Re: logging blocked connections in pf, but no line noise

2005-09-20 Thread jared r r spiegel
On Tue, Sep 20, 2005 at 02:11:44PM +0200, frantisek holop wrote:
> hmm, on Mon, Sep 19, 2005 at 06:33:16PM -0600, jared r r spiegel said that
> > 
> >   what is the noise exactly?

  looks like TCP:6346 and UDP:1434 covers about half of that.

  if you're always doing flags S/SA and keeping state on your tcp, you could
  block (w/o log) flags R/R.  after that there are a few UDP:3223s and randomness.
 
> 62.24.90/24 is my network, .1 is the gateway .255 is the broadcast, so i
> understand why i get everything in between...

  or what about something easy like:

block in on ne3 from any to !ne3

  (without log)

> the other nets, i don't know

  you could add -e to the tcpdump, and compare to your arp table,
  maybe some of the other nets are routed to one of the IPs in
  that /24.  ( eg - if the destination IP is one of those other
  nets, but the destination ethernet is one of the hosts in your
  /24 you know about )

  jared

-- 

[ openbsd 3.8 GENERIC ( sep 10 ) // i386 ]
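Putting jared's suggestions into one ruleset, as an added example that is not part of the thread: a pf.conf(5) fragment for OpenBSD 3.8 on a host (not a router) whose noisy interface is ne3. The ports are the ones named above; the ssh rule at the end is an assumed service, there only to show the flags S/SA keep state form that the R/R trick depends on. The thing to check before copying it is pf's matching order: without quick the last matching rule wins, so the un-logged blocks must come after the logging catch-all, and pfctl -nf /etc/pf.conf should be run to catch syntax slips.

```pf
# Added example, not from the thread. ne3 and the ports come from the
# discussion above; the ssh service at the end is an assumption.
ext_if = "ne3"
noisy_tcp = "{ 6346 }"
noisy_udp = "{ 1434, 3223 }"

# Default: block and log everything inbound on ne3. pf evaluates the
# whole ruleset and the LAST matching rule wins unless a rule says
# "quick", so the un-logged blocks below override this one only for
# the traffic they match and everything else is still logged.
block in log on $ext_if all

# Known noise: drop silently.
block in on $ext_if proto tcp from any to any port $noisy_tcp
block in on $ext_if proto udp from any to any port $noisy_udp

# Traffic not addressed to one of ne3's own addresses (broadcasts,
# other hosts on the /24, nets routed via a neighbour): drop silently.
# Only correct on a host that does not forward packets.
block in on $ext_if from any to ! $ext_if

# Stray RSTs: safe to drop unlogged once every TCP pass rule keeps
# state, because RSTs that belong to a session match the state entry
# before the ruleset is consulted at all.
block in on $ext_if proto tcp all flags R/R

# Services actually offered: create state on the initial SYN only.
pass in on $ext_if proto tcp from any to $ext_if port 22 \
    flags S/SA keep state
```

With this in place tcpdump -n -e -ttt -r /var/log/pflog shows only the residue that still needs a decision, which is the point of the exercise: log what you might act on, not what you already know you will ignore.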



spamd sync

2005-09-20 Thread Mike Spenard

Has anyone written a utility to keep /var/db/spamd in sync across multiple
spamd servers?

Mike Spenard



Wifi + wired laptop

2005-09-20 Thread Edd Barrett
Hi,

My laptop has a wifi and a wired connection. Sometimes my wifi is
unreliable and does not work at all, so it is useful to plug in a cat5
cable instead. OpenBSD still tries to use wifi. I thought perhaps it
might time out and decide to use the wired interface, but it does not.
The only solution is to su to root and rename hostname.wi0 then run
/etc/netstart. Not ideal for a desktop system for everyday use.

Can anyone think of a practical solution?

Thanks

Best Regards

Edd



Re: Wireless Strangeness (RESOLVED)

2005-09-20 Thread Alex Kirk
> > > I'm bailing here. I don't remember 3.4 well enough.
> > 
> > I was afraid of that. I've been meaning to upgrade to 3.7 for 
> > a while -- is it
> > likely to make that big of a difference if I upgrade? If I 
> > were to still
> > experience this problem with 3.7, might you be able to offer 
> > further assistance
> > (I can understand not wanting to have to dredge through 
> > memory for something not
> > particularly relevant or exciting for someone else's benefit)?
> 
> Yes. Review CVS history so you can see how many changes have happened since
> 3.4, particularly in the ieee80211 stuff.

Wow! This made all the difference in the world. As soon as I got upgraded, my
clients connected with no trouble at all. I've even got better signal strength
than with my old Linux wireless AP. Kudos to all of the developers who did such
good work in the past few revisions, and thanks to everyone who suggested the
upgrade.
 
> Strictly speaking, upgrading from 3.4 (per the documented upgrade procedure,
> as in 3.4->3.5, 3.5->3.6, 3.6->3.7) will be a likely difficulty. Making the
> jump from 3.4 might be easier if you just install 3.7 and restore backups.

Surprisingly enough, I was able to get away with making the jump straight from
3.4 to 3.7 (or at least it appears that way so far). I reviewed all of the notes
for each step, and it was mostly a case of just replacing binaries and upgrading
/etc along the way (the GCC upgrade being perhaps the most important piece), so
I just took the plunge and did it all at once, and to my pleasant surprise, it
worked. I wouldn't recommend this to anyone -- YMMV -- but I think it speaks to
the quality of OpenBSD that it can perform well under such totally unanticipated
conditions.

Thanks,
Alex Kirk



Re: in-kernel PPPoE and linkup-script

2005-09-20 Thread Steffen Michalke
Martin Dommermuth <[EMAIL PROTECTED]> writes:

> Is it right that with the in-kernel PPPoE driver in OpenBSD 3.7
> the file /etc/ppp/ppp.linkup is not executed on reconnect? 

Yes, the files in /etc/ppp/ belong to the pppd.

> Is there another file ?

No, really nothing other than /etc/hostname.pppoe0. If you need
something special (e.g. dynamic DNS) you could create a process that
observes this interface.

>
> Thanks,
> MartinD:
>
> My file looks like this:
> (without the line break)
>
> MYADDR:
> !bg sh -c "/usr/local/bin/ez-ipupdate 
> --config-file /etc/ez-ipupdate.conf"
>
> For testing I also included an entry like
> !bg sh -c "/usr/bin/touch /tmp/likup.done"



Re: PFLogging to Syslog

2005-09-20 Thread Qv6
On Tuesday 20 September 2005 08:43 am, James Mackinnon wrote:
> Good day everyone
>
> I have 20+ OpenBSD firewalls setup across Canada and I wanted to
> bring the logs to a central server so I can make them web enabled so
> I can view them in a web app
 
>
> Is there a better technique I should be using for 20+ firewalls
> logging to a central server and then what web app would you recommend
> so I could look at the logs in some type of non-console view
>
> Any suggestions and recommendations would be great as I would like to
> get this right the first time:)
>
 
I use syslog-ng to set up a log server, with each remote log client 
logging to a file corresponding to its hostname, and set up Webmin on the 
log server. Reading the logs is just a matter of logging into Webmin 
and reading any log file I choose.
This has the added bonus that you can read the logs from anywhere, 
securely.



Re: snapshots (was: Re: NFS server broken in -current?)

2005-09-20 Thread Theo de Raadt
> In contrast, Otto zeroed in on the problem in minutes.

And I had a patch 5 minutes later, and we are considering it.



snapshots (was: Re: NFS server broken in -current?)

2005-09-20 Thread Wolfgang S. Rupprecht
Han Boetes <[EMAIL PROTECTED]> writes:
> That's why you should always use the latest snapshot. (:

I'm not sure it would have helped here.  mountd() did work for many
people so it probably would have found its way into a snapshot.

One of the other OS distributions I'm testing is relatively
source-code hostile.  (While the source code does exist, building the
whole distribution from source in one go is impossible.)  One might be
tempted to think this leads to better, more consistent testing since
everyone is running the exact same binary.  That hasn't been my
experience.  All it seems to do is slow down the
modify-build-test-release cycle. On that system xorg has been broken
and panics the kernel for 4 days now.  The problem has since been
found and it turns out that was also a case of code that worked for
the limited testers they had.

In contrast, Otto zeroed in on the problem in minutes.

-wolfgang



Re: NFS server broken in -current?

2005-09-20 Thread Wolfgang S. Rupprecht
Otto Moerbeek writes:
> As a workaround, revert to version 1.63 of sbin/mountd.c

1.63 does indeed fix it.

> Could you run mountd -d, mount a filesystem, run ls and send the
> output, both when running 1.63 and 1.64?

Here you go:

===

with mountd.c 1.63

[EMAIL PROTECTED] mount bonnet:/ /mnt
[EMAIL PROTECTED] ls /mnt
.cshrc     boot    l           pkgdb     stand    usr
.profile   bsd     lost+found  portalfs  sysv     var
CVS        dev     mnt         proc      tmp      vol
altroot    etc     n           root      tmp_mnt  w
bin        home    obsd        sbin      u
[EMAIL PROTECTED] umount /mnt

==> openbsd/mountd-1.63.log <==

[EMAIL PROTECTED] mountd -d   
Getting export list.
Got line #  $OpenBSD: exports,v 1.2 2002/05/31 08:15:44 pjanzen Exp $
Got line #
Got line # NFS exports Database
Got line # See exports(5) for more information.  Be very careful:  
misconfiguration
Got line # of this file can result in your filesystems being readable by the 
world.
Got line # allow other wsrcc machines to mount the disk
Got line /  -alldirs -maproot=root  capsicum-wsrcc-com-v4 
habanero-wsrcc-com-v4 poblano-wsrcc-com-v4 cayenne-wsrcc-com-v4 
bonnet-wsrcc-com-v4 scoville-wsrcc-com-v4 arbol-wsrcc-com-v4
Making new ep fs=0x0,0x8c96295d
doing opt -alldirs -maproot=root capsicum-wsrcc-com-v4 
habanero-wsrcc-com-v4 poblano-wsrcc-com-v4 cayenne-wsrcc-com-v4 
bonnet-wsrcc-com-v4 scoville-wsrcc-com-v4 arbol-wsrcc-com-v4
doing opt -maproot=root capsicum-wsrcc-com-v4 habanero-wsrcc-com-v4 
poblano-wsrcc-com-v4 cayenne-wsrcc-com-v4 bonnet-wsrcc-com-v4 
scoville-wsrcc-com-v4 arbol-wsrcc-com-v4
got host capsicum.wsrcc.com
got host habanero.wsrcc.com
got host poblano.wsrcc.com
got host cayenne.wsrcc.com
got host bonnet.wsrcc.com
got host scoville.wsrcc.com
got host arbol.wsrcc.com
Got line /w -alldirs -maproot=root  capsicum-wsrcc-com-v4 
habanero-wsrcc-com-v4 poblano-wsrcc-com-v4 cayenne-wsrcc-com-v4 
bonnet-wsrcc-com-v4 scoville-wsrcc-com-v4  arbol-wsrcc-com-v4
Making new ep fs=0x10,0x62c98af4
doing opt -alldirs -maproot=root capsicum-wsrcc-com-v4 
habanero-wsrcc-com-v4 poblano-wsrcc-com-v4 cayenne-wsrcc-com-v4 
bonnet-wsrcc-com-v4 scoville-wsrcc-com-v4  arbol-wsrcc-com-v4
doing opt -maproot=root capsicum-wsrcc-com-v4 habanero-wsrcc-com-v4 
poblano-wsrcc-com-v4 cayenne-wsrcc-com-v4 bonnet-wsrcc-com-v4 
scoville-wsrcc-com-v4  arbol-wsrcc-com-v4
got host capsicum.wsrcc.com
got host habanero.wsrcc.com
got host poblano.wsrcc.com
got host cayenne.wsrcc.com
got host bonnet.wsrcc.com
got host scoville.wsrcc.com
got host arbol.wsrcc.com
Got line # openbsd doesn't like these.  No ipv6 support in NFS???
Got line #  capsicum-wsrcc-com-v6 habanero-wsrcc-com-v6 
poblano-wsrcc-com-v6 cayenne-wsrcc-com-v6 bonnet-wsrcc-com-v6
Got line #
Got line # end
Got line #
Getting mount list.
Here we go.
Got mount request from 192.83.197.1
rpcpath: /
Mount successful for / by 192.83.197.1.
Got line #  $OpenBSD: exports,v 1.2 2002/05/31 08:15:44 pjanzen Exp $
Got line #
Got line # NFS exports Database
Got line # See exports(5) for more information.  Be very careful:  
misconfiguration
Got line # of this file can result in your filesystems being readable by the 
world.
Got line # allow other wsrcc machines to mount the disk
Got line /  -alldirs -maproot=root  capsicum-wsrcc-com-v4 
habanero-wsrcc-com-v4 poblano-wsrcc-com-v4 cayenne-wsrcc-com-v4 
bonnet-wsrcc-com-v4 scoville-wsrcc-com-v4 arbol-wsrcc-com-v4
Making new ep fs=0x0,0x8c96295d
doing opt -alldirs -maproot=root capsicum-wsrcc-com-v4 
habanero-wsrcc-com-v4 poblano-wsrcc-com-v4 cayenne-wsrcc-com-v4 
bonnet-wsrcc-com-v4 scoville-wsrcc-com-v4 arbol-wsrcc-com-v4
doing opt -maproot=root capsicum-wsrcc-com-v4 habanero-wsrcc-com-v4 
poblano-wsrcc-com-v4 cayenne-wsrcc-com-v4 bonnet-wsrcc-com-v4 
scoville-wsrcc-com-v4 arbol-wsrcc-com-v4
got host capsicum.wsrcc.com
got host habanero.wsrcc.com
got host poblano.wsrcc.com
got host cayenne.wsrcc.com
got host bonnet.wsrcc.com
got host scoville.wsrcc.com
got host arbol.wsrcc.com
Got line /w -alldirs -maproot=root  capsicum-wsrcc-com-v4 
habanero-wsrcc-com-v4 poblano-wsrcc-com-v4 cayenne-wsrcc-com-v4 
bonnet-wsrcc-com-v4 scoville-wsrcc-com-v4  arbol-wsrcc-com-v4
Making new ep fs=0x10,0x62c98af4
doing opt -alldirs -maproot=root capsicum-wsrcc-com-v4 
habanero-wsrcc-com-v4 poblano-wsrcc-com-v4 cayenne-wsrcc-com-v4 
bonnet-wsrcc-com-v4 scoville-wsrcc-com-v4  arbol-wsrcc-com-v4
doing opt -maproot=root capsicum-wsrcc-com-v4 habanero-wsrcc-com-v4 
poblano-wsrcc-com-v4 cayenne-wsrcc-com-v4 bonnet-wsrcc-com-v4 
scoville-wsrcc-com-v4  arbol-wsrcc-com-v4
got host capsicum.wsrcc.com
got host habanero.wsrcc.com
got host poblano.wsrcc.com
got host cayenne.wsrcc.com
got host bonnet.wsrcc.com
got host scoville.wsrcc.com
got host arbol.wsrcc.com
Got line # openbsd doesn't like these.  No ipv6 support in NFS???
Got line #  capsicum-wsrcc-co

in-kernel PPPoE and linkup-script

2005-09-20 Thread Martin Dommermuth
Hello misc,

hope I didn't miss anything here.

Is it right that with the in-kernel PPPoE driver in OpenBSD 3.7
the file /etc/ppp/ppp.linkup is not executed on reconnect? Is 
there another file ?

Thanks,
MartinD:

My file looks like this:
(without the line break)

MYADDR:
!bg sh -c "/usr/local/bin/ez-ipupdate 
--config-file /etc/ez-ipupdate.conf"

For testing I also included an entry like
!bg sh -c "/usr/bin/touch /tmp/likup.done"



Re: NFS server broken in -current?

2005-09-20 Thread Wolfgang S. Rupprecht
Otto Moerbeek writes:
> If I see things correctly you are mounting a fs that is served by
> the same host. Could you try a different client? It makes the logs a
> bit easier to read.

Will do.  I need to wait till a build on an exported fs finishes.

> Also, could you send the /etc/exports file and watch /var/log/daemon
> for messages?

There is nothing in /var/log/daemon from mountd or anything related to
mounting/exporting filesystems.  (All I have is pages and pages of
thttpd and named output).

Here is the exports file in the mean time.  The important point may be
that I export "/".

#   $OpenBSD: exports,v 1.2 2002/05/31 08:15:44 pjanzen Exp $
#
# NFS exports Database
# See exports(5) for more information.  Be very careful:  misconfiguration
# of this file can result in your filesystems being readable by the world.
# allow other wsrcc machines to mount the disk
/   -alldirs -maproot=root \
capsicum-wsrcc-com-v4 habanero-wsrcc-com-v4 poblano-wsrcc-com-v4 
cayenne-wsrcc-com-v4 bonnet-wsrcc-com-v4 scoville-wsrcc-com-v4 
arbol-wsrcc-com-v4

/w  -alldirs -maproot=root \
capsicum-wsrcc-com-v4 habanero-wsrcc-com-v4 poblano-wsrcc-com-v4 
cayenne-wsrcc-com-v4 bonnet-wsrcc-com-v4 scoville-wsrcc-com-v4  
arbol-wsrcc-com-v4

# openbsd doesn't like these.  No ipv6 support in NFS???
#   capsicum-wsrcc-com-v6 habanero-wsrcc-com-v6 poblano-wsrcc-com-v6 
cayenne-wsrcc-com-v6 bonnet-wsrcc-com-v6

#
# end
#

-wolfgang
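The file above exports "/" with -alldirs and -maproot=root to a list of named hosts, and its own header comment warns that a misconfigured exports file can make filesystems world-readable. As an added example, not code from the thread or from OpenBSD: a small Python parser for exports(5) entries (directories, then -options, then hosts, with backslash continuation) and three checks a reviewer would want run over such a file. EXPORTS holds the thread's first two entries plus two constructed lines; the risk rules and the constructed paths are this example's own.

```python
"""Lint an exports(5) file for world-readable or root-mapped exports.

Added example, not from the thread. An entry that names no host and
no -network is exported to every host, which is the misconfiguration
the header comment of the file warns about.
"""
import shlex

# The thread's first two entries plus one constructed world-readable
# export and one constructed -network export.
EXPORTS = """\
# allow other wsrcc machines to mount the disk
/   -alldirs -maproot=root \\
capsicum-wsrcc-com-v4 habanero-wsrcc-com-v4

/w  -alldirs -maproot=root \\
capsicum-wsrcc-com-v4 habanero-wsrcc-com-v4

# constructed: read-only, but no host list, so every host may mount it
/usr/share/obj -ro
# constructed: restricted by subnet rather than by host name
/home -network=192.0.2.0 -mask=255.255.255.0
"""


def logical_lines(text):
    """Yield entries with backslash continuations joined and comment or
    blank lines dropped."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        entry, buf = (buf + line).strip(), ""
        if entry and not entry.startswith("#"):
            yield entry


def parse_export(line):
    """Split one entry into (directories, {option: value}, hosts).

    exports(5) order is directories, then "-" options, then hosts; an
    option given without "=value" is stored as True.
    """
    dirs, opts, hosts = [], {}, []
    for tok in shlex.split(line):
        if tok.startswith("-"):
            key, _, val = tok[1:].partition("=")
            opts[key] = val or True
        elif tok.startswith("/") and not opts and not hosts:
            dirs.append(tok)
        else:
            hosts.append(tok)
    return dirs, opts, hosts


def findings(text):
    """Return (directories, problem) pairs for the risky entries."""
    out = []
    for entry in logical_lines(text):
        dirs, opts, hosts = parse_export(entry)
        where = ", ".join(dirs)
        if not hosts and "network" not in opts:
            out.append((where, "exported to every host (no host list, no -network)"))
        maproot = opts.get("maproot")
        if isinstance(maproot, str) and maproot.split(":")[0] in ("root", "0"):
            out.append((where, "remote root mapped to local root (-maproot=root)"))
        if "/" in dirs and opts.get("alldirs"):
            out.append((where, "whole root filesystem exported with -alldirs"))
    return out


if __name__ == "__main__":
    for where, problem in findings(EXPORTS):
        print(f"{where}: {problem}")
```

Run against the thread's file this flags "/" twice (root mapping and whole-root export) and "/w" once; the constructed /usr/share/obj line shows what the header comment is about, and the /home line shows that a -network restriction counts as a host list. The parser also reproduces Otto's minimal case, "/fs hosta hostb", as one directory, no options and two hosts.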



Re: NFS server broken in -current?

2005-09-20 Thread Otto Moerbeek
On Tue, 20 Sep 2005, Otto Moerbeek wrote:

> Also, could you send the /etc/exports file and watch /var/log/daemon
> for messages?

OK, I am able to reproduce the problem. It occurs if a fs is exported to
multiple hosts, not using -network.

The following /etc/exports line shows the problem on hosta here:

/fs hosta hostb

-Otto



Re: NFS server broken in -current?

2005-09-20 Thread Otto Moerbeek
On Tue, 20 Sep 2005, Wolfgang S. Rupprecht wrote:

> 
> Otto Moerbeek writes:
> > As a workaround, revert to version 1.63 of sbin/mountd.c
> 
> 1.63 does indeed fix it.
> 
> > Could you run mountd -d, mount a filesystem, run ls and and send the
> > output, both when runnign 1.63 and 1.64?
> 
> Here you go:

[snip]

If I see things correctly you are mounting a fs that is served by the same
host. Could you try a different client? It makes the logs a bit easier to read.

Also, could you send the /etc/exports file and watch /var/log/daemon
for messages?

Thanks,

-Otto



Re: NFS server broken in -current?

2005-09-20 Thread viq
On Tuesday 20 of September 2005 22:04, Han Boetes wrote:
> That's why you should always use the latest snapshot. (:

Latest snapshot is 10 days old, and doesn't even let me build updated packages on 
it...

-- 
viq




Re: ftp-proxy makes new connection for each file

2005-09-20 Thread Marc Espie
On Tue, Sep 20, 2005 at 05:47:08PM +0200, Marc Peters wrote:
> hello misc.
> 
> i am using openbsd 3.7-release with pf and ftp-proxy. ftp-proxy is 
> working fine so far, but i recognised, that it establishes a new 
> connection for each file it transfers.

Update ftp-proxy, there is a bug that makes the server not see the
aborts.



Re: NFS server broken in -current?

2005-09-20 Thread Han Boetes
That's why you should always use the latest snapshot. (:

Wolfgang S. Rupprecht wrote:
> The NFS server stopped working for me after the latest cvs update.
> Remote machines can no longer mount a filesystem exported from the
> openbsd box.  NFS mounting a remote filesystem exported from a
> different OS onto the openbsd box still works as expected.
>
> [EMAIL PROTECTED] mount bonnet:/ /mnt 
> [EMAIL PROTECTED] ls /mnt
> ls: /mnt: Input/output error
> [EMAIL PROTECTED] umount /mnt
>
> [EMAIL PROTECTED] uname -a
> OpenBSD bonnet.wsrcc.com 3.8 GENERIC#106 amd64
> [EMAIL PROTECTED] ll /usr/src/cvs.log
> -rw-rw-r--  1 root  wsrc  9928 Sep 19 18:42 /usr/src/cvs.log
>
> (the above file mod-time is the time of the "cvs update")
>
> The same behavior is seen when trying to NFS mount the openbsd
> filesystem from a remote host.
>
> I noticed that nobody else on either *.misc or *.tech posted about
> this.  Am I the only one seeing it???
>
> -wolfgang
>



# Han



Re: Dell PowerEdge 2650

2005-09-20 Thread Vincent Blondel
Hi,

I don't have any DELL servers, but I have one server with an Adaptec 5400s
SCSI RAID adapter.

Two years ago, I first began by installing Linux 2.4.x on this machine and
got the worst problems of my Unix life. I would just install one Linux
distribution (Fedora, Mandrake, ...) and after a two-minute delay I always
had a system crash. After a few reboots my filesystem was completely
corrupted. So I decided to solve this problem and had long (very long)
discussions with the aac module driver developers, mainly with Alan Cox,
but the debugging was painful. I tried many kernel snapshots without any
stable solution.

So, after 4 months, I decided to test FreeBSD 4.x because I urgently had to
set up a website architecture, and I never had a problem with it.

So I can confirm that the FreeBSD aac driver implementation has been the most
stable so far.

Regards
Vincent.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
Jason Crawford
Sent: mardi 20 septembre 2005 18:58
To: John Brahy
Cc: Jan Johansson; Ryan Rothert; misc@openbsd.org
Subject: Re: Dell PowerEdge 2650


On 9/20/05, John Brahy <[EMAIL PROTECTED]> wrote:
> I've got two poweredge 2650's w/ PERC 3/di raid cards and I've tried
> OpenBSD 3.7, 3.6 and 3.5. I've found that the aac in 3.7 is completely
> unstable, the aac in 3.6 would have problems after an hour or so of heavy
> use. BUT, 3.5 seems to be stable but now I'm stuck on a version of an os
> that is about to become unsupported.

aac support in 3.8 seems to be much better than 3.7 in my experience,
however I still suggest better hardware if possible.

>
> I think the only long term solution is to change hardware. I have been
> considering Sun's trade in offer. I haven't found it on Sun's site but it
> is mentioned here (http://www.theinquirer.net/?article=26143)
> I have a friend that's a Sun dealer www.acsacs.com and they said they
> honor it. I don't believe they sell online. Does anyone know if OpenBSD
> likes this hardware?
>
> It's really Adaptec's fault. Those fuckers won't give up the source so the
> OpenBSD developers can't provide a good driver for their hardware. My
> company will not purchase any more servers from Dell as long as they
> continue to use Adaptec cards.
>

First off, we never asked for "source" from adaptec, we were only
asking for documentation to make the driver more stable, and write
management utilities. However they only provide documentation if you
sign an NDA, which is unacceptable for any free software. Second, all
the PERC4 cards Dell uses are no longer Adaptec, but LSI Logic (unless
they've changed again recently), which is fully supported in OpenBSD,
including completely open management utilities.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Jan Johansson
> Sent: Tuesday, September 20, 2005 8:14 AM
> To: Ryan Rothert
> Cc: misc@openbsd.org
> Subject: Re: Dell PowerEdge 2650
>
> Ryan Rothert <[EMAIL PROTECTED]> wrote:
> > 3.6 will install on it. I believe the aac driver still exists
> > but is disabled by default. You could install 3.6, recompile
> > the kernel with aac support enabled then upgrade.
>
> This is bad advice.
>
> The aac driver was disabled because it was broken and could not
> be fixed because there was no documentation.
>
> Using aac is like playing Russian Roulette with your data.



Re: NFS server broken in -current?

2005-09-20 Thread Otto Moerbeek
On Tue, 20 Sep 2005, Wolfgang S. Rupprecht wrote:

> The NFS server stopped working for me after the latest cvs update.
> Remote machines can no longer mount a filesystem exported from the
> openbsd box.  NFS mounting a remote filesystem exported from a
> different OS onto the openbsd box still works as expected.
> 
> [EMAIL PROTECTED] mount bonnet:/ /mnt 
> [EMAIL PROTECTED] ls /mnt
> ls: /mnt: Input/output error
> [EMAIL PROTECTED] umount /mnt
> 
> [EMAIL PROTECTED] uname -a
> OpenBSD bonnet.wsrcc.com 3.8 GENERIC#106 amd64
> [EMAIL PROTECTED] ll /usr/src/cvs.log
> -rw-rw-r--  1 root  wsrc  9928 Sep 19 18:42 /usr/src/cvs.log
> 
> (the above file mod-time is the time of the "cvs update")
> 
> The same behavior is seen when trying to NFS mount the openbsd
> filesystem from a remote host.
> 
> I noticed that nobody else on either *.misc or *.tech posted about
> this.  Am I the only one seeing it???

No, we have had one other report, which very much looks the same.

As a workaround, revert to version 1.63 of sbin/mountd.c

Could you run mountd -d, mount a filesystem, run ls and and send the
output, both when runnign 1.63 and 1.64?

Thanks,

-Otto



Re: Dell PowerEdge 2650

2005-09-20 Thread Marco Peereboom
> It's really Adaptec's fault. Those fuckers won't give up the source so the
> OpenBSD developers can't provide a good driver for their hardware. My
> company will not purchase any more servers from Dell as long as they
> continue to use Adaptec cards. 

Latest two generations only use ami(4).  You can't even buy a system that uses
aac if you tried.



Re: VirtualHost and SSL in httpd.conf

2005-09-20 Thread Spruell, Darren-Perot
From: Jasper [mailto:[EMAIL PROTECTED]
> 
> 

> running httpd -uDSSL gives the following warning:
> [Tue Sep 20 20:39:33 2005] [warn] VirtualHost 
> www.mercatortrading.nl:443 
> overlaps with VirtualHost www.profibas.com:443, the first has 
> precedence, perhaps you need a NameVirtualHost directive
> 
> Am i missing the point of virtual hosting?
> 
> Jasper

Not really, but you can't have more than one SSL web site on the same IP
address / port number.

$ dig a www.mercatortrading.nl

; <<>> DiG 9.2.4 <<>> a www.mercatortrading.nl
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50405
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.mercatortrading.nl.	IN	A

;; ANSWER SECTION:
www.mercatortrading.nl. 86245   IN  CNAME   www.profibas.com.
www.profibas.com.   86245   IN  A   80.69.81.32

If these were on HTTP (port 80) or different IPs you could do it.

You'll find plenty of refs on the Internet for the whys of this, but in
short it doesn't work for SSL.

DS



Re: VirtualHost and SSL in httpd.conf

2005-09-20 Thread L. V. Lammert

At 09:05 PM 9/20/2005 +0200, Jasper wrote:

> Hi All,
>
> I've configured the httpd.conf file the following:
>
> running httpd -uDSSL gives the following warning:
> [Tue Sep 20 20:39:33 2005] [warn] VirtualHost www.mercatortrading.nl:443 
> overlaps with VirtualHost www.profibas.com:443, the first has precedence, 
> perhaps you need a NameVirtualHost directive
>
> Am I missing the point of virtual hosting?


Yep. Hosts must be unique for SSL - you need to either specify unique names 
for each VH (note the 'NameVirtualHost' directive), or separate IPs.


Lee



Re: VirtualHost and SSL in httpd.conf

2005-09-20 Thread Alexander Hall

Jasper wrote:

> Hi All,
>
> I've configured the httpd.conf file the following:
>
>
> #  General setup for the virtual host
> DocumentRoot "/home/jabal/public_html"
> ServerName mercatortrading.nl
> ServerAdmin [EMAIL PROTECTED]
> ErrorLog logs/ssl_error_log
> TransferLog logs/ssl_access_log
>
> *snip*
>
>
> DocumentRoot "/home/jabal/public_html"
> ServerName profibas.com
> ServerAdmin [EMAIL PROTECTED]
> ErrorLog logs/ssl_error_log
> TransferLog logs/ssl_access_log
>
> SSLEngine on
>
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>
> SSLCertificateFile /etc/ssl/profibas.crt
> SSLCertificateKeyFile /etc/ssl/private/profibas.key
>
>
> running httpd -uDSSL gives the following warning:
> [Tue Sep 20 20:39:33 2005] [warn] VirtualHost www.mercatortrading.nl:443 
> overlaps with VirtualHost www.profibas.com:443, the first has 
> precedence, perhaps you need a NameVirtualHost directive
>
> Am I missing the point of virtual hosting?


Well, at least some parts of it. Two virtualhosts can only share the 
same ip:host tuple if they are both non-secured (SSL). Otherwise the 
server cannot know which certificate to use (or not).


If you are hosting multiple secured sites you need multiple ip addresses 
or the sites must reside on separate ports.


/Alexander



NFS server broken in -current?

2005-09-20 Thread Wolfgang S. Rupprecht
The NFS server stopped working for me after the latest cvs update.
Remote machines can no longer mount a filesystem exported from the
openbsd box.  NFS mounting a remote filesystem exported from a
different OS onto the openbsd box still works as expected.

[EMAIL PROTECTED] mount bonnet:/ /mnt 
[EMAIL PROTECTED] ls /mnt
ls: /mnt: Input/output error
[EMAIL PROTECTED] umount /mnt

[EMAIL PROTECTED] uname -a
OpenBSD bonnet.wsrcc.com 3.8 GENERIC#106 amd64
[EMAIL PROTECTED] ll /usr/src/cvs.log
-rw-rw-r--  1 root  wsrc  9928 Sep 19 18:42 /usr/src/cvs.log

(the above file mod-time is the time of the "cvs update")

The same behavior is seen when trying to NFS mount the openbsd
filesystem from a remote host.

I noticed that nobody else on either *.misc or *.tech posted about
this.  Am I the only one seeing it???

-wolfgang
-- 
Wolfgang S. Rupprechthttp://www.wsrcc.com/wolfgang/
  Microsoft Vista - because "Virus Installer" was too long.



Re: VirtualHost and SSL in httpd.conf

2005-09-20 Thread Przemyslaw Nowaczyk

Jasper wrote:

> Hi All,
>
> I've configured the httpd.conf file the following:
>
>
> #  General setup for the virtual host
> DocumentRoot "/home/jabal/public_html"
> ServerName mercatortrading.nl
> ServerAdmin [EMAIL PROTECTED]
> ErrorLog logs/ssl_error_log
> TransferLog logs/ssl_access_log
>
> *snip*
>
>
> DocumentRoot "/home/jabal/public_html"
> ServerName profibas.com
> ServerAdmin [EMAIL PROTECTED]
> ErrorLog logs/ssl_error_log
> TransferLog logs/ssl_access_log
>
> SSLEngine on
>
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>
> SSLCertificateFile /etc/ssl/profibas.crt
> SSLCertificateKeyFile /etc/ssl/private/profibas.key
>
>
> running httpd -uDSSL gives the following warning:
> [Tue Sep 20 20:39:33 2005] [warn] VirtualHost www.mercatortrading.nl:443 
> overlaps with VirtualHost www.profibas.com:443, the first has 
> precedence, perhaps you need a NameVirtualHost directive
>
> Am I missing the point of virtual hosting?
>
> Jasper




are you sure you want both servers to host the same site..?
are you sure they both should log into the same file..?

--
Przemyslaw Nowaczyk <[EMAIL PROTECTED]>
CS student @ Poznan University of Technology



Re: VirtualHost and SSL in httpd.conf

2005-09-20 Thread Ryan Fox
Jasper wrote:

> running httpd -uDSSL gives the following warning:
> [Tue Sep 20 20:39:33 2005] [warn] VirtualHost 
> www.mercatortrading.nl:443 overlaps with VirtualHost 
> www.profibas.com:443, the first has precedence, perhaps you need a 
> NameVirtualHost directive
>
> Am i missing the point of virtual hosting?


Name based virtual hosting does not work with SSL.  The SSL negotiation 
happens before the hostname is submitted by the client.

Ryan

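The replies in this thread describe the Apache httpd of 2005 accurately: the server had to choose a certificate for an IP:port before it could read the HTTP Host header, so two SSL sites could not share an address. The TLS server_name extension (SNI, RFC 3546 in 2003, now RFC 6066) moves the host name into the ClientHello itself, which is what lets a current server pick the certificate before any HTTP is exchanged; in 2005 almost no client or server implemented it. One more thing a reviewer would flag in the posted config: an SSLCipherSuite that adds +SSLv2, +EXP, +LOW and +eNULL enables SSLv2, export-grade, weak and unencrypted suites, and should be tightened regardless of the vhost question. As an added example that is not code from the thread or from Apache, the script below builds a minimal ClientHello by hand (constructed bytes, no network) and extracts the SNI the way a server would, falling back to a default certificate when there is none; the certificate table and file names are illustrative.

```python
"""Where a TLS server learns the requested host name.

Added example, not from the thread. Builds a TLS 1.0 ClientHello by
hand and parses the server_name (SNI) extension out of it, which is
the information the 2005 httpd never had before the handshake.
"""
import os
import struct

TLS_HANDSHAKE = 0x16      # record content type
HS_CLIENT_HELLO = 0x01    # handshake message type
EXT_SERVER_NAME = 0x0000  # extension type for SNI
SNI_HOST_NAME = 0x00      # name_type inside the ServerNameList

# Illustrative certificate table (host name -> certificate file); the
# names are from the thread, the mapping is this example's assumption.
CERTS = {
    "www.profibas.com": "/etc/ssl/profibas.crt",
    "www.mercatortrading.nl": "/etc/ssl/mercatortrading.crt",
}
DEFAULT_CERT = "/etc/ssl/profibas.crt"


def build_client_hello(server_name=None, version=(3, 1)):
    """Constructed ClientHello record; carries SNI only if a name is given."""
    body = bytes(version) + os.urandom(32)           # client_version, random
    body += b"\x00"                                    # empty session_id
    suites = b"\x00\x2f\x00\x35"                       # AES128-SHA, AES256-SHA
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                # compression: null only
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = struct.pack("!BH", SNI_HOST_NAME, len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry    # ServerNameList
        exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
        body += struct.pack("!H", len(exts)) + exts
    hs = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", TLS_HANDSHAKE, *version, len(hs)) + hs


def extract_sni(record):
    """Return the host_name from a ClientHello record, or None.

    Anything malformed yields None instead of an exception so the
    caller can fall back to a default certificate, which is all the
    2005 httpd could do for every client.
    """
    try:
        ctype, _major, _minor, rlen = struct.unpack("!BBBH", record[:5])
        hs = record[5:]
        if ctype != TLS_HANDSHAKE or rlen != len(hs):
            return None
        if hs[0] != HS_CLIENT_HELLO or int.from_bytes(hs[1:4], "big") != len(hs) - 4:
            return None
        p = 4 + 2 + 32                                 # header, version, random
        p += 1 + hs[p]                                 # session_id
        (cs_len,) = struct.unpack("!H", hs[p:p + 2])
        p += 2 + cs_len                                # cipher_suites
        p += 1 + hs[p]                                 # compression_methods
        if p == len(hs):
            return None                                # no extensions block
        (ext_len,) = struct.unpack("!H", hs[p:p + 2])
        p += 2
        end = p + ext_len
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            data = hs[p + 4:p + 4 + elen]
            p += 4 + elen
            if etype != EXT_SERVER_NAME:
                continue
            (list_len,) = struct.unpack("!H", data[:2])
            q, list_end = 2, 2 + list_len
            while q + 3 <= list_end:
                ntype, nlen = struct.unpack("!BH", data[q:q + 3])
                q += 3
                if ntype == SNI_HOST_NAME:
                    return data[q:q + nlen].decode("ascii")
                q += nlen
        return None
    except (struct.error, IndexError, UnicodeDecodeError):
        return None


def choose_certificate(record, certs=CERTS, default=DEFAULT_CERT):
    """Certificate for the name the client asked for, else the default."""
    return certs.get(extract_sni(record), default)
```

A ClientHello without the extension, or a client that speaks HTTP to port 443 without TLS at all, gets the default certificate: exactly the "first VirtualHost has precedence" behaviour in the warning Jasper quoted.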



VirtualHost and SSL in httpd.conf

2005-09-20 Thread Jasper

Hi All,

I've configured the httpd.conf file as follows:



#  General setup for the virtual host
DocumentRoot "/home/jabal/public_html"
ServerName mercatortrading.nl
ServerAdmin [EMAIL PROTECTED]
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log

*snip*




DocumentRoot "/home/jabal/public_html"
ServerName profibas.com
ServerAdmin [EMAIL PROTECTED]
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile /etc/ssl/profibas.crt
SSLCertificateKeyFile /etc/ssl/private/profibas.key



running httpd -uDSSL gives the following warning:
[Tue Sep 20 20:39:33 2005] [warn] VirtualHost www.mercatortrading.nl:443 
overlaps with VirtualHost www.profibas.com:443, the first has 
precedence, perhaps you need a NameVirtualHost directive


Am I missing the point of virtual hosting?

Jasper



Re: PFLogging to Syslog

2005-09-20 Thread Will H. Backman
> -Original Message-
> From: James Mackinnon [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, September 20, 2005 11:48 AM
> To: Will H. Backman; misc@openbsd.org
> Subject: RE: PFLogging to Syslog
> 
> yes, this is true.. Probably lose a bit as currently I am logging all in
> and out on a fairly busy network all back to 1 logger.
> 
> I will do some reading on this one as well, thanks
> 

You should be careful with this kind of setup.  If your log host goes
down, your network will get trashed by ARP "who has" broadcast requests
from any firewalls on the same network as the log host.  Logging every
packet in real time causes enough unicast overhead, and will drive your
network utilization way up if every packet passing through the firewall
suddenly starts causing ARP broadcasts.



Re: Banned from #openbsd

2005-09-20 Thread terry tyson
On 9/20/05, John Kintaro Tate <[EMAIL PROTECTED]> wrote:

> For some reason I am banned from #openbsd on freenode. I want to get
> unbanned but I have no idea on who to contact about this. I don't know
> why I am banned, I guess someone on my netblock was being retarded or
> someone on my computer considering I had idiot friends using it the
> other day, but I am unsure.

With friends like that, who need enemas.

I haven't used freenode much but if it's like undernet, you should
automatically be unbanned after 3 hours unless the ban is being
controlled by a bot.



Re: Banned from #openbsd

2005-09-20 Thread Antti Nykänen
Hi,

On 2005-09-21 at 02:59, John Kintaro Tate wrote:
> Since I have no idea where to go about this, I thought somebody here
> might be able to fill me in.
> 
> For some reason I am banned from #openbsd on freenode. I want to get
> unbanned but I have no idea on who to contact about this. I don't know
> why I am banned, I guess someone on my netblock was being retarded or
> someone on my computer considering I had idiot friends using it the
> other day, but I am unsure.

Gee, I wonder why...

  17:00 < xKintaro> excuse me buit does anyone klnow how 2 clean the penis
  17:00 < xKintaro> mine is a bitn itchy andf green
  17:01 -!- mode/#openbsd [+o NicM] by ChanServ
  17:01 -!- mode/#openbsd [+b [EMAIL PROTECTED] by NicM
  17:01 -!- xKintaro was kicked from #openbsd by NicM [bye]

Usually, bans will get removed eventually, and there's no reason to take
this stuff to the mailing lists.



Re: PFLogging to Syslog

2005-09-20 Thread James Mackinnon
yes, this is true.. Probably lose a bit as currently I am logging all in
and out on a fairly busy network all back to 1 logger.

I will do some reading on this one as well, thanks


On 9/20/2005, "Will H. Backman" <[EMAIL PROTECTED]> wrote:

>> -Original Message-
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
>> James Mackinnon
>> Sent: Tuesday, September 20, 2005 9:43 AM
>> To: misc@openbsd.org
>> Subject: PFLogging to Syslog
>> 
>> Good day everyone
>> 
>> I have 20+ OpenBSD firewalls setup across Canada and I wanted to bring
>> the logs to a central server so I can make them web enabled so I can
>> view them in a web app
>> 
>> In the past, I used checkpoint, I like pf much better but the logging
>> system to checkpoint was nice
>> 
>> I have followed the PF: Logging section in the manual, but I find not
>> everything that is going in pflog.txt is coming over to @syslogger
>> 
>> Is there a better technique I should be using for 20+ firewalls logging
>> to a central server and then what web app would you recommend so I could
>> look at the logs in some type of non-console view
>> 
>> Any suggestions and recommendations would be great as I would like to get
>> this right the first time:)
>> 
>> Thanks
>> 
>> James
>
> Syslog uses best-effort UDP, so all log entries are not guaranteed to
> get to the central server.  There are other syslog servers that offer
> better guarantees, and you may also want to use encryption and something
> to thwart traffic analysis.
>
> Take a look at syslog-ng, although I cannot tell you how it performs.  I
> have just heard people mention it in this situation.



Re: PFLogging to Syslog

2005-09-20 Thread James Mackinnon
Sorry, replied to just you,, figured this wouldn't hurt to send to the
list

Right now I have it running real time like this
tcpdump -l -e -t -i pflog0 | logger -p local0.info -t pf &
it gets executed from the rc.local (not at the moment as I am just
testing)

I found this here

http://www.freebsdforums.org/forums/showthread.php?s=&postid=139518#post139518

This has been sending everything over in real time but I am not sure what
security risks I would be taking with this process and I would rather
have a cron going as I think having it run this way would not be a good
idea as the tcpdump command could fail, thus my logging fail

Thoughts?

James

On 9/20/2005, "Roy Morris" <[EMAIL PROTECTED]> wrote:

>James Mackinnon wrote:
>
>>Good day everyone
>>
>>I have 20+ OpenBSD firewalls setup across Canada and I wanted to bring
>>the logs to a central server so I can make them web enabled so I can
>>view them in a web app
>>
>>In the past, I used checkpoint, I like pf much better but the logging
>>system to checkpoint was nice
>>
>>I have followed the PF: Logging section in the manual, but I find not
>>everything that is going in pflog.txt is coming over to @syslogger
>>
>>Is there a better technique I should be using for 20+ firewalls logging
>>to a central server and then what web app would you recommend so I could
>>look at the logs in some type of non-console view
>>
>>Any suggestions and recommendations would be great as I would like to get
>>this right the first time:)
>>
>>Thanks
>>
>>James
>>
>>
>>
>You could scp all logs to a central server and do some 'stuff' on them
>there, or
>where you thinking more of a real time view?



Re: PFLogging to Syslog

2005-09-20 Thread Will H. Backman
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of
> James Mackinnon
> Sent: Tuesday, September 20, 2005 9:43 AM
> To: misc@openbsd.org
> Subject: PFLogging to Syslog
> 
> Good day everyone
> 
> I have 20+ OpenBSD firewalls setup across Canada and I wanted to bring
> the logs to a central server so I can make them web enabled so I can
> view them in a web app
> 
> In the past, I used checkpoint, I like pf much better but the logging
> system to checkpoint was nice
> 
> I have followed the PF: Logging section in the manual, but I find not
> everything that is going in pflog.txt is coming over to @syslogger
> 
> Is there a better technique I should be using for 20+ firewalls
logging
> to a central server and then what web app would you recommend so I
could
> look at the logs in some type of non-console view
> 
> Any suggestions and recommendations would be great as I would like to
get
> this right the first time:)
> 
> Thanks
> 
> James

Syslog uses best-effort UDP, so all log entries are not guaranteed to
get to the central server.  There are other syslog servers that offer
better guarantees, and you may also want to use encryption and something
to thwart traffic analysis.

Take a look at syslog-ng, although I cannot tell you how it performs.  I
have just heard people mention it in this situation.
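Added example covering both James's `tcpdump ... | logger` pipeline and Will's point that syslog over UDP is best-effort; it is not code from the thread or from OpenBSD. The forwarder parses tcpdump's pflog0 lines, wraps each event in a syslog line carrying a per-firewall sequence number, and the collector counts the holes in that sequence, so a dropped datagram shows up as a number instead of silently missing. The exact line shape the regex expects (tcpdump's pflog output differs between versions, and this handles IPv4 only), the sample lines, and the hostname `fw-ca-01` are all constructed assumptions; compare the regex against real `tcpdump -l -n -e -t -i pflog0` output before relying on it.

```python
"""pfforward.py: tag pf log lines with a sequence number before syslog,
and count the gaps at the collector.

Added example for the thread; not OpenBSD code. Assumed line shape
(roughly what `tcpdump -l -n -e -t -i pflog0` prints; varies by version):

    rule 3/0(match): block in on fxp0: 10.1.2.3.4444 > 192.0.2.10.22: S ...
"""
import json
import re
import sys
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample lines in the assumed format (one non-pf line on purpose).
SAMPLE_LINES = [
    "rule 3/0(match): block in on fxp0: 10.1.2.3.4444 > 192.0.2.10.22: S 1:1(0) win 65535 (DF)",
    "rule 5/0(match): pass out on fxp0: 192.0.2.10.51000 > 198.51.100.7.53: udp 40",
    "rule 3/0(match): block in on fxp0: 10.1.2.3 > 192.0.2.10: icmp: echo request",
    "tcpdump: listening on pflog0",
]

PFLOG_RE = re.compile(
    r"^rule (?P<rule>\d+)/(?P<sub>\d*)\((?P<reason>[^)]+)\):? "
    r"(?P<action>block|pass|scrub|nat|rdr|binat) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: ?(?P<rest>.*)$"
)


def parse_pflog_line(line: str) -> Optional[dict]:
    """Parse one tcpdump pflog line (IPv4 only); None if it is not a pf record."""
    m = PFLOG_RE.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    rest = d["rest"]
    # tcpdump prints "udp N" / "icmp: ..." for those protocols and TCP flags otherwise.
    proto = "udp" if rest.startswith("udp") else "icmp" if rest.startswith("icmp") else "tcp"
    return {
        "rule": int(d["rule"]), "reason": d["reason"], "action": d["action"],
        "dir": d["dir"], "if": d["ifname"], "proto": proto,
        "src": d["src"], "sport": int(d["sport"]) if d["sport"] else None,
        "dst": d["dst"], "dport": int(d["dport"]) if d["dport"] else None,
    }


class Forwarder:
    """Firewall side: wrap events in RFC 3164-style syslog lines with a counter."""

    def __init__(self, hostname: str, facility: int = 16, severity: int = 6):
        self.hostname = hostname
        self.pri = facility * 8 + severity  # 16/6 = local0.info, as in logger -p local0.info
        self.seq = 0

    def format(self, event: dict, now: Optional[float] = None) -> str:
        self.seq += 1  # per-firewall counter; a hole at the collector means a lost datagram
        ts = time.strftime("%b %d %H:%M:%S", time.localtime(now))
        body = json.dumps(event, separators=(",", ":"), sort_keys=True)
        return f"<{self.pri}>{ts} {self.hostname} pf: pfseq={self.seq} {body}"


MSG_RE = re.compile(
    r"^<\d+>\w{3} \d{2} \d{2}:\d{2}:\d{2} (?P<host>\S+) pf: pfseq=(?P<seq>\d+) (?P<body>.*)$"
)


@dataclass
class Collector:
    """Central side: remember the last sequence number per firewall and count holes."""
    last_seq: Dict[str, int] = field(default_factory=dict)
    lost: Dict[str, int] = field(default_factory=dict)
    events: List[dict] = field(default_factory=list)

    def ingest(self, msg: str) -> int:
        """Store the event; return how many messages went missing right before it."""
        m = MSG_RE.match(msg)
        if m is None:
            raise ValueError("not a pfforward message")
        host, seq = m["host"], int(m["seq"])
        prev = self.last_seq.get(host)
        # In order, duplicate, or counter reset after a firewall restart: no gap counted.
        gap = seq - prev - 1 if prev is not None and seq > prev + 1 else 0
        self.last_seq[host] = seq
        self.lost[host] = self.lost.get(host, 0) + gap
        self.events.append(json.loads(m["body"]))
        return gap


def run_demo() -> dict:
    """Parse the samples, forward them, lose one datagram on purpose, count the gap."""
    fw, col = Forwarder("fw-ca-01"), Collector()  # fw-ca-01 is an assumed hostname
    payloads = [fw.format(ev, now=0) for ev in map(parse_pflog_line, SAMPLE_LINES) if ev]
    for i, p in enumerate(payloads):
        if i == 1:  # simulate best-effort UDP: the second message never arrives
            continue
        col.ingest(p)
    return {"parsed": len(payloads), "received": len(col.events), "lost": col.lost["fw-ca-01"]}


if __name__ == "__main__":
    # Real use: tcpdump -l -n -e -t -i pflog0 | python3 pfforward.py, then ship each
    # printed line to the collector over whatever transport you choose.
    fw = Forwarder("fw-ca-01")
    for line in sys.stdin:
        ev = parse_pflog_line(line)
        if ev:
            print(fw.format(ev))
```

The collector's per-host `lost` counter is the check worth graphing: with 20+ firewalls feeding one logger, a rising count on one host tells you which link or logger is dropping before anyone notices missing entries in the web view.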



ipsec/pf/address translation

2005-09-20 Thread Bob Koutsky
Hello,

I need to connect two networks, e.g. 1.0.0.x (local) and 2.0.0.x
(remote) using IPSec and OpenBSD 3.7 on the local side.  However, the remote
network is already connected to another 1.0.0.x network, so I need to
translate local addresses.
I have configured IPSec so that remote thinks that my local network is
1.1.0.x without problems. However, I'm confused about how to configure
network translation. binat seems to be the solution, but its
documentation is rather short and even confusing (it mentions that binat
implicitly creates state for connections, but in my case, I see no need
for keeping state information). I tried the following

binat on enc0 from 1.0.0.0/24 to 2.0.0.0/24 -> 1.1.0.0/24

and it almost worked - ping packets arrived to correct computer in local
network, but the replies never got back. 

thank you for any help or advice,
-- 
Bob Koutsky



Re: PFLogging to Syslog

2005-09-20 Thread Roy Morris

James Mackinnon wrote:


Good day everyone

I have 20+ OpenBSD firewalls setup across Canada and I wanted to bring
the logs to a central server so I can make them web enabled so I can
view them in a web app

In the past, I used checkpoint, I like pf much better but the logging
system to checkpoint was nice

I have followed the PF: Logging section in the manual, but I find not
everything that is going in pflog.txt is coming over to @syslogger

Is there a better technique I should be using for 20+ firewalls logging
to a central server and then what web app would you recommend so I could
look at the logs in some type of non-console view

Any suggestions and recommendations would be great as I would like to get
this right the first time:)

Thanks

James

 

You could scp all logs to a central server and do some 'stuff' on them 
there, or

where you thinking more of a real time view?



Re: Dell PowerEdge 2650

2005-09-20 Thread Jason Crawford
On 9/20/05, John Brahy <[EMAIL PROTECTED]> wrote:
> I've got two poweredge 2650's w/ PERC 3/di raid cards and I've tried OpenBSD
> 3.7, 3.6 and 3.5. I've found that the aac in 3.7 is completely unstable, the
> aac in 3.6 would have problems after an hour or so of heavy use. BUT, 3.5
> seems to be stable but now I'm stuck on a version of an os that is about to
> become unsupported.

aac support in 3.8 seems to be much better than 3.7 in my experience,
however I still suggest better hardware if possible.

> 
> I think the only long term solution is to change hardware. I have been
> considering Sun's trade in offer. I haven't found it on Sun's site but it is
> mentioned here (http://www.theinquirer.net/?article=26143)
> I have a friend that's a Sun dealer www.acsacs.com and they said they honor
> it. I don't believe they sell online. Does anyone know if OpenBSD likes this
> hardware?
> 
> It's really Adaptec's fault. Those fuckers won't give up the source so the
> OpenBSD developers can't provide a good driver for their hardware. My
> company will not purchase any more servers from Dell as long as they
> continue to use Adaptec cards.
> 

First off, we never asked for "source" from adaptec, we were only
asking for documentation to make the driver more stable, and write
management utilities. However they only provide documentation if you
sign an NDA, which is unacceptable for any free software. Second, all
the PERC4 cards Dell uses are no longer Adaptec, but LSI Logic (unless
they've changed again recently), which is fully supported in OpenBSD,
including completely open management utilities.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Jan Johansson
> Sent: Tuesday, September 20, 2005 8:14 AM
> To: Ryan Rothert
> Cc: misc@openbsd.org
> Subject: Re: Dell PowerEdge 2650
> 
> Ryan Rothert <[EMAIL PROTECTED]> wrote:
> > 3.6 will install on it. I believe the aac driver still exists
> > but is disabled by default. You could install 3.6, recompile
> > the kernel with aac support enabled then upgrade.
> 
> This is bad advice.
> 
> The aac driver was disabled because it was broken and could not
> be fixed because there was no documentation.
> 
> Using aac is like playing Russian Roulette with your data.



Re: To secure WiFi networks

2005-09-20 Thread dg
The squid solution only would encrypt http or ftp traffic if I'm familiar with
the basic working, leaving out e-mail encryption, which would be quite an issue
for the security-sensitive wifi users.

The Google solution is nothing but a vpn client with a google paint job.


On Tue, Sep 20, 2005 at 06:09:49PM +0200, Johan P. Lindström wrote:
> On 7/15/05, Johan P. Lindström <[EMAIL PROTECTED]> wrote:
> > Good afternoon list, I'm just going to throw out an idea here and let's take
> > turns kicking at it.
> >  
> > I'm not too familiar with the inner workings of the needed technologies
> > (sometimes a pro, often a con) but what if one would use an https proxy, like
> > say squid with SSL/TLS support, to obfuscate the http traffic leaving your
> > laptop over the WiFi LAN to your local OpenBSD box that runs the proxy, that
> > would then with some magic serve you the pages. So that http traffic could
> > not be intercepted on the open WiFi network. 
> >  
> > Is someone doing something similar already?
> >  
> > Googling did not turn up anything helpful here apart from the SSL support in
> > Squid, but would the protocols allow something like this?
> >  
> > -- Johan
> >  
> >  
> 
> I probably shouldn't be kicking my own dead thread, but in lack of
> better knowledge...
> 
> I just found someone who is doing roughly what I was trying to explain.
> 
> http://wifi.google.com/faq.html
> 
> Haven't tried it since I'm about 10-11 hours in an Airbus 330 away...
> 
> http://wifi.google.com/download.html
> 
> 
> 
> -- 
> // Johan
> 

-- 



mitc groningen 9736cp



Banned from #openbsd

2005-09-20 Thread John Kintaro Tate
Hello,

Since I have no idea where to go about this, I thought somebody here
might be able to fill me in.

For some reason I am banned from #openbsd on freenode. I want to get
unbanned but I have no idea on who to contact about this. I don't know
why I am banned, I guess someone on my netblock was being retarded or
someone on my computer considering I had idiot friends using it the
other day, but I am unsure.

Yours,
John Tate.

-- 
John Kintaro Tate
Mobile: 0413 348 815 (Yep, old number, but I have a new phone)

Free OpenBSD shell accounts for all with no gimmicks. Just send your
desired username and password to me, and I will create it.

Personal Website: http://kintaro.noobify.com

Illhostit Webhosting:
https://secure.illhostit.com/cgi-bin/affiliates/clickthru.cgi?id=Kintaro&campaign=Email



Re: Live cd

2005-09-20 Thread Tobias Weingartner
On Tuesday, September 20, Alex Stamatis wrote:
> 
> I want to thank all of you who replied on my previous mail about the live
> cd. I've seen many of those links you sent me which talk on how you can
> create a live cd. I would have done it myself but unfortunately I can't due
> to tech reasons right now.

Do the "tech reasons" happen to exist between your ears?  Ok, that was a
little harsh.  I apologize.

> Also I dont know if it would have been good since
> i am an openbsd noob ! As i said I study at the American College of Greece
> and the head of dept agreed to use obsd for the teaching of unix instead of
> the crappy linux and asked me to get it to him.

So, point your browser at www.openbsd.org/items.html and purchase a 3.8 CD
set.  Give that to your head of department.

> So if someone can create this
> live cd and upload it on the web just to download it and dist to all college
> I would really appreciate it.

You want us to distribute a live cd to all the colleges?

> I know that time is precious for everybody so
> if no one can do it I will understand. But if you can you will help openbsd
> grow not only in many ppl but in the educational system of c.i.s as well.

How precious do you think this time is?  Enough to pay?  Enough to
actually go and look at some of the links that people have given
you?  Enough for you to spend some time, money, and frustration in
following one or two of those links?

--Toby.



Re: mailinglist using sendmail aliases

2005-09-20 Thread Claus Assmann
On Tue, Sep 20, 2005, Jasper wrote:
> Claus Assmann wrote:

> > Include File
> >   :include:/path/name

> >You want the second option, right?

> Thank you Claus, this works, but only with double colon(:)!!
> name::include:/path/name

The first colon is the delimiter (aliases(5)) to distinguish LHS
and RHS of an alias entry:

 This file describes user ID aliases used by /usr/sbin/sendmail.  The file
 resides in /etc/mail and is formatted as a series of lines of the form

   name: addr_1, addr_2, addr_3, . . .


The second colon is part of the ":include:" token, hence:

name:   :include:/path/name



Re: Dell PowerEdge 2650

2005-09-20 Thread John Brahy
I've got two poweredge 2650's w/ PERC 3/di raid cards and I've tried OpenBSD
3.7, 3.6 and 3.5. I've found that the aac in 3.7 is completely unstable, the
aac in 3.6 would have problems after an hour or so of heavy use. BUT, 3.5
seems to be stable but now I'm stuck on a version of an os that is about to
become unsupported. 

I think the only long term solution is to change hardware. I have been
considering Sun's trade in offer. I haven't found it on Sun's site but it is
mentioned here (http://www.theinquirer.net/?article=26143) 
I have a friend that's a Sun dealer www.acsacs.com and they said they honor
it. I don't believe they sell online. Does anyone know if OpenBSD likes this
hardware? 

It's really Adaptec's fault. Those fuckers won't give up the source so the
OpenBSD developers can't provide a good driver for their hardware. My
company will not purchase any more servers from Dell as long as they
continue to use Adaptec cards. 






-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Jan Johansson
Sent: Tuesday, September 20, 2005 8:14 AM
To: Ryan Rothert
Cc: misc@openbsd.org
Subject: Re: Dell PowerEdge 2650

Ryan Rothert <[EMAIL PROTECTED]> wrote:
> 3.6 will install on it. I believe the aac driver still exists
> but is disabled by default. You could install 3.6, recompile
> the kernel with aac support enabled then upgrade.

This is bad advice.

The aac driver was disabled because it was broken and could not
be fixed because there was no documentation.

Using aac is like playing Russian Roulette with your data.



Re: mailinglist using sendmail aliases

2005-09-20 Thread Jasper

Claus Assmann wrote:


 Include File
   :include:/path/name

You want the second option, right?


Thank you Claus, this works, but only with double colon(:)!!
name::include:/path/name

regards,
JB



Re: PFLogging to Syslog

2005-09-20 Thread Spruell, Darren-Perot
From: James Mackinnon [mailto:[EMAIL PROTECTED]
> Is there a better technique I should be using for 20+ 
> firewalls logging
> to a central server and then what web app would you recommend 
> so I could
> look at the logs in some type of non-console view
> 
> Any suggestions and recommendations would be great as I would 
> like to get
> this right the first time:)

In that case, Jason Dixon's Hatchet is very nice. Give it a go, you might
like it.

 http://www.dixongroup.net/hatchet/

DS



Re: To secure WiFi networks

2005-09-20 Thread Johan P. Lindström
On 7/15/05, Johan P. Lindström <[EMAIL PROTECTED]> wrote:
> Good afternoon list, I'm just going to throw out an idea here and let's take
> turns kicking at it.
>  
> I'm not too familiar with the inner workings of the needed technologies
> (sometimes a pro, often a con) but what if one would use an https proxy, like
> say squid with SSL/TLS support, to obfuscate the http traffic leaving your
> laptop over the WiFi LAN to your local OpenBSD box that runs the proxy, that
> would then with some magic serve you the pages. So that http traffic could
> not be intercepted on the open WiFi network. 
>  
> Is someone doing something similar already?
>  
> Googling did not turn up anything helpful here apart from the SSL support in
> Squid, but would the protocols allow something like this?
>  
> -- Johan
>  
>  

I probably shouldn't be kicking my own dead thread, but in lack of
better knowledge...

I just found someone who is doing roughly what I was trying to explain.

http://wifi.google.com/faq.html

Haven't tried it since I'm about 10-11 hours in an Airbus 330 away...

http://wifi.google.com/download.html



-- 
// Johan



Re: BIOS/CMOS "Plug and Play OS"

2005-09-20 Thread Michael Shalayeff
Making, drinking tea and reading an opus magnum from Ted Unangst:
> On Sun, 18 Sep 2005, Michael Shalayeff wrote:
> 
> > > set it to no.
> > 
> > actually set it to yes. always.
> > on most modern machine setting it to no often
> > results in incorrect pcibios config tables
> > generated and thus often screwed interrupts routing.
> > that's on i386 anyway. on amd64 it makes no diff i guess.
> 
> i guess i've only fiddled with it on older machines then, where turning it 
> on meant some onboard devices stopped working. :(

as any bios whacking^Wtweaking you never know.
i've not seen a box that made devices unusable
while whacking pcibios before (:

cu

-- 
paranoic mickey   (my employers have changed but, the name has remained)



Re: Dell PowerEdge 2650

2005-09-20 Thread Jason Crawford
On 9/20/05, Jan Johansson <[EMAIL PROTECTED]> wrote:
> Ryan Rothert <[EMAIL PROTECTED]> wrote:
> > 3.6 will install on it. I believe the aac driver still exists
> > but is disabled by default. You could install 3.6, recompile
> > the kernel with aac support enabled then upgrade.
> 
> This is bad advice.
> 
> The aac driver was disabled because it was broken and could not
> be fixed because there was no documentation.
> 
> Using aac is like playing Russian Roulette with your data.
> 
However if you have no choice but to use aac, what else are you going
to do? For a lot of people (like me) who have machines with the aac
raid controller, it's either uncomment the aac driver in the kernel,
or use a different OS. Buying another raid controller isn't always an
option, especially when it's company hardware. I currently run 3.8
release on a machine with aac, and it's running a lot better than it
did on 3.7 actually.

Jason



ftp-proxy makes new connection for each file

2005-09-20 Thread Marc Peters

hello misc.

i am using openbsd 3.7-release with pf and ftp-proxy. ftp-proxy is
working fine so far, but i recognised that it establishes a new
connection for each file it transfers.


a little excerpt from netstat -an:

[snip]
tcp        0      0  192.168.83.1.53966     192.168.83.14.2503     TIME_WAIT
tcp        0      0  192.168.83.1.53311     192.168.83.14.2502     TIME_WAIT
tcp        0      0  192.168.83.1.58646     192.168.83.14.2501     TIME_WAIT
tcp        0      0  192.168.83.1.56139     192.168.83.14.2500     TIME_WAIT
tcp        0      0  192.168.83.1.56362     192.168.83.14.2499     TIME_WAIT
tcp        0      0  192.168.83.1.64507     192.168.83.14.2498     TIME_WAIT
tcp        0      0  192.168.83.1.60030     192.168.83.14.2497     TIME_WAIT
tcp        0      0  192.168.83.1.51063     192.168.83.14.2496     TIME_WAIT
tcp        0      0  192.168.83.1.54752     192.168.83.14.2495     TIME_WAIT
tcp        0      0  192.168.83.1.55199     192.168.83.14.2494     TIME_WAIT
tcp        0      0  192.168.83.1.61263     192.168.83.14.2493     TIME_WAIT
tcp        0      0  192.168.83.1.58911     192.168.83.14.2492     TIME_WAIT
[snip]

whereas the first address is my firewall and the latter my client which
is transferring a lot of small files from an ftp-server. pftop looks
similar. after a little while the server on the other end gets a lot of
connections from pftop too and doesn't accept any more and so the
data-transfer stalls:


netstat -an:

[snip]

tcp        0      0 192.168.75.130:20       192.168.75.254:60017    TIME_WAIT
tcp        0      0 192.168.75.130:20       192.168.75.254:57010    TIME_WAIT
tcp        0      0 192.168.75.130:20       192.168.75.254:65138    TIME_WAIT
tcp        0      0 192.168.75.130:20       192.168.75.254:53747    TIME_WAIT
tcp        0      0 192.168.75.130:20       192.168.75.254:53363    TIME_WAIT
tcp        0      0 192.168.75.130:20       192.168.75.254:59692    TIME_WAIT
tcp        0      0 192.168.75.130:20       192.168.75.254:57964    TIME_WAIT


[snip]

where the left one is the ftp-server and the latter the interface of
the obsd-box.


i am starting ftp-proxy out of inetd:

127.0.0.1:8021  stream  tcp     nowait  root    /usr/libexec/ftp-proxy  ftp-proxy -t 90


the lines in pf.conf relating to ftp-proxy:

# redirect all FTP requests to ftp-proxy
rdr pass on { $dmz_if, $int_if, $vpn_if } proto tcp from any to any port 21 -> 127.0.0.1 port 8021


# ftp-proxy rules
pass in on $ext_if proto tcp from any to ($ext_if) user proxy keep state
pass out on {$dmz_if, $int_if, $vpn_if} proto tcp from any to ($ext_if) user proxy keep state

pass in on $dmz_if proto tcp from any to ($dmz_if) user proxy keep state
pass out on {$int_if, $vpn_if} proto tcp from port > 49151 user proxy keep state



can anybody point me in the correct direction to solve this, or is this 
the expected behaviour of ftp-proxy?


TIA,
marc

dmesg:
OpenBSD 3.7 (GENERIC) #0: Thu Jun 16 17:53:41 CEST 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III ("GenuineIntel" 686-class) 1.01 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem  = 535318528 (522772K)
avail mem = 481673216 (470384K)
using 4278 buffers containing 26869760 bytes (26240K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(64) BIOS, date 12/14/00, BIOS32 rev. 0 @ 0xf0b90
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
pcibios0 at bios0: rev 2.1 @ 0xf/0x13d2
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf1300/208 (11 entries)
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82371FB ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0xc000 0xcc000/0x5400
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82815 Hub" rev 0x02: rng active, 398Kb/sec
vga1 at pci0 dev 2 function 0 "Intel 82815 Graphics" rev 0x02: aperture at 0xf800, size 0x400
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb0 at pci0 dev 30 function 0 "Intel 82801BA AGP" rev 0x02
pci1 at ppb0 bus 1
xl0 at pci1 dev 9 function 0 "3Com 3c905B 100Base-TX" rev 0x30: irq 11, address 00:04:76:9e:42:2a
exphy0 at xl0 phy 24: 3Com internal media interface
xl1 at pci1 dev 10 function 0 "3Com 3c905 100Base-TX" rev 0x00: irq 10, address 00:60:08:2d:35:8d
nsphy0 at xl1 phy 24: DP83840 10/100 PHY, rev. 1
ahc1 at pci1 dev 13 function 0 "Adaptec AIC-7899 U160" rev 0x01: irq 11
scsibus0 at ahc1: 16 targets
sd0 at scsibus0 targ 0 lun 0:  SCSI3 0/direct fixed
sd0: 8759MB, 17338 cyl, 3 head, 344 sec, 512 bytes/sec, 17938985 sec total
ahc2 at pci1 dev 13 function 1 "Adaptec AIC-7899 U160" rev 0x01: irq 10
scsibus1 at ahc2: 16 targets
xl2 at pci1 dev 15 function 0 "3Com 3c905C 100Base-TX" rev 0x78: irq 9, address 00:e0:18:05:10:1a
exphy1 at xl2 phy 24: 3Com internal media interface
ichpcib0 at pci0 dev 31 fu

Re: Jacek Artymiak --off topic

2005-09-20 Thread Bryan Irvine
On 9/20/05, Siju George <[EMAIL PROTECTED]> wrote:
> Hi list,
> 
> Any Idea if Jacek Artymiak is well??? I heard that he was suffering
> from some serious health problems:-(

I don't recall seeing anything in his blog.
http://netatnik.com/

Last post on sept 9.

FWIW, there's also a podcast.
feed://jacek.libsyn.com/rss/english

But that hasn't been updated for a while.

--Bryan



PFLogging to Syslog

2005-09-20 Thread James Mackinnon
Good day everyone

I have 20+ OpenBSD firewalls setup across Canada and I wanted to bring
the logs to a central server so I can make them web enabled so I can
view them in a web app

In the past, I used checkpoint, I like pf much better but the logging
system to checkpoint was nice

I have followed the PF: Logging section in the manual, but I find not
everything that is going in pflog.txt is coming over to @syslogger

Is there a better technique I should be using for 20+ firewalls logging
to a central server and then what web app would you recommend so I could
look at the logs in some type of non-console view

Any suggestions and recommendations would be great as I would like to get
this right the first time:)

Thanks

James



Re: Dell PowerEdge 2650

2005-09-20 Thread Jan Johansson
Ryan Rothert <[EMAIL PROTECTED]> wrote:
> 3.6 will install on it. I believe the aac driver still exists
> but is disabled by default. You could install 3.6, recompile
> the kernel with aac support enabled then upgrade.

This is bad advice.

The aac driver was disabled because it was broken and could not
be fixed because there was no documentation.

Using aac is like playing Russian Roulette with your data.



Re: PF performance question

2005-09-20 Thread Stuart Henderson
On 2005/09/19 14:30:14, Joe . wrote:
> I would check to make sure the nic is negotiating properly. It might
> be half duplex instead of full or something flakey etc. Check the
> output of ifconfig.

That would show up in netstat -ni (Vinicius says he looked there).

I have just been looking at a nicely-coloured but fairly useless
switch which randomly doesn't forward some packets of ~300+ bytes
and almost all packets >700 bytes or so. Ethernet layer appears
to be clean (at least netstat -ni doesn't show errors) but it's
definitely not forwarding correctly (including to its own
IP stack). So it's quite possible that the ISP's kit could be
broken in some way that doesn't easily show up.

> > i also enabled STP as my ISP told me it would help their redundancy.

I question this.. STP allows you to put multiple ethernet connections
in place and disable all but one. This means there's a spare path to
an upstream switch in case of link failure. You don't appear to be
doing this, so I don't see how it could help. (I don't see a reason
for it to hurt either, but who knows if you're triggering some switch
vendor's bug).

Have you detected *where* the packets are being dropped?

One simple way is to use hubs (obviously you must not be forcing full-
duplex in this case) in between your transparent-proxying bridge and
the switches it's connecting to (port-mirroring might also be an
option if you have control of the switches). Plug boxes into these
to run tcpdump on, then send and watch for some identifiable traffic
(ICMP or something).

I would be inclined to try:

1. Ask ISP to try at least another switch port, if not another switch.
2. Disable any special options such as STP.

Also check they're not being lost downstream/upstream (e.g. between
the switch and the other host) by checking switch port stats if you can.

> > real mem  = 2146459648 (2096152K)
> > cpu3: Intel(R) Xeon(TM) CPU 2.40GHz ("GenuineIntel" 686-class) 2.40 GHz

That's quite some box to see a Realtek attached to ;-)



Re: Jacek Artymiak --off topic

2005-09-20 Thread Chris Smith
On Tuesday 20 September 2005 06:19 am, Siju George wrote:
> Any Idea if Jacek Artymiak is well??? I heard that he was suffering
> from some serious health problems:-(
>
> Sometime back he told me that he was willing to allow his book
> published in the Indian re-print if I could find an interested Indian
> Publisher

I know nothing about his health, but he did recently email me the pdf 
version of his book.

Chris



Connecting to HSCSD/GPRS

2005-09-20 Thread Alexander Farber
Hello,

I'd like to share my working ppp.conf here (for Vodafone Germany)
and would like to learn any good tricks from other mobile users.

I run the ircomm (of the comms/birda-1.1 package on a 3.7 -stable installed 
on a Thinkpad T41) to connect to a Nokia 9300 commie through infrared port.

laptop72:afarber {555} dmesg | grep pccom
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo

Currently I launch ircomm from ppp.conf and pkill it from ppp.linkdown:

laptop72:afarber {556} cat /etc/ppp/ppp.conf
default:
set log Phase Chat LCP IPCP CCP tun command
shell ircomm -Y -d /dev/cua01 -v 2 -y /dev/ptyps
set device /dev/ttyps
set speed 115200
set ifaddr 10.0.0.1/0 10.0.0.2/0 0.0.0.0 0.0.0.0
add! default HISADDR
enable dns

gprs:
set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\"
AT OK-AT-OK AT&F&K4 OK AT+CGDCONT=1,\\\"IP\\\",\\\"web.vodafone.de\\\"
OK ATD*99# TIMEOUT 30 CONNECT"

hscsd:
set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\"
AT OK-AT-OK AT&F&K4 OK AT+CBST=81 OK \\dATDT\\T TIMEOUT 30 CONNECT"
set phone 0049172229000

laptop72:afarber {557} cat /etc/ppp/ppp.linkdown
MYADDR:
shell pkill "ircomm -Y"

It works, but I still have some questions (I'm still rereading "man 8 ppp"):

1) Is there a nicer way to start ircomm/detect its failure?

2) Are there any compression options to enable/disable in ppp.conf?
 I've tried "set vj slotcomp off", but couldn't see any difference

3) In Nokia 9300 I have to run Desk->Tools->Modem to switch on
 its infrared port (and then it works fine as a modem and I'm able
 to enter "term" on the ppp prompt and issue "AT"-commands).
 But when I switch on infrared with the blue "Chr" button, then
 ircomm fails to connect to it: "failed to match ports, NYI".
 That message is coming from birda-1.1/src/commclt.c and
 looks like some mismatch. Wonder if that could be fixed...

Regards
Alex

PS: I used this German article to find the AT-command and set up my ppp
http://www.linux-magazin.de/Artikel/ausgabe/2002/10/gprs/gprs.html?print=y

PPS: My GPRS ppp.log (talks something about VJ?)

Sep 20 17:25:50 laptop72 ppp[28253]: Phase: Using interface: tun0 
Sep 20 17:25:50 laptop72 ppp[28253]: Phase: deflink: Created in closed state 
Sep 20 17:25:50 laptop72 ppp[28253]: tun0: Command: default: shell
ircomm -Y -d /dev/cua01 -v 2 -y /dev/ptyps
Sep 20 17:25:50 laptop72 ppp[28253]: tun0: Command: default: set
device /dev/ttyps
Sep 20 17:25:50 laptop72 ppp[28253]: tun0: Command: default: set speed 115200 
Sep 20 17:25:50 laptop72 ppp[28253]: tun0: Command: default: set
ifaddr 10.0.0.1/0 10.0.0.2/0 0.0.0.0 0.0.0.0
Sep 20 17:25:50 laptop72 ppp[28253]: tun0: Command: default: add!
default HISADDR
Sep 20 17:25:50 laptop72 ppp[28253]: tun0: Command: default: enable dns 
Sep 20 17:25:50 laptop72 ppp[28253]: tun0: Command: gprs: set dial
ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 "" AT OK-AT-OK AT&F&K4 OK
AT+CGDCONT=1,\\"IP\\",\\"web.vodafone.de\\" OK ATD*99# TIMEOUT 30
CONNECT
Sep 20 17:25:50 laptop72 ppp[28253]: tun0: Phase: PPP Started
(foreground mode).
Sep 20 17:25:50 laptop72 ppp[28253]: tun0: Phase: bundle: Establish 
Sep 20 17:25:50 laptop72 ppp[28253]: tun0: Phase: deflink: closed -> opening 
Sep 20 17:25:50 laptop72 ppp[28253]: tun0: Phase: deflink: Connected! 
Sep 20 17:25:50 laptop72 ppp[28253]: tun0: Phase: deflink: opening -> dial 
Sep 20 17:25:50 laptop72 ppp[28253]: tun0: Chat: deflink: Dial attempt 1 of 1 
Sep 20 17:25:50 laptop72 ppp[28253]: tun0: Chat: Send: AT\^M 
Sep 20 17:25:50 laptop72 ppp[28253]: tun0: Chat: Expect(5): OK 
Sep 20 17:25:51 laptop72 ppp[28253]: tun0: Chat: Received: AT\^M\^M 
Sep 20 17:25:51 laptop72 ppp[28253]: tun0: Chat: Received: OK\^M 
Sep 20 17:25:51 laptop72 ppp[28253]: tun0: Chat: Send: AT&F&K4\^M 
Sep 20 17:25:51 laptop72 ppp[28253]: tun0: Chat: Expect(5): OK 
Sep 20 17:25:51 laptop72 ppp[28253]: tun0: Chat: Received: AT&F&K4\^M\^M 
Sep 20 17:25:51 laptop72 ppp[28253]: tun0: Chat: Received: OK\^M 
Sep 20 17:25:51 laptop72 ppp[28253]: tun0: Chat: Send:
AT+CGDCONT=1,"IP","web.vodafone.de"\^M
Sep 20 17:25:51 laptop72 ppp[28253]: tun0: Chat: Expect(5): OK 
Sep 20 17:25:51 laptop72 ppp[28253]: tun0: Chat: Received:
AT+CGDCONT=1,"IP","web.vodafone.de"\^M\^M
Sep 20 17:25:51 laptop72 ppp[28253]: tun0: Chat: Received: OK\^M 
Sep 20 17:25:51 laptop72 ppp[28253]: tun0: Chat: Send: ATD*99#\^M 
Sep 20 17:25:51 laptop72 ppp[28253]: tun0: Chat: Expect(30): CONNECT 
Sep 20 17:25:52 laptop72 ppp[28253]: tun0: Chat: Received: ATD*99#\^M\^M 
Sep 20 17:25:52 laptop72 ppp[28253]: tun0: Chat: Received: CONNECT\^M 
Sep 20 17:25:52 laptop72 ppp[28253]: tun0: Phase: deflink: dial -> carrier 
Sep 20 17:25:53 laptop72 ppp[28253]: tun0: Phase: deflink: carrier -> login 
Sep 20 17:25:53 laptop72 ppp[28253]: 

Re: HW: Wireless PCCARD

2005-09-20 Thread Johan P. Lindström
On 9/20/05, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> --On 20 September 2005 14:45 +0200, Johan P. Lindström wrote:
> 
> > not confirm if there were revisions released of those cards. Now this
> > differs from what I read on the manpage where supported chipsets are
> > AR5210, AR5211 and AR5212.
> >
> > At Atheros site (http://www.atheros.com/pt/index.html) the products
> > section shows only families of chipsets.
> >
> > So, what is my best bet?
> 
> Buy them from a supplier that lets you return them if they're no good...
> 
> 

I came back from a quick visit to the supplier's dungeon; he had a
Netgear WG511. It could have worked but it did not; the dmesg reported
Marvel internals (not configured), for those curious.

I have now ordered a Netgear WG511T; with some luck there will be more
progress during the week.
-- 
// Johan



Re: HW: Wireless PCCARD

2005-09-20 Thread Stuart Henderson

--On 20 September 2005 14:45 +0200, Johan P. Lindström wrote:


not confirm if there were revisions released of those cards. Now this
differs from what I read on the manpage where supported chipsets are
AR5210, AR5211 and AR5212.

At Atheros site (http://www.atheros.com/pt/index.html) the products
section shows only families of chipsets.

So, what is my best bet?


Buy them from a supplier that lets you return them if they're no good...



HW: Wireless PCCARD

2005-09-20 Thread Johan P. Lindström
As I am browsing the hw page

http://www.openbsd.org/i386.html

looking for a WiFi PCCARD, cross-checking with my usual supplier, I hit
the Netgear WAG511 (Atheros AR5001X+) and WG511T (Atheros AR5002g).
Knowing that the usual suspects change the chipsets but keep the
product name, I called Netgear and put forth my query; 10 minutes or so
(that's quick, no?) of elevator music later I am told that the cards
should be equipped with the above mentioned chipsets, however she could
not confirm if there were revisions released of those cards. Now this
differs from what I read on the manpage where supported chipsets are
AR5210, AR5211 and AR5212.

At the Atheros site (http://www.atheros.com/pt/index.html) the products
section shows only families of chipsets.

So, what is my best bet?
-- 
// Johan



Re: logging blocked connections in pf, but no line noise

2005-09-20 Thread frantisek holop
hmm, on Mon, Sep 19, 2005 at 06:33:16PM -0600, jared r r spiegel said that
> > this doesn't seem to have the desired effect...
> > the rule got translated into
> > 
> > block drop in quick inet from any to xxx.xxx.xxx.255
> > 
> > and is not stopping all the noise...
> 
>   heh.. cable modem? (arparparparparparparparp.. :P)...
> 
>   what is the noise exactly?
> 
>   give tcpdump pflog0, make known what is/isn't your IP
>   ( xxx out the middle 2 octets or whatever makes you happy ).
> 
>   i understand you mean 'noise' to be "a lot of traffic that shows up
>   on my line that is full of valid CRCs but not intended for me or of
>   no interest to me", but what is it, exactly?

ok, here's some "noise"
(just to show what else i get, i filtered all the ports you suggested,
and some more):


rule 4/(match) block in on ne3: 222.180.36.139.1056 > 62.24.89.85.1434:  udp 376 [tos 0x20]
rule 4/(match) block in on ne3: 61.172.203.237.7000 > 62.24.90.3.16170: S 3881939974:3881939974(0) ack 4195173196 win 16384  [tos 0x20]
rule 4/(match) block in on ne3: 84.31.197.172.1875 > 62.24.89.111.6346: S 1956560420:1956560420(0) win 65535  (DF) [tos 0x20]
rule 4/(match) block in on ne3: 220.237.169.60.4342 > 62.24.89.22.22718: R 0:0(0) win 0 [tos 0x20]
rule 4/(match) block in on ne3: 68.238.152.155.21100 > 84.42.169.201.6346: S 3348705148:3348705148(0) win 16384  (DF) [tos 0x40]
rule 4/(match) block in on ne3: 61.142.81.161.80 > 62.24.89.164.4829: R 0:0(0) ack 2253512466 win 0 [tos 0x20]
rule 4/(match) block in on ne3: 71.2.166.221.14276 > 62.24.89.124.6346:  udp 35 [tos 0x20]
rule 4/(match) block in on ne3: 222.180.36.139.1056 > 62.24.90.213.1434:  udp 376 [tos 0x20]
rule 4/(match) block in on ne3: 72.36.170.26.1046 > 84.42.169.41.1434:  udp 376 [tos 0x20]
rule 4/(match) block in on ne3: 81.193.101.175.11782 > 62.24.89.70.6346: S 1933151585:1933151585(0) win 65535  (DF) [tos 0x20]
rule 4/(match) block in on ne3: 194.149.104.58.10052 > 62.24.89.22.1071:  udp 75
rule 4/(match) block in on ne3: 60.191.129.114.1110 > 213.220.238.29.1434:  udp 376 [tos 0x20]
rule 4/(match) block in on ne3: 194.108.142.123.25859 > 62.24.90.57.3223:  udp 77 [tos 0x20]
rule 4/(match) block in on ne3: 61.142.81.161.80 > 62.24.89.139.853: R 0:0(0) ack 978635617 win 0 [tos 0x20]
rule 4/(match) block in on ne3: 81.193.101.175.11902 > 62.24.89.70.6346: S 1197886245:1197886245(0) win 65535  (DF) [tos 0x20]
rule 4/(match) block in on ne3: 222.73.0.110.2344 > 213.220.238.79.1434:  udp 376 [tos 0x20]
rule 4/(match) block in on ne3: 222.180.36.139.1056 > 84.42.169.95.1434:  udp 376 [tos 0x20]
rule 4/(match) block in on ne3: 84.90.47.222.52369 > 84.42.169.41.4110:  udp 74
rule 4/(match) block in on ne3: 81.193.101.175.11980 > 62.24.89.70.6346: S 2900328972:2900328972(0) win 65535  (DF) [tos 0x20]
rule 4/(match) block in on ne3: 219.132.23.236.1317 > 62.24.89.175.1434:  udp 376 [tos 0x20]
rule 4/(match) block in on ne3: 219.132.16.242.1065 > 62.24.89.252.1434:  udp 376 [tos 0x20]
rule 4/(match) block in on ne3: 81.193.101.175.12005 > 62.24.89.70.6346: S 3648369907:3648369907(0) win 65535  (DF) [tos 0x20]
rule 4/(match) block in on ne3: 202.101.70.43.3010 > 62.24.89.157.1434:  udp 376 [tos 0x20]
rule 4/(match) block in on ne3: 66.177.118.190.3999 > 213.220.238.139.2295: S 2270693086:2270693086(0) win 16384  (DF) [tos 0x20]
rule 4/(match) block in on ne3: 61.139.37.28.1807 > 62.24.90.9.1434:  udp 376 [tos 0x20]
rule 4/(match) block in on ne3: 81.193.101.175.12078 > 62.24.89.70.6346: S 234221371:234221371(0) win 65535  (DF) [tos 0x20]
rule 4/(match) block in on ne3: 219.153.6.49.1185 > 62.24.90.81.1434:  udp 376 [tos 0x20]
rule 4/(match) block in on ne3: 86.137.77.76.4761 > 84.42.169.80.6346: S 80365531:80365531(0) win 65535  (DF)
rule 4/(match) block in on ne3: 81.193.101.175.12103 > 62.24.89.70.6346: S 183360:183360(0) win 65535  (DF) [tos 0x20]
rule 4/(match) block in on ne3: 212.65.215.9.54848 > 62.24.89.76.6346: S 2858633983:2858633983(0) win 64240  [tos 0x20]
rule 4/(match) block in on ne3: 216.74.57.104.1038 > 84.42.169.141.1434:  udp 376 [tos 0x20]
rule 4/(match) block in on ne3: 210.29.135.111.80 > 62.24.90.93.602: S 2436337942:2436337942(0) ack 2021041446 win 16384  [tos 0x20]
rule 4/(match) block in on ne3: 219.92.155.13.1362 > 62.24.89.202.1434:  udp 376
rule 4/(match) block in on ne3: 217.79.145.214.1041 > 84.42.169.80.6346: S 578003833:578003833(0) win 25200  (DF) [tos 0x60]
rule 4/(match) block in on ne3: 81.193.101.175.12173 > 62.24.89.70.6346: S 1330783368:1330783368(0) win 65535  (DF) [tos 0x20]
rule 4/(match) block in on ne3: 172.168.103.47.3331 > 213.220.238.103.3127: S 2863424814:2863424814(0) win 16384  (DF)
rule 4/(match) block in on ne3: 202.107.250.82.1221 > 213.220.238.204.1434:  udp 376 [tos 0x20]
rule 4/(match) block in on ne3: 84.244.69.124 > 62.24.89.250: icmp: echo request (DF)
rule 4/(match) block in on ne3: 194.108.142.123.25859 > 62.24.90.57.3223:  udp 77 [tos 0x20]
rule 4/(m
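
A dump like the one above is what you sift through before deciding which classes of blocked traffic deserve `log` at all. As an added example that is not part of this thread, the Python below parses records in that tcpdump-on-pflog0 format (a constructed, unwrapped subset of the lines above, not the full capture), tallies them by protocol and destination port, separates destinations outside an assumed local prefix (62.24.90.0/24 here, an assumption for the example) by /24, and counts unsolicited SYN/ACK and RST segments, which never match a state and so are the usual candidates for a separate block rule without `log`.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the "tcpdump on pflog0" format shown above, unwrapped
# onto single lines. These are illustrative records, not the poster's full capture.
SAMPLE_PFLOG = """\
rule 4/(match) block in on ne3: 222.180.36.139.1056 > 62.24.89.85.1434:  udp 376 [tos 0x20]
rule 4/(match) block in on ne3: 61.172.203.237.7000 > 62.24.90.3.16170: S 3881939974:3881939974(0) ack 4195173196 win 16384 [tos 0x20]
rule 4/(match) block in on ne3: 84.31.197.172.1875 > 62.24.89.111.6346: S 1956560420:1956560420(0) win 65535 (DF) [tos 0x20]
rule 4/(match) block in on ne3: 220.237.169.60.4342 > 62.24.89.22.22718: R 0:0(0) win 0 [tos 0x20]
rule 4/(match) block in on ne3: 61.142.81.161.80 > 62.24.89.164.4829: R 0:0(0) ack 2253512466 win 0 [tos 0x20]
rule 4/(match) block in on ne3: 71.2.166.221.14276 > 62.24.89.124.6346:  udp 35 [tos 0x20]
rule 4/(match) block in on ne3: 222.180.36.139.1056 > 62.24.90.213.1434:  udp 376 [tos 0x20]
rule 4/(match) block in on ne3: 194.108.142.123.25859 > 62.24.90.57.3223:  udp 77 [tos 0x20]
rule 4/(match) block in on ne3: 84.244.69.124 > 62.24.89.250: icmp: echo request (DF)
"""

# One pflog record: rule number, match reason, action, direction, interface,
# "src > dst", then the protocol-specific remainder.
LINE_RE = re.compile(
    r"^rule (?P<rule>\d+)/\((?P<reason>\w+)\) (?P<action>\w+) (?P<dir>in|out) "
    r"on (?P<ifname>\w+): (?P<src>\S+) > (?P<dst>[^:\s]+): (?P<rest>.*)$"
)


def split_endpoint(ep):
    """'62.24.89.85.1434' -> ('62.24.89.85', 1434); a bare IP (icmp) -> (ip, None)."""
    parts = ep.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return ep, None


def parse_pflog_line(line):
    """Parse one record into a dict, or return None for lines that are not records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    src, sport = split_endpoint(m.group("src"))
    dst, dport = split_endpoint(m.group("dst"))
    if rest.startswith("icmp:"):
        proto, flags = "icmp", ""
    elif rest.startswith("udp"):
        proto, flags = "udp", ""
    else:
        proto, flags = "tcp", (rest.split() or ["?"])[0]   # tcpdump flag letters: S, R, P, F, .
    return {
        "rule": int(m.group("rule")), "action": m.group("action"),
        "dir": m.group("dir"), "ifname": m.group("ifname"),
        "src": src, "sport": sport, "dst": dst, "dport": dport,
        "proto": proto, "flags": flags,
        # tcpdump prints "ack N" when the ACK bit is set; "S ... ack" is a SYN/ACK.
        "ack": " ack " in f" {rest} ",
    }


def summarize(text, local_net):
    """Tally blocked records by service, by foreign destination /24, and stateless TCP replies."""
    net = ipaddress.ip_network(local_net)
    by_service, not_local = Counter(), Counter()
    total = tcp_replies = 0
    for line in text.splitlines():
        rec = parse_pflog_line(line)
        if rec is None:
            continue
        total += 1
        key = rec["proto"] if rec["dport"] is None else f"{rec['proto']}/{rec['dport']}"
        by_service[key] += 1
        dst = ipaddress.ip_address(rec["dst"])
        if dst not in net:
            # Group destinations outside our prefix by /24 so the "other nets" stand out.
            not_local[str(ipaddress.ip_network(f"{dst}/24", strict=False))] += 1
        # A SYN/ACK or RST arriving with no state behind it answers a connection
        # this host never opened; it can only ever hit the catch-all block rule,
        # so it is a candidate for a separate block without log.
        if rec["proto"] == "tcp" and (rec["flags"] == "R" or (rec["flags"] == "S" and rec["ack"])):
            tcp_replies += 1
    return {"total": total, "by_service": by_service,
            "not_local": not_local, "tcp_replies": tcp_replies}


if __name__ == "__main__":
    # The local prefix is an assumption for this example.
    report = summarize(SAMPLE_PFLOG, "62.24.90.0/24")
    print(f"{report['total']} blocked packets, {report['tcp_replies']} stateless TCP replies")
    for svc, n in report["by_service"].most_common():
        print(f"  {svc:<12} {n}")
    for cidr, n in report["not_local"].most_common():
        print(f"  not for us: {cidr:<18} {n}")
```

Feed it `tcpdump -n -e -ttt -i pflog0` output with the continuation lines joined, and the two biggest buckets (here UDP/1434 and traffic to prefixes that are not yours) tell you which unlogged block rules to put in front of the logging catch-all.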

Re: Wireless Strangeness

2005-09-20 Thread Rod.. Whitworth
On Tue, 20 Sep 2005 12:49:16 +0100, Stuart Henderson wrote:

>--On 19 September 2005 20:24 -0400, Alex Kirk wrote:
>
>>> > wi0 at pci0 dev 12 function 0 "National Datacomm Corp NCP130 Rev
>>> > A2" rev 0x01: irq 9 wi0: PRISM2 HWB3163 rev.B, Firmware 0.3.0
>>> > (primary), 1.7.1 (station), address 00:80:c6:e3:72:2c
>>>
>>> It's ancient but it should work.
>>
>> It was the most current I could find for this particular chipset. If
>> you know of any more modern versions that are supported for this
>> card, I'll happily install them. :-)
>
>With an old card and old OS release, it might be worth trying older 
>station (secondary) firmware too... I've often seen 1.4.9 recommended 
>unless newer features are required (e.g. 1.5.6 for WDS, 1.6.3 for 
>beacon hiding [not that it's really useful], etc).
>
>There are collections of PRISM firmware at
> 1.4.9 to 1.8.4
> 1.1.0 to 1.7.4
>
> has more info on filename 
>conventions and how to identify which cards you can use different flash 
>files with (there are different files for PRISM2 and PRISM2.5, for 
>example). Some things suggested on that page are linux-only though.
>
>But I think you should try a newer OS release before playing that 
>game... If you want to make a quick test before installing, you could 
>use a flashboot-bindist kernel.
>
>

Heck, I'm running 1.0.7/1.3.6 on a Netgear card and it works on 3.6/7/8.
So don't sweat it - you just may find something you want (or think you
need) doesn't happen.
Worry then. As Stuart says, there is firmware "out there" if you need
it.
I thought I needed later firmware so that I could kill the beaconing.
Heh, a bit more research shows that the data I would hide would be
sniffable in every packet from an associated client. Too easy.


From the land "down under": Australia.
Do we look from up over?

Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.



Re: Wireless Strangeness

2005-09-20 Thread Stuart Henderson

--On 19 September 2005 20:24 -0400, Alex Kirk wrote:


> wi0 at pci0 dev 12 function 0 "National Datacomm Corp NCP130 Rev
> A2" rev 0x01: irq 9 wi0: PRISM2 HWB3163 rev.B, Firmware 0.3.0
> (primary), 1.7.1 (station), address 00:80:c6:e3:72:2c

It's ancient but it should work.


It was the most current I could find for this particular chipset. If
you know of any more modern versions that are supported for this
card, I'll happily install them. :-)


With an old card and old OS release, it might be worth trying older 
station (secondary) firmware too... I've often seen 1.4.9 recommended 
unless newer features are required (e.g. 1.5.6 for WDS, 1.6.3 for 
beacon hiding [not that it's really useful], etc).


There are collections of PRISM firmware at
 1.4.9 to 1.8.4
 1.1.0 to 1.7.4

 has more info on filename 
conventions and how to identify which cards you can use different flash 
files with (there are different files for PRISM2 and PRISM2.5, for 
example). Some things suggested on that page are linux-only though.


But I think you should try a newer OS release before playing that 
game... If you want to make a quick test before installing, you could 
use a flashboot-bindist kernel.




Re: PowerEdge 1850 w/ dual Xeon : now tested with 3.8 GENERIC.MP

2005-09-20 Thread Nick Holland
Mariano Benedettini wrote:
> I wrote last week, about some problems I've experienced with 3.7 GENERIC.MP
> on a PowerEdge 1850 dual Xeon [1].
> Some people suggested to try a 3.8 snapshot, and that's what I did.
> The system runs fine, but is there any way to make it work with 3.7
> GENERIC.MP ?

Of course there is!  Push all the things that changed in 3.8 to 3.7.
You will then end up with...a poorly done 3.8!  Wow!  :)

Slightly more seriously, no.  The OpenBSD project is about moving
forward, not adding features to previous versions.  3.7 may have bugs
fixed, but will not be receiving new features, support new hardware, etc.

Just run 3.8.  It works.  Obviously, you weren't running 3.7 on this
machine.  There is no reason not to keep running what you have now, and
bump to 3.8-release when it ships.

Nick.

> Here's the full dmesg:
> 
> OpenBSD 3.8 (GENERIC.MP) #298: Sat Sep 10 15:51:54 MDT 2005
> [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
...
thanks! :)



Re: Mini DV USB Connection

2005-09-20 Thread Johan P. Lindström
On 9/20/05, Dan Smythe <[EMAIL PROTECTED]> wrote:
> I am looking into Mini DV camcorders. I see that one
> model in particular, the MV320 has USB computer
> support. What program would you recommend for copying
> the files to the OpenBSD system?
Good question, but is the USB really used to transfer video content or
is it just images? My Canon does only FireWire and I have only tried
it on Ms XP so I can't help you there...

 
// Johan



Re: pOf

2005-09-20 Thread Lukasz Sztachanski
On Mon, Sep 19, 2005 at 09:27:10PM +1000, Steve Murdoch wrote:
> Is there any way of limiting access to pptpd from pocket pc clients ?
> 
> I can't find any fingerprints for pocket pc in pf.os ?
I see:
32768:128:1:64:M1460,N,W0,N,N,T0,N,N,S: PocketPC:2002::PocketPC 2002
If it doesn't match, you can always initiate a connection from the PocketPC
while listening to the traffic using p0f and add this fingerprint to pf.os.

-- 
Lukasz Sztachanski  
...proud user of C8H10N4O2 :)
http://szati.blogspot.com
http://rudy.mif.pg.gda.pl/~szati/szati.asc
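
As an added example (not from this thread and not pf's own code), the Python below parses entries in the pf.os field layout (window:TTL:DF:size:options:class:version:subtype:details), using the PocketPC line quoted above plus constructed entries labelled as such, and reports which entries an observed SYN is consistent with. The TTL tolerance (MAX_HOPS), the handling of the `%n`, `Sn` and `Tn` window forms and of `M*`/`W*` option wildcards, and the MTU = MSS + 40 rule are my simplified reading of that format, stated as assumptions in the code; they are not pf's matcher.

```python
# Constructed pf.os entries: the PocketPC line from the reply above, plus
# made-up entries (labelled "constructed") so the matcher has something to
# disambiguate. Field order: window:TTL:DF:size:options:class:version:subtype:details.
PF_OS_SAMPLE = """\
# window:TTL:DF:size:options:class:version:subtype:details
32768:128:1:64:M1460,N,W0,N,N,T0,N,N,S: PocketPC:2002::PocketPC 2002
16384:64:1:64:M*,N,N,S,N,W0,N,N,T: ExampleBSD:x.y::constructed entry
*:128:1:48:M*,N,N,S: ExampleWin:1.0::constructed entry, wildcard window
S4:64:1:60:M*,N,W0,N,N,T: ExampleS4:1.0::constructed entry, window = 4 x MSS
"""

FIELDS = ("window", "ttl", "df", "size", "options", "os", "version", "subtype", "details")
MAX_HOPS = 40  # assumption: accept an observed TTL up to 40 hops below the initial TTL


def parse_pf_os(text):
    """Parse pf.os-style lines into dicts; blank lines and '#' comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":", len(FIELDS) - 1)]
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed pf.os line: {raw!r}")
        entries.append(dict(zip(FIELDS, parts)))
    return entries


def _mss_from_options(options):
    for tok in options.split(","):
        if tok.startswith("M") and tok[1:].isdigit():
            return int(tok[1:])
    return None


def _window_ok(spec, win, mss):
    if spec == "*":
        return True
    if spec.startswith("%"):                 # %n: window is a multiple of n
        return win % int(spec[1:]) == 0
    if spec[0] in "ST":                      # Sn / Tn: n times MSS / n times MTU
        if mss is None:
            return False
        unit = mss if spec[0] == "S" else mss + 40   # assumption: IPv4 MTU = MSS + 40
        return win == int(spec[1:]) * unit
    return win == int(spec)


def _options_ok(spec, observed):
    want = spec.split(",") if spec else []
    have = observed.split(",") if observed else []
    if len(want) != len(have):
        return False
    for w, h in zip(want, have):
        if w.endswith("*"):                  # M* / W*: same option, any value
            if not (h.startswith(w[:-1]) and h[len(w) - 1:].isdigit()):
                return False
        elif w != h:
            return False
    return True


def match_syn(entries, syn):
    """Return the entries an observed SYN (window, ttl, df, size, options) is consistent with."""
    mss = _mss_from_options(syn["options"])
    hits = []
    for e in entries:
        init_ttl = int(e["ttl"])
        if int(e["df"]) != syn["df"]:
            continue
        if e["size"] != "*" and int(e["size"]) != syn["size"]:
            continue
        # The observed TTL can only be at or below the initial TTL, and not too far below.
        if not (syn["ttl"] <= init_ttl <= syn["ttl"] + MAX_HOPS):
            continue
        if not _window_ok(e["window"], syn["window"], mss):
            continue
        if not _options_ok(e["options"], syn["options"]):
            continue
        hits.append(e)
    return hits


if __name__ == "__main__":
    db = parse_pf_os(PF_OS_SAMPLE)
    # Constructed SYN, two hops away, from a device matching the PocketPC entry.
    syn = {"window": 32768, "ttl": 126, "df": 1, "size": 64,
           "options": "M1460,N,W0,N,N,T0,N,N,S"}
    for e in match_syn(db, syn):
        print(f"{e['os']}:{e['version']}:{e['subtype']}  ({e['details']})")
```

The point of checking a candidate fingerprint this way before adding it is to see whether it is unique: if a captured SYN matches several entries, an `os` match in a pf rule will be equally ambiguous. Once the entry is in pf.os, the `os` keyword in the rule's source host specification selects on the class name.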



Jacek Artymiak --off topic

2005-09-20 Thread Siju George
Hi list,

Any idea if Jacek Artymiak is well??? I heard that he was suffering
from some serious health problems :-(

Sometime back he told me that he was willing to allow his book
published in the Indian re-print if I could find an interested Indian
Publisher

http://www.shroffpublishers.com/

is willing. I had contacted Jacek through mail and got no reply for
some time now.
Hope he is doing well. Anybody any idea???

Thank you so much

Kind Regards

Siju



OpenCVS architecture

2005-09-20 Thread Vincent Blondel
Hi BSD lovers,

I would like to set up a public cvs server with read/write and anonymous
access. So I googled and found a howto that describes the
setup with openssh.

http://www.pointless.nl/~peter/stuff/cvs-server.html

I find the proposed way very interesting because the authentication is made with
an OpenSSH server and not with cvs directly, but I
still have a problem.

You can find below a little (and simplified) network diagram on which I am
working:

  firewall
 |
  OpenBSD 3.7 ( DMZ )
 |
  firewall
 |
  FreeBSD 5.x

The method requires that cvs and sshd run on the same machine, and that's a
problem for me. In my network configuration, the DMZ
doesn't contain any production data. We only have proxy machines (
Bind, Apache, ...) that validate the traffic and forward it to the
lan.

So in this case, I should have a jailed OpenSSH server hosted in the DMZ (
OpenBSD machine) that should connect to a cvs (CVSROOT)
hosted on the lan (FreeBSD machines ...).

I just imagine storing the CVSROOT on an NFS share that I could mount from the
DMZ, but I haven't found anything else until now.

So are there people having such experience with this matter? Is it possible
to solve this situation with OpenCVS???

Thanks for helping me.

Regards
Vincent.



Mini DV USB Connection

2005-09-20 Thread Dan Smythe
I am looking into Mini DV camcorders. I see that one
model in particular, the MV320 has USB computer
support. What program would you recommend for copying
the files to the OpenBSD system?