx, xml-rpc
 
 they all suck, just in different ways.
 
 /ian



Re: Create my own shell? SOLVED

2005-07-27 Thread chaton
On Wed, 27 Jul 2005 15:46:00 +0200
Alexander Farber [EMAIL PROTECTED] wrote:

 Or if a user presses ctrl-C before the trap command is executed?
 
 2005/7/27, Alexander Farber [EMAIL PROTECTED]:
  :-) What about ctrl-Z, does that secure gateway menu script ignore that 
  too?
  
   2005/7/27, Abel Talaverón Estevez [EMAIL PROTECTED]:
   http://mongers.org/gw_menu
 

Mmh ...
Instead of being a smartmouth, you should think a little about what would
really happen and not make assumptions based on nothing.

let's make the assumption that trap was not even called. If a user presses
ctrl-c the script will exit, closing the user's session. What did you
expect it to do ? Spawn a shell from nothing ?

-- chaton@



Re: openbsd rpc/xdr

2005-07-27 Thread Ian Delahorne

Do you have any other suggestions where i could download alternatives for rpc?


corba, rx, xml-rpc

they all suck, just in different ways.

/ian



Re: Create my own shell? SOLVED

2005-07-27 Thread Abel Talaverón Estevez
With Ctrl-c the shell doesn't finish.

The shell file is shown here:


#!/bin/sh
# $Id: menu,v 1.5 2004/05/20 12:15:57 holsta Exp $
#
# Menu wrapper for FireWired. Ctrl-C is ignored and user input is never
# passed to the command line.

PATH=$HOME/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/games:.
export PATH HOME TERM

umask 077

HELP=/home/console/menu.help
GREETING=/home/console/menu.greeting


trap '' 2

grep -v '^#' $GREETING

while true
do
echo "FireWired \c"
if read line
then
case $line in
"") continue;;
esac

set -- $line
case $1 in

CASAV.bash) CASAV.bash;;
CAcceso.bash)   CAcceso.bash;;
CActivarPolitica.sh)CActivarPolitica.sh;;
CAnadirFiltroProxy.sh)  CAnadirFiltroProxy.sh;;
CAnadirPuertoProxy.sh)  CAnadirPuertoProxy.sh;;
CAnadirRedProxy.sh) CAnadirRedProxy.sh;;
CApaga.sh)  CApaga.sh;;
CAplicarRFPProxy.sh)CAplicarRFPProxy.sh;;
CAyuda.sh)  CAyuda.sh;;
CBorrarEncam.sh)CBorrarEncam.sh;;
CBorrarEstad.sh)CBorrarEstad.sh;;
CBorrarFiltroProxy.sh)  CBorrarFiltroProxy.sh;;
CBorrarObjeto.bash) CBorrarObjeto.bash;;
CBorrarPolitica.sh) CBorrarPolitica.sh;;
CBorrarPuertoProxy.sh)  CBorrarPuertoProxy.sh;;
CBorrarRedProxy.sh) CBorrarRedProxy.sh;;
CBorrarRegla.bash)  CBorrarRegla.bash;;
CBorrarReglaBINAT.bash) CBorrarReglaBINAT.bash;;
CBorrarReglaNAT.bash)   CBorrarReglaNAT.bash;;
CBorrarReglaPF.bash)CBorrarReglaPF.bash;;
CBorrarReglaRDR.bash)   CBorrarReglaRDR.bash;;
CBorrarReglaVPN.bash)   CBorrarReglaVPN.bash;;
CBorrarRuta.bash)   CBorrarRuta.bash;;
CBridges.bash)  CBridges.bash;;
CConfFabrica.sh)CConfFabrica.sh;;
CConsola.bash)  CConsola.bash;;
CCrearObjeto.bash)  CCrearObjeto.bash;;
CCrearPolitica.bash)CCrearPolitica.bash;;
CCrearReglaBINAT.bash)  CCrearReglaBINAT.bash;;
CCrearReglaNAT.bash)CCrearReglaNAT.bash;;
CCrearReglaPF.bash) CCrearReglaPF.bash;;
CCrearReglaRDR.bash)CCrearReglaRDR.bash;;
CCrearReglaVPN.bash)CCrearReglaVPN.bash;;
CCrearRuta.bash)CCrearRuta.bash;;
CDNS.sh)CDNS.sh;;
CDepurar.sh)CDepurar.sh;;
CDesactivarPolitica.sh) CDesactivarPolitica.sh;;
CGW.sh) CGW.sh;;
CInterfacesIP.bash) CInterfacesIP.bash;;
CListaObj.sh)   CListaObj.sh;;
CLogout.sh) CLogout.sh;;
CManuales.sh)   CManuales.sh;;
CModificarObjeto.bash)  CModificarObjeto.bash;;
CModificarReglaBINAT.bash)  CModificarReglaBINAT.bash;;
CModificarReglaNAT.bash)CModificarReglaNAT.bash;;
CModificarReglaPF.bash) CModificarReglaPF.bash;;
CModificarReglaRDR.bash)CModificarReglaRDR.bash;;
CModificarReglaVPN.bash)CModificarReglaVPN.bash;;
CMostrarPolActiva.sh)   CMostrarPolActiva.sh;;
CMostrarPoliticas.sh)   CMostrarPoliticas.sh;;
CMostrarPoliticasUser.sh)   CMostrarPoliticasUser.sh;;
CMostrarReglas.sh)  CMostrarReglas.sh;;
CMostrarReglasBINAT.sh) CMostrarReglasBINAT.sh;;
CMostrarReglasNAT.sh)   CMostrarReglasNAT.sh;;
CMostrarReglasPF.sh)CMostrarReglasPF.sh;;
CMostrarReglasRDR.sh)   CMostrarReglasRDR.sh;;
CMostrarReglasVPN.sh)   CMostrarReglasVPN.sh;;
CMoverReglaPF.bash) CMoverReglaPF.bash;;
CMoverReglaVPN.bash)CMoverReglaVPN.bash;;
CPassword.sh)   CPassword.sh;;
CPing.sh)   CPing.sh;;
CProxy.sh)  CProxy.sh;;
CProxyFtp.sh)   CProxyFtp.sh;;
CProxyTransp.sh)CProxyTransp.sh;;
CReboot.sh) CReboot.sh;;
CReloj.sh)  CReloj.sh;;
CSMTP.bash) CSMTP.bash;;
CSsh.sh)CSsh.sh;;
CTraceroute.sh) CTraceroute.sh;;
CVPN.bash)  CVPN.bash;;
CVPNAnadirSucursal.bash)CVPNAnadirSucursal.bash;;
CVPNClientes.bash)  

Re: rdr question

2005-07-27 Thread Mark Prins
Stuart Henderson  scribbled on :

 --On 27 July 2005 00:27 +0200, GV wrote:

 In general I would like to have one static IP where more than one
 domains are  registered and for each domain a different internal web
 server should serve  the incoming requests!
 
 No, you need some kind of 'reverse-proxy' to do this type of thing
 (maybe pound, tinyproxy 1.70, or squid in accelerator-mode). It would
 run on either the PF box or another box that you rdr to.

httpd with mod_proxy enabled does this just fine for http; https is
problematic...

-- 
Mark C. Prins
Spatial Fusion Specialist / Network Specialist
SkypeMe@ callto:mark.prins-caris.nl













Re: missing: ./etc/acpi (missing instructions in following-current on i386)

2005-07-27 Thread b h
--- b h [EMAIL PROTECTED] wrote:

 Date: Mon, 25 Jul 2005 07:30:52 -0700 (PDT)
 From: b h [EMAIL PROTECTED]
 Subject: Re: missing: ./etc/acpi
 To: Stuart Henderson [EMAIL PROTECTED],
 misc@openbsd.org
 
 --- Stuart Henderson [EMAIL PROTECTED] wrote:
  --On 24 July 2005 14:25 -0700, b h wrote:
  
   Checking special files and directories.
   Output format is:
   filename:
   criteria (shouldbe, reallyis)
   missing: ./etc/acpi
  
  Check you have updated /etc/mtree files from
  /usr/src/etc and have run 
  mtree (right near the end of 
  http://www.openbsd.org/faq/upgrade37.html).
  
  Since you have a file in /dev on one machine and
 not
  the other, also 
  check you have run MAKEDEV.
  
 
 I took your suggestions and ran both the mtree and MAKEDEV lines on
 both machines, and rebooted, and still, only one has the acpi device.
 
 Secondly, I am also very diligent at running the "cd /usr/src/etc &&
 env DESTDIR=/ make distrib-dirs" line during every upgrade.
 
 And lastly, the machine that has the device node (but also gives me
 the error) was installed fresh (reformatted) from a snapshot on or
 around June 8, and -following-current (post 3.7 instructions) does
 not mention anything about devices or updates regarding acpi to /etc
 for i386.
 
 So, for the other machine that is missing the /dev/acpi... I had
 installed from a snap (reformatted) I think in the middle of 3.6 and
 3.7, and I thought I also was very diligent with my upgrading, keeping
 current within a week or so, doing all the -following-current
 instructions etc. For good measure, this morning I copied over the
 mtree from etc3.7.tgz and ran it. Then upgraded all my src via cvs
 again (updates since yesterday), and reran all the steps, making
 GENERIC, make obj, make build, that make distrib-dirs line, etc (and
 like I said earlier, I had run MAKEDEV). The whole deal, and still,
 no acpi device.
 
 So, both machines work perfectly (even though I am getting that
 insecurity mail about "missing"), but it bothers me I don't know
 which machine is currently in the proper state, whether that device
 should actually be there or not.
 
 Any other ideas?
 
 thanks
 b

I still get the "missing" file in my daily report every day. I looked
on the cvsweb, and I can't find (unless I'm using it wrong) any mention
of an /etc/acpi file or directory at all! Where would this message have
come from? But besides that prob...

On my other machine, expanding out base3.7 from release and copying
MAKEDEV over to /dev and running "MAKEDEV all" does not create the acpi
device... however, copying over the one from the most recent snapshot
does.

So, following the normal src compile instructions (as referenced here:
http://www.openbsd.org/faq/faq5.html#Bld, especially the line that says
"If building -current: Update /dev and /etc, with the changes listed in
current.html.")

However, looking at http://www.openbsd.org/faq/current.html, there is
no mention of the new dev.

I can only assume that something is missing. Is there more missing from
this file (especially since I receive the "missing ./etc/acpi" error)?

thanks
b







isakmpd failing from rc.conf

2005-07-27 Thread Steve Murdoch

Hi all,

I have a 3.6 release macppc with ipsec patches applied and a 3.7 release 
sparc64 connected via ipsec.


This has been forced into a production environment so I can't carry out 
full tests until the weekend.


Everything works perfectly without issue, but only if I start isakmpd as 
the last step of rc.local.


If I start it from rc.conf the tunnel does not get established.

As mentioned full testing has not been carried out but if the answer to 
this is obvious I would appreciate some feedback.



Steve



Re: Create my own shell? SOLVED

2005-07-27 Thread Alexander Farber
Yes, maybe you're right. I've tried sneaking past

if read line  (a backslash newline would make it take more lines)

and

set -- $line  (tried semicolons, redirections and backticks)

and

 if match=`grep ^$1$ $HOSTS` ; then
  ssh $match

( . would match a buildhost )

and

echo Unknown command or host: $line.   ( tried \characters )

But didn't manage to break it :-) Yet!!

Regards
Alex
  

2005/7/27, chaton [EMAIL PROTECTED]:
 On Wed, 27 Jul 2005 15:46:00 +0200
 Alexander Farber [EMAIL PROTECTED] wrote:
 
  Or if a user presses ctrl-C before the trap command is executed?
 
  2005/7/27, Alexander Farber [EMAIL PROTECTED]:
   :-) What about ctrl-Z, does that secure gateway menu script ignore that 
   too?
  
    2005/7/27, Abel Talaverón Estevez [EMAIL PROTECTED]:
http://mongers.org/gw_menu
 
 
 Mmh ...
 Instead of being a smartmouth, you should think a little about what would
 really happen and not make assumptions based on nothing.
 
 let's make the assumption that trap was not even called. If a user presses
 ctrl-c the script will exit, closing the user's session. What did you
 expect it to do ? Spawn a shell from nothing ?
 
 -- chaton@
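A dispatcher that closes the holes Alexander tried above (backslash-newline continuation in read, ';' and backticks in the line, '.' matching in grep, escape characters in the echoed error) and handles the ctrl-C/ctrl-Z question from earlier in the thread. This is an added example, not the gw_menu script itself; the command names, MENU_BIN path and prompt are constructed.

```shell
#!/bin/sh
# Added example, not the gw_menu script from mongers.org: a restricted menu
# dispatcher for a captive login shell. The allowlisted names and MENU_BIN
# are constructed for illustration.

MENU_BIN=${MENU_BIN:-/home/console/bin}         # assumed: commands run by absolute path, PATH and '.' play no part
MENU_CMDS="CPing.sh CTraceroute.sh CLogout.sh"   # constructed allowlist

# menu_parse LINE: print LINE unchanged if it is one clean token made only of
# letters, digits, '.', '_' and '-'; print nothing and fail otherwise. The
# pattern rejects whitespace, ';', '|', '&', '$', '`', '\', quotes and
# newlines, so no later word splitting or expansion can turn the line into
# more than a single name (the original's "set -- $line" is never needed).
menu_parse() {
    case $1 in
        "")                 return 1 ;;
        *[!A-Za-z0-9._-]*)  return 1 ;;
    esac
    printf '%s\n' "$1"
}

# menu_validate NAME: succeed only if NAME equals an allowlisted entry. This
# is an exact string comparison rather than grep "^$1$", so '.' or other
# regex characters in NAME match nothing.
menu_validate() {
    for _c in $MENU_CMDS; do
        [ "$1" = "$_c" ] && return 0
    done
    return 1
}

# menu_dispatch LINE: run the allowlisted command by absolute path. Returns 2
# when the line is rejected, otherwise the command's own exit status.
menu_dispatch() {
    _cmd=$(menu_parse "$1") || return 2
    menu_validate "$_cmd" || return 2
    "$MENU_BIN/$_cmd"
}

# menu_loop: the interactive part. INT (^C), QUIT (^\) and TSTP (^Z) are
# ignored before the first read, so none of them drops the user out of the
# menu or suspends it; globbing is off; "read -r" keeps a trailing backslash
# literal instead of joining the next line; and the rejection message never
# echoes the input back, so escape sequences in it go nowhere. EOF (^D) ends
# the session, and there is no shell underneath to fall through to.
menu_loop() {
    trap '' INT QUIT TSTP
    set -f
    while printf 'FireWired> '; IFS= read -r line; do
        [ -z "$line" ] && continue
        menu_dispatch "$line"
        [ $? -eq 2 ] && echo "Unknown command or host (rejected)." >&2
    done
}
```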



Re: Create my own shell? SOLVED

2005-07-27 Thread chaton
On Wed, 27 Jul 2005 16:27:32 +0200
Abel Talaverón Estevez [EMAIL PROTECTED] wrote:

 With Ctrl-c the shell doesn't finish.
 
 The shell file is showed here:
 
 [...]


That was my point.



Re: Recommended (P)ATA-Controller for Raidframe

2005-07-27 Thread Edd Barrett
 The raid will use 3 or 4 identical harddrives.

Is that mirrored? If so, here's a gotcha:

http://www.openbsd.org/cgi-bin/man.cgi?query=raidctl&sektion=8

Note as well that RAID 1 sets are currently limited to only
2 components.  At present, n-way mirroring is not possible.

However, I think with multiple layered mirroring, what you want is possible.

As Stuart has pointed out, upgrading that will not be as easy as it
would be with hw raid.

Hope that saves you some time and frustration.

regards

Edd



Re: missing: ./etc/acpi (missing instructions in following-current on i386)

2005-07-27 Thread Ulrich Kahl

b h schrieb:

--- b h [EMAIL PROTECTED] wrote:



Date: Mon, 25 Jul 2005 07:30:52 -0700 (PDT)
From: b h [EMAIL PROTECTED]
Subject: Re: missing: ./etc/acpi
To: Stuart Henderson [EMAIL PROTECTED],
misc@openbsd.org

--- Stuart Henderson [EMAIL PROTECTED] wrote:


--On 24 July 2005 14:25 -0700, b h wrote:



Checking special files and directories.
Output format is:
   filename:
   criteria (shouldbe, reallyis)
missing: ./etc/acpi

[...]

It was removed.

See http://marc.theaimsgroup.com/?l=openbsd-cvs&m=111783772926051&w=2
and http://www.openbsd.org/cgi-bin/cvsweb/src/etc/mtree/4.4BSD.dist



Re: Phase 2 problem between isakmpd and Netscreen

2005-07-27 Thread Michael Favinsky
Sean,

Take a look at http://www.vpnc.org/.

They perform all sorts of VPN device interoperability tests, using OpenBSD
as the common denominator. They have info on how to set up your Netscreen
box to make it work with OpenBSD. 

-Original Message-
From: Sean Knox [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, July 27, 2005 2:50 AM
To: Hans-Joerg Hoexer
Cc: misc
Subject: Re: Phase 2 problem between isakmpd and Netscreen

On Wed, 27 Jul 2005, Hans-Joerg Hoexer wrote:

 Hi,

 this worked with an older isakmpd version?  Is this netscreen box some 
 kind of appliance or just some windows software?

Nope, I've not been able to get isakmpd and the netscreen to finish phase 2.
Sorry I wasn't clearer about the type of netscreen...it's a Juniper
Netscreen ISG2000. It's a 4u (I think) appliance that runs ScreenOS,
Juniper's firewall OS. AFAIK, it runs an industry standard IPSec
implementation. Datasheet/marketing fluff pdf here:
http://www.juniper.net/products/integrated/dsheet/110036.pdf


 The general problem is, I can only test interoperatibility with open 
 source vpn solutions on standard hareware.  If people need to rely on 
 interoperability with appliance X and Windows client Y and MacOS 
 client Z, I need this kind of hardware/software.

I understand completely. While I'd love to donate an ISG2000 without serving
time in prison or going bankrupt, at the moment all I can do is test. As the
smaller netscreen models also run the same OS, I'd imagine it'd be possible
to debug with one of those. As mentioned, if my isakmpd logs/pcaps are
possibly useful toward a fix, let me know. I'll continue banging away at
this in the meantime (and possibly bugging Juniper for more info).

sk


 On Wed, Jul 27, 2005 at 01:35:34AM -0700, Sean Knox wrote:
  (posted a similar message originally on the IPSec list; thought I'd 
  post here too)
 
  Hey all-
 
  I almost have a working VPN between isakmpd and a Netscreen box-- 
  things fail at phase 2 as the peers enter quick mode.
 
  64.81.74.226 = isakmpd
  206.14.210.146 = netscreen
 
  00:28:11.947907 64.81.74.226.500 > 206.14.210.146.500:  [udp sum ok] 
  isakmp v1.0 exchange QUICK_MODE
  cookie: eb114e8223bc0965-3aac9200ac79d919 msgid: 9e7ccdd5 len: 284
  payload: HASH len: 24
  payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
  payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP spisz: 4
  xforms: 1 SPI: 0xadfa06f3
  payload: TRANSFORM len: 32
  transform: 1 ID: AES
  attribute LIFE_TYPE = SECONDS
  attribute LIFE_DURATION = 1200
  attribute ENCAPSULATION_MODE = TUNNEL
  attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
  attribute GROUP_DESCRIPTION = 2
  attribute KEY_LENGTH = 128
  payload: NONCE len: 20
  payload: KEY_EXCH len: 132
  payload: ID len: 12 type: IPV4_ADDR = 64.81.74.226
  payload: ID len: 12 type: IPV4_ADDR = 130.94.4.65 [ttl 0] (id 1, len
  312)
  00:28:12.138720 206.14.210.146.500 > 64.81.74.226.500:  [udp sum ok] 
  isakmp v1.0 exchange QUICK_MODE
  cookie: eb114e8223bc0965-3aac9200ac79d919 msgid: 9e7ccdd5 len: 300
  payload: HASH len: 24
  payload: SA len: 60 DOI: 1(IPSEC) situation: IDENTITY_ONLY
  payload: PROPOSAL len: 48 proposal: 1 proto: IPSEC_ESP spisz: 4
  xforms: 1 SPI: 0x0502a8eb
  payload: TRANSFORM len: 36
  transform: 1 ID: AES
  attribute LIFE_TYPE = SECONDS
  attribute LIFE_DURATION = 04b0
  attribute ENCAPSULATION_MODE = TUNNEL
  attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
  attribute GROUP_DESCRIPTION = 2
  attribute KEY_LENGTH = 128
  payload: NONCE len: 24
  payload: KEY_EXCH len: 132
  payload: ID len: 12 type: IPV4_ADDR = 64.81.74.226
  payload: ID len: 12 type: IPV4_ADDR = 130.94.4.65 [ttl 0] (id 1, len
  328)
  00:28:15.838995 206.14.210.146.500 > 64.81.74.226.500:  [udp sum ok] 
  isakmp v1.0 exchange QUICK_MODE
  cookie: eb114e8223bc0965-3aac9200ac79d919 msgid: 9e7ccdd5 len: 300
  payload: HASH len: 24
  payload: SA len: 60 DOI: 1(IPSEC) situation: IDENTITY_ONLY
  payload: PROPOSAL len: 48 proposal: 1 proto: IPSEC_ESP spisz: 4
  xforms: 1 SPI: 0x0502a8eb
  payload: TRANSFORM len: 36
  transform: 1 ID: AES
  attribute LIFE_TYPE = SECONDS
  attribute LIFE_DURATION = 04b0
  attribute ENCAPSULATION_MODE = TUNNEL
  attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
  attribute GROUP_DESCRIPTION = 2
  attribute KEY_LENGTH = 128
  payload: NONCE len: 24
  payload: KEY_EXCH len: 132
  payload: ID len: 12 type: IPV4_ADDR = 64.81.74.226
  payload: ID len: 12 type: 

Unsubscription Confirmation

2005-07-27 Thread Subscriber Services
Thank you for subscribing. You have now unsubscribed and no more messages will 
be sent.



Re: missing: ./etc/acpi (missing instructions in following-current on i386)

2005-07-27 Thread b h
--- Ulrich Kahl [EMAIL PROTECTED] wrote:
b h schrieb:
 --- b h [EMAIL PROTECTED] wrote:


Date: Mon, 25 Jul 2005 07:30:52 -0700 (PDT)
From: b h [EMAIL PROTECTED]
Subject: Re: missing: ./etc/acpi
To: Stuart Henderson [EMAIL PROTECTED],
misc@openbsd.org

--- Stuart Henderson [EMAIL PROTECTED] wrote:

--On 24 July 2005 14:25 -0700, b h wrote:


Checking special files and directories.
Output format is:
filename:
criteria (shouldbe, reallyis)
missing: ./etc/acpi
[...]

It was removed.

See
http://marc.theaimsgroup.com/?l=openbsd-cvs&m=111783772926051&w=2
and
http://www.openbsd.org/cgi-bin/cvsweb/src/etc/mtree/4.4BSD.dist

Hi Ulrich

thanks for the answer.  Actually, I remember
originally seeing that msg now that I was reminded. 
D'oh.  However, why is my daily insecurity script
still complaining about it on my one machine - how does
that problem still occur after following the
documented upgrade procedure?  In other words, what did
I miss updating that will prevent the daily script
from complaining about /etc/acpi?

and secondly, I still believe there are instructions
missing on the following-current page about adding
that device node.

thanks
b



suggested /etc/skel/ modifications

2005-07-27 Thread Dave Feustel
1) add the line
umask 077 
to .profile

2)add the file .kshrc containing at least the line
set -o vi


Also modify adduser so that the home directory
permissions of new users are set to drwx------ 
instead of drwxr-xr-x



restore: Tape block size problem?

2005-07-27 Thread Daniel Hamlin
I am attempting to perform and verify a backup on a server, per the 
instructions in the FAQ, but am getting this error:


restore: Tape block size (32758) is not a multiple of dump block size (1024)

Is there something I'm doing wrong or is this a hardware problem?  This 
is the first backup attempt for this server, and the hardware is donated.


Dan Hamlin


# mount
/dev/sd0a on / type ffs (local, softdep)
/dev/sd0i on /home type ffs (local, nodev, nosuid, softdep)
/dev/sd0d on /usr type ffs (local, nodev, softdep)
/dev/sd1a on /usr/local/samba/share type ffs (local, nodev, softdep)
/dev/sd0e on /var type ffs (local, nodev, nosuid, softdep)
/dev/sd0f on /var/log type ffs (local, nodev, nosuid, softdep)
/dev/sd0g on /var/spool type ffs (local, nodev, nosuid, softdep)
/dev/sd0h on /var/www type ffs (local, nodev, nosuid, softdep)
# dump -0au -f /dev/rst0 /dev/rsd1a
 DUMP: Date of this level 0 dump: Wed Jul 27 10:13:35 2005
 DUMP: Date of last level 0 dump: the epoch
 DUMP: Dumping /dev/rsd1a (/usr/local/samba/share) to /dev/rst0
 DUMP: mapping (Pass I) [regular files]
 DUMP: mapping (Pass II) [directories]
 DUMP: estimated 1647628 tape blocks.
 DUMP: Volume 1 started at: Wed Jul 27 10:13:42 2005
 DUMP: dumping (Pass III) [directories]
 DUMP: dumping (Pass IV) [regular files]
 DUMP: 7.61% done, finished in 1:00
 DUMP: 15.45% done, finished in 0:54
 DUMP: 23.23% done, finished in 0:49
 DUMP: 31.05% done, finished in 0:44
 DUMP: 39.10% done, finished in 0:38
 DUMP: 48.17% done, finished in 0:32
 DUMP: 57.22% done, finished in 0:26
 DUMP: 66.36% done, finished in 0:20
 DUMP: 75.06% done, finished in 0:14
 DUMP: 83.40% done, finished in 0:09
 DUMP: 91.80% done, finished in 0:04
 DUMP: 1651755 tape blocks on 1 volume
 DUMP: Volume 1 completed at: Wed Jul 27 11:13:18 2005
 DUMP: Volume 1 took 0:59:36
 DUMP: Volume 1 transfer rate: 461 KB/s
 DUMP: Date of this level 0 dump: Wed Jul 27 10:13:35 2005
 DUMP: Date this dump completed:  Wed Jul 27 11:13:18 2005
 DUMP: Average transfer rate: 461 KB/s
 DUMP: level 0 dump on Wed Jul 27 10:13:35 2005
 DUMP: Closing /dev/rst0
 DUMP: DUMP IS DONE
# restore -tvs 1  -f /dev/rst0
Verify tape and initialize maps
restore: Tape block size (32758) is not a multiple of dump block size (1024)
#

OpenBSD 3.6 (GENERIC) #59: Fri Sep 17 12:32:57 MDT 2004
   [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III (GenuineIntel 686-class, 512KB L2 cache) 499 MHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE

real mem  = 133783552 (130648K)
avail mem = 115458048 (112752K)
using 1658 buffers containing 6791168 bytes (6632K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 07/14/99, BIOS32 rev. 0 @ 0xf
pcibios0 at bios0: rev 2.1 @ 0xf/0x2000
pcibios0: PCI BIOS has 9 Interrupt Routing table entries
pcibios0: PCI Interrupt Router at 000:20:0 (Intel 82371AB PIIX4 ISA 
rev 0x00)

pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x800 0xe8000/0x6000! 
0xee000/0x2000!

cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82443BX rev 0x03
siop0 at pci0 dev 6 function 0 Symbios Logic 53c875 rev 0x14: irq 5, 
using 4K of on-board RAM

scsibus0 at siop0: 16 targets
sd0 at scsibus0 targ 0 lun 0: COMPAQ, BB00921B91, 3B05 SCSI2 0/direct 
fixed

sd0: 8678MB, 5273 cyl, 20 head, 168 sec, 512 bytes/sec, 17773524 sec total
sd1 at scsibus0 targ 1 lun 0: COMPAQ, BB00921B91, 3B05 SCSI2 0/direct 
fixed

sd1: 8678MB, 5273 cyl, 20 head, 168 sec, 512 bytes/sec, 17773524 sec total
siop1 at pci0 dev 6 function 1 Symbios Logic 53c875 rev 0x14: irq 9, 
using 4K of on-board RAM

scsibus1 at siop1: 16 targets
tl0 at pci0 dev 7 function 0 Compaq ProLiant Netelligent 10/100 TX rev 
0x10: irq 10 address 00:50:8b

:a2:5a:25
lxtphy0 at tl0 phy 1: LXT970 10/100 media interface, rev. 3
ukphy0 at tl0 phy 31: Generic IEEE 802.3u media interface
ukphy0: OUI 0x100014, model 0x0001, rev. 5
vga1 at pci0 dev 8 function 0 ATI Mach64 GV rev 0x7a
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
Compaq Netelligent ASMC rev 0x00 at pci0 dev 9 function 0 not configured
ppb0 at pci0 dev 10 function 0 DEC 21152 PCI-PCI rev 0x03
pci1 at ppb0 bus 1
ahc1 at pci1 dev 8 function 0 Adaptec AHA-2940U rev 0x00: irq 11
scsibus2 at ahc1: 8 targets
st0 at scsibus2 targ 6 lun 0: HP, C1533A, A708 SCSI2 1/sequential 
removable

st0: density code 0x13, 512-byte blocks, write-enabled
pcib0 at pci0 dev 20 function 0 Intel 82371AB PIIX4 ISA rev 0x02
pciide0 at pci0 dev 20 function 1 Intel 82371AB IDE rev 0x01: DMA, 
channel 0 wired to compatibility,

channel 1 wired to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus3 at atapiscsi0: 2 targets
cd0 at scsibus3 targ 0 lun 0: COMPAQ, CDR-8435, 0013 SCSI0 5/cdrom 
removable

cd0(pciide0:0:0): using PIO mode 4, DMA mode 2
pciide0: channel 1 ignored (disabled)
uhci0 at pci0 

Re: openbsd rpc/xdr

2005-07-27 Thread Stephen Marley
On Wed, Jul 27, 2005 at 10:55:51AM -0300, Gustavo Rios wrote:
 I did not meant alternatives to RPC approach? i mean alternatives to
 the standard implementation code of rpc.
 
 I don't feel like considering (as you self said) garbage like corba,
 rx, rxml-rpc
 
 I am considering rpc/xdr but a different code implementation.

There are several layers of API to ONC RPC. I suggest you read a book
like the O'Reilly kangaroo book, "Power Programming with RPC". Sun
Microsystems gave away the RPC code, so I'd guess most implementations
are based on their code.

-- 
stephen



Re: openbsd rpc/xdr

2005-07-27 Thread Gustavo Rios
Thanks Stephen.

On 7/27/05, Stephen Marley [EMAIL PROTECTED] wrote:
 On Wed, Jul 27, 2005 at 10:55:51AM -0300, Gustavo Rios wrote:
  I did not meant alternatives to RPC approach? i mean alternatives to
  the standard implementation code of rpc.
 
  I don't feel like considering (as you self said) garbage like corba,
  rx, rxml-rpc
 
  I am considering rpc/xdr but a different code implementation.
 
 There are several layers of api to ONC RPC. I suggest you read a book
 like the O'Reilly kangaroo book, Power programming with RPC. Sun
 Microsystems gave away the rpc code, so I'd guess most implementations
 are based on their code.
 
 --
 stephen



Re: restore: Tape block size problem?

2005-07-27 Thread Otto Moerbeek
On Wed, 27 Jul 2005, Daniel Hamlin wrote:

 I am attempting to perform and verify a backup on a server, per the
 instructions in the FAQ, but am getting this error:
 
 restore: Tape block size (32758) is not a multiple of dump block size (1024)
 
 Is there something I'm doing wrong or is this a hardware problem?  This is the
 first backup attempt for this server, and the hardware is donated.
 
 Dan Hamlin

Fixed in 3.6-stable, a patch is available. Please read
http://www.openbsd.org/errata.html before reporting a problem.

-Otto


 
 

Re: suggested /etc/skel/ modifications

2005-07-27 Thread jimmy
Quoting Dave Feustel [EMAIL PROTECTED]:

 1) add the line
 umask 077
 to .profile

 2)add the file .kshrc containing at least the line
 set -o vi


 Also modify adduser so that the home directory
 permissions of new users are set to drwx--
 instead of drwxr-xr-x



I agree with including a configurable solution for #3.

#1 however would break a lot of software installations etc.
#2 would also be subject to personal preference imho.



This message has been sent through ihosting.be
To report spamming or other unaccepted behavior
by a iHosting customer, please send a message 
to [EMAIL PROTECTED]




Re: missing: ./etc/acpi (missing instructions in following-current on i386)

2005-07-27 Thread Stuart Henderson

--On 27 July 2005 10:03 -0700, b h wrote:


   However, why is my daily insecurity script
still complaining about it on my one machine - how could
that problem still occur after following the
documented upgrade procedure?  In other words, what did
I miss updating that will prevent the daily script
from complaining about /etc/acpi?


I wrote on 25 July:
... Check you have updated /etc/mtree files from /usr/src/etc and ...



IMAP ssl problems

2005-07-27 Thread stupidmail4me
I've installed the UW-IMAP package and placed the
correct start up lines in /etc/inetd.conf. I've gotten
this package to work correctly on past installations.

Whenever I try to connect using IMAP, I get the
following error:
Unable to load certificate from
/etc/ssl/certs/imapd.pem.

That's because that's not where that certificate is,
as per the instructions it's in /etc/ssl/imapd.pem.
Did the package change where to place the certs
without updating the documentation?

My sendmail installation is using TLS and that's where
my confCACERT_PATH/etc. variables point to. IMAP
doesn't read any of these from sendmail, does it?

-James
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 



Re: missing: ./etc/acpi (missing instructions in following-current on i386)

2005-07-27 Thread Ulrich Kahl

b h schrieb:

--- Ulrich Kahl [EMAIL PROTECTED] wrote:
b h schrieb:


--- b h [EMAIL PROTECTED] wrote:




Date: Mon, 25 Jul 2005 07:30:52 -0700 (PDT)
From: b h [EMAIL PROTECTED]
Subject: Re: missing: ./etc/acpi
To: Stuart Henderson [EMAIL PROTECTED],
misc@openbsd.org

--- Stuart Henderson [EMAIL PROTECTED] wrote:



--On 24 July 2005 14:25 -0700, b h wrote:




Checking special files and directories.
Output format is:
  filename:
  criteria (shouldbe, reallyis)
missing: ./etc/acpi


[...]

It was removed.

See
http://marc.theaimsgroup.com/?l=openbsd-cvs&m=111783772926051&w=2
and
http://www.openbsd.org/cgi-bin/cvsweb/src/etc/mtree/4.4BSD.dist



Hi Ulrich

thanks for the answer.  Actually, I remember
originally seeing that msg now that I was reminded. 
D'oh.  However, why is my daily insecurity script

still complaining about it on my one machine - how could
that problem still occur after following the
documented upgrade procedure?  In other words, what did
I miss updating that will prevent the daily script
from complaining about /etc/acpi?

and secondly, I still believe there are instructions
missing on the following-current page about adding
that device node.

thanks
b


Strange, maybe sysutils/mergemaster will help. I always update my system 
(/etc, ...) this way.


Regards,

Ulrich



Re: To secure WiFi networks

2005-07-27 Thread Bob Beck
authpf and a decent ruleset. 

use a central box and tunnel it back.

redirect all unauthenticated http traffic to a website showing
them what to do to get authenticated.

see http://www.ualberta.ca/CNS/wireless/ for a description of what
we use here. 




* Johan P. Lindström [EMAIL PROTECTED] [2005-07-16 10:48]:
 Thanks for all the replies, I see now that I should explain myself further.
  The scenario I am thinking of is when you run a public WiFi access point at
 let's say a campus with many new visitors from different organisations and
 you don't want to start messing around with WAP, WEP, IPSec, PPP or L2TP,
 having staff/manuals to help visitors setting up tunnels on their Windows XP
 / 2000 laptops is just not feasible. I am after a zero configuration
 solution for just the HTTP traffic, and if the sites browsed does not
 support https then there is little I can do on my end.
 
 
  On 7/15/05, Nick Holland [EMAIL PROTECTED] wrote:
 
  On Fri, Jul 15, 2005 at 06:03:01PM +0200, Johan P. Lindström wrote:
  ...
   I'm not too familiar with the inner workings of the needed technologies
   (sometimes a pro, often a con) but what if one would use a https proxy, like
   say squid with SSL/TLS support, to obfuscate the http traffic leaving your
   laptop over the WiFi LAN to your local OpenBSD box that runs the proxy, that
   would then with some magic serve you the pages. So that http traffic could
   not be intercepted on the open WiFi network.
  ...
 
  Before you worry about this too much...
 
  IF you are worried about people packet sniffing your wireless
  connection, you should probably be running some kind of encryption on
  the traffic already, wireless or not. What's the point of encrypting
  from your laptop to the firewall, if it is then sent plain-text to the
  remote end over the common cable that many of your neighbors are also
  attached to.
 
  By this point in time, any communications over the internet which should
  not be sniffed should be encrypted end-to-end.
 
  That was a specific answer to a specific question.
  the above reply is not meant to imply wireless security issues don't
  matter. IF the question is, How do I keep people out of my wireless
  network, or how do I keep them from sniffing internal traffic in my
  network, my answer would be very different...but that wasn't the
  question.
 
  Nick.
 

-- 
Bob Beck   Computing and Network Services
[EMAIL PROTECTED]   University of Alberta
True Evil hides its real intentions in its street address.
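One way to realise the ruleset Bob sketches on a single OpenBSD 3.6/3.7 gateway, as an added example (it is not the University of Alberta's configuration and not from the original post). Interface names, the 192.168.100.0/24 wireless segment and the portal address are constructed, and the "central box, tunnel it back" part is left out: this is the one-box form.

```pf
# /etc/pf.conf (constructed example, OpenBSD 3.6/3.7 pf syntax)
ext_if  = "fxp0"           # wired uplink (assumed name)
wifi_if = "wi0"            # open wireless segment (assumed name)
portal  = "192.168.100.1"  # gateway's own address on that segment; it runs the
                           # "how to log in" web page, a resolver and sshd

# authpf(8) adds a user's address to this table when they log in over ssh and
# removes it again when the session ends.
table <authpf_users> persist

scrub in all

# Translation rules are first-match. Web requests from addresses NOT yet in the
# table are steered to the portal page (the web server there must answer for
# any Host header); authenticated users fall through untouched.
rdr on $wifi_if inet proto tcp from !<authpf_users> to any port www -> $portal port www
nat on $ext_if inet from $wifi_if:network to any -> ($ext_if)

# authpf loads the per-user rules from /etc/authpf/authpf.rules into these anchors.
nat-anchor   "authpf/*"
rdr-anchor   "authpf/*"
binat-anchor "authpf/*"
anchor       "authpf/*"

# Default deny: until someone authenticates, the wireless segment only reaches
# the gateway itself, and only for the handful of services below.
block all
pass quick on lo0 all

# Unauthenticated clients still need an address and name resolution, or the
# browser never gets as far as the redirect. DNS is restricted to the gateway's
# own resolver so the open segment cannot be used to reach arbitrary hosts.
pass in quick on $wifi_if inet proto udp from any port bootpc to any port bootps
pass in quick on $wifi_if inet proto udp from $wifi_if:network to $portal port domain keep state

# The portal page (target of the rdr above) and the ssh login that starts authpf.
pass in quick on $wifi_if inet proto tcp from $wifi_if:network to $portal port { www, ssh } flags S/SA keep state

# Replies from the gateway's own services, and forwarded traffic that the
# per-user anchor rules let in, may leave on either interface.
pass out on $wifi_if all keep state
pass out on $ext_if all keep state
```

The matching /etc/authpf/authpf.rules then needs only `wifi_if = "wi0"` and `pass in quick on $wifi_if from $user_ip to any keep state`; authpf substitutes `$user_ip` with the logged-in client's address. Users must have authpf as their login shell for the ssh login to load those rules.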



Re: Writes to samba server very, very slow (SOLVED)

2005-07-27 Thread Bob Beck
Try disabling apm.

# config -e -o /nbsd /bsd
ukc> disable apm
252 apm0 disabled
ukc> quit
# cp /bsd /obsd
# mv /nbsd /bsd
# reboot

If that speeds it up you have the hlt hlt issue. it's fixed in 
current and stable

-Bob


* Gary Clemans-Gibbon [EMAIL PROTECTED] [2005-07-22 18:14]:
 Gary Clemans-Gibbon wrote:
 Hi All,
 
 I just built a OpenBSD 3.7 samba file server for my home lan. It's a P3
 500, 128mb RAM, with a 2 gig IDE HDD for the OS and two x Maxtor 200 GB 
 IDE drives for data.
 
 Everything is working fine except that when I copy files to the box from
 a Windows XP box the transfers are very slow, like 9 minutes for a 48 Mb
 file. Copying the same file back to the win box is quick - a couple of 
 seconds as you'd expect.
 
 Please forgive me if I don't provide all the needed info here or if I 
 didn't run any obvious checks. Please indicate what info is needed and 
 how to get it and I'll repost it.
 
 This same hardware was previously running RH7.3 with samba and worked 
 fine. I've tried a different ethernet cable and a different port on my 
 switch too.
 
 many thanks in advance,
 Gary
 
 Here is /etc/samba/smb.conf global section..
 
 [global]
 workgroup = myworkgroup
 server string = My Samba Server
 hosts allow = 192.168.20. 127.0.0.1
 log file = /var/log/smbd.%m
 security = user
 socket options = TCP_NODELAY IPTOS_LOWDELAY
 read raw = yes
 write raw = yes
 
 Here is dmesg
 
 OpenBSD 3.7 (GENERIC) #50: Sun Mar 20 00:01:57 MST 2005
 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
 cpu0: Intel Pentium III (GenuineIntel 686-class, 512KB L2 cache) 501 MHz
 cpu0: 
 FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,SER,MMX,FXSR,SSE
  
 
 cpu0: disabling processor serial number
 real mem  = 133787648 (130652K)
 avail mem = 115580928 (112872K)
 using 1658 buffers containing 6791168 bytes (6632K) of memory
 mainbus0 (root)
 bios0 at mainbus0: AT/286+(06) BIOS, date 03/03/00, BIOS32 rev. 0 @ 0xf0520
 apm0 at bios0: Power Management spec V1.2 (BIOS mgmt disabled)
 apm0: APM power management enable: unrecognized device ID (9)
 apm0: APM engage (device 1): power management disabled (1)
 apm0: AC on, battery charge unknown
 pcibios0 at bios0: rev 2.1 @ 0xf/0xd92
 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf0d10/128 (6 entries)
 pcibios0: PCI Interrupt Router at 000:04:0 (Intel 82371FB ISA rev 0x00)
 pcibios0: PCI bus #1 is the last bus
 bios0: ROM list: 0xc/0x8000
 cpu0 at mainbus0
 pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
 pchb0 at pci0 dev 0 function 0 Intel 82443BX AGP rev 0x03
 ppb0 at pci0 dev 1 function 0 Intel 82443BX AGP rev 0x03
 pci1 at ppb0 bus 1
 vga1 at pci1 dev 0 function 0 Nvidia Riva TNT rev 0x04
 wsdisplay0 at vga1: console (80x25, vt100 emulation)
 wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
 pcib0 at pci0 dev 4 function 0 Intel 82371AB PIIX4 ISA rev 0x02
 pciide0 at pci0 dev 4 function 1 Intel 82371AB IDE rev 0x01: DMA, 
 channel 0 wired to compatibility, channel 1 wired to compatibility
 wd0 at pciide0 channel 0 drive 0: Seagate Technology 1080MB - ST31082A
 wd0: 16-sector PIO, LBA, 1032MB, 2114180 sectors
 wd1 at pciide0 channel 0 drive 1: Maxtor 6B200P0
 wd1: 16-sector PIO, LBA48, 194481MB, 398297088 sectors
 wd0(pciide0:0:0): using PIO mode 4, DMA mode 2
 wd1(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 2
 wd2 at pciide0 channel 1 drive 0: Maxtor 6Y200P0
 wd2: 16-sector PIO, LBA48, 194481MB, 398297088 sectors
 atapiscsi0 at pciide0 channel 1 drive 1
 scsibus0 at atapiscsi0: 2 targets
 cd0 at scsibus0 targ 0 lun 0: , 52X24X52 CD-RW, 1.07 SCSI0 5/cdrom 
 removable
 wd2(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
 cd0(pciide0:1:1): using PIO mode 4, Ultra-DMA mode 2
 uhci0 at pci0 dev 4 function 2 Intel 82371AB USB rev 0x01: irq 9
 usb0 at uhci0: USB revision 

Re: spamd greylisting, masking on /24

2005-07-27 Thread Bob Beck
You really do not need to do this in spamd. Do it in pf.
i.e:

table <nospamd> persist file "/etc/mail/nogreylist"
...
no rdr on $ext_if proto tcp from <nospamd> to $mailserver port smtp


* Stuart Henderson [EMAIL PROTECTED] [2005-07-26 04:23]:
 I seem to remember seeing a patch to spamd that makes greylisting only 
 look at the first /24 of the address, but I can't find it after fairly 
 extensive searching with google/marc. Does anyone have a copy they 
 could point me at?
 
 The whitelists on puremagic.com (on which greylisting.org's lists are 
 based) don't list networks with a common spool unless more than a /24 
 is involved (there are some /24 listed with other factors requiring 
 whitelisting, e.g. unique sender addresses per delivery attempt).
 

-- 
Bob Beck   Computing and Network Services
[EMAIL PROTECTED]   University of Alberta
True Evil hides its real intentions in its street address.
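The translation section those two lines belong in, as an added example (not Bob's configuration and not from the original post); the uplink name, the mail server address and the sample network in the comment are constructed. The detail worth checking is rule order: pf evaluates nat and rdr rules first-match, so the `no rdr` exception has to sit above the spamd redirect.

```pf
# /etc/pf.conf translation section (constructed example, OpenBSD 3.7 pf syntax)
ext_if     = "fxp0"        # assumed uplink name
mailserver = "192.0.2.25"  # assumed address of the real MTA behind the gateway

# <spamd> is filled by spamd-setup(8) from the configured blacklists,
# <spamd-white> by spamd(8) itself once a greylisted sender has retried.
table <spamd>       persist
table <spamd-white> persist

# Hand-maintained exceptions, one address or CIDR network per line, e.g.
#   192.0.2.0/24    # constructed example: a provider whose MTAs share a spool
# Listing the whole /24 here gives the "mask on /24" effect for that sender
# without touching spamd at all.
table <nospamd>     persist file "/etc/mail/nogreylist"

# First-match: exceptions first, redirect last. Swapping these lines would send
# the whitelisted networks through greylisting as if the table did not exist.
no rdr on $ext_if inet proto tcp from <nospamd>     to $mailserver port smtp
no rdr on $ext_if inet proto tcp from <spamd-white> to $mailserver port smtp
rdr pass on $ext_if inet proto tcp from any to $mailserver port smtp -> 127.0.0.1 port spamd
```

After editing the file, `pfctl -t nospamd -T replace -f /etc/mail/nogreylist` loads the new contents without a full ruleset reload.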



Re: To secure WiFi networks

2005-07-27 Thread Johan P . Lindström
Thanks Bob

I will certainly have a peek, I am starting to think authpf is the way
to go, but the users at the intended facility are far from self
sufficient/ self educating (plain lack of interest) and that usually
spells trouble when helping out... or a fortune if you are a
consultant, if you don't want to read the manual, then have some one
else do it for you @ $110+ an hour =)

-- Johan

On 7/27/05, Bob Beck [EMAIL PROTECTED] wrote:
 
 
authpf and a decent ruleset.
 
use a central box and tunnel it back.
 
redirect all unauthenticated http traffic to a website showing
 them what to do to get authenticated.
 
see http://www.ualberta.ca/CNS/wireless/ for a description of what
 we use here.
 
 
 
 



OpenBSD 3.7 on VM Workstation 5

2005-07-27 Thread Johan P . Lindström
Just finished installing OpenBSD 3.7 from CD onto VM Ware Workstation
5 build 13124 with Windows XP sp2 as host OS.

As Client OS I chose FreeBSD, VM Ware tools not installed, virtual
terminals CTRL+ALT+Fn does not work since CTRL+ALT releases control
from the VM Ware application.

Here is the dmesg.boot

OpenBSD 3.7 (GENERIC) #50: Sun Mar 20 00:01:57 MST 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) 4 CPU 3.00GHz (GenuineIntel 686-class) 3 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,PNI
real mem  = 267952128 (261672K)
avail mem = 237731840 (232160K)
using 3296 buffers containing 13500416 bytes (13184K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(a5) BIOS, date 02/11/05, BIOS32 rev. 0 @ 0xfd880
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
pcibios0 at bios0: rev 2.1 @ 0xfd880/0x780
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf30/176 (9 entries)
pcibios0: PCI Interrupt Router at 000:07:0 (Intel 82371FB ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x1000 0xdc000/0x4000! 0xe/0x4000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82443BX AGP rev 0x01
ppb0 at pci0 dev 1 function 0 Intel 82443BX AGP rev 0x01
pci1 at ppb0 bus 1
pcib0 at pci0 dev 7 function 0 Intel 82371AB PIIX4 ISA rev 0x08
pciide0 at pci0 dev 7 function 1 Intel 82371AB IDE rev 0x01: DMA,
channel 0 configured to compatibility, channel 1 configured to
compatibility
wd0 at pciide0 channel 0 drive 0: VMware Virtual IDE Hard Drive
wd0: 64-sector PIO, LBA, 4096MB, 8388608 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: _NEC, DVD_RW ND-3520A, 1.04 SCSI0
5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
uhci0 at pci0 dev 7 function 2 Intel 82371AB USB rev 0x00: irq 9
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
Intel 82371AB Power Mgmt rev 0x08 at pci0 dev 7 function 3 not configured
vga1 at pci0 dev 15 function 0 VMware Virtual SVGA II rev 0x00
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
mpt0 at pci0 dev 16 function 0 Symbios Logic 53c1030 rev 0x01: irq 11
mpt0: running in vmware, skipping pageretrieval
mpt0: IM support: 0
scsibus1 at mpt0: 16 targets
le1 at pci0 dev 17 function 0 AMD 79c970 PCnet-PCI rev 0x10: irq 10
le1: address 00:0c:29:91:ef:ac
le1: 8 receive buffers, 2 transmit buffers
eap0 at pci0 dev 18 function 0 Ensoniq AudioPCI97 rev 0x02: irq 9
ac97: codec id 0x43525913 (Cirrus Logic CS4297A rev 3)
audio0 at eap0
midi0 at eap0: AudioPCI MIDI UART
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0 (mux 1 ignored for console): console keyboard, using wsdisplay0
pmsi0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pmsi0 mux 0
pcppi0 at isa0 port 0x61
midi1 at pcppi0: PC speaker
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask eb65 netmask ef65 ttymask ffe7
pctr: user-level cycle counter enabled
dkcsum: wd0 matched BIOS disk 80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302



Re: suggested /etc/skel/ modifications

2005-07-27 Thread Paul de Weerd
On Wed, Jul 27, 2005 at 12:13:01PM -0500, Dave Feustel wrote:
| 1) add the line
| umask 077 
| to .profile

This breaks certain ports (as I found out the hard way)

| 2)add the file .kshrc containing at least the line
| set -o vi

Better to export VISUAL=vi in your .profile if that's what you prefer.
I don't think it's a good idea to change this default for all users -
not everyone loves vi that much, some people find it annoying on the
commandline. Those people that prefer their shells in vi mode have the
option to export VISUAL=vi or set -o vi.

From a wet What The Hack,

Paul 'WEiRD' de Weerd

-- 
[++-]+++.+++[---].+++[+
+++-].++[-]+.--.[-]
 http://www.weirdnet.nl/ 



Re: IMAP ssl problems

2005-07-27 Thread eric
On Wed, 2005-07-27 at 10:54:36 -0700, stupidmail4me proclaimed...

 I've installed the UW-IMAP package and placed the
 correct start up lines in /etc/inetd.conf. I've gotten
 this package to work correctly on past installations.

Go ask on the UW-IMAP list. This is an OpenBSD list.



Re: OpenBSD 3.7 on VM Workstation 5

2005-07-27 Thread Marco Peereboom
And you don't know how to reassign the release key?

On Wed, Jul 27, 2005 at 11:22:56PM +0200, Johan P. Lindström wrote:
 Just finished installing OpenBSD 3.7 from CD onto VM Ware Workstation
 5 build 13124 with Windows XP sp2 as host OS.
 
 As Client OS I chose FreeBSD, VM Ware tools not installed, virtual
 terminals CTRL+ALT+Fn does not work since CTRL+ALT releases control
 from the VM Ware application.
 
 Here is the dmesg.boot
 



problems adding packages in 3.7

2005-07-27 Thread Russell Fulton

Hi Folks,
I'm getting errors about missing libraries while adding packages to a 
3.7 system.  This was a new install with 3.7 so there should not be any old 
stuff laying around

-bash-3.00$ sudo pkg_add 
ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/recode-3.6p1.tgz
Can't install 
ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/recode-3.6p1.tgz: lib not 
found intl.1.1
Even by looking in the dependency tree:
   libiconv-1.9.2, gettext-0.10.40p2
Maybe it's in a dependent package, but not tagged with @lib ?
(check with pkg_info -K -L)
If you are still running 3.6 packages, update them.
-bash-3.00$ uname -a
OpenBSD matata.insec.auckland.ac.nz 3.7 GENERIC#50 i386

I understand that it can not find lib intl.1.1 and that it has looked for it in 
the package dependencies.  However I don't understand what it is suggesting I 
do with pkg_info (yes I've read the man page).

A little more guidance would be appreciated.

Cheers, Russell



Re: problems adding packages in 3.7 -- solved

2005-07-27 Thread Russell Fulton
It has just been pointed out to me (off list) that I was loading the package from the 3.6 tree.  Doh!!!


Russell





Re: problems adding packages in 3.7

2005-07-27 Thread Matthias Kilian
On Thu, Jul 28, 2005 at 10:42:25AM +1200, Russell Fulton wrote:
   I'm getting errors about missing libraries while adding packages to 
   a 3.7 system.  This was a new install with 3.7 so there should not 
   be any old stuff laying around
 
 -bash-3.00$ sudo pkg_add 
 ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/recode-3.6p1.tgz

Adding 3.6 packages to a 3.7 system may be a little bit unsupported.



Re: spamd greylisting, masking on /24

2005-07-27 Thread Stuart Henderson

--On 27 July 2005 13:50 -0600, Bob Beck wrote:


You really do not need to do this in spamd. Do it in pf.
table <nospamd> persist file "/etc/mail/nogreylist"


Been doing that for months, but it takes quite a while to add enough 
networks to be useful, and there's always another round the corner. I 
don't think I've seen any up-to-date 'greylisting whitelists' that 
include common-spool senders from /24 and smaller, but those are 
responsible for most excessive delays I've seen. (The other delays I 
see are usually shorter [2-4h or so], mostly from ISPs using Exim 
shunting delayed mail off to another host to shorten queues on their 
primary relays and not bothering to retry for a while).




Re: OpenBSD 3.7 on VM Workstation 5

2005-07-27 Thread Brad
I'm just curious what the point of sending the dmesg was?

It's not like people haven't been running OpenBSD under VMware for
years now. This isn't stating anything new.

On Wed, Jul 27, 2005 at 11:22:56PM +0200, Johan P. Lindström wrote:
 Just finished installing OpenBSD 3.7 from CD onto VM Ware Workstation
 5 build 13124 with Windows XP sp2 as host OS.
 
 As Client OS I chose FreeBSD, VM Ware tools not installed, virtual
 terminals CTRL+ALT+Fn does not work since CTRL+ALT releases control
 from the VM Ware application.
 
 Here is the dmesg.boot
 



Re: suggested /etc/skel/ modifications

2005-07-27 Thread Dave Feustel
On Wednesday 27 July 2005 04:23 pm, Paul de Weerd wrote:
 On Wed, Jul 27, 2005 at 12:13:01PM -0500, Dave Feustel wrote:
 | 1) add the line
 | umask 077 
 | to .profile
 
 This breaks certain ports (as I found out the hard way)

I was wondering about that. Which ports broke?

Thanks,
Dave



Re: OpenBSD 3.7 on VM Workstation 5

2005-07-27 Thread Spruell, Darren-Perot
From: Brad [mailto:[EMAIL PROTECTED]
 I'm just curious what the point of sending the dmesg was?
 
 It's not like people haven't been running OpenBSD under VMware for
 years now. This isn't stating anything new.

Because it's the proper thing to do. Don't discourage thoroughness.

DS



Re: problems adding packages in 3.7

2005-07-27 Thread Joe Barnett
Russell Fulton wrote:
 Hi Folks,
 I'm getting errors about missing libraries while adding packages to
 a 3.7 system.  This was a new install with 3.7 so there should not be
 any old stuff laying around
 
 -bash-3.00$ sudo pkg_add
 ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/recode-3.6p1.tgz
 Can't install
 ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/recode-3.6p1.tgz:
 lib not found intl.1.1
 Even by looking in the dependency tree:
libiconv-1.9.2, gettext-0.10.40p2
 Maybe it's in a dependent package, but not tagged with @lib ?
 (check with pkg_info -K -L)
 If you are still running 3.6 packages, update them.
 -bash-3.00$ uname -a
 OpenBSD matata.insec.auckland.ac.nz 3.7 GENERIC#50 i386
 
 I understand that it can not find lib intl.1.1 and that it has looked
 for it in the package dependencies.  However I don't understand what it
 is suggesting I do with pkg_info (yes I've read the man page).
 
 A little more guidance would be appreciated.
 
 Cheers, Russell
 

It looks like your command is searching for packages in the 3.6
directory, not the 3.7 directory:

ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/

should be:

ftp://ftp.openbsd.org/pub/OpenBSD/3.7/packages/i386/

-- Joe



Re: OpenBSD 3.7 on VM Workstation 5

2005-07-27 Thread Brad
On Wed, Jul 27, 2005 at 04:56:23PM -0700, Spruell, Darren-Perot wrote:
 From: Brad [mailto:[EMAIL PROTECTED]
  I'm just curious what the point of sending the dmesg was?
  
  It's not like people haven't been running OpenBSD under VMware for
  years now. This isn't stating anything new.
 
 Because it's the proper thing to do. Don't discourage thoroughness.
 
 DS

I can look in the mailing list archives and find plenty of dmesgs from
VMware. Posting another one doesn't do anything useful. I'm not
discouraging thoroughness but I am discouraging pointless posts to [EMAIL PROTECTED]



Re: OpenBSD 3.7 on VM Workstation 5

2005-07-27 Thread Steve Shockley
Spruell, Darren-Perot wrote:
 Because it's the proper thing to do. Don't discourage thoroughness.

http://www.openbsd.org/faq/faq4.html#SendDmesg says it's
[EMAIL PROTECTED], not [EMAIL PROTECTED]



Re: OpenBSD 3.7 on VM Workstation 5

2005-07-27 Thread Spruell, Darren-Perot
From: Brad [mailto:[EMAIL PROTECTED]
  From: Brad [mailto:[EMAIL PROTECTED]
   I'm just curious what the point of sending the dmesg was?
   
   It's not like people haven't been running OpenBSD under VMware for
   years now. This isn't stating anything new.
  
  Because it's the proper thing to do. Don't discourage thoroughness.
  
  DS
 
 I can look in the mailing list archives and find plenty of dmesgs from
 VMware. Posting another one doesn't do anything useful. I'm not
 discouraging thoroughness but I am discouraging pointless posts to [EMAIL PROTECTED]

And suppose VMWare decides to emulate different hardware/architectures in
their VMs? Suddenly, the dmesg becomes very pertinent.

Point is, better to be swamped with too much information than too little.
You'll find that statement in the archives as well.

DS



1U server recommendation

2005-07-27 Thread Matthew Bettinger
Hello,

Can anyone recommend a decent rack server from HP, Dell, IBM or CDW
that will run OpenBSD for webserver use?  I would prefer a machine
that has SCSI drives with Mirror Raid capabilities.  I know I can go
piecemeal one from FRY's but I need one that can have a hardware
support agreement tied to it.  

I was glancing at the sunfire v20z, ibm xseries 306 and HP DL360
with Smart Array 6i.  The dl360 looks like it fits the bill but I
have had problems in the past with the smart array on older DL class
boxes.  The server(s) will be used for web shell and sftp services
under medium loads.  Thank you.

-mb 



Re: 1U server recommendation

2005-07-27 Thread Jason Dixon

On Jul 26, 2005, at 11:24 PM, Matthew Bettinger wrote:


Hello,

Can anyone recommend a decent rack server from HP, Dell, IBM or CDW
that will run OpenBSD for webserver use?  I would prefer a machine
that has SCSI drives with Mirror Raid capabilities.  I know I can go
piecemeal one from FRY's but I need one that can have a hardware
support agreement tied to it.

I was glancing at the sunfire v20z, ibm xseries 306 and HP DL360
with Smart Array 6i.  The dl360 looks like it fits the bill but I
have had problems in the past with the smart array on older DL class
boxes.  The server(s) will be used for web shell and sftp services
under medium loads.  Thank you.


I've been happy with our recent purchase of Dell PowerEdge 750's for
the same purposes you mention.  We neglected any hardware RAID in
favor of OpenBSD RAIDframe.



--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net



Re: 1U server recommendation

2005-07-27 Thread Marco Peereboom
I run heaps off Dell PowerEdge 1550, 1650, 1750 and 1850 without issues.

On Tue, Jul 26, 2005 at 10:24:18PM -0500, Matthew Bettinger wrote:
 Hello,
 
 Can anyone recommend a decent rack server from HP, Dell, IBM or CDW
 that will run OpenBSD for webserver use?  I would prefer a machine
 that has SCSI drives with Mirror Raid capabilities.  I know I can go
 piecemeal one from FRY's but I need one that can have a hardware
 support agreement tied to it.  
 
 I was glancing at the sunfire v20z, ibm xseries 306 and HP DL360
 with Smart Array 6i.  The dl360 looks like it fits the bill but I
 have had problems in the past with the smart array on older DL class
 boxes.  The server(s) will be used for web shell and sftp services
 under medium loads.  Thank you.
 
 -mb 



Re: OpenBSD 3.7 on VM Workstation 5

2005-07-27 Thread Nick Holland
Brad wrote:
 I'm just curious what the point of sending the dmesg was?

All things considered, I'd rather have five things I don't need than
have one thing I wanted that was missing.  If for nothing else, it's a
refreshing "Something Different" from the "Send me some useful info!"
exchanges.  Heck, how many times have I spotted something in an
unneeded dmesg that actually did or may have pertained to the user's
question? (A: lots!)

If nothing else, dmesg tells us if someone is running a Theo-built
kernel, a home-built GENERIC (which we have to take with a big grain of
salt until we commit those changes that prevent even root from editing
/usr/src/sys/arch/*/conf/GENERIC), or a definite Ricer, which are
details that aren't always communicated accurately through other means.

Granted, in this case, OpenBSD was working perfectly, VMware was
blocking certain keystrokes, but obviously the OP didn't recognize that,
or they wouldn't have posted here.  Hey, not sure reassigning the
release sequence would have occurred to me if one of my coworkers
hadn't said, "You'll want to change that so CTRL-ALT-Fn works."  I've
also discovered there are ways to configure VMware so it doesn't work
with OpenBSD.

Besides, I haven't seen a VMware 5 dmesg yet, and we all know how
excited I get over dmesgs. :)

(what's the point of YOUR sending the dmesg again, rather than trimming
down the reply? :)


If in doubt, send the dmesg.  If you think it isn't necessary, send the
dmesg.  If you are absolutely sure the question has nothing to do with
hardware (or virtual hardware), and you have confirmed the situation on
five different platforms, dmesg is optional.  In my opinion, of course.
:)  However, my time lately is much less, there are lots of messages
I've been completely ignoring (or laughing at to myself as others try to
help the clueless, but still never ask for the obvious first-step in
debugging) because I don't have time to beg for every bit and piece of
info to verify (or disprove) a suspicion.


Nick.
(dmesg, dammit!)



Re: suggested /etc/skel/ modifications

2005-07-27 Thread Nick Holland
Dave Feustel wrote:
 1) add the line
 umask 077 
 to .profile
 
 2)add the file .kshrc containing at least the line
 set -o vi
 
 
 Also modify adduser so that the home directory
 permissions of new users are set to drwx-- 
 instead of drwxr-xr-x

OpenBSD is a general purpose OS.  There are lots of general purposes out
there. :)

All three of those are personal preference things.  You want them that
way, someone else might be much more interested in sharing files
between users rather than keeping files completely private by default.
These changes would break many people's expectations, and with the
exception of the last, are EASILY implemented with a siteXX.tgz file.

The last one could be more generally addressed with an adduser.local
script.  Of course, you could also just make a wrapper script that does
whatever you want to do to the users...which is probably even more
general.  For many apps, there are a LOT of things you might want to do
that adduser(8) doesn't cover; a custom script is probably the best choice.

Nick.



no sound on Dell4550 (soundblaster live, emu)

2005-07-27 Thread tony sarendal
Good morning,

I have a Dell4550 on which I can't get sound to work.
Both 3.7 and -current give me the same result; everything looks ok on boot.

# vlc mpeg file
VLC media player 0.8.1 Janus
[0211] mpeg_audio decoder: MPGA channels:2 samplerate:44100 bitrate:192
SDL: Audio timeout - buggy audio driver? (disabled)
audio: Bad file descriptor

Any ideas are welcome.
I intended to leave the box at my parents house since we currently live
in different countries and supporting old windows boxes is no fun.

/Tony

# dmesg
OpenBSD 3.7 (GENERIC) #50: Sun Mar 20 00:01:57 MST 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) 4 CPU 2.53GHz (GenuineIntel 686-class) 2.53 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID
real mem  = 535887872 (523328K)
avail mem = 482185216 (470884K)
using 4278 buffers containing 26898432 bytes (26268K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 11/12/02, BIOS32 rev. 0 @ 0xffe90
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfeae0/160 (8 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801BA LPC rev 0x00)
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc/0xf800 0xcf800/0x800
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82845G/GL rev 0x01
ppb0 at pci0 dev 1 function 0 Intel 82845G/GL/GV/GE/PE AGP rev 0x01
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 Nvidia GeForce4 MX 420 rev 0xa3
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
uhci0 at pci0 dev 29 function 0 Intel 82801DB USB rev 0x01: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1 Intel 82801DB USB rev 0x01: irq 11
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 29 function 2 Intel 82801DB USB rev 0x01: irq 9
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
ehci0 at pci0 dev 29 function 7 Intel 82801DB USB rev 0x01: irq 3
ehci0: EHCI version 1.0
ehci0: companion controllers, 2 ports each: uhci0 uhci1 uhci2
usb3 at ehci0: USB revision 2.0
uhub3 at usb3
uhub3: Intel EHCI root hub, class 9/0, rev 2.00/1.00, addr 1
uhub3: single transaction translator
uhub3: 6 ports with 6 removable, self powered
ppb1 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0x81
pci2 at ppb1 bus 2
emu0 at pci2 dev 0 function 0 Creative Labs SoundBlaster Live rev 0x00: irq 10
ac97: codec id 0x83847608 (SigmaTel STAC9708/11)
ac97: codec features 18 bit DAC, 18 bit ADC, SigmaTel 3D
audio0 at emu0
Creative Labs PCI Gameport Joystick rev 0x00 at pci2 dev 0 function
1 not configured
Texas Instruments TSB12LV26 FireWire rev 0x00 at pci2 dev 1 function
0 not configured
fxp0 at pci2 dev 8 function 0 Intel PRO/100 VE rev 0x81: irq 11,
address 00:07:e9:d2:84:de
inphy0 at fxp0 phy 1: i82562ET 10/100 PHY, rev. 0
ichpcib0 at pci0 dev 31 function 0 Intel 82801DB LPC rev 0x01
pciide0 at pci0 dev 31 function 1 Intel 82801DB IDE rev 0x01: DMA,
channel 0 configured to compatibility, channel 1 configured to
compatibility
wd0 at pciide0 channel 0 drive 0: WDC WD300BB-75DEA0
wd0: 16-sector PIO, LBA, 28610MB, 58593750 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: SAMSUNG, DVD-ROM SD-616T, F310 SCSI0
5/cdrom removable
atapiscsi1 at pciide0 channel 1 drive 1
scsibus1 at atapiscsi1: 2 targets
cd1 at scsibus1 targ 0 lun 0: HL-DT-ST, CD-RW GCE-8481B, C102 SCSI0
5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
cd1(pciide0:1:1): using PIO mode 4, Ultra-DMA mode 2
Intel 82801DB SMBus rev 0x01 at pci0 dev 31 function 3 not configured
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0 (mux 1 ignored for console): console keyboard, using wsdisplay0
pmsi0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pmsi0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask eb6d netmask eb6d ttymask fbef
pctr: user-level cycle counter enabled
dkcsum: wd0 matched BIOS 

Re: spamd greylisting, masking on /24

2005-07-27 Thread Bob Beck
Practically, I've never found any need to use anything beyond the
greylisting.org whitelist in that manner, as well as ensuring I'm
running spamlogd correctly so that outbound servers get whitelisted.
At least with our 70,000 lusers worth of mailboxes.

-Bob

* Stuart Henderson [EMAIL PROTECTED] [2005-07-27 18:12]:
 --On 27 July 2005 13:50 -0600, Bob Beck wrote:
 
  You really do not need to do this in spamd. Do it in pf.
 table nospamd persist file /etc/mail/nogreylist
 
 Been doing that for months, but it takes quite a while to add enough 
 networks to be useful, and there's always another round the corner. I 
 don't think I've seen any up-to-date 'greylisting whitelists' that 
 include common-spool senders from /24 and smaller, but those are 
 responsible for most excessive delays I've seen. (The other delays I 
 see are usually shorter [2-4h or so], mostly from ISPs using Exim 
 shunting delayed mail off to another host to shorten queues on their 
 primary relays and not bothering to retry for a while).
 

-- 
Bob Beck   Computing and Network Services
[EMAIL PROTECTED]   University of Alberta
True Evil hides its real intentions in its street address.
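
The "do it in pf" approach Bob describes, as an added pf.conf fragment that is neither Bob's nor Stuart's own configuration: the nogreylist table is loaded from the file Stuart names, and the rule order follows pf's last-matching-rule semantics so that exempted and already-whitelisted senders reach the MTA directly while everyone else is handed to spamd(8). It uses current pf syntax (rdr-to), not the rdr syntax of the 2005-era releases, and the pass-out rule is logged so spamlogd(8) can whitelist hosts your own MTA sends to.

```pf
# Constructed example; adjust interface and paths to your own setup.

# Maintained by spamd-setup(8)/spamlogd(8): hosts that have passed greylisting.
table <spamd-white> persist
# Hand-maintained networks that must never be greylisted (one network per
# line, e.g. the /24s of large ISP spools that retry from many hosts).
table <nospamd> persist file "/etc/mail/nogreylist"

# Catch-all first: every inbound SMTP connection is redirected to spamd.
pass in on egress proto tcp from any to any port smtp \
    rdr-to 127.0.0.1 port spamd

# Exemptions come AFTER the catch-all. Without "quick", the last matching
# rule wins, so these override the redirect for the listed sources.
pass in on egress proto tcp from <nospamd> to any port smtp
pass in log on egress proto tcp from <spamd-white> to any port smtp

# Log outbound SMTP so spamlogd (listening on pflog0) whitelists the
# servers you deliver to; otherwise their replies get greylisted too.
pass out log on egress proto tcp from any to any port smtp
```

Reversing the order (exemptions before the catch-all, without "quick") silently redirects everyone to spamd; check the loaded rules with pfctl -sr and the table contents with pfctl -t nospamd -T show.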



Re: 1U server recommendation

2005-07-27 Thread Kevin
On 7/27/05, Marco Peereboom [EMAIL PROTECTED] wrote:
 On Tue, Jul 26, 2005 at 10:24:18PM -0500, Matthew Bettinger wrote:
  Can anyone recommend a decent rack server from HP, Dell, IBM or CDW
  that will run OpenBSD for webserver use?  I would prefer a machine
  that has SCSI drives with Mirror Raid capabilities.  I know I can go
  piecemeal one from FRY's but I need one that can have a hardware
  support agreement tied to it.

 I run heaps off Dell PowerEdge 1550, 1650, 1750 and 1850 without issues.

Similar results here.

The PE1850 is a solid machine, with (optional) dual power supplies, hardware
mirroring SCSI controller, and if you really want to get crazy, you can even
configure it to use half the RAM as a spare bank so even a DIMM failure won't
take the server down (haven't tested this personally).

Some PE models can be ordered with your choice of embedded 'bge' or
'em' interfaces, go with 'em'.  Same goes for the RAID controller --
not all PERCs are the supported 'ami' LSILogic MegaRAID chipset;
the PERC4/ei in the 1850 is supported as of 3.7.


Lastly, most (all?) current PowerEdge products can be configured for
serial console in the BIOS, many have optional (not OpenBSD supported)
DRAC network management daughterboards for remote recovery from just
about any type of crash.  The OpenManage server runs on Linux or MS-Windows.

Kevin Kadow



Re: OpenBSD 3.7 on VM Workstation 5

2005-07-27 Thread Andre Naehring
Johan P. Lindström schrieb:
 Just finished installing OpenBSD 3.7 from CD onto VM Ware Workstation
 5 build 13124 with Windows XP sp2 as host OS.
 
 As Client OS I chose FreeBSD, VM Ware tools not installed, virtual
 terminals CTRL+ALT+Fn does not work since CTRL+ALT releases control
 from the VM Ware application.
 

You can reconfigure VMWare to use another hotkey for releasing control.
Then you can use the terminals.


-- 

Sauerland Spielgeräte GmbH
André Nähring



Re: OpenBSD 3.7 on VM Workstation 5

2005-07-27 Thread Ober Heim
And you could always use that silly patch that makes it so that alt-fn 
switches console modes :D



I am not your puppet. Since when? Now get your spongy ping ass out there 
and dance for the cameras -Nora in (Death to Smoochy)


On Thu, 28 Jul 2005, Andre Naehring wrote:


Date: Thu, 28 Jul 2005 07:36:07 +0200
From: Andre Naehring [EMAIL PROTECTED]
To: OpenBSD MISC misc@openbsd.org
Subject: Re: OpenBSD 3.7 on VM Workstation 5

Johan P. Lindström schrieb:

Just finished installing OpenBSD 3.7 from CD onto VM Ware Workstation
5 build 13124 with Windows XP sp2 as host OS.

As Client OS I chose FreeBSD, VM Ware tools not installed, virtual
terminals CTRL+ALT+Fn does not work since CTRL+ALT releases control
from the VM Ware application.



You can reconfigure VMWare to use another hotkey for releasing control.
Then you can use the terminals.


--

Sauerland Spielgeräte GmbH
André Nähring