Re: syslogd udp port
> May I suggest some tolerance (doesn't have to be sincere) for people who
> are simply either too busy or too lazy to read man pages in their
> entirety.

Absolutely not. You were lazy and unwilling to educate yourself, and are making other people watch you sluffing your way through life.
Re: syslogd udp port
Firstly, I never mentioned the word security, so I don't know where Tobias got that from. I apologise once again for not searching the archives and reading the man pages. May I suggest some tolerance (doesn't have to be sincere) for people who are simply either too busy or too lazy to read man pages in their entirety, or just simply ignore the email. Surely certain people on this list (Theo - that's you!) don't actually enjoy patronising their loyal userbase? Or perhaps that's OpenBSD's 'thing'? Or if it isn't, remind me what is...

thanks anyway

poncenby

Theo de Raadt wrote:

The port is also used to (potentially) send data out to other syslog servers. Therefore, it is left open. This is made ASTOUNDINGLY clear in the manual page, if you would read it:

    syslogd opens the above described socket whether or not it is running in
    secure mode. If syslogd is running in secure mode, all incoming data on
    this socket is discarded. The socket is required for sending forwarded
    messages.

See that? It says anything read is DISCARDED.

This behaviour is not going to be changed. Period.

I remember asking how to stop syslogd opening udp port 514 a while ago and never doing anything about it, here goes again...

hopefully a relevant part of /etc/rc

    echo 'starting system logger'
    rm -f /dev/log
    if [ "X${named_flags}" != X"NO" ]; then
            rm -f /var/named/dev/log
            syslogd_flags="${syslogd_flags} -a /var/named/dev/log"
    fi
    if [ -d /var/empty ]; then
            rm -f /var/empty/dev/log
            mkdir -p -m 0555 /var/empty/dev
            syslogd_flags="${syslogd_flags} -a /var/empty/dev/log"
    fi
    syslogd ${syslogd_flags}

    if [ X"${pf}" != X"NO" -a X"${pflogd_flags}" != X"NO" ]; then
            if ifconfig pflog0 >/dev/null 2>&1; then
                    ifconfig pflog0 up
                    pflogd ${pflogd_flags}
            fi
    fi

my /etc/rc.conf

    syslogd_flags=          # add more flags, ie. "-u -a /chroot/dev/log"

output from command: netstat -p udp -an

    Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
    udp        0      0  *.514                  *.*

reading the man page doesn't really answer why there is a program listening on udp 514, seeing as I haven't passed syslogd the -u switch

    -u      Select the historical ``insecure'' mode, in which syslogd will
            accept input from the UDP port. Some software wants this, but
            you can be subjected to a variety of attacks over the network,
            including attackers remotely filling logs.

can anyone point me in the right direction so this annoying behaviour stops. also, is there a switch for netstat which shows the pid/process for each listening port?

thanks in advance

poncenby
HP thin Client
Anyone running an HP thin client with OpenBSD (netbooting from an OpenBSD server)? What is your experience with them? Thanks.
Re: syslogd udp port
On Thu, 04 Aug 2005 15:50:58 -0600, Theo de Raadt <[EMAIL PROTECTED]> wrote:
>The port is also used to (potentially) send data out to other syslog
>servers. Therefore, it is left open. This is made ASTOUNDINGLY
>clear in the manual page, if you would read it:
>
> syslogd opens the above described socket whether or not it is running in
> secure mode. If syslogd is running in secure mode, all incoming data on
> this socket is discarded. The socket is required for sending forwarded
> messages.
>
>See that? It says anything read is DISCARDED.
>
>This behaviour is not going to be changed. Period.

Welcome Home Theo! (;

JCR

--
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?
Re: 3.7 Kernel pppoe not accepting incoming connections, userland works 100%
On Mon, Aug 01, 2005 at 11:24:32AM -0400, Steve Williams wrote:
> I upgraded an OpenBSD server from 3.0 to 3.7-current. I am trying to
> switch the pppoe from the user land pppoe to the kernel pppoe. The user
> land one works 100% on 3.7, so I know it's not a physical problem.
> Outgoing connections with the kernel pppoe are working 100%. HOWEVER,
> with the kernel PPPOE, none of the incoming connections are working.
> This server has send mail & httpd ( & ssh) configured, and it is not
> accepting incoming connections for any of them :-( I can see packets
> coming in the interface, (using tcpdump), but nothing happens!

(snip)

> Does anyone see anything obvious? Or not so obvious?? need more
> information? I have tried to include everything that could possibly be
> relevant.

(Snip verbose and much appreciated configuration information.)

From ifconfig of userland pppoe:

> em0: flags=8843 mtu 1500
> tun0: flags=8011 mtu 1492

Note the MTUs of the interfaces.

> /etc/hostname.pppoe0
>
> pppoedev em0
> !/sbin/ifconfig em0 mtu 1492 up media autoselect \
>     description "Internet Connection"
> !/usr/sbin/spppcontrol \$if myauthproto=pap \
>     myauthname=SOME_AUTHNAME myauthkey=MY_PASSWORD
> !/sbin/ifconfig \$if inet 0.0.0.0 0.0.0.1 netmask 0x
> !/sbin/route add default 0.0.0.1
> up

Note the mtu of the physical interface in the ifconfig command.

And the ifconfig with the kernel driver:

> em0: flags=8843 mtu 1492
> pppoe0: flags=8851 mtu 1492

PPPoE has an 8 byte header so its MTU must be 8 bytes smaller than that of the interface through which it's tunneled. pppoe(4) contains this ifconfig line:

    !/sbin/ifconfig ne0 up

which works for me.
Re: software testing
> You're also likely to get more useful responses if you include _any_
> details about what your software does, what it's written in, or even a
> URL to the source (if you really want useful comments).

Here you have it: http://www.cyberspace.org/~grios/project.html

I would really appreciate your comments.
Re: Soekris & OBSD as servers
On 8/5/05, Scott Francis <[EMAIL PROTECTED]> wrote:
> On 8/4/05, Gustavo Rios <[EMAIL PROTECTED]> wrote:
> > I would like to set a obsd and soekris boxes as a server for about 100
> > users.
> > This box is supposed to handle NIS + Kerberos.
> >
> > Does such configuration can handle the task ? I mean on a performance
> > matter.
> > Does anybody have such configuration?

I am not asking just on OpenBSD, but about a combination of OBSD and Soekris. I am considering using OpenBSD+soekris for this task (NIS and Kerberos) because I believe this type of service to be light for the amount of users I have to handle. Any other services will be handled by other hardware, like NFS, web and the like. For now, let's just consider NIS and Kerberos on OBSD 3.7 and soekris. My concern is whether I could use OBSD with soekris. I could for instance use QNX with an embedded NIS and Kerberos to achieve paramount performance even on such modest hardware, which no other OS I know could beat. But, again, I would like to stay with OBSD.

> the default config on OpenBSD can easily handle 100 users. Whether or
> not a Soekris is the right _hardware_ platform is another matter
> altogether. If you're handling users, as opposed to just packets, you
> will probably want some kind of disk-based storage for their home
> directories, NIS+ databases, etc. But then, you could do this with a
> Soekris too with the right adapter, but you might as well use a
> generic x86 machine at that point.
>
> Remember: OpenBSD is software, and runs on many platforms. Soekris is
> x86 hardware, geared towards specific tasks (typically networking, not
> user management, databases, web serving, etc. etc.), and can run
> OpenBSD or other operating systems.
>
> If you have this firmly in mind already and I'm just misparsing your
> English, my apologies.
> --
> [EMAIL PROTECTED],darkuncle.net} || 0x5537F527
> encrypted email to the latter address please
> http://darkuncle.net/pubkey.asc for public key
Re: software testing
On 8/4/05, Gustavo Rios <[EMAIL PROTECTED]> wrote: > I asked to see how the box would behave in terms of performance. go grab the oldest PC you can find and you'll probably have roughly equivalent CPU and RAM performance. I hope you're not considering disk I/O as part of "performance", because Soekris boxes don't come with disks. The hardware specs on Soekris gear are clearly listed on the website - you should be able to make rough estimates based on the performance of your software on the hardware you have available. You're also likely to get more useful responses if you include _any_ details about what your software does, what it's written in, or even a URL to the source (if you really want useful comments). -- [EMAIL PROTECTED],darkuncle.net} || 0x5537F527 encrypted email to the latter address please http://darkuncle.net/pubkey.asc for public key
Re: Soekris & OBSD as servers
On 8/4/05, Gustavo Rios <[EMAIL PROTECTED]> wrote: > I would like to set a obsd and soekris boxes as a server for about 100 users. > This box is supposed to handle NIS + Kerberos. > > Does such configuration can handle the task ? I mean on a performance matter. > Does anybody have such configuration? the default config on OpenBSD can easily handle 100 users. Whether or not a Soekris is the right _hardware_ platform is another matter altogether. If you're handling users, as opposed to just packets, you will probably want some kind of disk-based storage for their home directories, NIS+ databases, etc. But then, you could do this with a Soekris too with the right adapter, but you might as well use a generic x86 machine at that point. Remember: OpenBSD is software, and runs on many platforms. Soekris is x86 hardware, geared towards specific tasks (typically networking, not user management, databases, web serving, etc. etc.), and can run OpenBSD or other operating systems. If you have this firmly in mind already and I'm just misparsing your English, my apologies. -- [EMAIL PROTECTED],darkuncle.net} || 0x5537F527 encrypted email to the latter address please http://darkuncle.net/pubkey.asc for public key
pf overload - Banning hosts for n Minutes?
Hello again everybody,

With the overload option in PF it's possible to block connections from hosts which break my FW rules, like e.g. too many connections in n minutes. 'overload' will include the IP in a table and flush every connection created by this IP. I would like to know if there's any timing option for how long an IP should be banned?

During my experience with bot networks I know that most bots infect computers which have a dynamic IP. So if a bot-infected computer or a "bad guy" tries e.g. to DDoS a webserver using HTTP GET or SYN, the IP of the "bad guy" will be added to the table and blocked. But because most IPs on the internet are "dynamic" it would also affect other people who get an IP which was in use by an attacker.

I found (during reading the pf manual) no option which specifies how long such IPs should be banned. For now I use a cron job to flush this table and remove every entry e.g. once each hour. The cron job itself is just a workaround for me, so I'd like to ask if it's possible to enable a timer-like mechanism for such IPs so that every IP will be blocked for at least e.g. 1 hour or n minutes?

If such a mechanism exists please advise me, because I didn't find it until now and the cron job solution itself isn't the best solution at all. :-/

Kind regards,
Sebastian

--
Don't buy anything from YeongYang. Their computer cases are expensive, their WTX power supplies start burning and their support refuses any RMA even though there's still some warranty.
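Sebastian's hourly flush, replaced by age-based expiry, as an added example. This is Python written for this page, not part of pf, pfctl or the thread. It assumes the verbose listing format of `pfctl -t <table> -vT show` (an indented address line followed by a `Cleared:` line carrying a ctime(3) timestamp, which for an entry whose counters were never cleared is its insertion time), works on a constructed sample listing, and only prints the `pfctl -T delete` commands rather than running them. Later releases of pfctl(8) have `-T expire seconds`, which does this selection natively; check the man page of the release you run before scripting around it.

```python
"""Age-based expiry for a pf overload table (added example, not part of pf).

pf's overload option puts an address into a table and never takes it out.
This reads the verbose table listing, works out how long each entry has been
there from its "Cleared:" timestamp, and emits pfctl delete commands for the
ones older than max_age seconds.  Run from cron instead of an hourly flush,
each address stays blocked for about max_age rather than until the next flush.

Assumption: the listing has the shape `pfctl -t <table> -vT show` prints,
an indented address line followed by an indented "Cleared: <ctime>" line
(for an entry whose counters were never cleared, its insertion time).
"""
import re
import sys
import time

CTIME_FMT = "%a %b %d %H:%M:%S %Y"
ADDR_RE = re.compile(r"!?[0-9A-Fa-f.:]+(/\d+)?")

# Constructed sample listing; addresses are documentation ranges.
SAMPLE_LISTING = """\
   192.0.2.10
        Cleared:     Fri Aug  5 09:00:00 2005
        In/Block:    [ Packets: 40        Bytes: 2400       ]
        In/Pass:     [ Packets: 0         Bytes: 0          ]
   198.51.100.7
        Cleared:     Fri Aug  5 10:30:00 2005
        In/Block:    [ Packets: 3         Bytes: 180        ]
        In/Pass:     [ Packets: 0         Bytes: 0          ]
   2001:db8::5
        Cleared:     Fri Aug  5 10:58:00 2005
        In/Block:    [ Packets: 1         Bytes: 60         ]
        In/Pass:     [ Packets: 0         Bytes: 0          ]
"""


def local_epoch(ctime_text):
    """ctime(3)-style timestamp in local time (as pfctl prints it) -> epoch."""
    normalized = " ".join(ctime_text.split())      # collapse the padded day
    return time.mktime(time.strptime(normalized, CTIME_FMT))


def parse_listing(text):
    """Return {address: cleared_epoch} from a verbose table listing."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Cleared:"):
            if current is not None:
                entries[current] = local_epoch(line[len("Cleared:"):])
        elif ADDR_RE.fullmatch(line):
            current = line
        # counter lines (In/Block, In/Pass, ...) match neither and are skipped
    return entries


def expired(entries, max_age, now):
    """Addresses whose entry is older than max_age seconds at time now."""
    return sorted(addr for addr, t in entries.items() if now - t > max_age)


def plan_expiry(listing, table, max_age, now):
    """pfctl commands that remove the expired entries from table."""
    return [f"pfctl -t {table} -T delete {addr}"
            for addr in expired(parse_listing(listing), max_age, now)]


if __name__ == "__main__":
    # Usage: pfctl -t bruteforce -vT show | python3 expire_table.py bruteforce 3600 | sh
    table = sys.argv[1] if len(sys.argv) > 1 else "bruteforce"
    max_age = int(sys.argv[2]) if len(sys.argv) > 2 else 3600
    listing = SAMPLE_LISTING if sys.stdin.isatty() else sys.stdin.read()
    for command in plan_expiry(listing, table, max_age, time.time()):
        print(command)
```

Run without a pipe it works on the constructed sample; from cron, pipe the real listing in and the output into sh. Ages are compared in local time on both sides (pfctl prints local ctime), so a DST change during the window is the one case to watch.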
Re: Requesting an change in the installer
From: Lars Hansson <[EMAIL PROTECTED]>
To: misc@openbsd.org
Subject: Re: Requesting an change in the installer
Date: Fri, 5 Aug 2005 10:19:41 +0800

On Thu, 04 Aug 2005 20:06:55 -0600 Theo de Raadt <[EMAIL PROTECTED]> wrote:
> > Or you could just set the kernel image to bsd.mp.
> > man boot.conf.
>
> No. That is not the same. Bad advice.

My bad then. You learn something new every day.

---
Lars Hansson

Did this newbie (me) do this wrong?

    cd /
    cp bsd bsd.old
    cp bsd.mp bsd
    #reboot

rogern
Re: software testing
I asked to see how the box would behave in terms of performance. Thanks. On 8/4/05, Bob Beck <[EMAIL PROTECTED]> wrote: > > > if it's in userland you don't need to do anything > special for it to run on "soekris hardware" i386 is i386 is > i386. Have you run your stuff on OpenBSD i386? > > -Bob > > > * Gustavo Rios <[EMAIL PROTECTED]> [2005-08-04 16:31]: > > Hey folks, > > > > i have written a piece of code i would like to test with openbsd on > > soekris hardware. My work is a replacement for DJB CDB with a the nice > > BSD license. > > > > I wonder if some in this list could provide me such environment in the > > following sense: > > > > 0) grant me a shell access for doing my tests, or > > 1) do himself the test. > > > > Thanks a lot for your time and cooperation, > > > > best regards. > > > > -- > Bob Beck Computing and Network Services > [EMAIL PROTECTED] University of Alberta > True Evil hides its real intentions in its street address.
Soekris & OBSD as servers
I would like to set up OBSD on Soekris boxes as a server for about 100 users. This box is supposed to handle NIS + Kerberos. Can such a configuration handle the task? I mean performance-wise. Does anybody have such a configuration? Thanks.
Re: chroot sftp/sftp-server help needed...
On 8/2/05, Michael C. Ibarra <[EMAIL PROTECTED]> wrote: > Just ran into a wall with the scponly option: > > "If you do use chroot(), your binary will need to be setuid." > > I'll pass on that one for now... systrace could probably mitigate most of the risk here ... (privsep, if you're good enough to hack in support to the source. I'm not. :)) -- [EMAIL PROTECTED],darkuncle.net} || 0x5537F527 encrypted email to the latter address please http://darkuncle.net/pubkey.asc for public key
Re: Requesting an change in the installer
On Thu, 04 Aug 2005 20:06:55 -0600 Theo de Raadt <[EMAIL PROTECTED]> wrote:
> > Or you could just set the kernel image to bsd.mp.
> > man boot.conf.
>
> No. That is not the same. Bad advice.

My bad then. You learn something new every day.

---
Lars Hansson
Re: Requesting an change in the installer
On 8/4/05, Lars Hansson <[EMAIL PROTECTED]> wrote: > On Fri, 5 Aug 2005 03:39:01 +0200 (CEST) > [EMAIL PROTECTED] wrote: > > > It's not that bad but so I've to reboot one time more because I've to do a > > 'cd / && mv bsd.rd bsd && reboot'. > > Or you could just set the kernel image to bsd.mp. > man boot.conf. or right before he types reboot or halt in the installer, he could mv /mnt/bsd.mp /mnt/bsd CK -- GDB has a 'break' feature; why doesn't it have 'fix' too?
Re: x86 rings?
On Thursday 04 August 2005 08:34 pm, [EMAIL PROTECTED] wrote: > C is hardly unique in not supporting segmentation. > The only languages I am aware of that even come close are Burroughs > Algol and PL/I (and as always Basic Assembly). (Lisp?) Plm86 and Asm86 provided good support for segmentation as did the loader.
Re: Requesting an change in the installer
> > It's not that bad but so I've to reboot one time more because I've to do a > > 'cd / && mv bsd.rd bsd && reboot'. > > Or you could just set the kernel image to bsd.mp. > man boot.conf. No. That is not the same. Bad advice.
Re: Requesting an change in the installer
On Fri, 5 Aug 2005 03:39:01 +0200 (CEST) [EMAIL PROTECTED] wrote: > It's not that bad but so I've to reboot one time more because I've to do a > 'cd / && mv bsd.rd bsd && reboot'. Or you could just set the kernel image to bsd.mp. man boot.conf. --- Lars Hansson
Requesting an change in the installer
Hello everybody,

I want to request a little change in the installer. If I install OpenBSD on SMP computers I select bsd.mp during the install. I noticed that bsd.mp will not be renamed to bsd if I don't select any other kernels during the setup. Is it possible to provide a renaming in the installer if just bsd.mp was selected? For now I have to install bsd and bsd.mp even though I just want to use bsd.mp. It's not that bad, but so I have to reboot one more time because I have to do a 'cd / && mv bsd.rd bsd && reboot'.

I don't know the person responsible for the installer so I wrote it to [EMAIL PROTECTED] I'm sorry if that's the completely wrong list to ask for such things.

Kind regards,
Sebastian

--
Don't buy anything from YeongYang. Their computer cases are expensive, their WTX power supplies (~120EUR) start burning and their support refuses any RMA even though there's still warranty.
Re: x86 rings?
Rings and segments are pretty much orthogonal concepts. C is hardly unique in not supporting segmentation. The only languages I am aware of that even come close are Burroughs Algol and PL/I (and as always Basic Assembly). (Lisp?)

But overriding is the fact that x86 supporting segments does not imply that all the other supported architectures also support them.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dave Feustel
Sent: Thursday, August 04, 2005 6:17 PM
To: [EMAIL PROTECTED]
Cc: misc@openbsd.org
Subject: Re: x86 rings?

On Thursday 04 August 2005 04:47 pm, [EMAIL PROTECTED] wrote:
> Unless I am very much mistaken, this is Unix not Multics.
> To do anything with the rings, you must make userland
> into a three-ring circus.

That is precisely the point. The C programming language and Unix are incompatible with the x86 segmentation model, including rings, although amazing accommodations were made within C for 286 segments by Intel and Microsoft, et al. before 386 flat addressing took hold. While x86 rings and segments were neat and useful, if extremely awkward to use within C, they are rapidly disappearing into the dustbin of history.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
> Dave Feustel
> Sent: Thursday, August 04, 2005 4:05 PM
> To: Theo de Raadt
> Cc: [EMAIL PROTECTED]; misc@openbsd.org
> Subject: Re: x86 rings?
>
>
> Ed,
>
> Ever read anything about MIT's Multics and the GE 645?
Re: x86 rings?
On Thursday 04 August 2005 06:24 pm, Roger Neth Jr wrote:
> Hello, I have been reading this thread as of some interest that I have read
> some stuff on rings.
> Are you able to elaborate on C programming and Unix incompatible with x86.

Not with x86, but with x86 segmentation. Note that segments and rings are almost totally removed from AMD native 64-bit mode, although they remain in 32-bit modes.

The natural way to use segments (which leads naturally to 2-component addresses) is to assign each object to its own segment and then pass segment descriptor IDs as arguments. This really goes against the C model of addressing. The C model of addressing (a single linear address space) is compatible with a large number of architectures and has simply won out over segmented address spaces except in some very specialized applications. Intel had a chip (the 960mp?) used in the military that used segmented addressing, but I don't think it has been used anywhere else, except possibly in HP printers years ago (and, I think, without the segmentation). The 960mp was a *very* complicated chip and I shuddered to think of the learning curve for that chip when I read the 960mp architecture manuals.

> Does this mean that other architectures such as Alpha, SGI and Sparc more
> compatible?

I would think so, although I know next to nothing about the details of the architectures of these chips as a result of lack of hands-on experience with them.
Re: x86 rings?
Hello, I have been reading this thread with some interest, as I have read some stuff on rings.

Are you able to elaborate on C programming and Unix being incompatible with x86?

Does this mean that other architectures such as Alpha, SGI and Sparc are more compatible?

Thank you,

rogern

From: Dave Feustel <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: <[EMAIL PROTECTED]>
CC:
Subject: Re: x86 rings?
Date: Thu, 04 Aug 2005 18:17:17 -0500

On Thursday 04 August 2005 04:47 pm, [EMAIL PROTECTED] wrote:
> Unless I am very much mistaken, this is Unix not Multics.
> To do anything with the rings, you must make userland
> into a three-ring circus.

That is precisely the point. The C programming language and Unix are incompatible with the x86 segmentation model, including rings, although amazing accommodations were made within C for 286 segments by Intel and Microsoft, et al. before 386 flat addressing took hold. While x86 rings and segments were neat and useful, if extremely awkward to use within C, they are rapidly disappearing into the dustbin of history.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
> Dave Feustel
> Sent: Thursday, August 04, 2005 4:05 PM
> To: Theo de Raadt
> Cc: [EMAIL PROTECTED]; misc@openbsd.org
> Subject: Re: x86 rings?
>
>
> Ed,
>
> Ever read anything about MIT's Multics and the GE 645?
Re: software testing
Yeah! On 8/4/05, Bob Beck <[EMAIL PROTECTED]> wrote: > > > if it's in userland you don't need to do anything > special for it to run on "soekris hardware" i386 is i386 is > i386. Have you run your stuff on OpenBSD i386? > > -Bob > > > * Gustavo Rios <[EMAIL PROTECTED]> [2005-08-04 16:31]: > > Hey folks, > > > > i have written a piece of code i would like to test with openbsd on > > soekris hardware. My work is a replacement for DJB CDB with a the nice > > BSD license. > > > > I wonder if some in this list could provide me such environment in the > > following sense: > > > > 0) grant me a shell access for doing my tests, or > > 1) do himself the test. > > > > Thanks a lot for your time and cooperation, > > > > best regards. > > > > -- > Bob Beck Computing and Network Services > [EMAIL PROTECTED] University of Alberta > True Evil hides its real intentions in its street address.
Re: software testing
if it's in userland you don't need to do anything special for it to run on "soekris hardware" i386 is i386 is i386. Have you run your stuff on OpenBSD i386? -Bob * Gustavo Rios <[EMAIL PROTECTED]> [2005-08-04 16:31]: > Hey folks, > > i have written a piece of code i would like to test with openbsd on > soekris hardware. My work is a replacement for DJB CDB with a the nice > BSD license. > > I wonder if some in this list could provide me such environment in the > following sense: > > 0) grant me a shell access for doing my tests, or > 1) do himself the test. > > Thanks a lot for your time and cooperation, > > best regards. > -- Bob Beck Computing and Network Services [EMAIL PROTECTED] University of Alberta True Evil hides its real intentions in its street address.
Re: x86 rings?
On Thursday 04 August 2005 04:47 pm, [EMAIL PROTECTED] wrote:
> Unless I am very much mistaken, this is Unix not Multics.
> To do anything with the rings, you must make userland
> into a three-ring circus.

That is precisely the point. The C programming language and Unix are incompatible with the x86 segmentation model, including rings, although amazing accommodations were made within C for 286 segments by Intel and Microsoft, et al. before 386 flat addressing took hold. While x86 rings and segments were neat and useful, if extremely awkward to use within C, they are rapidly disappearing into the dustbin of history.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
> Dave Feustel
> Sent: Thursday, August 04, 2005 4:05 PM
> To: Theo de Raadt
> Cc: [EMAIL PROTECTED]; misc@openbsd.org
> Subject: Re: x86 rings?
>
>
> Ed,
>
> Ever read anything about MIT's Multics and the GE 645?
Re: Via C3 IPSec test result
On Wed, 2005-08-03 at 15:29 +0200, Massimo wrote: > I've made up a test LAN built on two mini-ITX Via C3 based board to test > the AES encryption functionality of this CPU on a real setup. > > I've used flashboot 0.7.2 from Damien simply for a matter of time (I've > some flash card already configured) and since it seems to me a very good > product, the kernel is GENERIC-MD I made a similar post recently [1]. One difference was that I was using regular 3.7-release. > Now the result. > Iperf with 3DES suite show a 6.7Mbit/s with AES suit 16.8Mbit/s > > The LAN with no IPSec, just routing show a 86Mbit/s, the two OBSD boxe > wired together show up to 94Mbit/s ... > During tests, top shows from 70% to 80% of system CPU usage and here are > the vmstat output: I showed similar performance numbers. I got a suggestion off-list to try a current release because this could be related to the hlt hlt bug. I installed a snapshot from 31 July but it didn't improve things. I changed my quick mode transforms from AES SHA to BLF MD5 and improved IPSec performance to about 35Mbps. I also tried the OpenVPN 2.0 package and got around 45Mbps doing AES SHA. Something that didn't make sense to me was disabling kern.usercrypto had no impact on OpenVPN performance. I'd appreciate any suggestions about mistakes I might have made or things to try. Thanks! Mike [1]: http://marc.theaimsgroup.com/?l=openbsd-misc&m=112275803416870&w=2
software testing
Hey folks,

I have written a piece of code I would like to test with OpenBSD on Soekris hardware. My work is a replacement for DJB's CDB with the nice BSD license.

I wonder if someone on this list could provide me such an environment in the following sense:

0) grant me shell access for doing my tests, or
1) do the test himself.

Thanks a lot for your time and cooperation,

best regards.
Re: syslogd udp port
On 8/4/05, poncenby <[EMAIL PROTECTED]> wrote:
> I remember asking how to stop syslogd opening udp port 514 a while ago
> and never doing anything about it, here goes again...

Sure, syslogd opens UDP/514, but unless you use the '-u' flag the very next thing it does is call shutdown(), which prevents inbound traffic on the "listening" port:

http://www.bsdforums.org/forums/showthread.php?t=33250

> reading the man page doesn't really answer why there is program
> listening on udp 514, seeing as I haven't passed syslogd the -u switch
>
> -u      Select the historical ``insecure'' mode, in which syslogd will
>         accept input from the UDP port. Some software wants this, but
>         you can be subjected to a variety of attacks over the network,
>         including attackers remotely filling logs.
>
> can anyone point me in the right direction so this annoying behaviour stops.

I agree, it is (mildly) annoying. The syslog daemon must bind UDP/514 even without the '-u' flag because syslogd uses this socket as the source port if/when you configure a remote log destination in /etc/syslogd.conf.

FreeBSD has the '-s -s' flag which prevents the daemon from binding the port at all, but this is not necessary as a security enhancement; forcing syslogd not to bind the port is purely cosmetic, it just makes your netstat output shorter by one line.

Kevin Kadow
Re: syslogd udp port
On Thursday, August 4, poncenby wrote:
>
> I remember asking how to stop syslogd opening udp port 514 a while ago
> and never doing anything about it, here goes again...

And people asked you to search the archives.

> Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
> udp        0      0  *.514                  *.*

Yes, yes, it's got a socket open. So what?

> reading the man page doesn't really answer why there is program
> listening on udp 514, seeing as I haven't passed syslogd the -u switch
>
> -u      Select the historical ``insecure'' mode, in which syslogd will
>         accept input from the UDP port. Some software wants this, but
>         you can be subjected to a variety of attacks over the network,
>         including attackers remotely filling logs.
>
> can anyone point me in the right direction so this annoying behaviour stops.
> also, is there a switch for netstat which shows the pid/process for each
> listening port?

About 5 F*ING LINES later the man page says:

>> syslogd opens an Internet domain socket as specified in /etc/services.
>> Normally syslogd will only use this socket to send messages outwards, but
>> in ``insecure'' mode it will also read messages from this socket.
>> syslogd also opens and reads messages from the UNIX domain socket
>> /dev/log, and from the special device /dev/klog (to read kernel
>> messages).
>>
>> syslogd opens the above described socket whether or not it is running in
>> secure mode. If syslogd is running in secure mode, all incoming data on
>> this socket is discarded. The socket is required for sending forwarded
>> messages.

Read, breathe, relax... Just because a program has a port open does not mean it is insecure. It could be having a port open in order to *SEND* data, and never *EVER* receive data.

--Toby.
Re: syslogd udp port
The port is also used to (potentially) send data out to other syslog servers. Therefore, it is left open. This is made ASTOUNDINGLY clear in the manual page, if you would read it:

    syslogd opens the above described socket whether or not it is running in
    secure mode. If syslogd is running in secure mode, all incoming data on
    this socket is discarded. The socket is required for sending forwarded
    messages.

See that? It says anything read is DISCARDED.

This behaviour is not going to be changed. Period.

> I remember asking how to stop syslogd opening udp port 514 a while ago
> and never doing anything about it, here goes again...
>
> hopefully a relevant part of /etc/rc
>
> echo 'starting system logger'
> rm -f /dev/log
> if [ "X${named_flags}" != X"NO" ]; then
>         rm -f /var/named/dev/log
>         syslogd_flags="${syslogd_flags} -a /var/named/dev/log"
> fi
> if [ -d /var/empty ]; then
>         rm -f /var/empty/dev/log
>         mkdir -p -m 0555 /var/empty/dev
>         syslogd_flags="${syslogd_flags} -a /var/empty/dev/log"
> fi
> syslogd ${syslogd_flags}
>
> if [ X"${pf}" != X"NO" -a X"${pflogd_flags}" != X"NO" ]; then
>         if ifconfig pflog0 >/dev/null 2>&1; then
>                 ifconfig pflog0 up
>                 pflogd ${pflogd_flags}
>         fi
> fi
>
> my /etc/rc.conf
>
> syslogd_flags=          # add more flags, ie. "-u -a /chroot/dev/log"
>
> output from command: netstat -p udp -an
>
> Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
> udp        0      0  *.514                  *.*
>
> reading the man page doesn't really answer why there is program
> listening on udp 514, seeing as I haven't passed syslogd the -u switch
>
> -u      Select the historical ``insecure'' mode, in which syslogd will
>         accept input from the UDP port. Some software wants this, but
>         you can be subjected to a variety of attacks over the network,
>         including attackers remotely filling logs.
>
> can anyone point me in the right direction so this annoying behaviour stops.
> also, is there a switch for netstat which shows the pid/process for each
> listening port?
>
> thanks in advance
>
> poncenby
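The secure-mode behaviour described by the man page excerpt above and by Kevin Kadow's earlier reply in this thread (socket bound because forwarding needs a local port, inbound data discarded unless -u), as an added example. This is Python written for this page, not OpenBSD's syslogd and not code from anyone in the thread. It assumes nothing beyond loopback UDP: it uses ephemeral ports instead of 514 so it runs unprivileged, and it discards inbound datagrams by reading and dropping them in its own loop rather than via shutdown(), since shutdown() on an unconnected UDP socket does not behave the same on every platform.

```python
"""Send-only UDP syslog forwarder (added example, not OpenBSD's syslogd).

The socket is bound because forwarding needs a local port, but in secure
mode anything that arrives on it is read and thrown away.  Insecure mode,
the analogue of syslogd -u, accepts inbound messages.  Everything runs on
loopback with ephemeral ports in place of 514, so no privileges are needed.
"""
import select
import socket

LOG_USER = 1      # syslog facility code
LOG_NOTICE = 5    # syslog severity code


def encode_pri(facility, severity):
    """Numeric PRI carried in the <N> prefix: facility * 8 + severity."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23, severity 0..7")
    return facility * 8 + severity


def format_message(facility, severity, hostname, tag, text):
    """Build a classic one-line syslog datagram: <PRI>hostname tag: text."""
    return f"<{encode_pri(facility, severity)}>{hostname} {tag}: {text}".encode()


class Forwarder:
    """Owns the UDP socket a syslog daemon keeps for forwarding."""

    def __init__(self, insecure=False):
        self.insecure = insecure
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind(("127.0.0.1", 0))   # ephemeral port stands in for 514
        self.accepted = []                 # inbound messages kept (insecure mode)
        self.discarded = 0                 # inbound datagrams dropped (secure mode)

    @property
    def port(self):
        return self.sock.getsockname()[1]

    def forward(self, message, dest):
        """Send a message to a remote collector; allowed in either mode."""
        self.sock.sendto(message, dest)

    def poll(self, timeout=0.5):
        """Service at most one inbound datagram.

        Returns the message if accepted, None if nothing arrived or it was
        discarded.  Reading and dropping (instead of never reading) keeps the
        receive queue empty, so a remote sender cannot fill it.
        """
        ready, _, _ = select.select([self.sock], [], [], timeout)
        if not ready:
            return None
        data, _peer = self.sock.recvfrom(8192)
        if self.insecure:
            self.accepted.append(data)
            return data
        self.discarded += 1
        return None

    def close(self):
        self.sock.close()


def demo(insecure):
    """Exercise one forwarder against a loopback collector and a hostile sender.

    Returns (datagram the collector received, poll() result for the hostile
    datagram, number of datagrams discarded).
    """
    fwd = Forwarder(insecure=insecure)
    collector = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    collector.bind(("127.0.0.1", 0))
    collector.settimeout(2)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        # Outbound: the reason the socket exists at all.
        fwd.forward(format_message(LOG_USER, LOG_NOTICE, "host", "test", "hello"),
                    collector.getsockname())
        received = collector.recv(8192)
        # Inbound: a constructed datagram aimed at the forwarder's port.
        sender.sendto(b"<13>evil fill-the-logs", ("127.0.0.1", fwd.port))
        inbound = fwd.poll(timeout=2)
        return received, inbound, fwd.discarded
    finally:
        fwd.close()
        collector.close()
        sender.close()


if __name__ == "__main__":
    print("secure:  ", demo(insecure=False))
    print("insecure:", demo(insecure=True))
```

In secure mode the forwarder's port shows up as bound in netstat exactly as syslogd's does, the forwarded message still reaches the collector, and the hostile datagram is counted and dropped; only with insecure=True does poll() hand it back.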
Re: x86 rings?
Unless I am very much mistaken, this is Unix not Multics. To do anything with the rings, you must make userland into a three-ring circus. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dave Feustel Sent: Thursday, August 04, 2005 4:05 PM To: Theo de Raadt Cc: [EMAIL PROTECTED]; misc@openbsd.org Subject: Re: x86 rings? Ed, Ever read anything about MIT's Multics and the GE 645?
syslogd udp port
I remember asking how to stop syslogd opening udp port 514 a while ago and never doing anything about it, here goes again...

hopefully a relevant part of /etc/rc

    echo 'starting system logger'
    rm -f /dev/log
    if [ "X${named_flags}" != X"NO" ]; then
            rm -f /var/named/dev/log
            syslogd_flags="${syslogd_flags} -a /var/named/dev/log"
    fi
    if [ -d /var/empty ]; then
            rm -f /var/empty/dev/log
            mkdir -p -m 0555 /var/empty/dev
            syslogd_flags="${syslogd_flags} -a /var/empty/dev/log"
    fi
    syslogd ${syslogd_flags}

    if [ X"${pf}" != X"NO" -a X"${pflogd_flags}" != X"NO" ]; then
            if ifconfig pflog0 >/dev/null 2>&1; then
                    ifconfig pflog0 up
                    pflogd ${pflogd_flags}
            fi
    fi

my /etc/rc.conf

    syslogd_flags=          # add more flags, ie. "-u -a /chroot/dev/log"

output from command: netstat -p udp -an

    Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
    udp        0      0  *.514                  *.*

reading the man page doesn't really answer why there is a program listening on udp 514, seeing as I haven't passed syslogd the -u switch

    -u      Select the historical ``insecure'' mode, in which syslogd will
            accept input from the UDP port. Some software wants this, but
            you can be subjected to a variety of attacks over the network,
            including attackers remotely filling logs.

can anyone point me in the right direction so this annoying behaviour stops. also, is there a switch for netstat which shows the pid/process for each listening port?

thanks in advance

poncenby
ath0: unable to gain access to wireless unencrypted network
I've been trying to figure this out for a while now. I've consulted the man pages for ath, ifconfig, and dhclient. I've checked the mailing lists, and done many searches, even looking at Free and NetBSD examples... but I am stumped.

I bought for my Dell Inspiron 5150 laptop a DWL-650. Hardware version is "B5" and the firmware version is 2.54. I am running 3.7 -current, as I had issues with -release doing a kernel panic when I tried to remove the PCMCIA card. The misc@ mailing list said that upgrading to -current will fix this issue, and it has fixed the issue with kernel panic.

My issue now is that I use my laptop on a number of different wireless networks, my home has DHCP with WEP enabled, and my school, which has no WEP, but still uses DHCP. My work uses DHCP, but it's on a CAT 5 connection.

When OBSD boots up, the dmesg sees the card:

ath0 at cardbus0 dev 0 function 0 "Atheros Communications, Inc., AR5001--, Wireless LAN Reference Card": irq 11
ath0: AR5212 7.9 phy 4.5 rf2112 5.6 rf2112 5.6, FCC1A, address XX:XX:XX:XX:XX:XX

and it picks up my Broadcom NIC:

bce0 at pci2 dev 1 function 0 "Broadcom BCM4401" rev 0x01: irq 11, address xx:xx:xx:xx:xx:xx
bmtphy0 at bce0 phy 1: BCM4401 10/100baseTX PHY, rev. 0

when the system comes up, it looks first to the ath0 card because my hostname.ath0 has the following:

/etc/hostname.ath0
dhcp NONE NONE NONE

and my hostname.bce0 has the following:

/etc/hostname.bce0
dhcp NONE NONE NONE

My laptop continues to boot, and past the dmesg.boot it begins searching for the DHCP server, ath0 gives the following output... (this is the output that I get from my school...)
Aug 4 00:11:27 Lancelot dhclient[32406]: DHCPDISCOVER on ath0 to 255.255.255.255 port 67 interval 2
Aug 4 00:11:29 Lancelot dhclient[32406]: DHCPDISCOVER on ath0 to 255.255.255.255 port 67 interval 3
Aug 4 00:11:32 Lancelot dhclient[32406]: DHCPDISCOVER on ath0 to 255.255.255.255 port 67 interval 8
Aug 4 00:11:40 Lancelot dhclient[32406]: DHCPDISCOVER on ath0 to 255.255.255.255 port 67 interval 15
Aug 4 00:11:55 Lancelot dhclient[32406]: DHCPDISCOVER on ath0 to 255.255.255.255 port 67 interval 9
Aug 4 00:12:45 Lancelot dhclient[28819]: DHCPDISCOVER on ath0 to 255.255.255.255 port 67 interval 1
Aug 4 00:12:46 Lancelot dhclient[28819]: DHCPDISCOVER on ath0 to 255.255.255.255 port 67 interval 2
Aug 4 00:12:48 Lancelot dhclient[28819]: DHCPDISCOVER on ath0 to 255.255.255.255 port 67 interval 3
Aug 4 00:12:51 Lancelot dhclient[28819]: DHCPDISCOVER on ath0 to 255.255.255.255 port 67 interval 7
Aug 4 00:12:58 Lancelot dhclient[28819]: DHCPDISCOVER on ath0 to 255.255.255.255 port 67 interval 7
Aug 4 00:13:05 Lancelot dhclient[28819]: DHCPDISCOVER on ath0 to 255.255.255.255 port 67 interval 11
Aug 4 00:13:16 Lancelot dhclient[28819]: DHCPDISCOVER on ath0 to 255.255.255.255 port 67 interval 21
Aug 4 00:13:37 Lancelot dhclient[28819]: DHCPDISCOVER on ath0 to 255.255.255.255 port 67 interval 9
Aug 4 00:13:46 Lancelot dhclient[28819]: No DHCPOFFERS received.
Aug 4 00:13:46 Lancelot dhclient[28819]: No working leases in persistent database - sleeping.

then my bce0 picks up where ath0 failed... this is the output... bce0 has never failed to get an IP address. Even though I don't understand the error, I still get an IP address...

starting network
DHCPREQUEST on bce0 to 255.255.255.255 port 67
iplength 347 disagrees with bytes received 351.
accepting packet with data after udp payload.
DHCPACK from 172.16.220.10
bound to 172.16.224.147 -- renewal in 302400 seconds.
here is my ifconfig -a

lo0: flags=8049 mtu 33224
	groups: lo
	inet 127.0.0.1 netmask 0xff00
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
bce0: flags=8a43 mtu 1500
	lladdr xx:xx:xx:xx:xx:xx
	groups: egress
	media: Ethernet autoselect (100baseTX full-duplex)
	status: active
	inet6 fe80::20d:56ff:feb3:7011%bce0 prefixlen 64 scopeid 0x1
	inet 172.16.224.147 netmask 0x broadcast 172.16.255.255
pflog0: flags=0<> mtu 33224
pfsync0: flags=0<> mtu 1348
enc0: flags=0<> mtu 1536
ath0: flags=8822 mtu 1500
	lladdr xx:xx:xx:xx:xx:xx
	media: IEEE802.11 autoselect (DS1)
	status: no network
	ieee80211: nwid tardis
	inet6 fe80::211:95ff:fe7c:b86%ath0 prefixlen 64 scopeid 0x6

So now, bce0 is the only way that I can get an IP address, at home, school, or work... when I try to manually configure my ifconfig, I put the following in:

ifconfig ath0 nwid uophxedu -powersave media autoselect chan 3

then I issue the command:

dhclient ath0

and I get the same output as above... I do disable my bce0, so that bce0 does not cause issues.

I think that is all of it... If anyone can help me, I would be grateful. The best case would be to get it working on my home network with WEP. But I want to try working up to getting WEP. My first objective is to just get on the network. Both the wireless car
Re: non-prased headers in openbsd apache
Anyone on this list can help ?!? On 8/4/05, Ami Emanuel Bizamcher <[EMAIL PROTECTED]> wrote: > i have tryed what you said but i get nothing... > i just waits for the loop to finish then sends the data. > > i also checked the output directly > echo "GET /cgi-bin/somefile.pl" | nc 127.0.0.1 80 > > but no output came out > > (also plz direct me to the supplied documentation) > > thanks, > > ami. > > > On 8/4/05, Henning Brauer <[EMAIL PROTECTED]> wrote: > > * Ami Emanuel Bizamcher <[EMAIL PROTECTED]> [2005-08-04 17:58]: > > > how i can use non-prased headers in apache ?!? > > > > maybe by reading the supplied documentation... > > > > > i have mod_perl installed! > > > im using CGI written in perl. > > > > > > > > SetHandler perl-script > > PerlHandler Apache::Registry > > PerlSendHeader Off > > Options +ExecCGI > > > > > > > > -- > > BS Web Services, http://www.bsws.de/ > > OpenBSD-based Webhosting, Mail Services, Managed Servers, ... > > Unix is very simple, but it takes a genius to understand the simplicity. > > (Dennis Ritchie)
Re: pf syntax error (nat tag)
On Thu, 4 Aug 2005, Roland Penner wrote:

> I am setting up new firewall running OpenBSD 3.7. I am trying to implement rules using tagging. I ran into trouble with the following line:
>
> nat on $ext_if tagged LAN_INET tag LAN_INET_NAT -> ($ext_if)
>
> I get the following error:
>
> /etc/pf.conf:16: syntax error
>
> I am starting with a sample rule set on the OpenBSD website. The problem line is taken verbatim from the OpenBSD PF documentation: http://www.openbsd.org/faq/pf/tagging.html#policy

See http://marc.theaimsgroup.com/?l=openbsd-bugs&m=112276608602981&w=2

I noticed this error just a couple of days ago. Change your nat line to:

nat on $ext_if tag LAN_INET_NAT tagged LAN_INET -> ($ext_if)

/Regards, Johan
Re: hardware monitoring
Shawn K. Quinn wrote: >I'm able to get sensor data from the BIOS; is there something I'm >missing to be able to get them from within OpenBSD on this system? dmesg >follows... > > Give xmbmon a try. Rickard.
Re: x86 rings?
Ed, Ever read anything about MIT's Multics and the GE 645?
Re: make /dev/pf world readable? CLOSED
Matt Provost wrote:
> On Aug 04 05:21 PM, Artur Grabowski wrote:
> > Jan Sepp <[EMAIL PROTECTED]> writes:
> > > The answer was surprisingly simple. I just had to create a second pf device, chown it and make it read-only for the new owner, and I could get my statistics. These are the actual commands:
> > >
> > > soekris # mknod /dev/pf2 c 73 0
> > > soekris # chown myUser /dev/pf2
> > > soekris # chmod u-w /dev/pf2
> > > soekris # ls -l /dev/pf2
> > > cr--r--r-- 1 myUser wheel 73, 0 Aug 4 16:38 /dev/pf2
> > > soekris # su - myUser
> > > $ pfctl -p /dev/pf2 -i sis0 -vvsI
> > > sis0(instance, attached)
> > > Cleared: Thu Aug 4 15:48:46 2005
> > > etc.
> > > etc.
> >
> > If the idea is that the user isn't supposed to be able to write to the device, it doesn't really work.
> >
> > # mknod /dev/pf2 c 73 0
> > # chown art /dev/pf2
> > # chmod u-w /dev/pf2
> > # ls -l /dev/pf2
> > cr--r--r-- 1 art wheel 73, 0 Aug 4 17:19 /dev/pf2
> > # su - art
> > $ chmod u+w /dev/pf2
> > $ ^D
> > # ls -l /dev/pf2
> > crw-r--r-- 1 art wheel 73, 0 Aug 4 17:19 /dev/pf2
> > # rm /dev/pf2
> > #
>
> Right, you can use group permissions for that. Chown it to root:wheel, chmod 740, then anyone in the wheel group can read it but can't delete or chmod it. If you just need one user, make them have their own group and do the same.
>
> Matt

Well, not as CLOSED as I thought, obviously ;-) Hope we've got all loopholes covered now.

Thanks once again!

Jan
Re: x86 rings?
> However, I think that the "uneducated" answer by Theo means "no". No, what I mean is that asking a stupid question, which shows you did NO WORK AT ALL TO LEARN ABOUT THIS, just makes you look like some low-grade slashdot dumbfuck. You heard about rings somewhere. Whooptie doo. You didn't even read up ANYTHING about why they are useless. Instead, you thought it would be smart to ask. No, it was not smart. It was totally stupid. It means you don't know how to learn.
pf syntax error (nat tag)
I am setting up new firewall running OpenBSD 3.7. I am trying to implement rules using tagging. I ran into trouble with the following line:

nat on $ext_if tagged LAN_INET tag LAN_INET_NAT -> ($ext_if)

I get the following error:

/etc/pf.conf:16: syntax error

I am starting with a sample rule set on the OpenBSD website. The problem line is taken verbatim from the OpenBSD PF documentation: http://www.openbsd.org/faq/pf/tagging.html#policy

All I have changed are the macros to reflect my network/hardware. What am I missing here? Any comments welcome.

full ruleset:

# macros
int_if = "---"
dmz_if = "---"
ext_if = "---"
int_net = "---.---.---.---/24"
dmz_net = "---.---.---.---/24"
www_server = "---.---.---.---"
mail_server = "---.---.---.---"

table persist file "/etc/spammers"

# classification -- classify packets based on the defined firewall
# policy.
rdr on $ext_if proto tcp from to port smtp \
	tag SPAMD -> 127.0.0.1 port 8025

nat on $ext_if tagged LAN_INET tag LAN_INET_NAT -> ($ext_if)

block all

pass in on $int_if from $int_net tag LAN_INET keep state
pass in on $int_if from $int_net to $dmz_net tag LAN_DMZ keep state
pass in on $ext_if proto tcp to $www_server port 80 tag INET_DMZ keep state
pass in on $ext_if proto tcp to $mail_server port { smtp, pop3 } \
	tag INET_DMZ keep state

# policy enforcement -- pass/block based on the defined firewall policy.
pass in quick on $ext_if tagged SPAMD keep state
pass out quick on $ext_if tagged LAN_INET_NAT keep state
pass out quick on $dmz_if tagged LAN_DMZ keep state
pass out quick on $dmz_if tagged INET_DMZ keep state
Re: x86 rings?
> Can you enlighten me how that would improve security? I'm not saying that rings improve security. In fact I'm asking *if* there is any plan to use them to improve security. I think that OpenBSD (and Linux and Windows) uses ring 0 for kernel and ring 3 for userland. I was asking if they planned to do some trick with ring 1 or 2, like the segment hack for W^X on i386. Also ring -1 from new cpu (as explained by Dave) could be interesting. However, I think that the "uneducated" answer by Theo means "no".
Re: x86 rings?
On Thursday 04 August 2005 10:56 am, Ed White wrote: > Is there any plan to use x86 cpus rings (0..3) to improve OpenBSD security? Intel VanderPool and AMD Pacifica Virtual PC technologies will add the equivalent of ring(-1) to the x86 architecture. This new hardware capability will permit multiple (copies of) operating systems to be run simultaneously on a single cpu. The operating systems will not (at least in the case of Pacifica) need to be modified in any way to be virtualized as is currently required with Xen. Virtualization does not directly impact the security of OpenBSD, so it is probably of no interest to Openbsd developers. But it *will* make possible running a gaggle of copies of OpenBSD (eg OpenBSD 3.6, 3.7, and 3.8) simultaneously on a single computer. :-) Look for AMD chips implementing Pacifica sometime in 2006(Q1?). Dave Feustel
Re: Eschelon IPO
On 8/4/05, Tom Kegerreis <[EMAIL PROTECTED]> wrote: > Previous calls had all said it would be at the end of the year - thats what > I meant > > And since I work nights, I was asleep during the surprise conference call > :-) yea its kind of a odd feeling aint it?? remember back in the day "were going to go public! were going to go public! we could all be millionaires yahoowee atg!" and then the wheels fall off and we went boom. now full circle esch files for ipo. so I said, "groovy". come into work today and they are like, "nice ninj4 shirt. btw we went public. kkthx 75mil ching" hmm. can i get a serving of hype, rumors and cotton candy with my ipo?
Re: Eschelon IPO
oh snap. hi [EMAIL PROTECTED] sorry! On 8/4/05, Karsten McMinn <[EMAIL PROTECTED]> wrote: > On 8/4/05, Scott Call <[EMAIL PROTECTED]> wrote: > > On Thu, 2005-08-04 at 13:07 -0500, Tom Kegerreis wrote: > > > Despite everything we've been told, Eschelon went public today. ESCH > > > on the Nasdaq > > > > There was an all "associates" call about an hour ago where they made it > > pretty clear they were public. Who told you otherwise? > > the DJ news alert for the ipo first came at 6:43am est. > > "mommy, am I 'in the loop'?"?
Re: Eschelon IPO
On 8/4/05, Scott Call <[EMAIL PROTECTED]> wrote: > On Thu, 2005-08-04 at 13:07 -0500, Tom Kegerreis wrote: > > Despite everything we've been told, Eschelon went public today. ESCH > > on the Nasdaq > > There was an all "associates" call about an hour ago where they made it > pretty clear they were public. Who told you otherwise? the DJ news alert for the ipo first came at 6:43am est. "mommy, am I 'in the loop'?"?
Re: x86 rings?
On Thu, 2005-08-04 at 17:56:06 +0200, Ed White proclaimed... > Is there any plan to use x86 cpus rings (0..3) to improve OpenBSD security? > No, so go back to using Windows and leave us alone.
Re: x86 rings?
> Is there any plan to use x86 cpus rings (0..3) to improve OpenBSD security? Ed, Will you please stop asking uneducated questions like that?
Re: x86 rings?
On 8/4/05, Ed White <[EMAIL PROTECTED]> wrote:
> Is there any plan to use x86 cpus rings (0..3) to improve OpenBSD security?

/usr/src/sys/arch/i386/i386/machdep.c has:

#if defined(I486_CPU) || defined(I586_CPU) || defined(I686_CPU)
	/*
	 * On a 486 or above, enable ring 0 write protection.
	 */
	if (cpu_class >= CPUCLASS_486)
		lcr0(rcr0() | CR0_WP);
#endif

and sys_machdep.c does checks to ensure that the LDT only has user descriptors in ring 3.

From my x86 assembly days, I found that I never used ring 1 or 2, and it seems to be the same way with OpenBSD. Unnecessary complexities with little or no added security benefits.

--
Jon Simola
Systems Administrator
ABC Communications
Re: x86 rings?
On Thursday, August 4, Ed White wrote: > > Is there any plan to use x86 cpus rings (0..3) to improve OpenBSD security? Can you enlighten me how that would improve security? If you can show me a way that does not break the unix/posix model of the universe, I'm all ears. --Toby.
Re: make /dev/pf world readable? CLOSED
On Aug 04 05:21 PM, Artur Grabowski wrote:
> Jan Sepp <[EMAIL PROTECTED]> writes:
>
> > The answer was surprisingly simple. I just had to create a second pf device, chown it and make it read-only for the new owner, and I could get my statistics. These are the actual commands:
> >
> > soekris # mknod /dev/pf2 c 73 0
> > soekris # chown myUser /dev/pf2
> > soekris # chmod u-w /dev/pf2
> > soekris # ls -l /dev/pf2
> > cr--r--r-- 1 myUser wheel 73, 0 Aug 4 16:38 /dev/pf2
> > soekris # su - myUser
> > $ pfctl -p /dev/pf2 -i sis0 -vvsI
> > sis0(instance, attached)
> > Cleared: Thu Aug 4 15:48:46 2005
> > etc.
> > etc.
>
> If the idea is that the user isn't supposed to be able to write to the device, it doesn't really work.
>
> # mknod /dev/pf2 c 73 0
> # chown art /dev/pf2
> # chmod u-w /dev/pf2
> # ls -l /dev/pf2
> cr--r--r-- 1 art wheel 73, 0 Aug 4 17:19 /dev/pf2
> # su - art
> $ chmod u+w /dev/pf2
> $ ^D
> # ls -l /dev/pf2
> crw-r--r-- 1 art wheel 73, 0 Aug 4 17:19 /dev/pf2
> # rm /dev/pf2
> #

Right, you can use group permissions for that. Chown it to root:wheel, chmod 740, then anyone in the wheel group can read it but can't delete or chmod it. If you just need one user, make them have their own group and do the same.

Matt
x86 rings?
Is there any plan to use x86 cpus rings (0..3) to improve OpenBSD security?
fw(s) w/ NAT, pf and carp - failover during large download
Hi. I researched this on MARC, and while I did find posts relating to it, I found no definitive answer as to how to solve the problem. I setup two firewalls, each with in/dmz/out/sync interfaces - 4 interfaces each. preempt=1,forward=1,allow=1 I have basic failover working great, but if I start pulling down an .iso image for instance, and then shutdown the master, the download hangs. I tried setting NAT to use carp0, thinking the remote host got confused when the real IP went down. This did not work at all. Is this interrupted session behavior normal for this configuration, or do I obviously have something mis-configured? What info is needed to best help troubleshoot this? Thanks, Chris
Re: non-prased headers in openbsd apache
i have tried what you said but i get nothing... it just waits for the loop to finish then sends the data.

i also checked the output directly
echo "GET /cgi-bin/somefile.pl" | nc 127.0.0.1 80

but no output came out

(also plz direct me to the supplied documentation)

thanks,

ami.

On 8/4/05, Henning Brauer <[EMAIL PROTECTED]> wrote:
> * Ami Emanuel Bizamcher <[EMAIL PROTECTED]> [2005-08-04 17:58]:
> > how can i use non-parsed headers in apache ?!?
>
> maybe by reading the supplied documentation...
>
> > i have mod_perl installed!
> > im using CGI written in perl.
>
> SetHandler perl-script
> PerlHandler Apache::Registry
> PerlSendHeader Off
> Options +ExecCGI
>
> --
> BS Web Services, http://www.bsws.de/
> OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
> Unix is very simple, but it takes a genius to understand the simplicity.
> (Dennis Ritchie)
Re: non-prased headers in openbsd apache
* Ami Emanuel Bizamcher <[EMAIL PROTECTED]> [2005-08-04 17:58]:
> how can i use non-parsed headers in apache ?!?

maybe by reading the supplied documentation...

> i have mod_perl installed!
> im using CGI written in perl.

SetHandler perl-script
PerlHandler Apache::Registry
PerlSendHeader Off
Options +ExecCGI

--
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
non-prased headers in openbsd apache
hey all,

how can i use non-parsed headers in apache ?!?
i have mod_perl installed!
im using CGI written in perl.

this is my script: (i have used a famous one)

#!/usr/local/bin/perl
use strict;
use warnings;

my $server_protocol = $ENV{'SERVER_PROTOCOL'};
my $server_software = $ENV{'SERVER_SOFTWARE'};

# Non-parsed-header script: we write the status line and the headers
# ourselves, then the blank line that ends them, then the body.
print "$server_protocol 200 OK", "\n";
print "Server: $server_software", "\n";
print "Content-type: text/plain", "\n\n";
print "OK, Here I go. I am going to count from 1 to 50!", "\n";

$| = 1;    # unbuffer STDOUT so every number is flushed as it is printed
for (my $loop = 1; $loop <= 50; $loop++) {
	print $loop, "\n";
	sleep (2);
}
print "All Done!", "\n";
exit (0);
Re: ospfd priority problem
On Thu, 4 Aug 2005 13:39:57 +0159 Claudio Jeker <[EMAIL PROTECTED]> wrote:
> Could you test the following diff and see if this fixes the problem.

No go, still the same problem with router-priority set to 1 and now it doesn't work with router-priority set to 0 either. Other routers show it as 2way/drother except the DR and BDR where it's stuck at Exstart. No routes are inserted into the fib. The problem with prio 1 is still the same, starts working after a quick restart. The DR and BDR are running Gated 3.6, btw.

(prio 0)
# ospfctl sh n
ID              Pri  State          DeadTime  Address         Interface
203.65.245.12   0    2-WAY/DROTHER  00:00:31  203.65.245.12   sis0
203.65.245.2    9    2-WAY/DROTHER  00:00:37  203.65.245.2    sis0
203.65.245.3    1    2-WAY/DROTHER  00:00:37  203.65.245.3    sis0
203.65.245.1    5    2-WAY/DROTHER  00:00:35  203.65.245.1    sis0
203.65.245.7    0    2-WAY/DROTHER  00:00:35  203.65.245.7    sis0
203.65.245.6    10   2-WAY/DROTHER  00:00:32  203.65.245.6    sis0
203.65.245.5    1    2-WAY/DROTHER  00:00:31  203.65.245.5    sis0
203.65.245.9    1    2-WAY/DROTHER  00:00:31  203.65.245.9    sis0
203.65.245.4    0    2-WAY/DROTHER  00:00:33  203.65.245.4    sis0

debug output
prio 0: http://users.unet.net.ph/~lars/files/debug3.txt
prio 1: http://users.unet.net.ph/~lars/files/debug4.txt
prio 1, restart: http://users.unet.net.ph/~lars/files/debug5.txt

---
Lars Hansson
Re: make /dev/pf world readable? CLOSED
Jan Sepp <[EMAIL PROTECTED]> writes:

> The answer was surprisingly simple. I just had to create a second pf device, chown it and make it read-only for the new owner, and I could get my statistics. These are the actual commands:
>
> soekris # mknod /dev/pf2 c 73 0
> soekris # chown myUser /dev/pf2
> soekris # chmod u-w /dev/pf2
> soekris # ls -l /dev/pf2
> cr--r--r-- 1 myUser wheel 73, 0 Aug 4 16:38 /dev/pf2
> soekris # su - myUser
> $ pfctl -p /dev/pf2 -i sis0 -vvsI
> sis0(instance, attached)
> Cleared: Thu Aug 4 15:48:46 2005
> etc.
> etc.

If the idea is that the user isn't supposed to be able to write to the device, it doesn't really work.

# mknod /dev/pf2 c 73 0
# chown art /dev/pf2
# chmod u-w /dev/pf2
# ls -l /dev/pf2
cr--r--r-- 1 art wheel 73, 0 Aug 4 17:19 /dev/pf2
# su - art
$ chmod u+w /dev/pf2
$ ^D
# ls -l /dev/pf2
crw-r--r-- 1 art wheel 73, 0 Aug 4 17:19 /dev/pf2
# rm /dev/pf2
#

//art
Re: Stupid Carp question
On Thu, Aug 04, 2005 at 08:28:49AM -0400, Monah Baki wrote:
> Hi all,
>
> Implementing carp, I have 2 net4801's that seem to be synchronizing, when I do a ifconfig -a on the secondary I see carp0 on the slave becomes Master when the primary goes down.
> The internal machines are working fine accessing the internet and all.
>
> The pf.conf rule has the 2 rules:
>
> pass quick on { sis2 } proto pfsync
> pass on { sis0 sis1 } proto carp keep state
>
> However when I physically remove the ethernet cable from sis0 on the master, the internal machine cannot access the net anymore.
> Do I need to copy the pf.conf from the master to the secondary unit, have them both identical

The way I understand it (someone correct me if I'm wrong), is that if the slave has no ruleset (or a non identical ruleset), when the master goes down, the slave will have all the states that the master did, but packets will not pass unless there are rules that explicitly allow them.

-jon
make /dev/pf world readable? CLOSED
On Jul 27 09:31 AM, Jan Sepp wrote:
> Hello,
>
> I am creating a shell script that gathers PF statistics for my various interfaces, as in pfctl -i <> -vvsI . (Yes, I am aware of the existence of rpfcd, but as I want to monitor only one local box and write the output directly to console, that seems overkill to me.) I am running OpenBSD 3.6 on a Soekris.
>
> This script should not run as root. If I run it as a non-privileged user, I get an error. Basically, the problem is in the mode bits for /dev/pf, which are crw---, owner root.
>
> [ Jan Sepp snipped here ]

The answer was surprisingly simple. I just had to create a second pf device, chown it and make it read-only for the new owner, and I could get my statistics. These are the actual commands:

soekris # mknod /dev/pf2 c 73 0
soekris # chown myUser /dev/pf2
soekris # chmod u-w /dev/pf2
soekris # ls -l /dev/pf2
cr--r--r-- 1 myUser wheel 73, 0 Aug 4 16:38 /dev/pf2
soekris # su - myUser
$ pfctl -p /dev/pf2 -i sis0 -vvsI
sis0(instance, attached)
Cleared: Thu Aug 4 15:48:46 2005
etc.
etc.

Thank you all who answered my question and most notably Matt Provost, who essentially wrote the answer down for me!

Jan Sepp
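To make the two sides of this thread concrete (Art's demonstration that the owner of /dev/pf2 can simply chmod u+w it back, and Matt's root:wheel 740 fix), here is an added model of the Unix checks involved; it is example code written for this page, not from the thread or from OpenBSD, and the Node/User types and the users myUser and nobody are constructed for it.

```python
"""Who can read, write or re-chmod a device node under a given owner/group/mode.

Two rules do all the work: open() is decided by the mode bits of whichever
class (owner, group, other) the caller falls into, while chmod is decided
by ownership alone. Root bypasses both. This is a model written for this
page, not code from the thread or from OpenBSD."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    owner: str
    group: str
    mode: int  # permission bits only, e.g. 0o444


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset
    is_root: bool = False


def access_bits(node: Node, user: User) -> int:
    """The rwx triplet that applies to `user`. The first matching class wins,
    so an owner who is also in the group still gets only the owner bits."""
    if user.name == node.owner:
        return (node.mode >> 6) & 0o7
    if node.group in user.groups:
        return (node.mode >> 3) & 0o7
    return node.mode & 0o7


def can_open(node: Node, user: User, write: bool) -> bool:
    if user.is_root:
        return True
    return bool(access_bits(node, user) & (0o2 if write else 0o4))


def can_chmod(node: Node, user: User) -> bool:
    """chmod is governed by ownership, not by the node's own mode bits,
    which is exactly the loophole Art showed."""
    return user.is_root or user.name == node.owner


def evaluate(node: Node, user: User) -> dict:
    """What `user` can do with `node` right now, and whether a read-only
    mode actually holds against that user."""
    return {
        "read": can_open(node, user, write=False),
        "write": can_open(node, user, write=True),
        "can_regain_write": can_chmod(node, user),
    }


# Jan's first attempt: mknod, chown myUser, chmod u-w -> cr--r--r-- myUser wheel
jan_node = Node(owner="myUser", group="wheel", mode=0o444)
# Matt's suggestion: chown root:wheel, chmod 740 -> crwxr----- root wheel
matt_node = Node(owner="root", group="wheel", mode=0o740)

# Constructed users: the monitoring user (in wheel) and an unrelated account.
my_user = User("myUser", frozenset({"myUser", "wheel"}))
outsider = User("nobody", frozenset({"nobody"}))

if __name__ == "__main__":
    for label, node in (("chown myUser; chmod u-w", jan_node),
                        ("root:wheel 740", matt_node)):
        print(f"{label:25s} myUser: {evaluate(node, my_user)}")
        print(f"{'':25s} nobody: {evaluate(node, outsider)}")
```

The model covers open and chmod only: whether the node can be deleted is decided by the permissions of the /dev directory, not by the node's mode or owner.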
Re: Stupid Carp question
> -Original Message-
> From: Monah Baki [mailto:[EMAIL PROTECTED]
> Sent: Thursday, August 04, 2005 8:29 AM
> To: misc@openbsd.org
> Subject: Stupid Carp question
>
> Hi all,
>
> Implementing carp, I have 2 net4801's that seem to be synchronizing, when I do a ifconfig -a on the secondary I see carp0 on the slave becomes Master when the primary goes down.
> The internal machines are working fine accessing the internet and all.
>
> The pf.conf rule has the 2 rules:
>
> pass quick on { sis2 } proto pfsync
> pass on { sis0 sis1 } proto carp keep state
>
> However when I physically remove the ethernet cable from sis0 on the master, the internal machine cannot access the net anymore.
> Do I need to copy the pf.conf from the master to the secondary unit, have them both identical
>
> Thank you

> Do I need to copy the pf.conf from the master to the secondary unit, have them both identical

yes.
Re: IPSEC between OpenBSD (isakmpd) and Linux (FreeS/Wan)
Hi, yes, this howto is basically unmaintained since, uhm, several years and I actually should remove it. However, I have configs for interop with Openswan (don't know what's different to Freeswan) somewhere, will dig them out tonight... On Thu, Aug 04, 2005 at 04:09:56PM +0200, Guido Tschakert wrote: ... > I found the following page but the configfile for isakmpd is full of > bugs (looks like a lot of copy and paste without re-editing :-) ) > http://www.rommel.stw.uni-erlangen.de/~hshoexer/ipsec-howto/HOWTO.html ... -- pub 1024D/513AEFD9 1999-12-18 Hans-Joerg Hoexer <[EMAIL PROTECTED]> Key fingerprint = 83D2 436A 0D3C 34A9 E0FF 4C33 35F6 617C 513A EFD9
IPSEC between OpenBSD (isakmpd) and Linux (FreeS/Wan)
Hello All,

I'm trying to build a vpn between an OpenBSD and a Linux Router. (If I could, I would directly replace the linux box to simplify matters ;-) but that's not possible at the moment :-(

BTW: I want to use RSA-based authentication using x509 certificates. I have already built the CA and also created my certs.

I found the following page but the configfile for isakmpd is full of bugs (looks like a lot of copy and paste without re-editing :-) )
http://www.rommel.stw.uni-erlangen.de/~hshoexer/ipsec-howto/HOWTO.html

I want to ask you if one of you has already set up this sort of connection and is willing to give me some config files. (Or point me to some good documentation about inter-OS VPNs. I read a lot of docu but most of them deal with homogeneous networks)

Otherwise I will send my configs and error messages in the next days to the list :-D

And yes, I know openvpn is easy to set up, but I don't want to deal with the lower mss/mtu. (But on the other hand openvpn is my fallback solution.)

TIA
--
Kind regards,
Guido Tschakert
Re: Ammunition needed to defend OpenBSD/pf
On Wed, 3 Aug 2005 18:26:52 -0600 (MDT), Diana Eichert <[EMAIL PROTECTED]> wrote: >just use some 50cal BMG rounds, that should be effective ammunition. > >sorry, I just had to after following this thread for awhile I think you're taking the phrase "Bullet-Proof Software" a bit too literally. ;-) JCR -- A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? A: Top-posting. Q: What is the most annoying thing in e-mail?
Re: Stupid Carp question
On Thursday, August 04, 2005 Monah Baki wrote: > However when I physiclly remove the ethernet cable from sis0 > on the master, the internal machine cannot access the net anymore. > Do I need to copy the pf.conf from the master to the scondary > unit, have them both identical arp cache on the
Re: Stupid Carp question
On Thursday, August 04, 2005 Monah Baki wrote: > However when I physiclly remove the ethernet cable from sis0 > on the master, the internal machine cannot access the net anymore. > Do I need to copy the pf.conf from the master to the scondary > unit, have them both identical Sorry about my previous non-complete response...it's still early, anyway Wondering if you need to wait for the arp cache to clear on the internal machine...try clearing it yourself and making another 'net attempt -Todd
Stupid Carp question
Hi all,

Implementing carp, I have 2 net4801's that seem to be synchronizing, when I do a ifconfig -a on the secondary I see carp0 on the slave becomes Master when the primary goes down.
The internal machines are working fine accessing the internet and all.

The pf.conf rule has the 2 rules:

pass quick on { sis2 } proto pfsync
pass on { sis0 sis1 } proto carp keep state

However when I physically remove the ethernet cable from sis0 on the master, the internal machine cannot access the net anymore.
Do I need to copy the pf.conf from the master to the secondary unit, have them both identical?

Thank you
Re: nForce SATA testers required
Ya ..I could test it

Bye
Matteo

Jonathan Gray wrote:
> Can people who are able to test SATA on any nForce board mail me off list?
Re: ospfd priority problem
On Thu, 4 Aug 2005 13:39:57 +0159 Claudio Jeker <[EMAIL PROTECTED]> wrote: > Could you test the following diff and see if this fixes the problem. > It looks like the RFC is busted and we need to find out how to fix it > without generating more troubles. Getting the CVS as I type and will test as soon as it's finished. I put up the debug output from ospfd -d in case it will help further. starting with prio 1: http://users.unet.net.ph/~lars/files/debug1.txt after quick restart: http://users.unet.net.ph/~lars/files/debug2.txt --- Lars Hansson
Re: VPN behind a router, now with OpenVPN
Helio Santana wrote: > Hi, > I've disabled AH in my sysctl.conf but it doesn't work... > > No I have been trying to do with OpenVPN. After read all how-to, and > some samples the connection successfull with 2 obsd behind routers. > It's very simple to do... I can see servers, but, how can I do to > check my connections is encrypted? > > Last days with IPSEC, doing an tcpdump -i enc0 gives me > 'private/confidential)... but now, how can I do? tcpdump the external interfaces, looking at packets on the udp port you selected for OpenVPN. (5000 for openvpn 1.x, and 1194 for ovpn2.x) -- Janne Johansson Sektionen fvr IT & Media, Stockholms Universitet Frescati Hagvdg 10 106 91 STOCKHOLM http://www.it.su.se
Re: ospfd priority problem
On Thu, Aug 04, 2005 at 06:49:58PM +0800, Lars Hansson wrote: > Running a recent snapshot (a few days ago) ospfd seems to have a problem > with correctly joining an ospf area unless it's router-priority is 0 > or higher than the current BDR. Ospfd is here connected to our ospf backbone > wich is a mix of openbsd boxes running gated, Huawei 1760's and Cisco's > running various versions of IOS. > The first output below is after ospfd has been running with a router-priority > of 1 for a couple of minutes, the second one is after a very quick restart (ie > less than the dead time). > It seems it get stuck in a state and doesnt proceed until it has been > restarded. > It's notable that on the other routers in the backbone the ospfd box appears > as a full 2way/drother member while ospfd itself seems to think it's still in > exstart. The output also states that the BDR is in FULL/DROTHER but sometimes > it's the DR that shows up in that state. It's never both at the same time > though. > > # ospfctl sh n > ID Pri State DeadTime Address Interface > 203.65.245.31 EXSTART/DROTHER 00:00:32 203.65.245.3sis0 > 203.65.245.610 FULL/DR 00:00:31 203.65.245.6sis0 > 203.65.245.51 EXSTART/DROTHER 00:00:39 203.65.245.5sis0 > 203.65.245.40 EXSTART/DROTHER 00:00:35 203.65.245.4sis0 > 203.65.245.29 FULL/DROTHER 00:00:36 203.65.245.2sis0 > 203.65.245.12 0 EXSTART/DROTHER 00:00:32 203.65.245.12 sis0 > 203.65.245.91 EXSTART/DROTHER 00:00:35 203.65.245.9sis0 > 203.65.245.70 EXSTART/DROTHER 00:00:33 203.65.245.7sis0 > 203.65.245.15 EXSTART/DROTHER 00:00:33 203.65.245.1sis0 > > # ospfctl sh n > ID Pri State DeadTime Address Interface > 203.65.245.29 FULL/BACKUP 00:00:31 203.65.245.2sis0 > 203.65.245.91 2-WAY/DROTHER 00:00:30 203.65.245.9sis0 > 203.65.245.12 0 2-WAY/DROTHER 00:00:39 203.65.245.12 sis0 > 203.65.245.70 2-WAY/DROTHER 00:00:39 203.65.245.7sis0 > 203.65.245.15 2-WAY/DROTHER 00:00:39 203.65.245.1sis0 > 203.65.245.31 2-WAY/DROTHER 00:00:37 203.65.245.3sis0 > 203.65.245.610 FULL/DR 
00:00:36 203.65.245.6sis0 > 203.65.245.51 2-WAY/DROTHER 00:00:34 203.65.245.5sis0 > 203.65.245.40 2-WAY/DROTHER 00:00:32 203.65.245.4sis0 > Could you test the following diff and see if this fixes the problem. It looks like the RFC is busted and we need to find out how to fix it without generating more troubles. -- :wq Claudio Index: hello.c === RCS file: /cvs/src/usr.sbin/ospfd/hello.c,v retrieving revision 1.8 diff -u -p -r1.8 hello.c --- hello.c 13 Jun 2005 08:22:39 - 1.8 +++ hello.c 30 Jun 2005 13:09:20 - @@ -117,9 +117,9 @@ recv_hello(struct iface *iface, struct i u_int16_t len) { struct hello_hdr hello; - struct nbr *nbr = NULL; + struct nbr *nbr = NULL, *dr; u_int32_tnbr_id; - int twoway = 0, nbr_change = 0; + int nbr_change = 0; if (len < sizeof(hello) && (len & 0x03)) { log_warnx("recv_hello: bad packet size, interface %s", @@ -186,8 +186,13 @@ recv_hello(struct iface *iface, struct i fatalx("recv_hello: unknown interface type"); } - if (!nbr) + if (!nbr) { nbr = nbr_new(rtr_id, iface, 0); + /* set neighbor parameters */ + nbr->dr.s_addr = hello.d_rtr; + nbr->bdr.s_addr = hello.bd_rtr; + nbr->priority = hello.rtr_priority; + } /* actually the neighbor address shouldn't be stored on virtual links */ nbr->addr.s_addr = src.s_addr; @@ -199,8 +204,8 @@ recv_hello(struct iface *iface, struct i memcpy(&nbr_id, buf, sizeof(nbr_id)); if (nbr_id == iface->rtr_id.s_addr) { /* seen myself */ - if (nbr->state < NBR_STA_XSTRT) - twoway = 1; + if (nbr->state & NBR_STA_PRELIM) + nbr_fsm(nbr, NBR_EVT_2_WAY_RCVD); break; } buf += sizeof(nbr_id); @@ -222,9 +227,25 @@ recv_hello(struct iface *iface, struct i } if (iface->state & IF_STA_WAITING && - ((hello.d_rtr == nbr->addr.s_addr && hello.bd_rtr == 0) || - hello.bd_rtr == nbr->addr.s_addr)) + hello.d_rtr == nbr->addr.s_addr && hello.bd_rtr == 0) { + log_debug("hello: DR seen with NO BDR"); if_fsm(iface, IF_EVT_BACKUP_SEEN); + } + + if (iface->state & IF_STA_WAITING && hello.bd_rtr == nbr->addr.s_addr
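Review bot: in the first hunk `dr` is added to `struct nbr *nbr = NULL, *dr;` but is never assigned or read anywhere in the part of the diff visible here; if the cut-off tail of the last hunk does not use it, drop it, since an uninitialised pointer that survives only to be used later is a classic source of bugs. While in that hunk, the unchanged guard `if (len < sizeof(hello) && (len & 0x03))` reads as though it should be `||`: a hello shorter than its header should be rejected whether or not its length happens to be a multiple of four.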
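Review bot: in the `if (!nbr) {` hunk the `dr`, `bdr` and `priority` fields are copied from the hello only on the `nbr_new()` path, so a neighbour whose priority or DR/BDR declaration changes in a later hello gets nothing from this block; check that the unchanged code further down (the part that sets `nbr_change`) still writes those three fields for an existing neighbour, otherwise the election runs on whatever the first hello said. A short comment explaining why the fields must be filled in before the 2-Way event is delivered would also help, since that ordering is the whole point of the change.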
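Review bot: replacing the deferred `twoway = 1` flag with an immediate `nbr_fsm(nbr, NBR_EVT_2_WAY_RCVD)` inside the router-list loop changes ordering: the neighbour FSM now runs, and may start forming the adjacency, before the DR/BDR comparisons below this loop have looked at the same hello, which is presumably what the flag was deferring. The guard also changes from `nbr->state < NBR_STA_XSTRT` to `nbr->state & NBR_STA_PRELIM`; confirm that NBR_STA_PRELIM covers exactly the states below ExStart, otherwise a neighbour already in 2-Way either gets the event re-delivered on every hello or never receives it. Since `twoway` is gone from the declarations, its former consumer later in the function must be removed in the same diff (not visible here).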
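Review bot: the BackupSeen trigger in the last hunk is split into a DR-with-no-BDR branch and a separate `hello.bd_rtr == nbr->addr.s_addr` branch, but the diff is cut off on this page right after the second `if (iface->state & IF_STA_WAITING && ...`, so the body that replaces the old `|| hello.bd_rtr == nbr->addr.s_addr` case cannot be reviewed here; the hunk header (9 lines becoming 25) says it does considerably more than log, so the commit message should state what that branch now does differently. Also give the second branch a `log_debug` matching the new "hello: DR seen with NO BDR" line, so both paths into IF_EVT_BACKUP_SEEN show up in the debug output Lars is collecting.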
Re: openbsd 3.7 in-kernel pppoe issues
There's no /etc/mygate. That's why I suggested hardwiring the IP. But in your case there was, so this is completely another issue.

> From: Alexis de BRUYN [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 03, 2005 6:23 PM
> To: Schvberle Daniel; misc@openbsd.org
> Subject: RE: openbsd 3.7 in-kernel pppoe issues
>
> Try to remove your /etc/mygate if exists.
>
> >Hi,
> >
> >I have the same problem here in Hungary, running 3.7-
> >(almost)stable. My ISP is Axelero (T-Online Hungary now) and the
> >userland ppp worked like a charm. I switched to kernel pppoe but
> >it only works if I specify the remote peer (gateway) IP address
> >by hand. Luckily for me it's static so this works.
> >
> >So get the remote gateway IP by using userland pppoe, then type
> >it in hostname.pppoe instead of 0.0.0.1 and pray that it doesn't
> >change.
> >
> >Maybe -current does it better? Since it works for now I never got
> >the motivation to put -current on my home firewall but it might
> >be worth a shot.
nForce SATA testers required
Can people who are able to test SATA on any nForce board mail me off list?
Re: isakmpd question
On Wed, Aug 03, 2005 at 09:28:32AM -0400, Brandon Mercer wrote:
> I've tried running the debug, but I
> can't figure out which part of the proposal is incompatible. My config has:

when i had to setup a tunnel against a speedstream 5930 (dsl modem/router), i told the speedstream to make an active connection against my end, whilst my end was watching isakmpd with lots of debug output. was able to see the lifetime and (iirc) the encryption settings come through; then i just set the isakmpd end up to match those and anything else that came through from the speedstream and it worked.

jared

- [ openbsd 3.7 GENERIC ( jun 25 ) // i386 ]
VPN behind a router, now with OpenVPN
Hi,

I've disabled AH in my sysctl.conf but it doesn't work... Now I have been trying to do it with OpenVPN. After reading all the how-tos and some samples, the connection was successful with 2 obsd behind routers. It's very simple to do... I can see servers, but how can I check that my connection is encrypted? Last days with IPSEC, doing a tcpdump -i enc0 gave me 'private/confidential'... but now, how can I do it?

Thanks in advance,
Helio.
ospfd priority problem
Running a recent snapshot (a few days ago) ospfd seems to have a problem with correctly joining an ospf area unless its router-priority is 0 or higher than the current BDR. Ospfd is here connected to our ospf backbone which is a mix of openbsd boxes running gated, Huawei 1760's and Cisco's running various versions of IOS.

The first output below is after ospfd has been running with a router-priority of 1 for a couple of minutes, the second one is after a very quick restart (ie less than the dead time). It seems it gets stuck in a state and doesn't proceed until it has been restarted.

It's notable that on the other routers in the backbone the ospfd box appears as a full 2way/drother member while ospfd itself seems to think it's still in exstart. The output also states that the BDR is in FULL/DROTHER but sometimes it's the DR that shows up in that state. It's never both at the same time though.

# ospfctl sh n
ID              Pri State            DeadTime Address         Interface
203.65.245.3    1   EXSTART/DROTHER  00:00:32 203.65.245.3    sis0
203.65.245.6    10  FULL/DR          00:00:31 203.65.245.6    sis0
203.65.245.5    1   EXSTART/DROTHER  00:00:39 203.65.245.5    sis0
203.65.245.4    0   EXSTART/DROTHER  00:00:35 203.65.245.4    sis0
203.65.245.2    9   FULL/DROTHER     00:00:36 203.65.245.2    sis0
203.65.245.12   0   EXSTART/DROTHER  00:00:32 203.65.245.12   sis0
203.65.245.9    1   EXSTART/DROTHER  00:00:35 203.65.245.9    sis0
203.65.245.7    0   EXSTART/DROTHER  00:00:33 203.65.245.7    sis0
203.65.245.1    5   EXSTART/DROTHER  00:00:33 203.65.245.1    sis0

# ospfctl sh n
ID              Pri State            DeadTime Address         Interface
203.65.245.2    9   FULL/BACKUP      00:00:31 203.65.245.2    sis0
203.65.245.9    1   2-WAY/DROTHER    00:00:30 203.65.245.9    sis0
203.65.245.12   0   2-WAY/DROTHER    00:00:39 203.65.245.12   sis0
203.65.245.7    0   2-WAY/DROTHER    00:00:39 203.65.245.7    sis0
203.65.245.1    5   2-WAY/DROTHER    00:00:39 203.65.245.1    sis0
203.65.245.3    1   2-WAY/DROTHER    00:00:37 203.65.245.3    sis0
203.65.245.6    10  FULL/DR          00:00:36 203.65.245.6    sis0
203.65.245.5    1   2-WAY/DROTHER    00:00:34 203.65.245.5    sis0
203.65.245.4    0   2-WAY/DROTHER    00:00:32 203.65.245.4    sis0

---
Lars Hansson
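A small checker for `ospfctl sh n` listings like the ones in this thread, added here as an example; it is not part of ospfd or ospfctl. It assumes the column layout shown in the post (the sample rows are constructed in that layout), and the election rule it applies (highest priority, ties to the higher router ID, priority 0 ineligible) is the one from RFC 2328 section 9.4. It flags neighbors resting in a transitional state such as EXSTART, which is the symptom reported above, and a DR or BDR that is not FULL, while leaving DROTHER-to-DROTHER neighbors in 2-WAY alone since that is their normal final state.

```python
"""Parse `ospfctl show neighbor` output and flag adjacencies that look stuck.

Added example for this thread; not part of ospfd or ospfctl. It assumes the
column layout shown in the post (ID, Pri, State, DeadTime, Address, Interface).
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in the same layout as the post's output, not captured data.
SAMPLE = """\
ID              Pri State           DeadTime Address         Interface
203.65.245.3    1   EXSTART/DROTHER 00:00:32 203.65.245.3    sis0
203.65.245.6    10  FULL/DR         00:00:31 203.65.245.6    sis0
203.65.245.2    9   FULL/BACKUP     00:00:36 203.65.245.2    sis0
203.65.245.12   0   EXSTART/DROTHER 00:00:32 203.65.245.12   sis0
203.65.245.9    1   2-WAY/DROTHER   00:00:35 203.65.245.9    sis0
"""

# Adjacency states that are only passed through; a neighbor sitting in one
# of these for longer than a few hello intervals has a stalled DD exchange.
TRANSIENT = {"EXSTART", "EXCHANGE", "LOADING"}


@dataclass
class Neighbor:
    router_id: str
    priority: int
    state: str      # adjacency state: FULL, 2-WAY, EXSTART, ...
    role: str       # what the neighbor claims to be: DR, BACKUP or DROTHER
    dead_time: int  # seconds left before the neighbor is declared down
    address: str
    iface: str


ROW = re.compile(
    r"^(\S+)\s+(\d+)\s+([A-Z0-9-]+)/([A-Z]+)\s+(\d\d):(\d\d):(\d\d)\s+(\S+)\s+(\S+)$")


def parse_neighbors(text):
    """Turn the table into Neighbor records; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        rid, pri, state, role, h, mi, s, addr, ifc = m.groups()
        rows.append(Neighbor(rid, int(pri), state, role,
                             int(h) * 3600 + int(mi) * 60 + int(s), addr, ifc))
    return rows


def stuck_adjacencies(neighbors):
    """Neighbors in a transient state, or a DR/BDR that is not FULL.

    A DROTHER only builds a full adjacency with the DR and BDR, so a
    DROTHER-to-DROTHER neighbor resting in 2-WAY is normal and not flagged.
    """
    return [n for n in neighbors
            if n.state in TRANSIENT
            or (n.role in ("DR", "BACKUP") and n.state != "FULL")]


def expected_dr(neighbors):
    """Highest priority wins, ties go to the higher router ID (RFC 2328 9.4).

    Only the neighbors are considered: the local router's own priority is
    not in this output. Election is also sticky, so a different current DR
    is not by itself wrong; a mismatch is a prompt to look, not a fault.
    """
    eligible = [n for n in neighbors if n.priority > 0]
    if not eligible:
        return None
    return max(eligible,
               key=lambda n: (n.priority, int(ipaddress.ip_address(n.router_id))))


def report(text):
    """Human-readable findings, one per line; the first line is a row count."""
    ns = parse_neighbors(text)
    lines = [f"{len(ns)} neighbors parsed"]
    for n in stuck_adjacencies(ns):
        lines.append(f"CHECK {n.router_id} on {n.iface}: {n.state}/{n.role}, "
                     f"dead in {n.dead_time}s")
    dr = expected_dr(ns)
    claimed = [n.router_id for n in ns if n.role == "DR"]
    if dr and claimed and dr.router_id not in claimed:
        lines.append(f"DR mismatch: election would pick {dr.router_id}, "
                     f"neighbors claim {claimed}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Run it against real output with `ospfctl show neighbor | python3 check.py` after swapping `SAMPLE` for `sys.stdin.read()`; a neighbor that stays in the CHECK list across several runs spaced a dead interval apart is the stuck adjacency the post describes.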
The Motley Fool Password Assistance
Hello from The Motley Fool. Please click the link below to create a Motley Fool password. Once you do, you will have access to areas of Fool.com that require a password: http://www.fool.com/EditPassword.asp?U=184191259&C=0F4849F393EA0204&FP=1 Need Help? If you experience problems creating a password, contact us at [EMAIL PROTECTED] If you did not request to create a password, please disregard this email.
pf problem
hi:

my content of pf.conf is

#set macros
ext_if="vr0"
int_if="bge0"
ext_ip="222.185.xxx.xxx"
int_ip="192.168.0.1"
webserver="192.168.0.2"
priv_net="{127.0.0.0/8,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8}"

scrub in all

#give NAT to the internal address
nat on $ext_if from $webserver to any ->$ext_if

#ftp proxy
rdr pass on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

#redirect request to the external IP address to the proper internal IP
rdr on $ext_if proto tcp from any to $ext_ip port 80 -> $webserver port 80

#filter rules
block log all

#protect against spoofing
pass quick on lo0 all
block out quick on $ext_if from any to $priv_net
block in quick on $ext_if from $priv_net to any

#allow the incoming connection to the webserver
pass in log on $ext_if proto tcp from any to $webserver port 80 flags S/SA synproxy state

#pass the icmp packets ,allow ping
pass in inet proto icmp all icmp-type echoreq keep state

#pass ssh to firewall
pass in log on $ext_if proto tcp from any to $ext_if port ssh keep state

#pass all from internal out
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto {udp,icmp} all keep state

I have enabled pf in my openbsd firewall.

but when i test the firewall using the hgod utility (a syn flood ddos utility), the result of "tcpdump -n -e -ttt -i pflog0" is:

Aug 05 00:19:37.757647 rule 10/(match) pass in on vr0: 222.185.40.174.14292 > 192.168.0.2.80: S 31615:31615(0) win 16384
Aug 05 00:19:37.758051 rule 10/(match) pass in on vr0: 222.185.40.174.57220 > 192.168.0.2.80: S 18212:18212(0) win 16384
Aug 05 00:19:37.758322 rule 10/(match) pass in on vr0: 222.185.40.174.34738 > 192.168.0.2.80: S 25017:25017(0) win 16384
Aug 05 00:19:37.760149 rule 10/(match) pass in on vr0: 222.185.40.174.42348 > 192.168.0.2.80: S 42515:42515(0) win 16384
Aug 05 00:19:37.760330 rule 10/(match) pass in on vr0: 222.185.40.174.22409 > 192.168.0.2.80: S 40767:40767(0) win 16384

I use synproxy state, so why does the firewall pass the packets? Who can give me some suggestions?
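Detection logic over pflog lines in the format shown above, added as an example; it is neither the poster's nor pf's code. A rule carrying `log` together with `synproxy state` logs every SYN that matches it: pf completes the handshake with the client itself and only opens the backend connection once that handshake finishes, so a `pass` line per SYN is what pflog records even while the web server never sees a half-open connection. What the log lines can tell a defender is the rate, which this script extracts per source and destination port with a sliding window. The sample lines, the year (tcpdump prints none) and the thresholds are constructed.

```python
"""Rate check over pflog(4) lines as printed by `tcpdump -n -e -ttt -i pflog0`.

Added example for this thread; it is not pf code. The line format is the one
shown in the post; the year is assumed because the timestamps carry none.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

YEAR = 2005  # assumed: the log lines carry no year

# Constructed sample in the post's format: one burst from a single source,
# one ordinary SYN from elsewhere, and one SYN that hit a block rule.
SAMPLE = """\
Aug 05 00:19:37.757647 rule 10/(match) pass in on vr0: 222.185.40.174.14292 > 192.168.0.2.80: S 31615:31615(0) win 16384
Aug 05 00:19:37.758051 rule 10/(match) pass in on vr0: 222.185.40.174.57220 > 192.168.0.2.80: S 18212:18212(0) win 16384
Aug 05 00:19:37.758322 rule 10/(match) pass in on vr0: 222.185.40.174.34738 > 192.168.0.2.80: S 25017:25017(0) win 16384
Aug 05 00:19:37.760149 rule 10/(match) pass in on vr0: 222.185.40.174.42348 > 192.168.0.2.80: S 42515:42515(0) win 16384
Aug 05 00:19:37.760330 rule 10/(match) pass in on vr0: 222.185.40.174.22409 > 192.168.0.2.80: S 40767:40767(0) win 16384
Aug 05 00:19:40.100000 rule 10/(match) pass in on vr0: 10.9.8.7.51000 > 192.168.0.2.80: S 1:1(0) win 65535
Aug 05 00:19:41.000000 rule 3/(match) block in on vr0: 10.0.0.5.1234 > 192.168.0.2.80: S 7:7(0) win 512
"""

LINE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\d\d) (?P<time>\d\d:\d\d:\d\d\.\d+) "
    r"rule (?P<rule>\d+)/\(match\) (?P<action>pass|block) (?P<dir>in|out) "
    r"on (?P<iface>\w+): (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<flags>[SFRP.]+)")


def parse(text):
    """Return (timestamp, action, src, dst, dport, flags) for each TCP line."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # non-TCP or differently formatted line
        ts = datetime.strptime(f"{YEAR} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S.%f")
        events.append((ts, m["action"], m["src"], m["dst"],
                       int(m["dport"]), m["flags"]))
    return events


def syn_floods(events, window=1.0, threshold=4):
    """Sources that sent more than `threshold` bare SYNs (flags 'S' only) to
    one destination port inside any `window`-second span.

    Returns {(src, dst, dport): peak count in window}. A sliding deque per
    key keeps only timestamps inside the window, so memory stays bounded.
    """
    recent = defaultdict(deque)
    peaks = {}
    for ts, _action, src, dst, dport, flags in events:
        if flags != "S":
            continue  # SYN+ACK, data and teardown segments are not attempts
        key = (src, dst, dport)
        q = recent[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) > threshold:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks


if __name__ == "__main__":
    for (src, dst, port), n in syn_floods(parse(SAMPLE)).items():
        print(f"{src} -> {dst}:{port}: {n} SYNs within 1s")
```

Feed it `tcpdump -n -e -ttt -r /var/log/pflog` output on a real box; the window and threshold are the knobs to tune against normal traffic to that port before acting on a hit.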
Re: Device not configured (APM, sound, modem)
> Apart from providing the *complete* dmesg output already requested by
> someone else

Below is the complete dmesg output:

OpenBSD 3.7 (GENERIC) #50: Sun Mar 20 00:01:57 MST 2005
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Mobile Intel(R) Pentium(R) 4 CPU 3.20GHz ("GenuineIntel" 686-class) 3.20 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID
real mem = 468688896 (457704K)
avail mem = 420716544 (410856K)
using 4278 buffers containing 23535616 bytes (22984K) of memory
User Kernel Config
UKC> disable pcibios
254 pcibios0 disabled
UKC> disable pcibios
254 pcibios0 already disabled
UKC> exit
Continuing...
mainbus0 (root)
bios0 at mainbus0: AT/286+(87) BIOS, date 01/16/04, BIOS32 rev. 0 @ 0xfd700
pcibios at bios0 function 0x1a not configured
bios0: ROM list: 0xc/0xf000 0xd/0x6000! 0xd6000/0x800! 0xd8000/0x1000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 vendor "ATI", unknown product 0x5831 rev 0x02
ppb0 at pci0 dev 1 function 0 "ATI Radeon IGP 9100 AGP" rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 5 function 0 "ATI Radeon Mobility IGP 9100" rev 0x00
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ohci0 at pci0 dev 19 function 0 vendor "ATI", unknown product 0x4347 rev 0x01: irq 11, version 1.0, legacy support
ohci0: SMM does not respond, resetting
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: ATI OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 3 ports with 3 removable, self powered
ohci1 at pci0 dev 19 function 1 vendor "ATI", unknown product 0x4348 rev 0x01: irq 11, version 1.0, legacy support
usb1 at ohci1: USB revision 1.0
uhub1 at usb1
uhub1: ATI OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 3 ports with 3 removable, self powered
ehci0 at pci0 dev 19 function 2 vendor "ATI", unknown product 0x4345 rev 0x01: irq 11
ehci0: EHCI version 1.0
ehci0: companion controllers, 3 ports each: ohci0 ohci1
usb2 at ehci0: USB revision 2.0
uhub2 at usb2
uhub2: ATI EHCI root hub, class 9/0, rev 2.00/1.00, addr 1
uhub2: single transaction translator
uhub2: 6 ports with 6 removable, self powered
vendor "ATI", unknown product 0x4353 (class serial bus subclass SMBus, rev 0x17) at pci0 dev 20 function 0 not configured
pciide0 at pci0 dev 20 function 1 vendor "ATI", unknown product 0x4349 rev 0x00: DMA (unsupported), channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0:
wd0: 16-sector PIO, LBA, 57231MB, 117210240 sectors
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: SCSI0 5/cdrom removable
pcib0 at pci0 dev 20 function 3 vendor "ATI", unknown product 0x434c rev 0x00
ppb1 at pci0 dev 20 function 4 vendor "ATI", unknown product 0x4342 rev 0x00
pci2 at ppb1 bus 2
"Texas Instruments TSB43AB21 FireWire" rev 0x00 at pci2 dev 0 function 0 not configured
ath0 at pci2 dev 2 function 0 "Atheros AR5212" rev 0x01: irq 11
ath0: mac 80.6 phy 4.1 radio 1.7 2.3, 802.11a/b/g, WOR4W, address 00:90:96:72:4d:f1
gpio at ath0 not configured
rl0 at pci2 dev 3 function 0 "Realtek 8139" rev 0x10: irq 11 address 00:02:3f:d3:3a:7b
rlphy0 at rl0 phy 0: RTL internal phy
cbb0 at pci2 dev 4 function 0 "ENE CB-1410 CardBus" rev 0x01pci_intr_map: no mapping for pin A
: couldn't map interrupt
vendor "ATI", unknown product 0x4341 (class multimedia subclass audio, rev 0x00) at pci0 dev 20 function 5 not configured
vendor "ATI", unknown product 0x434d (class communications subclass modem, rev 0x01) at pci0 dev 20 function 6 not configured
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0 (mux 1 ignored for console): console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0:
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
biomask ef75 netmask ef75 ttymask fff7
pctr: user-level cycle counter enabled
uhidev0 at uhub0 port 3 configuration 1 interface 0
uhidev0: vendor 0x062a product 0x0001, rev 1.10/0.00, addr 2, iclass 3/1
ums0 at uhidev0: 3 buttons and Z dir.
wsmouse1 at ums0 mux 0
dkcsum: wd0 matched BIOS disk 80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
Re: login_ldap
2005/8/4, John Wright <[EMAIL PROTECTED]>:
> On Thu, Aug 04, 2005 at 10:47:00AM +0200, Alexander Farber wrote:
> > # base with scope sub
>
> Maybe the scope? If I'm reading the code correctly the default is onelevel
> (or "-s one" on the ldapsearch command line) but the default for ldapsearch
> is subtree.

Ahh, that was it. Thank you, now I can login

blowfish# tail /etc/login.conf
ldap:\
        :auth=-ldap:\
        :x-ldap-server=172.25.93.242:\
        :x-ldap-basedn=o=bonmp.XXX.com:\
        :x-ldap-uscope=subtree:\
        :x-ldap-filter=(uid=%u):

blowfish# /usr/local/libexec/auth/login_-ldap -d afarber ldap
Password:
uri = ldap://172.25.93.242:389/
filter = (uid=afarber)
search result 0x0
authorize

Now my problem is, that for every user there needs to be an entry in /etc/passwd (is it needed for setting the login class to "ldap"?). And we have 200-300 users at our site (and much more globally). I wonder, how do the others handle this case of many users?

Regards
Alex
Re: Device not configured (APM, sound, modem)
On 8/4/05, Z L <[EMAIL PROTECTED]> wrote:
> I installed OBSD3.7 on my laptop. Things that are not working are:
> sound and modem (dial-up internal laptop modem) and apm.

Apart from providing the *complete* dmesg output already requested by someone else, you will also want to check the notes on the i386 laptop page [1]. Among other things, it will tell you that your modem will probably never work as it is probably a winmodem.

Regarding APM; my own laptop ships without APM support and only has ACPI built in. Check the BIOS and documentation that go with your device to ensure your device really has APM support built in. Without APM, changing flags in rc.conf[.local] is a waste of your time.

Cheers,
Rogier

References:
1. OpenBSD i386 laptop page http://www.openbsd.org/i386-laptop.html

--
If you don't know where you're going, any road will get you there.
Re: login_ldap
On Thu, Aug 04, 2005 at 10:47:00AM +0200, Alexander Farber wrote:
> # base with scope sub

Maybe the scope? If I'm reading the code correctly the default is onelevel (or "-s one" on the ldapsearch command line) but the default for ldapsearch is subtree.
Re: login_ldap
Here is what I get on the command line (a "result: 0 Success", so I wonder why does login_-ldap fail?)

blowfish# ldapsearch -x -h 172.25.93.242 \
    -b o=bonmp.XXX.com "(uid=afarber)"
# extended LDIF
#
# LDAPv3
# base with scope sub
# filter: (uid=afarber)
# requesting: ALL
#

# afarber, People, bonmp.XXX.com
dn: uid=afarber,ou=People,o=bonmp.XXX.com
shadowLastChange: 12947
userPassword:: e2NyeXB0fXXkMW1xaDkxSUo2OEE=
gidNumber: 5525
mail: [EMAIL PROTECTED]
loginShell: /bin/tcsh
employeeNumber: 20164153
shadowFlag: 0
uid: afarber
cn: Alexander Farber
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: XXXperson
objectClass: shadowAccount
uidNumber: 22323
homeDirectory: /home/afarber
gecos: Alexander Farber,joined-0X/0X,No_Number,,,[EMAIL PROTECTED]

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

2005/8/4, Alexander Farber <[EMAIL PROTECTED]>:
> blowfish# /usr/local/libexec/auth/login_-ldap -d afarber ldap
> Password:
> uri = ldap://172.25.93.242:389/
> filter = (uid=afarber)
> search result 0x0
> reject
>
> # $OpenBSD: login.conf,v 1.19 2005/02/07 08:33:05 otto Exp $
>
> ldap:\
>         :auth=-ldap:\
>         :x-ldap-server=172.25.93.242:\
>         :x-ldap-basedn=o=bonmp.XXX.com:\
>         :x-ldap-filter=(uid=%u):
Re: login_ldap
2005/8/4, John Wright <[EMAIL PROTECTED]>:
> /usr/libexec/auth/login_-ldap -d afarber should be more verbose.

Thank you, now I get:

blowfish# /usr/local/libexec/auth/login_-ldap -d afarber
Password:
couldn't get x-ldap-server
reject

Aug 4 10:11:43 blowfish login_-ldap: couldn't get x-ldap-server
Aug 4 10:11:43 blowfish login_-ldap: couldn't get x-ldap-server

I tried to look into login_ldap.c too and understood that it probably didn't get my class correctly (wasn't it supposed to know it is "ldap" - from my /etc/passwd entry?). So now I specify the class too and get:

blowfish# /usr/local/libexec/auth/login_-ldap -d afarber ldap
Password:
uri = ldap://172.25.93.242:389/
filter = (uid=afarber)
search result 0x0
reject

What does it mean, is my filter maybe wrong? What LDAP fields is login_-ldap looking at?

Regards
Alex

PS: I paste my /etc/login.conf below, but actually only the last 6 lines were added by me to the stock version:

# $OpenBSD: login.conf,v 1.19 2005/02/07 08:33:05 otto Exp $
#
# Sample login.conf file.  See login.conf(5) for details.
#
#
# Standard authentication styles:
#
# krb5-or-pwd   First try Kerberos V password, then local password file
# passwd        Use only the local password file
# krb5          Use only the Kerberos V password
# chpass        Do not authenticate, but change users password (change
#               the kerberos password if the user has one, else change
#               the local password)
# lchpass       Do not login; change user's local password instead
# radius        Use radius authentication
# skey          Use S/Key authentication
# activ         ActivCard X9.9 token authentication
# crypto        CRYPTOCard X9.9 token authentication
# snk           Digital Pathways SecureNet Key authentication
# token         Generic X9.9 token authentication
#
# Default allowed authentication styles
# useradd -m -d /home/afarber -s /usr/local/bin/tcsh -L ldap afarber
# auth-defaults:auth=-ldap,passwd,skey:
auth-defaults:auth=passwd,skey:

# Default allowed authentication styles for authentication type ftp
auth-ftp-defaults:auth-ftp=passwd:

#
# The default values
# To alter the default authentication types change the line:
#       :tc=auth-defaults:\
# to be read something like: (enables passwd, "myauth", and activ)
#       :auth=passwd,myauth,activ:\
# Any value changed in the daemon class should be reset in default
# class.
#
default:\
        :path=/usr/bin /bin /usr/sbin /sbin /usr/X11R6/bin /usr/local/bin:\
        :umask=022:\
        :datasize-max=256M:\
        :datasize-cur=75M:\
        :maxproc-max=128:\
        :maxproc-cur=64:\
        :openfiles-cur=64:\
        :stacksize-cur=4M:\
        :localcipher=blowfish,6:\
        :ypcipher=old:\
        :tc=auth-defaults:\
        :tc=auth-ftp-defaults:

#
# Settings used by /etc/rc and root
# This must be set properly for daemons started as root by inetd as well.
# Be sure reset these values back to system defaults in the default class!
#
daemon:\
        :ignorenologin:\
        :datasize=infinity:\
        :maxproc=infinity:\
        :openfiles-cur=128:\
        :stacksize-cur=8M:\
        :localcipher=blowfish,8:\
        :tc=default:

#
# Staff have fewer restrictions and can login even when nologins are set.
#
staff:\
        :datasize-cur=75M:\
        :datasize-max=infinity:\
        :maxproc-max=256:\
        :maxproc-cur=128:\
        :ignorenologin:\
        :requirehome@:\
        :tc=default:

# XXX
ldap:\
        :auth=-ldap:\
        :x-ldap-server=172.25.93.242:\
        :x-ldap-basedn=o=bonmp.XXX.com:\
        :x-ldap-filter=(uid=%u):

[demime 1.01d removed an attachment of type application/octet-stream which had a name of login.conf]
Re: raid for boot/root disk ?
On Thursday, August 4, "Stefan Sczekalla-Waldschmidt" wrote:
> > > Would a hardware el-cheapo raid-controller be of any help in a way
> > > that the joe-user standard setup procedure will work ?
> >
> > If your mobo supports booting from the controller that would
> > probably be the easiest way, just create the array and install
> > onto it just as if it had been a normal drive. Check so that
> > GENERIC supports the card though.
>
> any suggestions ?

ami(4)

--Toby.
Re: hardware monitoring
On Thu, Aug 04, 2005 at 03:06:34AM -0500, Shawn K. Quinn wrote:
> On Thu, 2005-08-04 at 15:44 +0800, Lars Hansson wrote:
> > Your hardware sensor, whatever it is, isn't supported.
>
> Okay, next question: where in the dmesg is it? Does it show up in the
> dmesg at all?

Since most sensors sit behind ISA or I2C they can't be autodetected like PCI devices, so they don't show up in the dmesg at all.

> --
> Shawn K. Quinn <[EMAIL PROTECTED]>

--
Alexander Yurchenko (aka grange)
Re: raid for boot/root disk ?
> > Would a hardware el-cheapo raid-controller be of any help in a way
> > that the joe-user standard setup procedure will work ?
>
> If your mobo supports booting from the controller that would
> probably be the easiest way, just create the array and install
> onto it just as if it had been a normal drive. Check so that
> GENERIC supports the card though.

any suggestions ?
Re: login_ldap
On Thu, Aug 04, 2005 at 09:43:28AM +0200, Alexander Farber wrote:
> Also, does anybody know, how to run /usr/local/libexec/auth/login_-ldap
> on a command line, to see if it works at all? I try following:
>
> blowfish# /usr/local/libexec/auth/login_-ldap afarber
> blowfish# echo $?
> 1

Eyeing the code it looks like:

/usr/libexec/auth/login_-ldap -d afarber

should be more verbose.
Re: hardware monitoring
On Thu, 2005-08-04 at 15:44 +0800, Lars Hansson wrote:
> Your hardware sensor, whatever it is, isn't supported.

Okay, next question: where in the dmesg is it? Does it show up in the dmesg at all?

--
Shawn K. Quinn <[EMAIL PROTECTED]>
Re: hardware monitoring
On Thu, 04 Aug 2005 02:14:38 -0500 "Shawn K. Quinn" <[EMAIL PROTECTED]> wrote:
> I'm able to get sensor data from the BIOS; is there something I'm
> missing to be able to get them from within OpenBSD on this system? dmesg
> follows...

Your hardware sensor, whatever it is, isn't supported.

---
Lars Hansson
login_ldap
Hi,

we have a mostly RH Linux environment where the PCs authenticate against a Netscape LDAP server. They have a quite short /etc/ldap.conf:

host 172.25.93.242      <-- that is our LDAP server
base o=bonmp.XXX.com
ssl no
pam_password crypt

And I'm trying to setup this OpenBSD PC:

blowfish# uname -a
OpenBSD blowfish.europe.XXX.com 3.7 GENERIC#50 i386
blowfish# pkg_info | grep -i ldap
login_ldap-3.3      provide ldap authentication type
openldap-client-2.2.23 Open source LDAP software (client)

After reading "man login_ldap" I have added a user for myself:

useradd -m -d /home/afarber -s /usr/local/bin/tcsh -L ldap afarber

and have now the following line in vipw:

afarber:*:1000:10:ldap:0:0::/home/afarber:/usr/local/bin/tcsh

For that login class "ldap" I've added this entry in /etc/login.conf:

ldap:\
        :auth=-ldap:\
        :x-ldap-server=172.25.93.242:\
        :x-ldap-basedn=o=bonmp.XXX.com:\
        :x-ldap-filter=(uid=%u):

On the command line I seem to be able to perform some searches:

blowfish# ldapsearch -x -h 172.25.93.242 \
    -b o=bonmp.XXX.com "(uid=afarber)" mail uid
# extended LDIF
#
# LDAPv3
# base with scope sub
# filter: (uid=afarber)
# requesting: mail uid
#

# afarber, People, bonmp.XXX.com
dn: uid=afarber,ou=People,o=bonmp.XXX.com
mail: Alexander.Farber at XXX.com
uid: afarber

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

But logging in on the "login:" prompt doesn't work and there is no message in /var/log/authlog besides LOGIN FAILED 3 TIMES. I have tried logging in using these usernames:

afarber
afarber:-ldap

So has anybody please been successful in this and can share some tips?

Also, does anybody know, how to run /usr/local/libexec/auth/login_-ldap on a command line, to see if it works at all? I try the following:

blowfish# /usr/local/libexec/auth/login_-ldap afarber
blowfish# echo $?
1

but don't know how to interpret this? What LDAP field does it look for, "uid"? The information in the archives and on the web is unfortunately scarce.

Regards
Alex
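A checker for login.conf(5) class entries like the one above, added as an example; it is not from login_ldap or OpenBSD. It reads the getcap(3)-style records (`name:cap=value:` with backslash continuation lines and `tc=` inheritance), flattens the chain and reports the things this thread ran into: a class whose effective `auth=` does not list `-ldap`, a missing `x-ldap-*` capability, or a search scope left unset when the user entries sit below the base DN (the resolution posted later in this thread was `x-ldap-uscope=subtree`). The sample file and its host and base DN values are constructed, and the parser assumes capability values contain no colons.

```python
"""Parse login.conf(5) records and check the x-ldap-* capabilities of a class.

Added example for this thread; not part of login_ldap or OpenBSD. Handles the
getcap(3) record syntax used by login.conf: 'name:cap=value:cap:\\' with
backslash continuation lines, '#' comments and 'tc=other' inheritance.
Values are assumed not to contain ':' (getcap escapes are not implemented).
"""

# Constructed sample modelled on the thread's entries; host and base DN are made up.
SAMPLE = r"""
# $OpenBSD: login.conf sample $
auth-defaults:auth=passwd,skey:

default:\
        :path=/usr/bin /bin /usr/sbin /sbin:\
        :umask=022:\
        :tc=auth-defaults:

# class as first posted in the thread: no search scope given
ldap:\
        :auth=-ldap:\
        :x-ldap-server=ldap.example.com:\
        :x-ldap-basedn=o=example.com:\
        :x-ldap-filter=(uid=%u):\
        :tc=default:

# same class with the scope set explicitly
ldap-sub:\
        :auth=-ldap:\
        :x-ldap-server=ldap.example.com:\
        :x-ldap-basedn=o=example.com:\
        :x-ldap-uscope=subtree:\
        :x-ldap-filter=(uid=%u):\
        :tc=default:

# inherits auth=passwd,skey from default, so login_-ldap never runs
ldap-noauth:\
        :x-ldap-server=ldap.example.com:\
        :x-ldap-basedn=o=example.com:\
        :x-ldap-uscope=subtree:\
        :x-ldap-filter=(uid=%u):\
        :tc=default:
"""

REQUIRED = ("x-ldap-server", "x-ldap-basedn", "x-ldap-filter")


def parse_login_conf(text):
    """Return {class: {cap: value}}; bare capabilities map to True, tc= to a list."""
    records = {}
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not buf and (not line.strip() or line.lstrip().startswith("#")):
            continue  # blank or comment line outside a record
        if line.endswith("\\"):
            buf += line[:-1]  # continuation: the record goes on
            continue
        fields = [f.strip() for f in (buf + line).split(":")]
        buf = ""
        fields = [f for f in fields if f]
        if not fields:
            continue
        caps = {}
        for field in fields[1:]:
            key, eq, value = field.partition("=")
            if key == "tc":
                caps.setdefault("tc", []).append(value)
            else:
                caps[key] = value if eq else True
        records[fields[0]] = caps
    return records


def resolve(records, name, seen=None):
    """Flatten tc= inheritance; a class's own capabilities win over inherited ones."""
    seen = set() if seen is None else seen
    if name not in records or name in seen:
        return {}
    seen.add(name)
    own = dict(records[name])
    merged = {}
    for parent in own.pop("tc", []):
        merged.update(resolve(records, parent, seen))
    merged.update(own)
    return merged


def check_ldap_class(records, name):
    """Findings for one class; an empty list means the class looks usable."""
    caps = resolve(records, name)
    if not caps:
        return [f"class '{name}' not found"]
    findings = []
    if "-ldap" not in str(caps.get("auth", "")).split(","):
        findings.append("auth= does not list -ldap, so login_-ldap is never invoked")
    for key in REQUIRED:
        if key not in caps:
            findings.append(f"missing {key}")
    if "x-ldap-uscope" not in caps:
        findings.append("x-ldap-uscope unset: set it explicitly (e.g. subtree) "
                        "when user entries sit below the base DN")
    if "%u" not in str(caps.get("x-ldap-filter", "%u")):
        findings.append("x-ldap-filter has no %u, every login would search the same entry")
    return findings


if __name__ == "__main__":
    recs = parse_login_conf(SAMPLE)
    for cls in ("ldap", "ldap-sub", "ldap-noauth"):
        print(cls, check_ldap_class(recs, cls) or ["ok"])
```

Point it at the real file with `parse_login_conf(open("/etc/login.conf").read())`; because `resolve()` follows `tc=` chains, a class that only looks right in isolation but inherits a conflicting `auth=` from `default` is reported too.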
hardware monitoring
I'm able to get sensor data from the BIOS; is there something I'm missing to be able to get them from within OpenBSD on this system? dmesg follows...

OpenBSD 3.7-current (GENERIC) #1: Sat Jul 30 19:44:49 CDT 2005
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD-K7(tm) Processor ("AuthenticAMD" 686-class, 512KB L2 cache) 604 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,MMX
real mem = 267952128 (261672K)
avail mem = 237645824 (232076K)
using 3296 buffers containing 13500416 bytes (13184K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 02/22/00, BIOS32 rev. 0 @ 0xfdad0
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf7ae0/176 (9 entries)
pcibios0: PCI Interrupt Router at 000:07:3 ("AMD 756 Power" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x8000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "AMD 751 System" rev 0x25
ppb0 at pci0 dev 1 function 0 "AMD 751 PCI-PCI" rev 0x01
pci1 at ppb0 bus 1
pcib0 at pci0 dev 7 function 0 "AMD 756 ISA" rev 0x01
pciide0 at pci0 dev 7 function 1 "AMD 756 IDE" rev 0x03: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0:
wd0: 16-sector PIO, LBA, 6149MB, 12594960 sectors
wd1 at pciide0 channel 0 drive 1:
wd1: 16-sector PIO, LBA, 26105MB, 53464320 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
wd1(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: SCSI0 5/cdrom removable
atapiscsi1 at pciide0 channel 1 drive 1
scsibus1 at atapiscsi1: 2 targets
cd1 at scsibus1 targ 0 lun 0: <, 40X CD-ROM, 1.3C> SCSI0 5/cdrom removable
pciide0:1:0: multi-word DMA disabled due to chip revision
cd0(pciide0:1:0): using PIO mode 4
cd1(pciide0:1:1): using PIO mode 4, Ultra-DMA mode 2
"AMD 756 Power" rev 0x03 at pci0 dev 7 function 3 not configured
ohci0 at pci0 dev 7 function 4 "AMD 756 USB Host" rev 0x06: irq 11, version 1.0, legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: AMD OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 4 ports with 4 removable, self powered
vga1 at pci0 dev 8 function 0 "S3 ViRGE" rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
cmpci0 at pci0 dev 10 function 0 "C-Media Electronics CMI8738/C3DX Audio" rev 0x10: irq 10
audio0 at cmpci0
rl0 at pci0 dev 11 function 0 "D-Link Systems 530TX+" rev 0x10: irq 9 address 00:11:95:26:23:07
rlphy0 at rl0 phy 0: RTL internal phy
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pmsi0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pmsi0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0:
spkr0 at pcppi0
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask e965 netmask eb65 ttymask fbe7
pctr: user-level cycle counter enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matched BIOS disk 80
dkcsum: wd1 matched BIOS disk 81
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302

--
Shawn K. Quinn <[EMAIL PROTECTED]>